Relating to the monitoring of network security
First Claim
1. A method of monitoring a network and its nodes for security threats, the method comprising:
- monitoring the activity of a plurality of network nodes by measuring parameters and/or actions associated with each network node;
- calculating a plurality of node scores for each of the network nodes based upon the measured parameters and/or actions;
- comparing the calculated one or more node scores against a reference activity, the reference activity including both of a peer node score indicative of the monitored activity of a peer node having a similar type as the respective network node, and a network node score indicative of the monitored activity of a network node having a historically similar activity profile as the respective network node;
- calculating a node suspicion score representing the likelihood of suspicious activity for the one or more network nodes based upon the comparison, wherein the node suspicion score for a particular network node includes a weighted sum of a) a peer anomaly score representing a difference between a cumulative peer node score for an individual network node over time and a mean of cumulative peer node scores for all of the network nodes, the difference then divided by a standard deviation of the cumulative peer node scores for all of the network nodes, and b) a discord anomaly score representing a difference between an average of the network node scores for the individual network node over time and a mean of the average network node scores for all of the network nodes, the difference then divided by a standard deviation of the average network node scores for all of the network nodes; and
- applying a Grubbs test to determine whether the node suspicion score is a statistical outlier.
Abstract
The present invention provides target-centric monitoring of a network, enabling a likelihood score for the existence of an attack to be calculated. The score is calculated by monitoring a plurality of network nodes for a range of symptoms. Detected symptoms are then profiled using a classical Bayesian-based framework such that a node score is calculated for every node. The node scores are compared against reference activity so as to identify deviations from it. The reference activity may comprise peer analysis, comparing the node scores against the node scores of peer nodes, and discord analysis, comparing the node score of a particular node against its historical behaviour. Based on the deviations, the method can enable the calculation of a likelihood of suspicious activity for each node.
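The two anomaly scores of claim 1 and the peer/discord analysis of the abstract, worked through in Python. This is an added example, not code from the patent or its assignee: the per-interval node scores are constructed sample data (the Bayesian symptom profiling that produces them is out of scope here), the equal weights are assumed since the claim does not fix them, and the Grubbs critical value is the tabulated two-sided value for n=8 at alpha=0.05.

```python
from statistics import mean, stdev

# Constructed sample: 8 workstations of the same type (so each is a peer of the others), 4 intervals.
# PEER_SCORES: per-interval node score measured against what same-type peers do.
# DISCORD_SCORES: per-interval node score measured against the node's own historical profile.
PEER_SCORES = {
    "ws-01": [1, 1, 1, 1], "ws-02": [1, 2, 1, 1], "ws-03": [1, 1, 2, 1], "ws-04": [2, 1, 1, 1],
    "ws-05": [1, 1, 1, 2], "ws-06": [2, 1, 1, 2], "ws-07": [3, 5, 6, 8], "ws-08": [1, 2, 2, 1],
}
DISCORD_SCORES = {
    "ws-01": [0.5, 0.5, 0.5, 0.5], "ws-02": [0.5, 0.5, 0.5, 0.5], "ws-03": [0.5, 1.0, 0.5, 0.0],
    "ws-04": [1.0, 1.0, 1.0, 1.0], "ws-05": [0.0, 0.5, 0.5, 1.0], "ws-06": [1.0, 0.5, 0.5, 1.0],
    "ws-07": [2.0, 3.0, 4.0, 5.0], "ws-08": [0.5, 1.0, 1.0, 0.5],
}
# Assumed: tabulated two-sided Grubbs critical value for n=8 samples at alpha=0.05.
G_CRIT_N8_A05 = 2.127


def zscores(values):
    """Standardise each node's value by the mean and sample std deviation over all nodes."""
    mu, sd = mean(values.values()), stdev(values.values())
    return {node: (v - mu) / sd if sd else 0.0 for node, v in values.items()}


def peer_anomaly(peer_scores):
    # Claim 1(a): cumulative peer score per node, standardised across all nodes.
    return zscores({n: sum(s) for n, s in peer_scores.items()})


def discord_anomaly(discord_scores):
    # Claim 1(b): time-averaged score per node, standardised across all nodes.
    return zscores({n: mean(s) for n, s in discord_scores.items()})


def suspicion_scores(peer_scores, discord_scores, w_peer=0.5, w_discord=0.5):
    """Node suspicion score: weighted sum of the two anomaly scores (weights assumed)."""
    pa, da = peer_anomaly(peer_scores), discord_anomaly(discord_scores)
    return {n: w_peer * pa[n] + w_discord * da[n] for n in peer_scores}


def grubbs(scores, g_crit):
    """Single-pass Grubbs test: G = max|x - mean| / s. Returns (extreme node, G, is_outlier)."""
    vals = list(scores.values())
    mu, sd = mean(vals), stdev(vals)
    node = max(scores, key=lambda n: abs(scores[n] - mu))
    g = abs(scores[node] - mu) / sd if sd else 0.0   # identical scores: nothing to flag
    return node, g, g > g_crit


if __name__ == "__main__":
    s = suspicion_scores(PEER_SCORES, DISCORD_SCORES)
    node, g, flagged = grubbs(s, G_CRIT_N8_A05)
    for n, v in sorted(s.items(), key=lambda kv: -kv[1]):
        print(f"{n}: suspicion={v:+.3f}")
    print(f"Grubbs: {node} G={g:.3f} crit={G_CRIT_N8_A05} outlier={flagged}")
```

Because each anomaly score is a z-score across nodes, the suspicion scores sum to zero and the Grubbs statistic is bounded by (n-1)/sqrt(n), so a single outlier among few nodes can only just clear the critical value; in practice the test is repeated over larger peer groups and rolling windows.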
12 Claims: independent claim 1 as set out above, with dependent claims 2 to 12.