Method and apparatus of detecting network activity
Abstract
Embodiments of the invention are concerned with a method of, and apparatus for, identifying types of network behaviour for use in identifying aberrant network behaviour. In particular, embodiments are concerned with identifying email viruses. The method comprises the steps of: collecting data representative of network traffic that has travelled over a network; training a classification means to recognise a plurality of network behaviour types from the collected data; and for unseen data travelling over the network, classifying the unseen data into one of the defined network behaviour types.
30 Claims
1. A method of identifying behaviour patterns in respect of a system that operates over a communications network, the system comprising a plurality of server computers and client computers, wherein at least some of the server computers are arranged to deliver data to, and receive data from, one or more client computers over the communications network, the method comprising the steps of:
(a) receiving data in respect of data which have been sent within the system, each of the received data items identifying the computer, within the system, to and/or from which the said data item has been sent;
(b) organising the received data into a representation indicative of the distribution of data sent within the system, as a function of identified computer; and
(c) using the representation to train a classification means to recognise a plurality of behaviour types.
18. Apparatus for identifying aberrant behaviour in respect of a system that operates within a communications network, the system comprising a plurality of server computers and client computers, wherein each server computer is arranged to deliver data to, and receive data from, one or more client computers over the communications network, the apparatus comprising
receiving means arranged to receive data in respect of data which have been sent within the system, each of the received data items identifying the computer, within the system, from and/or to which the said data item has been sent during a time period;
means operable to arrange the received data into groups of received data as a function of type of sent data, so that each group represents a type of behaviour;
organising means arranged to organise data in each group into a representation indicative of a distribution of data sent within the system, as a function of identified computer during the period; and
a classification means operable to receive the representation as input and operable to generate an output representative of a behaviour corresponding to the group.
30. An email activity device for use in identifying email viruses, the device being located in a network and operable to communicate with other devices in the network, comprising
retrieving means operable to retrieve data representative of email traffic, during a time period, from any one of: a log file being part of a firewall arrangement, a log file accessible from an email server machine, or a plurality of log files accessible from a plurality of email server machines;
organising means arranged to organise the retrieved data into a representation indicative of a distribution of the said email traffic during the period;
transforming means arranged to transform the representation into a format suitable for input into a classification means; and
a classification means operable to receive the transformed representation as input and operable to generate an output representative of a type of email traffic.
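The email-activity pipeline of claim 30 (retrieve log data for a time period, organise it into a per-computer distribution, transform it into classifier input, classify the window), as an added example that is neither the patent's own nor any product's code. It assumes a hypothetical log line format `t<n> from=<host> to=<host>`, constructed host names and traffic windows, and a nearest-centroid classifier standing in for the unspecified classification means.

```python
# Added example (not part of the patent or of any product implementing it):
# builds the per-computer "distribution of email traffic" of claim 30 from
# constructed mail-log lines, transforms it into classifier input, and
# trains/applies a nearest-centroid classifier. Log format, host names and
# behaviour labels are all constructed for illustration.
import math
import re
from collections import Counter

LOG_RE = re.compile(r"^\S+ from=(\S+) to=(\S+)$")  # hypothetical log format

def sent_distribution(log_lines, hosts):
    """Organising step: share of messages in the window sent by each known host."""
    counts = Counter(m.group(1) for m in map(LOG_RE.match, log_lines) if m)
    total = sum(counts[h] for h in hosts) or 1
    return [counts[h] / total for h in hosts]

def to_features(dist):
    """Transforming step: host-order-independent input for the classifier.
    A worm mailing from one host gives a peaked, low-entropy distribution."""
    entropy = -sum(p * math.log2(p) for p in dist if p > 0)
    return sorted(dist, reverse=True) + [entropy]

def train_centroids(labelled_windows, hosts):
    """Training step: one mean feature vector (centroid) per behaviour type."""
    sums, counts = {}, Counter()
    for label, lines in labelled_windows:
        f = to_features(sent_distribution(lines, hosts))
        prev = sums.get(label, [0.0] * len(f))
        sums[label] = [a + b for a, b in zip(prev, f)]
        counts[label] += 1
    return {lab: [x / counts[lab] for x in v] for lab, v in sums.items()}

def classify(log_lines, hosts, centroids):
    """Classification step: the nearest centroid names the behaviour type."""
    f = to_features(sent_distribution(log_lines, hosts))
    return min(centroids, key=lambda lab: math.dist(f, centroids[lab]))

HOSTS = ["pc1", "pc2", "pc3", "pc4"]  # constructed client computers

def window(sends):
    """Constructed log lines for one time period from (from, to, count) triples."""
    return [f"t{i} from={s} to={d}" for s, d, n in sends for i in range(n)]

# Constructed training windows: evenly spread mail vs. one host flooding the rest.
NORMAL = [window([("pc1", "pc2", 3), ("pc2", "pc3", 2), ("pc3", "pc4", 3), ("pc4", "pc1", 2)]),
          window([("pc1", "pc3", 2), ("pc2", "pc4", 3), ("pc3", "pc1", 2), ("pc4", "pc2", 3)])]
OUTBREAK = [window([("pc2", "pc1", 20), ("pc2", "pc3", 20), ("pc2", "pc4", 20), ("pc1", "pc2", 1)]),
            window([("pc3", "pc1", 15), ("pc3", "pc2", 15), ("pc3", "pc4", 15), ("pc4", "pc1", 1)])]
CENTROIDS = train_centroids([("normal", w) for w in NORMAL] + [("outbreak", w) for w in OUTBREAK], HOSTS)
UNSEEN = window([("pc4", "pc1", 30), ("pc4", "pc2", 30), ("pc4", "pc3", 30), ("pc1", "pc4", 2)])
```

`classify(UNSEEN, HOSTS, CENTROIDS)` labels the unseen window, in which pc4 sends almost everything, as the outbreak behaviour type even though pc4 never appeared as the flooding host during training, because the transform step discards host identity and keeps only the shape of the distribution.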