Network anomaly detection
First Claim
1. A computer-implemented method for detecting an anomalous activity in a network, the method being implemented by one or more computer readable storage devices configured to store computer executable instructions, and by one or more hardware computer processors in communication with the one or more computer readable storage devices configured to execute the computer executable instructions, the method comprising:
- logging, to the one or more computer readable storage devices, user activity for a plurality of users in the network;
- sorting the plurality of users into a plurality of cohorts;
- detecting a new activity by a first user of the plurality of users, wherein the first user is sorted into a first cohort of the plurality of cohorts;
- determining a geographic region from which the new activity originated;
- determining attack origin distribution data, wherein the attack origin distribution data includes statistical information of network attacks originating in a plurality of countries, and wherein the attack origin distribution data further includes at least a first probability that network attacks originate from the geographic region;
- determining network activity origin distribution data, wherein the network activity origin distribution data is based on an analysis of origins of network activity over a period of time, and wherein the network activity origin distribution data further includes at least a second probability of network activity originating from the geographic region, wherein the network activity includes both malicious and non-malicious traffic;
- determining a third probability of a network attack;
- generating a statistical probability that the new activity is the network attack based at least in part on a combination of the first probability, the second probability, and the third probability; and
- generating an indicator of a potential anomaly for display based at least in part on the statistical probability.
Abstract
A security system detects anomalous activity in a network. The system logs user activity, which can include ports used, compares users to find similar users, sorts similar users into cohorts, and compares new user activity to logged behavior of the cohort. The comparison can include a divergence calculation. Origins of user activity can also be used to determine anomalous network activity. The hostname, username, IP address, and timestamp can be used to calculate aggregate scores and convoluted scores.
313 Citations
19 Claims
- 1. A computer-implemented method for detecting an anomalous activity in a network (independent claim; the full text is given under First Claim above). Dependent claims: 2, 3, 4, 5, 6, 7, 8.
- 9. A computer system comprising:
  - one or more computer readable storage devices configured to store computer executable instructions; and
  - one or more hardware computer processors configured to execute the computer executable instructions in order to cause the computer system to:
    - log, to one or more computer readable storage devices, user activity for a plurality of users in a network;
    - sort the plurality of users into a plurality of cohorts;
    - detect a new activity by a first user of the plurality of users, wherein the first user is sorted into a first cohort of the plurality of cohorts;
    - determine a geographic region from which the new activity originated;
    - determine attack origin distribution data, wherein the attack origin distribution data includes statistical information of network attacks originating in a plurality of countries, and wherein the attack origin distribution data further includes at least a first probability that network attacks originate from the geographic region;
    - determine network activity origin distribution data, wherein the network activity origin distribution data is based on an analysis of origins of network activity over a period of time, and wherein the network activity origin distribution data further includes at least a second probability that network activity through the network originated from the geographic region, wherein the network activity includes both malicious and non-malicious traffic;
    - determine a third probability of a network attack;
    - generate a statistical probability that the new activity is the network attack based at least in part on a combination of the first probability, the second probability, and the third probability; and
    - generate an indicator of a potential anomaly for display based at least in part on the statistical probability.
  Dependent claims: 10, 11, 12, 13, 14.
- 15. A method for detecting anomalous network activity, the method comprising:
  - logging user activity for a plurality of users through a network;
  - sorting the plurality of users into a plurality of cohorts;
  - detecting a new activity by a first user of a first plurality of users, wherein the first user is sorted into a first cohort of the plurality of cohorts;
  - determining attack origin distribution data, wherein the attack origin distribution data includes statistical information of network attacks originating in a plurality of countries, and wherein the attack origin distribution data further includes at least a first probability that network attacks originate from the geographic region;
  - determining network activity origin distribution data, wherein the network activity origin distribution data is based on an analysis of origins of network activity over a period of time, and wherein the network activity origin distribution data further includes at least a second probability of network activity originating from the geographic region, wherein the network activity includes both malicious and non-malicious traffic;
  - determining a third probability of a network attack;
  - generating a statistical probability that the new activity is the network attack based at least in part on a combination of the first probability, the second probability, and the third probability; and
  - generating an indicator of a potential anomaly for display based at least in part on the statistical probability.
  Dependent claims: 16, 17, 18, 19.
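A worked example of the three-probability combination the independent claims describe, added here and not code from the patent or its assignee. It assumes the "combination" is Bayes' rule, P(attack | region) = P(region | attack) * P(attack) / P(region), and uses constructed attack counts, a constructed activity log and an assumed base rate; the region names, function names and threshold are all hypothetical.

```python
"""Worked example of the three-probability combination in claim 1."""
from collections import Counter

# Constructed data, not from the patent: attacks observed per country in a
# hypothetical threat feed -> attack origin distribution, P(region | attack).
ATTACK_COUNTS = {"AA": 700, "BB": 200, "CC": 100}

# Constructed activity log (username, origin country) over a period, covering
# malicious and non-malicious traffic -> activity origin distribution, P(region).
ACTIVITY_LOG = [
    ("alice", "CC"), ("alice", "CC"), ("bob", "CC"), ("bob", "CC"),
    ("carol", "BB"), ("alice", "CC"), ("dave", "AA"), ("bob", "CC"),
    ("carol", "CC"), ("alice", "CC"),
]

# Third probability, the base rate of attacks P(attack): an assumed value.
BASE_ATTACK_RATE = 0.05

def normalise(counts):
    """Turn a mapping of counts into a probability distribution."""
    total = sum(counts.values())
    return {key: value / total for key, value in counts.items()}

def attack_origin_distribution(attack_counts=ATTACK_COUNTS):
    """First probability per region: share of known attacks from there."""
    return normalise(attack_counts)

def activity_origin_distribution(log=ACTIVITY_LOG):
    """Second probability per region: share of all logged activity from there."""
    return normalise(Counter(region for _, region in log))

def attack_probability(region, attack_dist, activity_dist, base_rate):
    """Combine the three probabilities by Bayes' rule (an assumption; the claim
    only says "a combination"):
        P(attack | region) = P(region | attack) * P(attack) / P(region)
    A region with no logged activity has P(region) = 0 and the ratio is
    undefined, so it is treated as maximally anomalous (score 1.0)."""
    p_region = activity_dist.get(region, 0.0)
    if p_region == 0.0:
        return 1.0
    posterior = attack_dist.get(region, 0.0) * base_rate / p_region
    return min(1.0, posterior)  # rough inputs can push the ratio above 1

def anomaly_indicator(score, threshold=0.25):
    """Indicator generated for display once the score crosses a threshold."""
    return "potential anomaly" if score >= threshold else "normal"
```

With these inputs, activity from AA (70% of known attacks but 10% of normal traffic) scores 0.35 and is flagged, while activity from CC (10% of attacks, 80% of traffic) scores 0.00625 and is not.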
Specification