System and method for detecting anomalies associated with network traffic to cloud applications
First Claim
1. An anomaly detection system comprising:
a processor;
a memory; and
a security application stored in the memory and including instructions, which are executable by the processor and are configured to:
collect information of behavior data for a plurality of users of an organization accessing one or more cloud application(s) via a distributed network, wherein the behavior data includes tracked information tracked over time for the plurality of users, and wherein the one or more cloud application(s) are implemented on one or more server computer(s) of a service provider;
establish a plurality of baselines for each of the plurality of users and for each of the one or more cloud application(s) or types of cloud applications of the organization;
detect anomalies based on the plurality of baselines;
provide aggregated anomaly data by aggregating the anomalies (i) corresponding to two or more of the plurality of baselines and a same behavior, or (ii) corresponding to multiple users of a same cloud application during a same period of time, wherein the aggregated anomaly data includes weighted values describing the aggregated anomalies, with higher weights of the weighted values indicating higher likelihoods that the aggregated anomaly data is associated with malicious activity, wherein multiple different types of aggregations are selectably performable to aggregate the anomalies, each of the multiple different types of aggregations being associated with a corresponding weight used to weight the weighted values, and wherein determining which specific weight to apply to the weighted values is based on which particular type of aggregation included within the multiple different types of aggregations is selected to aggregate the anomalies;
determine a risk value based on the aggregated anomaly data; and
perform a countermeasure based on the risk value.
Abstract
An anomaly detection system is provided and includes a processor, a memory, and a security application that is stored in the memory and includes instructions. The instructions are configured to collect information of behavior data for the users of an organization accessing cloud applications via a distributed network. The behavior data includes one or more parameters tracked over time for the users. The instructions are further configured to: establish baselines for each of the users and for each of the cloud applications or types of cloud applications of the organization; detect anomalies based on the baselines; provide aggregated anomaly data by aggregating anomalies corresponding to two or more of the baselines and a same behavior or corresponding to multiple users of a same cloud application during a same period of time; determine a risk value based on the aggregated anomaly data; and perform a countermeasure based on the risk value.
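The pipeline the abstract and claim 1 describe (baselines per user and per cloud application, anomaly detection against those baselines, aggregation of anomalies by a selected type with a weight tied to that type, a risk value, and a countermeasure chosen from the risk value) as a small worked example. This is added illustration, not code from the patent or its assignee; the sample download counts, the z-score test, the weights, and the response thresholds are all constructed.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample data (not from the patent): daily download counts per (user, app).
# Days 1-5 form the baseline window; day 6 is the period being scored.
COUNTS = {("alice", "storage"): [10, 12, 9, 11, 10, 400], ("bob", "storage"): [20, 18, 22, 21, 19, 350],
          ("carol", "storage"): [5, 6, 4, 5, 6, 5], ("dave", "crm"): [3, 4, 3, 5, 4, 60]}
EVENTS = [(u, a, d, n) for (u, a), cs in COUNTS.items() for d, n in enumerate(cs, 1)]

# One weight per aggregation type (claim 1); the selected type decides which applies. Illustrative values.
WEIGHTS = {"multi_baseline": 2.0, "multi_user": 3.0}
Z_THRESHOLD = 3.0  # standard deviations above baseline that count as an anomaly

def baselines(events, baseline_days):
    """Per-(user, app) and per-app baselines as (mean, stddev) over the baseline window."""
    per_user, per_app = defaultdict(list), defaultdict(list)
    for user, app, day, n in events:
        if day in baseline_days:
            per_user[(user, app)].append(n)
            per_app[app].append(n)
    stats = lambda xs: (mean(xs), pstdev(xs) or 1.0)  # flat series: avoid division by zero
    return {k: stats(v) for k, v in per_user.items()}, {k: stats(v) for k, v in per_app.items()}

def detect(events, day, user_bl, app_bl):
    """Anomalies in one period as (user, app, day, baseline_kind); one value can trip both baselines."""
    found = []
    for user, app, d, n in events:
        if d == day:
            for kind, (mu, sd) in (("user", user_bl[(user, app)]), ("app", app_bl[app])):
                if (n - mu) / sd >= Z_THRESHOLD:
                    found.append((user, app, d, kind))
    return found

def aggregate(anomalies, agg_type):
    """(i) multi_baseline: same user/behavior/period on 2+ baselines; (ii) multi_user: 2+ users of one app in a period."""
    groups = defaultdict(set)
    for user, app, day, kind in anomalies:
        key, member = ((user, app, day), kind) if agg_type == "multi_baseline" else ((app, day), user)
        groups[key].add(member)
    # Weighted value per group: the weight of the selected aggregation type times the group size.
    return {k: WEIGHTS[agg_type] * len(m) for k, m in groups.items() if len(m) >= 2}

def risk_value(events, day, agg_type, baseline_days=range(1, 6)):
    """Risk for one period under the selected aggregation type: sum of its weighted values."""
    user_bl, app_bl = baselines(events, set(baseline_days))
    return sum(aggregate(detect(events, day, user_bl, app_bl), agg_type).values())

def countermeasure(risk):
    """Map risk to a response tier (thresholds constructed for the example)."""
    return ("suspend sessions and alert SOC" if risk >= 10 else
            "require re-authentication" if risk >= 5 else "log for review" if risk > 0 else "none")
```

On day 6 both aggregation types fire for the storage application (two users spike at once, and each spike trips both its user baseline and the application baseline), while dave's lone spike on crm is only caught by the multi-baseline aggregation.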
Claims (21 claims, 22 citations; the independent claims 1, 10 and 16 are set out below)
1. An anomaly detection system comprising: (set out in full under First Claim above; dependent claims 2 to 9 not shown)
10. An anomaly detection system comprising:
a processor;
a memory; and
a security application stored in the memory and including instructions, which are executable by the processor and are configured to:
collect information of behavior data for a plurality of client computers of an organization accessing one or more cloud application(s) via a distributed network, wherein the behavior data includes tracked information tracked over time for the plurality of client computers, and wherein the one or more cloud application(s) are implemented on one or more server computer(s) of a service provider;
establish a plurality of baselines for each of the plurality of client computers and for each of the one or more cloud application(s) or types of cloud applications of the organization;
detect anomalies based on the plurality of baselines;
provide aggregated anomaly data by aggregating the anomalies (i) corresponding to two or more of the plurality of baselines and a same behavior, or (ii) corresponding to multiple client computers accessing a same cloud application during a same period of time, wherein the aggregated anomaly data includes weighted values describing the aggregated anomalies, with higher weights of the weighted values indicating higher likelihoods that the aggregated anomaly data is associated with malicious activity, wherein multiple different types of aggregations are selectably performable to aggregate the anomalies, each of the multiple different types of aggregations being associated with a corresponding weight used to weight the weighted values, and wherein determining which specific weight to apply to the weighted values is based on which particular type of aggregation included within the multiple different types of aggregations is selected to aggregate the anomalies;
determine a risk value based on the aggregated anomaly data; and
perform a countermeasure based on the risk value.
(Dependent claims 11 to 15 not shown.)
16. One or more computer readable hardware storage device(s) having stored thereon computer-executable instructions that are executable by one or more processor(s) of a computer system to cause the computer system to detect an anomaly associated with access of a cloud application by causing the computer system to:
collect information of behavior data for a plurality of users of an organization accessing one or more cloud application(s) via a distributed network, wherein the behavior data includes tracked information tracked over time for the plurality of users, and wherein the one or more cloud application(s) are implemented on one or more server computer(s) of a service provider;
establish a plurality of baselines for each of the plurality of users and for each of the one or more cloud application(s) or types of cloud applications of the organization;
detect anomalies based on the plurality of baselines;
provide aggregated anomaly data by aggregating the anomalies (i) corresponding to two or more of the plurality of baselines and a same behavior, or (ii) corresponding to multiple users of a same cloud application during a same period of time, wherein the aggregated anomaly data includes weighted values describing the aggregated anomalies, with higher weights of the weighted values indicating higher likelihoods that the aggregated anomaly data is associated with malicious activity, wherein multiple different types of aggregations are selectably performable to aggregate the anomalies, each of the multiple different types of aggregations being associated with a corresponding weight used to weight the weighted values, and wherein determining which specific weight to apply to the weighted values is based on which particular type of aggregation included within the multiple different types of aggregations is selected to aggregate the anomalies;
determine a risk value based on the aggregated anomaly data; and
perform a countermeasure based on the risk value.
(Dependent claims 17 to 21 not shown.)