Method and system for user network behavioural based anomaly detection
Abstract
A baseline can be defined using specific attributes of the network traffic. Using the established baseline, deviation from it can then be measured to detect anomalies on the network. The accuracy of the baseline is the most important criterion of any effective network anomaly detection technique. In a local area network (LAN) environment, the attributes change very frequently through many change agents; for example, new entities such as users, applications and network-enabled devices are added to and removed from the LAN environment. The invention provides an improved method of establishing a baseline for network anomaly detection based on user behaviour profiling. A user behaviour profile is the distinct network usage pattern pertaining to a specific individual user operating on the LAN environment. No two user profiles are the same. A group of users that have similar network usage attributes can be extrapolated using data mining techniques to establish a group profiling baseline to detect network usage anomalies. By combining user and group profiling, a network anomaly detection system can measure subtle shifts in network usage and as a result separate benign user network usage behaviour from malicious behaviour. Using the said technique, a lower false-positive rate for network anomalies can be achieved that is suitable for operation in a highly dynamic LAN environment.
177 Citations
14 Claims
- 1. In a LAN environment, the network traffic is highly dynamic and the operating attributes change frequently. The said system applies profiling of a user's network behaviour to define a baseline that is subsequently used to detect anomalous network usage and malicious network behaviour.
- 5. It is highly likely that a person has multiple identities, and an efficient and accurate algorithm for aggregating multiple identities into one person has been presented, which is described as follows:
- We combine multiple identities, such as email identities and VPN and/or Windows login identities, when their status is successful login and all of them have the same IP address. Furthermore, if more than one email identity is found at almost the same time (for example, within one minute) with the same IP, the following actions are performed:
(A) By analyzing the identity names, the one which is more similar to the host name of the machine used is considered as the identity of this user. (B) An identity which has already been used by another IP or host name is not considered as the identity of this user. (C) An identity with a name such as support, admin, administrator, root, etc., is not considered as the identity of this user. Then one of these email identities is kept as the identity of this user, and the other email addresses are discarded.
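The identity-aggregation step of claim 5, worked through as an added example (this is illustrative code, not the patent's implementation). Successful email, VPN and Windows logins from one IP are merged into one person; when several email identities appear within the one-minute window, the two exclusion rules (B) and (C) are applied before the host-name similarity rule (A), so that a shared mailbox or service account can never be selected. The log lines, host names, addresses and the use of `difflib` as the name-similarity measure are constructed assumptions.

```python
"""Identity aggregation along the lines of claim 5: merge the email, VPN and
Windows identities seen from one IP into one person, and keep a single email
identity when several appear within a short window.  Added example, not the
patent's code; all names, hosts and addresses below are constructed."""
import difflib
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple, Optional

# Names that denote shared or service mailboxes rather than a person (rule C).
SERVICE_NAMES = {"support", "admin", "administrator", "root"}
# "Almost the same time": the one-minute window given as an example in the claim.
WINDOW = timedelta(minutes=1)


class Event(NamedTuple):
    ts: datetime
    source: str      # "email", "vpn" or "windows"
    identity: str
    ip: str
    host: str
    success: bool


def local_part(identity: str) -> str:
    """jsmith@example.com -> jsmith; CORP\\jsmith -> jsmith."""
    return identity.split("@")[0].split("\\")[-1].lower()


def name_similarity(identity: str, host: str) -> float:
    """Rule A: how closely the identity name resembles the machine's host name
    (assumed measure: difflib ratio between local part and host name)."""
    return difflib.SequenceMatcher(None, local_part(identity), host.lower()).ratio()


def choose_email_identity(candidates: List[str], host: str, ip: str,
                          usage: Dict[str, set]) -> Optional[str]:
    """Pick one email identity from several seen together at one IP.
    Exclusions (C) and (B) run first; similarity (A) picks among survivors."""
    keep = [c for c in candidates if local_part(c) not in SERVICE_NAMES]        # rule C
    keep = [c for c in keep if not any(u != (ip, host) for u in usage[c])]      # rule B
    if not keep:
        return None
    return max(keep, key=lambda c: name_similarity(c, host))                   # rule A


def aggregate(events: List[Event]) -> Dict[str, dict]:
    """One record per IP: host, chosen email identity, VPN and Windows
    identities seen there, and the email identities that were discarded."""
    ok = sorted((e for e in events if e.success), key=lambda e: e.ts)
    usage: Dict[str, set] = defaultdict(set)     # identity -> {(ip, host)}, for rule B
    for e in ok:
        usage[e.identity].add((e.ip, e.host))
    by_ip: Dict[str, List[Event]] = defaultdict(list)
    for e in ok:
        by_ip[e.ip].append(e)

    persons = {}
    for ip, evs in by_ip.items():
        host = evs[0].host
        emails = [e for e in evs if e.source == "email"]
        chosen, discarded, i = None, [], 0
        # Email logins within WINDOW of the first one in a cluster compete for
        # the same person; a lone identity is accepted as-is per the claim.
        while i < len(emails) and chosen is None:
            start = emails[i].ts
            members = [e for e in emails[i:] if e.ts - start <= WINDOW]
            cluster = list(dict.fromkeys(e.identity for e in members))
            chosen = cluster[0] if len(cluster) == 1 else \
                choose_email_identity(cluster, host, ip, usage)
            discarded += [c for c in cluster if c != chosen]
            i += len(members)
        persons[ip] = {
            "host": host,
            "email": chosen,
            "vpn": sorted({e.identity for e in evs if e.source == "vpn"}),
            "windows": sorted({e.identity for e in evs if e.source == "windows"}),
            "discarded": discarded,
        }
    return persons


def _t(s: str) -> datetime:
    return datetime.fromisoformat("2024-01-15T" + s)


# Constructed log, not real data: one workstation opens four mailboxes within
# 30 s, and a second workstation shares one of them (triggers rule B).
SAMPLE_EVENTS = [
    Event(_t("09:00:00"), "windows", "CORP\\jsmith", "10.0.0.5", "ws-jsmith", True),
    Event(_t("09:00:10"), "vpn", "jsmith", "10.0.0.5", "ws-jsmith", True),
    Event(_t("09:00:20"), "email", "john.smith@example.com", "10.0.0.5", "ws-jsmith", True),
    Event(_t("09:00:30"), "email", "admin@example.com", "10.0.0.5", "ws-jsmith", True),
    Event(_t("09:00:40"), "email", "jsmith@example.com", "10.0.0.5", "ws-jsmith", True),
    Event(_t("09:00:50"), "email", "shared.box@example.com", "10.0.0.5", "ws-jsmith", True),
    Event(_t("09:05:00"), "email", "shared.box@example.com", "10.0.0.9", "ws-alee", True),
    Event(_t("09:05:05"), "email", "alee@example.com", "10.0.0.9", "ws-alee", True),
    Event(_t("09:05:07"), "vpn", "alee", "10.0.0.9", "ws-alee", False),   # failed: ignored
]


def demo() -> Dict[str, dict]:
    return aggregate(SAMPLE_EVENTS)


if __name__ == "__main__":
    for ip, rec in demo().items():
        print(ip, rec)
```

Only successful logins feed the usage map, so a failed attempt against another user's mailbox does not cause that identity to be discarded under rule (B); a practitioner would also expect the service-name list and the window to be configurable rather than fixed.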
- 11. The said system also considers the case that a user's network behaviour does change, although not too frequently. If a user's network behaviour deviates too far from the individual user profiling baseline and a similar deviation is also exhibited by other users in the same group, then the anomaly is fed back to the said system as newly discovered normal user behaviour. The said feedback results in re-establishing the user and group profiling baselines.
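The user-and-group profiling of the abstract together with the feedback case of claim 11, as an added example (illustrative code, not the patent's implementation). Each user's baseline is the mean and standard deviation of one daily attribute; a day that lands more than a threshold number of standard deviations from that baseline is an anomaly unless enough peers in the same group shift the same way, in which case the observation is accepted and the baselines are re-established. The profiled attribute (megabytes uploaded per day), the thresholds, the standard-deviation floor and the simple one-dimensional grouping rule standing in for the data-mining step are all assumptions; the histories are constructed.

```python
"""User and group profiling with baseline feedback (abstract and claim 11).
Added example, not the patent's code.  The attribute profiled (MB uploaded per
user per day), the thresholds and the grouping rule are assumptions."""
import statistics
from typing import Dict, List

Z_THRESHOLD = 3.0        # assumed: more than 3 sigma off the user's own baseline
GROUP_AGREEMENT = 0.5    # assumed: share of group peers that must shift the same way
STD_FLOOR = 1.0          # assumed: stops a near-constant baseline flagging every change


class UserProfile:
    """Per-user baseline: mean and standard deviation of the daily attribute."""

    def __init__(self, user: str, history: List[float]):
        self.user = user
        self.history = list(history)

    @property
    def mean(self) -> float:
        return statistics.fmean(self.history)

    @property
    def std(self) -> float:
        return max(statistics.pstdev(self.history), STD_FLOOR)

    def zscore(self, value: float) -> float:
        return (value - self.mean) / self.std


def build_groups(profiles: Dict[str, UserProfile], ratio: float = 2.0) -> Dict[str, int]:
    """Stand-in for the data-mining step: sort users by baseline mean and put
    neighbours whose means are within a factor `ratio` in the same group."""
    ordered = sorted(profiles.values(), key=lambda p: p.mean)
    groups: List[List[str]] = [[ordered[0].user]]
    for prev, cur in zip(ordered, ordered[1:]):
        if cur.mean <= prev.mean * ratio:
            groups[-1].append(cur.user)
        else:
            groups.append([cur.user])
    return {u: i for i, g in enumerate(groups) for u in g}


def evaluate_day(profiles: Dict[str, UserProfile], group_of: Dict[str, int],
                 observations: Dict[str, float]) -> Dict[str, str]:
    """Score one day's {user: value} against the user baselines.  A user far
    off their own baseline is an anomaly unless enough group peers shifted the
    same way (claim 11), in which case the shift is fed back as new normal.
    Returns {user: "normal" | "anomaly" | "rebaselined"}."""
    z = {u: profiles[u].zscore(v) for u, v in observations.items()}
    verdicts: Dict[str, str] = {}
    for u, zu in z.items():
        if abs(zu) <= Z_THRESHOLD:
            verdicts[u] = "normal"
            continue
        peers = [p for p in z if p != u and group_of[p] == group_of[u]]
        agree = [p for p in peers if abs(z[p]) > Z_THRESHOLD and (z[p] > 0) == (zu > 0)]
        same_way = bool(peers) and len(agree) / len(peers) >= GROUP_AGREEMENT
        verdicts[u] = "rebaselined" if same_way else "anomaly"
    # Feedback: accepted observations extend the history and so re-establish the
    # user baseline.  Anomalies are deliberately kept out, so a single attacker
    # cannot drift a baseline towards the malicious level day by day.
    for u, v in observations.items():
        if verdicts[u] != "anomaly":
            profiles[u].history.append(v)
    return verdicts


# Constructed seven-day histories (MB uploaded per day), not real traffic.
SAMPLE_HISTORY = {
    "eng1": [50, 52, 48, 51, 49, 53, 47],
    "eng2": [60, 62, 58, 61, 59, 63, 57],
    "eng3": [45, 47, 43, 46, 44, 48, 42],
    "fin1": [6, 7, 5, 6, 7, 5, 6],
    "fin2": [8, 9, 7, 8, 9, 7, 8],
}
# Day 1: the whole engineering group starts pushing larger artefacts (claim 11).
# Day 2: one finance user alone uploads 60 MB while the peer stays at 8 MB.
SAMPLE_DAYS = [
    {"eng1": 120, "eng2": 130, "eng3": 110, "fin1": 6, "fin2": 8},
    {"eng1": 118, "eng2": 128, "eng3": 108, "fin1": 60, "fin2": 8},
]


def run(history=SAMPLE_HISTORY, days=SAMPLE_DAYS) -> List[Dict[str, str]]:
    """Replay the sample days; groups are rebuilt after each day so the group
    baseline follows the re-established user baselines."""
    profiles = {u: UserProfile(u, h) for u, h in history.items()}
    results = []
    for obs in days:
        group_of = build_groups(profiles)
        results.append(evaluate_day(profiles, group_of, obs))
    return results


if __name__ == "__main__":
    for day, verdicts in enumerate(run(), 1):
        print(f"day {day}: {verdicts}")
```

On day 1 all three engineering users are far off their individual baselines, but because they shift together the system treats it as new normal and re-baselines them rather than raising three alerts; on day 2 the lone finance user is flagged because the peer in the same group shows no such shift. Appending accepted observations is the simplest form of re-establishing the baseline; a production system would typically use a sliding window or decay so that old behaviour ages out.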
- 14. The said system, which applies user and group profiling to monitor normal network usage, allows security policy to be enforced at the user level.