BEHAVIOR-BASED SECURITY SYSTEM
Abstract
Described herein are techniques for operating a security server to determine behavioral profiles for entities in a network and to detect attacks or unauthorized traffic in the network based on those behavioral profiles. In one technique, a behavioral profile may be generated based on requests for security operations to be performed that are received at a security server from an entity in a network. The behavioral profile may be generated using learning techniques, including artificial intelligence techniques such as neural networks. When the security server receives from an entity one or more requests for security operations to be performed, the security server may compare properties of the requests to the behavioral profile for the entity and to properties of requests commonly sent by the entity. The security server may determine a similarity score indicating how similar the requests are to the behavioral profile and to requests commonly received from the entity.
Claims (20)
1. In a network comprising at least one client computing device and at least one security server regulating access to the network for the at least one client computing device, a method of detecting unauthorized access to the network, the method comprising:
(A) receiving, at the at least one security server from a client computing device, at least one request for a security operation to be performed for an entity;
(B) comparing properties of the at least one request to a behavioral profile for the entity to determine a similarity score for the at least one request, the behavioral profile identifying properties of requests commonly transmitted by the entity; and
(C) when the similarity score is below a threshold, increasing security restrictions on the entity.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11.

12. At least one computer-readable storage medium encoded with computer-executable instructions that, when executed by a computer, cause the computer to carry out, in a network comprising at least one client computing device and at least one security server regulating access to the network for the at least one client computing device, a method of detecting unauthorized access to the network, the method comprising:
(A) establishing at least one respective behavioral profile through analyzing properties of a plurality of requests for security operations to be performed transmitted by each entity communicating in the network, each respective behavioral profile being associated with an entity and identifying properties of requests commonly transmitted by the entity;
(B) establishing at least one group behavioral profile based at least in part on a plurality of respective behavioral profiles, each group behavioral profile identifying properties of requests commonly transmitted by entities in the group;
(C) receiving at the at least one security server from a client computing device at least one request for a security operation to be performed for a particular entity;
(D) identifying a group to which the particular entity belongs;
(E) comparing properties of the at least one request to a respective behavioral profile for the entity and to a group behavioral profile for the group to determine a similarity score for the at least one request; and
(F) when the similarity score is below a threshold, increasing security restrictions on the entity.
Dependent claims: 13, 14, 15, 16, 20.

17. An apparatus comprising:
at least one network adapter; and
at least one processor adapted to:
receive, via the at least one network adapter, a behavioral profile for an entity from at least one security server of a network to which the at least one network adapter has established a connection;
receive at least one request to transmit into the network, on behalf of the entity, at least one request for a security operation to be performed;
compare properties of the at least one request to the behavioral profile for the entity to determine a similarity score for the at least one request; and
when the similarity score is below a threshold, prevent the at least one request from being transmitted into the network.
Dependent claims: 18, 19.

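The abstract and claims 1, 12 and 17 describe one mechanism from three vantage points: a profile of the request properties an entity usually sends, a similarity score for a new request against that profile (and, in claim 12, against a group profile), a threshold, and a response that is either escalating restrictions on the server or refusing to transmit on the client. The following is an added example, not code from the patent or its assignee, that implements that mechanism end to end. The tracked properties (operation, source network, hour bucket, target), the frequency-based similarity measure, the equal weighting of entity and group profiles, the threshold of 0.3, the restriction ladder and the sample history are all assumptions chosen for illustration; the patent leaves each of them open (it mentions neural networks as one way to build the profile).

```python
"""Behavioral-profile scoring for requests for security operations.

Added example, not code from the patent: a toy implementation of the scheme
the abstract and claims describe. The tracked request properties, the
frequency-based similarity measure, the weights, the threshold and the
restriction ladder are all assumptions chosen for illustration.
"""
from collections import Counter, defaultdict

# Request properties the profile tracks (assumption; the claims only say
# "properties of requests commonly transmitted by the entity").
FIELDS = ("operation", "source_net", "hour_bucket", "target")


def make_request(operation, source_net, hour_bucket, target):
    return dict(zip(FIELDS, (operation, source_net, hour_bucket, target)))


class Profile:
    """Per-property frequency counts learned from an entity's (or group's) past requests."""

    def __init__(self):
        self.counts = defaultdict(Counter)
        self.total = 0

    def learn(self, request):
        for f in FIELDS:
            self.counts[f][request[f]] += 1
        self.total += 1

    def similarity(self, request):
        """0..1: mean over properties of how often the request's value was seen before."""
        if self.total == 0:
            return 0.0  # no history: treat every request as unfamiliar
        return sum(self.counts[f][request[f]] / self.total for f in FIELDS) / len(FIELDS)


class SecurityServer:
    """Server side of claims 1 and 12: per-entity and per-group profiles, a
    similarity score, and escalating restrictions when the score is low."""

    # Restriction ladder applied on successive low-score requests (assumption).
    LADDER = ("step_up_auth", "rate_limit", "quarantine")

    def __init__(self, threshold=0.3, group_weight=0.5):
        self.threshold = threshold
        self.group_weight = group_weight
        self.entity_profiles = defaultdict(Profile)
        self.group_profiles = defaultdict(Profile)
        self.group_of = {}
        self.level = defaultdict(int)  # current restriction level per entity

    def train(self, entity, group, history):
        """Claim 12 (A)/(B): learn the entity profile and fold it into the group profile."""
        self.group_of[entity] = group
        for request in history:
            self.entity_profiles[entity].learn(request)
            self.group_profiles[group].learn(request)

    def score(self, entity, request):
        """Claim 12 (D)/(E): weighted mix of entity and group similarity."""
        own = self.entity_profiles[entity].similarity(request)
        grp = self.group_profiles[self.group_of[entity]].similarity(request)
        return (1 - self.group_weight) * own + self.group_weight * grp

    def handle(self, entity, request):
        """Returns (decision, score); escalates restrictions below the threshold."""
        s = self.score(entity, request)
        if s >= self.threshold:
            return "allow", s
        self.level[entity] = min(self.level[entity] + 1, len(self.LADDER))
        return self.LADDER[self.level[entity] - 1], s


class ClientGate:
    """Client side of claim 17: holds the profile received from the server and
    refuses to transmit a request whose similarity is below the threshold."""

    def __init__(self, profile, threshold=0.3):
        self.profile = profile
        self.threshold = threshold

    def transmit(self, request):
        return self.profile.similarity(request) >= self.threshold


# Constructed sample history (assumption): two finance-team entities and
# the security operations they usually request.
HISTORY = {
    "alice": ("finance", [make_request("sign", "10.1.0.0/16", "business", "ledger-db")] * 8
                         + [make_request("verify", "10.1.0.0/16", "business", "ledger-db")] * 2),
    "bob":   ("finance", [make_request("sign", "10.1.0.0/16", "business", "payroll-db")] * 10),
}
NORMAL = make_request("sign", "10.1.0.0/16", "business", "ledger-db")
ODD = make_request("decrypt", "203.0.113.0/24", "night", "ledger-db")


def demo():
    server = SecurityServer()
    for entity, (group, history) in HISTORY.items():
        server.train(entity, group, history)
    gate = ClientGate(server.entity_profiles["alice"])  # profile pushed to the client
    return {
        "normal": server.handle("alice", NORMAL),
        "odd1": server.handle("alice", ODD),
        "odd2": server.handle("alice", ODD),
        "gate_normal": gate.transmit(NORMAL),
        "gate_odd": gate.transmit(ODD),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

With this history, alice's usual request scores 0.9 (0.95 against her own profile, 0.85 against the finance group, whose target split halves the target term) and is allowed, while the off-hours decrypt request from an outside network scores 0.1875 and triggers step-up authentication, then rate limiting on repetition. The client gate, which only has the entity profile, blocks the same request at 0.25. Two caveats a practitioner would add in a real deployment: a profile trained on a compromised account learns the attacker's behaviour as normal, so training windows need to predate the incident, and a per-property frequency score cannot see correlations between properties, which is one reason the abstract leaves room for learned models.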
Specification