Method and system for detecting suspicious administrative activity

US 10,623,428 B2
Filed: 09/12/2017
Issued: 04/14/2020
Est. Priority Date: 09/12/2016
Status: Active Grant

First Claim

Patent Images

1. A method for detecting network threats, comprising:

collecting network traffic corresponding to communications within a network over a first time period;

analyzing metadata for the network traffic to identify an administrative realm comprising an administrator host that performs administrative activity and an administered host that is administered by the administrator host;

collecting additional network traffic corresponding to additional communications within the network over a second time period after the first time period and corresponding to two or more protocols;

determining whether respective communications of the additional communications correspond to anomalous activity on a protocol by protocol and a communication by communication basis, at least by processing each communication individually, processing at least comprising;

selecting a first communication corresponding to the additional network traffic and a first protocol;

determining whether the first communication is to be identified as anomalous using the administrative realm and a first heuristic based on a first type of the first protocol;

generating a first alert to identify suspicious activity pertaining to the first communication using the first protocol when the respective communication is determined to be identified as anomalous using the administrative realm and the first heuristic;

selecting a second communication corresponding to the additional network traffic and a second protocol;

determining whether the second communication is to be identified as anomalous using the administrative realm and a second heuristic based on a second type of the second protocol; and

generating a second alert to identify suspicious activity pertaining to the second communication using the second protocol when the respective communication is determined to be identified as anomalous using the administrative realm and the second heuristic.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Disclosed is an improved approach for identifying suspicious administrative host activity within a network. Network traffic is examined to learn the behavior of hosts within a network. This provides an effective way of determining whether or not a host is performing suspicious activity over an administrative protocol.

23 Citations

24 Claims

1. A method for detecting network threats, comprising:
- collecting network traffic corresponding to communications within a network over a first time period;
  
  analyzing metadata for the network traffic to identify an administrative realm comprising an administrator host that performs administrative activity and an administered host that is administered by the administrator host;
  
  collecting additional network traffic corresponding to additional communications within the network over a second time period after the first time period and corresponding to two or more protocols;
  
  determining whether respective communications of the additional communications correspond to anomalous activity on a protocol by protocol and a communication by communication basis, at least by processing each communication individually, processing at least comprising;
  
  selecting a first communication corresponding to the additional network traffic and a first protocol;
  
  determining whether the first communication is to be identified as anomalous using the administrative realm and a first heuristic based on a first type of the first protocol;
  
  generating a first alert to identify suspicious activity pertaining to the first communication using the first protocol when the respective communication is determined to be identified as anomalous using the administrative realm and the first heuristic;
  
  selecting a second communication corresponding to the additional network traffic and a second protocol;
  
  determining whether the second communication is to be identified as anomalous using the administrative realm and a second heuristic based on a second type of the second protocol; and
  
  generating a second alert to identify suspicious activity pertaining to the second communication using the second protocol when the respective communication is determined to be identified as anomalous using the administrative realm and the second heuristic.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein the metadata for the network traffic is analyzed by:
    - receiving the network traffic for analysis;
      
      pre-processing the network traffic by performing a task, including at least one of protocol identification, generating summary statistics over a time interval, or filtering network traffic data;
      
      storing pre-processed data into a database; and
      
      accessing the pre-processed data in the database to identify the administrator host that performs the administrative activity and to identify the administered host that are administered by the administrator host.
  - 3. The method of claim 2, wherein the database comprises a graphical database that stores connection relationships between hosts in the network, wherein a vertex represents the host and edges represents communications between hosts.
  - 4. The method of claim 1, wherein identification of the administrator host is performed per administrative protocol over a time period, and determination of the administrator host is performed via a heuristic or graph theoretic measure with consideration of at least one of account connection stability, connection volume, graph outbound degree, graph centrality, or graph connectedness.
  - 5. The method of claim 1, wherein processing each communication individually further comprises:
    - identifying a source and destination for the communication; and
      
      the first alert or the second alert corresponds to at least one of the protocol, the source, or the destination being different from established patterns previously identified for the administrative realm.
  - 6. The method of claim 5, wherein at least one heuristic corresponds to an administrative protocol originating from a host that is not within the administrative realm and directed to administered host within the administrative realm.
  - 7. The method of claim 5, wherein at least one heuristic corresponds to (a) a non-administrative protocol originating from or directed to a host that is within the administrative realm;
    - (b) an administrative protocol originating from a known administrator host even if the known administrator host is not within the administrative realm;
      
      or (c) an administrative protocol originating from the administrator host to the administered host within the administrative realm.
  - 8. The method of claim 1, further comprising updating administrative relationships by:
    - receiving the network traffic for analysis;
      
      identifying a communications pattern that is consistent over a time period; and
      
      updating the administrative relationships for the administrative realm based at least in part upon the communications pattern.

9. A system for detecting network threats, comprising:
- a memory for holding a sequence of instructions; and
  
  a processor that executes the sequence of instructions to perform a set of acts comprising;
  
  collecting network traffic corresponding to communications within a network over a first time period;
  
  analyzing metadata for the network traffic to identify an administrative realm comprising an administrator host that performs administrative activity and an administered host that is administered by the administrator host;
  
  collecting additional network traffic corresponding to additional communications within the network over a second time period after the first time period and corresponding to two or more protocols;
  
  determining whether respective communications of the additional communications correspond to anomalous activity on a protocol by protocol and a communication by communication basis, at least by processing each communication individually, processing at least comprising;
  
  selecting a first communication corresponding to the additional network traffic and a first protocol;
  
  determining whether the first communication is to be identified as anomalous using the administrative realm and a first heuristic based on a first type of the first protocol;
  
  generating a first alert to identify suspicious activity pertaining to the first communication using the first protocol when the respective communication is determined to be identified as anomalous using the administrative realm and the first heuristic;
  
  selecting a second communication corresponding to the additional network traffic and a second protocol;
  
  determining whether the second communication is to be identified as anomalous using the administrative realm and a second heuristic based on a second type of the second protocol; and
  
  generating a second alert to identify suspicious activity pertaining to the second communication using the second protocol when the respective communication is determined to be identified as anomalous using the administrative realm and the second heuristic.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The system of claim 9, wherein the set of acts further comprise:
    - receiving the network traffic for analysis;
      
      pre-processing the network traffic by performing a task, including at least one of protocol identification, generating summary statistics over a time interval, or filtering network traffic data;
      
      storing pre-processed data into a database; and
      
      accessing the pre-processed data in the database to identify the administrator host that performs the administrative activity and to identify the administered host that are administered by the administrator host.
  - 11. The system of claim 10, wherein the database comprises a graphical database that stores connection relationships between hosts in the network, wherein a vertex represents the host and edges represents communications between hosts.
  - 12. The system of claim 9, wherein identification of the administrator host is performed per administrative protocol over a time period, and determination of the administrator host is performed via a heuristic or graph theoretic measure with consideration of at least one of account connection stability, connection volume, graph outbound degree, graph centrality, or graph connectedness.
  - 13. The system of claim 9, wherein processing each communication individually further comprises:
    - identifying a source and destination for the communication; and
      
      the first alert or the second alert corresponds to at least one of the protocol, the source, or the destination being different from established patterns previously identified for the administrative realm.
  - 14. The system of claim 13, wherein at least one heuristic corresponds to an administrative protocol originating from a host that is not within the administrative realm and directed to the administered host within the administrative realm.
  - 15. The system of claim 13, wherein at least one heuristic corresponds to (a) a non-administrative protocol originating from or directed to a host that is within the administrative realm;
    - (b) an administrative protocol originating from a known administrator host even if the known administrator host is not within the administrative realm;
      
      or (c) an administrative protocol originating from the administrator host to the administered host within the administrative realm.
  - 16. The system of claim 9, the set of acts further comprising updating administrative relationships by:
    - receiving the network traffic for analysis;
      
      identifying a communications pattern that is consistent over a time period; and
      
      updating the administrative relationships for the administrative realm based at least in part upon the communications pattern.

17. A computer program product embodied on a non-transitory computer readable medium, the computer readable medium having stored thereon a sequence of instructions which, when executed by a processor, performs a set of acts for detecting network threats, the set of acts comprising:
- collecting network traffic corresponding to communications within a network over a first time period;
  
  analyzing metadata for the network traffic to identify an administrative realm comprising an administrator host that performs administrative activity and an administered host that is administered by the administrator host;
  
  collecting additional network traffic corresponding to additional communications within the network over a second time period after the first time period and corresponding to two or more protocols;
  
  determining whether respective communications of the additional communications correspond to anomalous activity on a protocol by protocol and a communication by communication basis, at least by processing each communication individually, processing at least comprising;
  
  selecting a first communication corresponding to the additional network traffic and a first protocol;
  
  determining whether the first communication is to be identified as anomalous using the administrative realm and a first heuristic based on a first type of the first protocol;
  
  generating a first alert to identify suspicious activity pertaining to the first communication using the first protocol when the respective communication is determined to be identified as anomalous using the administrative realm and the first heuristic;
  
  selecting a second communication corresponding to the additional network traffic and a second protocol;
  
  determining whether the second communication is to be identified as anomalous using the administrative realm and a second heuristic based on a second type of the second protocol; and
  
  generating a second alert to identify suspicious activity pertaining to the second communication using the second protocol when the respective communication is determined to be identified as anomalous using the administrative realm and the second heuristic.
- View Dependent Claims (18, 19, 20, 21, 22, 23, 24)
- - 18. The computer program product of claim 17, wherein the metadata for the network traffic is analyzed by:
    - receiving the network traffic for analysis;
      
      pre-processing the network traffic by performing a task, including at least one of protocol identification, generating summary statistics over a time interval, or filtering network traffic data;
      
      storing pre-processed data into a database; and
      
      accessing the pre-processed data in the database to identify the administrator host that performs the administrative activity and to identify the administered host that are administered by the administrator host.
  - 19. The computer program product of claim 18, wherein the database comprises a graphical database that stores connection relationships between hosts in the network, wherein a vertex represents the host and edges represents communications between hosts.
  - 20. The computer program product of claim 17, wherein identification of the administrator host is performed per administrative protocol over a time period, and determination of the administrator host is performed via a heuristic or graph theoretic measure with consideration of at least one of account connection stability, connection volume, graph outbound degree, graph centrality, or graph connectedness.
  - 21. The computer program product of claim 17, wherein processing each communication individually further comprises:
    - identifying a source and destination for the communication; and
      
      the first alert or the second alert corresponds to at least one of the protocol, the source, or the destination being different from established patterns previously identified for the administrative realm.
  - 22. The computer program product of claim 21, wherein at least one heuristic corresponds to an administrative protocol originating from a host that is not within the administrative realm and directed to the administered host within the administrative realm.
  - 23. The computer program product of claim 21, wherein at least one heuristic corresponds to (a) a non-administrative protocol originating from or directed to a host that is within the administrative realm;
    - (b) an administrative protocol originating from a known administrator host even if the known administrator host is not within the administrative realm;
      
      or (c) an administrative protocol originating from the administrator host to the administered host within the administrative realm.
  - 24. The computer program product of claim 17, wherein the sequence of instructions which, when executed by a processor, updates administrative relationships by:
    - receiving the network traffic for analysis;
      
      identifying a communications pattern that is consistent over a time period; and
      
      updating the administrative relationships for the administrative realm based at least in part upon the communications pattern.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Vectra AI Incorporated
Original Assignee
Vectra Networks, Inc.
Inventors
Beauchesne, Nicolas, Ni, Kevin Song-Kai
Primary Examiner(s)
Pwu, Jeffrey C
Assistant Examiner(s)
Corum, Jr., William A

Application Number

US15/702,454
Publication Number

US 20180077186A1
Time in Patent Office

945 Days
Field of Search
US Class Current
CPC Class Codes

G06N 20/00   Machine learning

H04L 2463/146   Tracing the source of attacks

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1441   Countermeasures against mal...

Method and system for detecting suspicious administrative activity

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

23 Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for detecting suspicious administrative activity

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

23 Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links