Data surveillance system with patterns of centroid drift
First Claim
1. A computer-implemented method of surveillance of a plurality of packets of data in a computer network of an organization, said method executing computer program instructions stored in a non-transitory storage medium and comprising the steps of:
(a) analyzing a protocol of said data;
(b) analyzing a user-behavior of a user of said computer network;
(c) analyzing a content of each packet belonging to said plurality of packets of said data by utilizing deep packet inspection (DPI);
(d) establishing a baseline of said data by assigning said each packet to a cluster of said packets amongst a plurality of clusters of said packets of said data;
(e) computing an overall score of said each packet along axes comprising said protocol, said user-behavior and said content;
(f) based on said overall score, computing an absolute distance between said each packet and a center of said cluster of said packets of said data;
(g) scoring said each packet based on its distance from a centroid of said baseline; and
(h) analyzing a drift of said centroid in accordance with the activities of said organization.
Abstract
Data surveillance techniques are presented for the detection of security issues, especially of the kind where privileged data may be stolen by steganographic, data-manipulation or other exfiltration attempts. Such attempts may be made by rogue users or admins from inside a network, or by outside attackers who are able to intrude into the network and impersonate legitimate users. The system and methods use a triangulation process whereby analytical results pertaining to data protocol, user behavior and packet content are combined to establish a baseline for the data. Subsequent incoming data is then scored and compared against the baseline to detect security anomalies. A centroid representing the normal population of the data packets is identified. The movement or drift of the centroid in response to various events is measured and analyzed. This allows the system to evolve its baseline over time so that such events do not produce false positives.
20 Claims
1. A computer-implemented method of surveillance of a plurality of packets of data in a computer network of an organization, said method executing computer program instructions stored in a non-transitory storage medium and comprising the steps of:
(a) analyzing a protocol of said data;
(b) analyzing a user-behavior of a user of said computer network;
(c) analyzing a content of each packet belonging to said plurality of packets of said data by utilizing deep packet inspection (DPI);
(d) establishing a baseline of said data by assigning said each packet to a cluster of said packets amongst a plurality of clusters of said packets of said data;
(e) computing an overall score of said each packet along axes comprising said protocol, said user-behavior and said content;
(f) based on said overall score, computing an absolute distance between said each packet and a center of said cluster of said packets of said data;
(g) scoring said each packet based on its distance from a centroid of said baseline; and
(h) analyzing a drift of said centroid in accordance with the activities of said organization.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10.
11. A system for surveilling a plurality of packets of data in a computer network of an organization, said system including computer-readable instructions stored in a non-transitory storage medium and a microprocessor coupled to said storage medium for executing said computer-readable instructions, said microprocessor configured to:
(a) analyze a protocol of said data;
(b) analyze a user-behavior of a user of said computer network;
(c) analyze a content of each packet belonging to said plurality of packets of said data by performing deep packet inspection (DPI);
(d) establish a baseline of said data by an assignment of said each packet to a cluster of said packets amongst a plurality of clusters of said packets of said data;
(e) compute an overall score of said each packet along axes comprising said protocol, said user-behavior and said content;
(f) based on said overall score, compute an absolute distance between said each packet and a center of said cluster of said packets of said data;
(g) score said each packet based on its distance from a centroid of said baseline; and
(h) analyze a drift of said centroid in accordance with the activities of said organization.
Dependent claims: 12, 13, 14, 15, 16, 17, 18, 19, 20.
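The process of claims 1 and 11 and the abstract, as an added worked example that is not the patent's own code: each packet is projected onto the three claimed axes (protocol, user behavior, content), a baseline is built by clustering those points, each new packet is scored by its distance from the nearest cluster centroid, and the drift of the overall baseline centroid is measured per observation window so that a gradual shift is folded into the baseline while an abrupt jump is reported and the baseline kept as is. Everything concrete here is an assumption chosen for illustration: the EXPECTED port/size table, the off-hours definition on the behavior axis, payload entropy as a stand-in for real DPI on the content axis, the 3-sigma per-cluster radius, the 0.25 drift step, and the constructed sample traffic.

```python
# Centroid scoring on three axes with drift tracking (added illustration, not the patent's code).
import math
from collections import Counter
from dataclasses import dataclass

@dataclass
class Packet:
    user: str
    proto: str      # label from protocol analysis
    port: int       # destination port
    hour: int       # hour of day seen (user-behavior axis)
    payload: bytes  # bytes a DPI stage would inspect (content axis)

# Assumed per-protocol expectations: (expected port, typical payload size).
EXPECTED = {"https": (443, 1200), "dns": (53, 80)}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0..8; encrypted, compressed or stego payloads sit near 8."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def features(p: Packet) -> tuple:
    """Project a packet onto the three axes, each scaled into [0, 1]."""
    port, size = EXPECTED.get(p.proto, (p.port, 1500))
    proto = 1.0 if p.port != port else min(len(p.payload) / size, 2.0) / 2
    off = 0 if 9 <= p.hour <= 17 else min(abs(p.hour - 9), abs(p.hour - 17))
    return (proto, off / 12, shannon_entropy(p.payload) / 8)  # off-hours over half a day
def dist(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))
def mean(pts):
    return tuple(sum(p[i] for p in pts) / len(pts) for i in range(len(pts[0])))
def kmeans(pts, k, iters=50):
    """Deterministic farthest-first seeding, then Lloyd iterations to convergence."""
    cents = [pts[0]]
    while len(cents) < k:
        cents.append(max(pts, key=lambda p: min(dist(p, c) for c in cents)))
    for _ in range(iters):
        groups = [[] for _ in cents]
        for p in pts:
            groups[min(range(k), key=lambda i: dist(p, cents[i]))].append(p)
        new = [mean(g) if g else cents[i] for i, g in enumerate(groups)]
        if new == cents:
            break
        cents = new
    return cents, groups

class Baseline:
    def __init__(self, packets, k=2, sigma=3.0):
        self.k, self.sigma = k, sigma
        self.points = [features(p) for p in packets]
        self._fit()

    def _fit(self):
        self.centroids, groups = kmeans(self.points, self.k)
        self.centroid, self.radius = mean(self.points), []  # population center, per-cluster bound
        for c, g in zip(self.centroids, groups):
            ds = [dist(p, c) for p in g] or [0.0]
            m = sum(ds) / len(ds)
            sd = math.sqrt(sum((d - m) ** 2 for d in ds) / len(ds))
            self.radius.append(max(m + self.sigma * sd, 0.05))  # floor for tight clusters

    def score(self, p: Packet):
        """Return (cluster index, distance to its centroid, anomalous?)."""
        x = features(p)
        i = min(range(self.k), key=lambda j: dist(x, self.centroids[j]))
        d = dist(x, self.centroids[i])
        return i, d, d > self.radius[i]

    def observe_window(self, packets, max_step=0.25):
        """Measure drift of one window's centroid; absorb it only if gradual."""
        pts = [features(p) for p in packets]
        delta = dist(mean(pts), self.centroid)
        if delta > max_step:
            return delta, False  # abrupt jump: report it, keep the baseline
        self.points.extend(pts)  # gradual shift: evolve the baseline
        self._fit()
        return delta, True

# Constructed sample traffic (not captured data): daytime HTTPS with
# encrypted-looking payloads plus daytime DNS queries form the baseline.
def https(hour, size):  # size is a multiple of 5, so the payload is exactly size bytes
    return Packet("alice", "https", 443, hour, bytes(range(size // 5)) * 5)
def dns(hour, reps):
    return Packet("alice", "dns", 53, hour, b"corp.example.com" * reps)
BASELINE = [https(9, 1200), https(11, 1120), https(14, 1040), https(16, 960),
            dns(9, 3), dns(11, 4), dns(14, 5), dns(16, 4)]
NORMAL, EVENING = https(11, 1080), https(19, 1080)
# DNS on port 53 at 03:00 carrying 400 high-entropy bytes: a tunnelling/exfil shape.
EXFIL = Packet("alice", "dns", 53, 3, bytes(range(200)) * 2)
EVENING_WINDOW = [https(19, 1200), https(19, 960), dns(19, 3), dns(19, 5)]

def demo():
    bl = Baseline(BASELINE)
    before = {"normal": bl.score(NORMAL)[2], "evening": bl.score(EVENING)[2],
              "exfil": bl.score(EXFIL)[2]}
    gradual = bl.observe_window(EVENING_WINDOW)  # shift to evening work: absorbed
    abrupt = bl.observe_window([EXFIL] * 4)      # exfil burst: rejected and reported
    after = {"evening": bl.score(EVENING)[2], "exfil": bl.score(EXFIL)[2]}
    return before, gradual, abrupt, after
```

Running demo() shows the point of the drift step: before the evening window is observed, a legitimate 19:00 HTTPS packet scores as anomalous (its behavior-axis value lies outside the daytime cluster's radius); after that window's modest centroid movement is absorbed, the same packet scores normal, while the exfil-shaped packet stays anomalous both before and after, and the burst of exfil packets moves the window centroid far enough that it is reported rather than absorbed. A production system would feed the three axes from real protocol parsing, user profiles and DPI rather than the port/size, off-hours and entropy proxies assumed here.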