Method and system for user network behavioural based anomaly detection

US 20070245420A1
Filed: 12/26/2006
Published: 10/18/2007
Est. Priority Date: 12/23/2005
Status: Abandoned Application

First Claim

Patent Images

1. In a LAN environment, the network traffic is highly dynamic and the operating attributes changes frequently. The said system applies profiling of user'"'"'s network behaviour to define a baseline that is subsequently used to detect anomalous network usage and malicious network behaviour.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A baseline can be defined using specific attributes of the network traffic. Using the established baseline, deviation can then be measured to detect anomaly on the network. The accuracy of the baseline is the most important criterion of any effective network anomaly detection technique. In a local area network (LAN) environment, the attributes change very frequently by many change agents; for example, new entities, such as users, application, and network-enabled devices, added to and removed from the LAN environment. The invention provides an improved method of establishing a baseline for network anomaly detection based on user'"'"'s behaviour profiling. A user behaviour profiling is a distinct network usage pattern pertaining to a specific individual user operating on the LAN environment. No two users profiling would be the same. A group of users that have similar network usage attributes can be extrapolated using data mining technique to establish a group profiling baseline to detect network usage anomaly. By combining user and group profiling, a network anomaly detection system can measure subtle shift in network usage and as a result separate good user'"'"'s network usage behaviour from the bad one. Using the said technique, a lower rate of false positives of network anomaly can be created that is suitable to operate in a highly dynamic LAN environment.

177 Citations

14 Claims

1. In a LAN environment, the network traffic is highly dynamic and the operating attributes changes frequently. The said system applies profiling of user'"'"'s network behaviour to define a baseline that is subsequently used to detect anomalous network usage and malicious network behaviour.
- View Dependent Claims (2, 3, 4, 6, 7)
- - 2. The user profiling recited in claim 1 correlates user presence with network usage information to link the identity of a network user to his network usage patterns. The said user presence information includes user'"'"'s login information, network IP address assigned to the user'"'"'s host machine, and user host machine'"'"'s network MAC address. The said network usage information includes IP address of network service, network protocol, entry point of network service, and type of network service.
  - 3. The user presence information recited in claim 2 can be obtained from an authentication system that allow or deny network access and maintains a database of user authentication data, such as Unix, Microsoft Windows domain controller and active directory, RADIUS, Microsoft Network Access Protection (NAP), Cisco Network Admission Control (NAC), 802.1x, and any authentication systems that exhibit such attributes of network access control and authentication data management.
  - 4. The user presence information recited in claim 2 can be obtained by a way of sniffing network traffic and then decoding any protocol in clear-text format, which contains user information, for example, DNS, DHCP, NBNS, NetToken, Windows Domain Login and Email Login traffic.
  - 6. The network usage information recited in claim 2 can be obtained by sniffing network packets via passive network Tap device, SPAN port of managed switches, and NetFlow, sFlow, jFlow, and cFlow data of vendor-specific network devices.
  - 7. A collection of the said user profiling as recited in claim 2 can be used to define a group profiling. The group profiling consists of a set of users who exhibit similar operating attributes in the LAN environment. The said attributes can be categorized by the user'"'"'s roles and responsibilities in an organization. For example, employees in the R&
    - D organization.

5. It is highly like that a person has multiple identities, and an efficient and accurate algorithm of aggregating multiple identities into one person has been presented, which is described as follows:
- we combine multiple identities, such as email identities, VPN and/or Windows login identity, when their status is successful login and all of them have the same IP address. Furthermore, if more than one email identity are found almost in the same time (for example, in one minute) with a same IP, the following actions will be performed;
  
  (A) By analyzing the identity names, the one which is more similar to the host name of the used machine will be considered as the identity of this user. (B) The identity which has already been used by another IP or host name will be not considered as the identity of this user. (C) The one which has the name such as support, admin, administrator, root, etc., will not be considered as the identity of this user. Then we have one email identity of these email identities as the identity of this user, other email addresses will be discarded.
- View Dependent Claims (8, 9, 10, 12, 13)
- - 8. The set of users in a group profiling as recited in claim 5 could be defined by system administrators or imported from an authentication system (for example, a Windows domain controller).
  - 9. The group profiling as recited in claim 5 is used to establish a baseline of common behaviour of a group of users. The said baseline is derived using data mining technique and it is then used to detect network usage anomaly. The said group profiling represents normalized good behaviour of a group of users based on the assumption that the majority of members in a group would exhibit good network usage behaviour.
  - 10. The group profiling recited in claim 5 is also used to reduce the effect of baseline shift due to behaviour changes by a small subset of users within the group. The group profiling reflects the common behaviour of majority members in a group, which can be considered as good behaviour since it is usually true that violators are just minority users in the LAN environment and majority of the users have normal acceptable network behaviour.
  - 12. The said system would detect a collective shift in network behaviour as recited in claim 9 and re-establish the user and group baselines. The said collective shift in network behaviour would exhibit similar changes in behaviour by the majority users in the same group profiling.
  - 13. The newly discovered normal behaviour as recited in claim 9 will be appended into the user and group profilings.

11. The said system also considers the use case that user'"'"'s network behaviour does change, although not too frequent. If a user'"'"'s network behaviour deviates too far off from the individual'"'"'s user profiling baseline and similar deviation also exhibit in other users in the same group, then the anomaly will be feedback to the said system as newly discovered normal user behaviour. The said feedback would result in re-establishing the user and group profiling baselines.

14. The said system that applies user and group profiling to monitor normal network usage allows security policy to be enforced at the user level.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Xiaodong Lin, Yuh Yong
Original Assignee
Xiaodong Lin, Yuh Yong
Inventors
Lin, Xiaodong, Yong, Yuh

Application Number

US11/644,993
Publication Number

US 20070245420A1
Time in Patent Office

Days
Field of Search
US Class Current

726/23
CPC Class Codes

H04L 41/28   Restricting access to netwo...

H04L 43/00   Arrangements for monitoring...

H04L 63/1425   Traffic logging, e.g. anoma...

Method and system for user network behavioural based anomaly detection

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

177 Citations

14 Claims

Specification

Use Cases

Quick Links

Others

Method and system for user network behavioural based anomaly detection

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

177 Citations

14 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others