BEHAVIOR-BASED TRAFFIC PROFILING BASED ON ACCESS CONTROL INFORMATION
Abstract
A method includes receiving one or more of user information, role information, or authorization information associated with a user accessing a network, selecting a traffic flow to monitor that is associated with the one or more of user information, role information, or authorization information, monitoring the traffic flow, determining whether an anomaly exists with respect to the traffic flow based on a traffic behavior pattern associated with the one or more of user information, role information, or authorization information, and performing a security response when it is determined that the anomaly exists.
Citations
20 Claims
1. A method performed by a device, comprising:
- receiving, by the device, one or more of user information, role information, or authorization information associated with a user accessing a network;
- selecting, by the device, a traffic flow to monitor that is associated with the one or more of user information, role information, or authorization information;
- monitoring, by the device, the traffic flow;
- determining, by the device, whether an anomaly of traffic behavior exists with respect to the traffic flow based on a traffic behavior pattern associated with the one or more of user information, role information, or authorization information; and
- performing, by the device, a security response when it is determined that the anomaly exists.

Dependent claims: 2, 3, 4, 5, 6, 7, 8

9. A network device, to:
- receive one or more of user information, role information, or authorization information associated with a network access of a user;
- select a traffic flow to monitor that is associated with the one or more of user information, role information, or authorization information;
- store a traffic behavior pattern corresponding to the one or more of user information, role information, or authorization information, based on one or more previous network accesses by the user;
- compare traffic flow information, associated with the traffic flow, with information associated with the traffic behavior pattern;
- determine that an anomaly of traffic behavior exists when the traffic flow differs from the information associated with the traffic behavior pattern; and
- perform a security response when it is determined that the anomaly of traffic behavior exists.

Dependent claims: 10, 11, 12, 13, 14, 15

16. A computer-readable medium having stored thereon instructions, executable by at least one processor, the computer-readable medium comprising:
- one or more instructions for receiving one or more of user information, role information, or authorization information associated with a network access by a user;
- one or more instructions for selecting a traffic flow, where the traffic flow is associated with the network access;
- one or more instructions for monitoring the traffic flow;
- one or more instructions for determining whether an anomaly of traffic behavior exists with respect to the traffic flow by comparing the traffic flow with a traffic behavior pattern associated with the one or more of user information, role information, or authorization information; and
- one or more instructions for performing a security response when it is determined that the anomaly exists.

Dependent claims: 17, 18

19. A network device, comprising:
- means for receiving one or more of user information, role information, or authorization information associated with a granted network access to a user;
- means for selecting a traffic flow resulting from the granted network access;
- means for monitoring the selected traffic flow;
- means for receiving a traffic behavior pattern associated with the one or more of user information, role information, or authorization information;
- means for comparing information associated with the selected traffic flow with the traffic behavior pattern;
- means for determining whether an anomaly of traffic behavior exists based on the comparing; and
- means for providing a security response when it is determined that the anomaly of traffic behavior exists.

20. A device, to:
- receive traffic flow information;
- construct a traffic profile associated with one or more of user information, role information, or authorization information relating to a granted network access;
- update a traffic behavior pattern associated with the one or more of user information, role information, or authorization information based on the traffic profile, where the traffic behavior pattern includes values or ranges of values indicative of non-deviant traffic behavior; and
- provide the updated traffic behavior pattern to another device.
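An added Python example, not the patent's own implementation, of the pipeline the independent claims describe: a traffic behavior pattern keyed on role information and holding ranges of non-deviant values (claims 9 and 20), selection of only the flows belonging to the granted access, comparison of each flow with the pattern, and a security response on deviation. The user and role names, the flow records, the mean plus or minus two standard deviations range, and the allow/alert/block policy are all assumptions constructed for this example.

```python
from dataclasses import dataclass
from statistics import mean, pstdev

@dataclass
class BehaviorPattern:
    """Role-keyed ranges of values indicative of non-deviant traffic behavior."""
    role: str
    bytes_low: float
    bytes_high: float
    allowed_ports: frozenset

def build_pattern(role, history, k=2.0):
    """Construct the pattern from (bytes, dport) records of previous accesses."""
    sizes = [b for b, _ in history]
    mu, sigma = mean(sizes), pstdev(sizes)   # assumed: mean +/- k*sigma is 'normal'
    return BehaviorPattern(role, max(0.0, mu - k * sigma), mu + k * sigma,
                           frozenset(p for _, p in history))

def select_flows(flows, access):
    """Select only the flows associated with the user whose access was granted."""
    return [f for f in flows if f["user"] == access["user"]]

def check_flow(flow, pattern):
    """Compare one flow with the pattern; return the deviations found."""
    reasons = []
    if not pattern.bytes_low <= flow["bytes"] <= pattern.bytes_high:
        reasons.append("bytes outside role range")
    if flow["dport"] not in pattern.allowed_ports:
        reasons.append("destination port unseen for role")
    return reasons

def security_response(reasons):
    """Assumed policy: no deviation allows, one alerts, more than one blocks."""
    if not reasons:
        return "allow"
    return "block" if len(reasons) > 1 else "alert"

def profile_access(access, flows, patterns):
    """Whole pipeline for one granted access: select, compare, respond."""
    pattern = patterns[access["role"]]       # pattern chosen by role, not by address
    verdicts = []
    for f in select_flows(flows, access):
        reasons = check_flow(f, pattern)
        verdicts.append((f["id"], security_response(reasons), reasons))
    return verdicts

# Constructed sample data (not from the patent); bob's flow must not be selected.
FINANCE_HISTORY = [(120_000, 443), (90_000, 443), (150_000, 443), (110_000, 445)]
PATTERNS = {"finance": build_pattern("finance", FINANCE_HISTORY)}
ACCESS = {"user": "alice", "role": "finance"}
FLOWS = [{"id": 1, "user": "alice", "bytes": 100_000, "dport": 443},
         {"id": 2, "user": "alice", "bytes": 2_500_000, "dport": 443},
         {"id": 3, "user": "alice", "bytes": 3_000_000, "dport": 3389},
         {"id": 4, "user": "bob", "bytes": 5_000_000, "dport": 3389}]
```

Running `profile_access(ACCESS, FLOWS, PATTERNS)` yields an allow for flow 1, an alert for the oversized flow 2, and a block for flow 3, which deviates in both size and destination port.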
Specification