DETECTING ANOMALOUS WEB PROXY ACTIVITY
First Claim
1. A method of detecting anomalous web proxy activity comprising:
- filtering the plurality of records extracted from the proxy log by the detection module to exclude records that do not include identified information;
- calculating a number of distinct destination addresses to which a source address is connecting;
- comparing the number of distinct destination addresses to a threshold number established for the source IP address; and
- determining, with the detection module, whether a first one of the records extracted from a web proxy log, and not excluded by the filtering, comprises suspicious web activity based on the comparing.
Abstract
A method, system and apparatus for detecting anomalous web proxy activity by end-users are disclosed. The techniques include analyzing records from a web proxy log and determining whether the records contain anomalous end-user activity by inspecting a uniform resource locator and a connect instruction included therein. The techniques also include generating an alert in response to the analysis.
20 Claims
1. A method of detecting anomalous web proxy activity comprising:
- filtering the plurality of records extracted from the proxy log by the detection module to exclude records that do not include identified information;
- calculating a number of distinct destination addresses to which a source address is connecting;
- comparing the number of distinct destination addresses to a threshold number established for the source IP address; and
- determining, with the detection module, whether a first one of the records extracted from a web proxy log, and not excluded by the filtering, comprises suspicious web activity based on the comparing.
(Dependent claims: 2, 3, 4, 5, 6, 7)
8. An article comprising a machine-readable medium storing machine-readable instructions that, when applied to a machine, cause the machine to:
- filter the plurality of records extracted from the proxy log to exclude records that do not include identified information;
- calculate a number of distinct destination addresses to which a source address is connecting;
- compare the number of distinct destination addresses to a threshold number established for the source IP address; and
- determine whether a first one of the records extracted from a web proxy log, and not excluded by the filtering, comprises suspicious web activity based on the comparison.
(Dependent claims: 9, 10, 11, 12, 13, 14)
15. A system comprising a service delivery device coupled to a network, the service delivery device including a processor and memory storing instructions that, in response to receiving a request for access to a service, cause the processor to:
- filter the plurality of records extracted from the proxy log to exclude records that do not include identified information;
- calculate a number of distinct destination addresses to which a source address is connecting;
- compare the number of distinct destination addresses to a threshold number established for the source IP address; and
- determine whether a first one of the records extracted from a web proxy log, and not excluded by the filtering, comprises suspicious web activity based on the comparison.
(Dependent claims: 16, 17, 18, 19, 20)
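The four claimed steps (filter, calculate, compare, determine), as an added example that is not the patent's or any assignee's code, run over constructed Squid-style proxy log lines; the field positions, the per-source threshold table and the default threshold are assumptions:

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample in a Squid-style native log layout (assumed fields:
# timestamp, elapsed ms, client IP, result code, bytes, method, URL).
SAMPLE_LOG = """\
1700000000.001 120 10.0.0.5 TCP_MISS/200 4321 GET http://example.com/index.html
1700000000.002 90 10.0.0.5 TCP_MISS/200 1200 GET http://example.com/app.js
1700000000.003 50 10.0.0.5 TCP_TUNNEL/200 0 CONNECT cdn.example.org:443
1700000000.004 40 10.0.0.9 TCP_TUNNEL/200 0 CONNECT host-a.example.net:443
1700000000.005 40 10.0.0.9 TCP_TUNNEL/200 0 CONNECT host-b.example.net:443
1700000000.006 40 10.0.0.9 TCP_TUNNEL/200 0 CONNECT host-c.example.net:443
1700000000.007 40 10.0.0.9 TCP_TUNNEL/200 0 CONNECT host-d.example.net:443
1700000000.008 40 10.0.0.9 TCP_DENIED/403 0
1700000000.009 40 10.0.0.9 TCP_MISS/200 88 GET http://host-e.example.net/beacon
"""

def parse_records(text):
    """One dict per log line; a field a malformed line lacks becomes None."""
    records = []
    for line in text.splitlines():
        f = line.split()
        records.append({"src": f[2] if len(f) > 2 else None,
                        "method": f[5] if len(f) > 5 else None,
                        "dest": f[6] if len(f) > 6 else None})
    return records

def destination_host(rec):
    """CONNECT lines carry host:port; other methods carry a full URL."""
    if rec["method"] == "CONNECT":
        return rec["dest"].rsplit(":", 1)[0]
    return urlsplit(rec["dest"]).hostname

def detect(text, thresholds, default_threshold):
    """Apply the claimed steps; return per-source distinct-destination
    counts and the kept records judged suspicious."""
    # Filtering: drop records that lack source, method or destination.
    kept = [r for r in parse_records(text)
            if r["src"] and r["method"] and r["dest"]]
    # Calculating: distinct destination hosts contacted by each source.
    dests = defaultdict(set)
    for r in kept:
        dests[r["src"]].add(destination_host(r))
    # Comparing: each source against its own threshold (default otherwise).
    over = {src for src, d in dests.items()
            if len(d) > thresholds.get(src, default_threshold)}
    # Determining: a kept record is suspicious when its source is over.
    counts = {src: len(d) for src, d in dests.items()}
    return counts, [r for r in kept if r["src"] in over]
```

Note that the denied line with no method or URL is excluded by the filtering step, so it neither adds a destination nor is itself flagged; only the source whose distinct-host count exceeds its threshold has its surviving records marked suspicious.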