Modeling and Outlier Detection in Threat Management System Data
First Claim
1. A method of identifying potential threats on a network comprising:
accumulating traffic data from the network over a period of time;
calculating a first set of metric values for endpoints communicating on the network from the traffic data;
fitting a first mixture distribution to the first set of metric values;
identifying outlying metric values based on the mixture distribution; and
generating a list of outliers comprising the endpoints having an outlying metric value.
1 Assignment
0 Petitions
Abstract
Methods, systems, and computer-readable media for identifying potential threats on a network based on anomalous behavior in communication between endpoints are provided. Traffic data for a network is accumulated over some period of time. The traffic data is grouped by one or more keys, such as source IP address, and sets of metric values are calculated for the keys. A mixture distribution, such as a negative binomial mixture distribution, is fitted to each set of metric values, and outlying metric values are determined based on the mixture distribution(s). A list of outliers is then generated comprising key values having outlying metric values in one or more of the sets of metric values.
104 Citations
20 Claims
1. A method of identifying potential threats on a network comprising:
accumulating traffic data from the network over a period of time; calculating a first set of metric values for endpoints communicating on the network from the traffic data; fitting a first mixture distribution to the first set of metric values; identifying outlying metric values based on the mixture distribution; and generating a list of outliers comprising the endpoints having an outlying metric value.
Dependent claims: 2, 3, 4, 5, 6, 7

8. A system comprising:
a memory for storing a program containing computer-executable instructions for identifying potential threats on a network; and a processor functionally coupled to the memory, the processor being responsive to the computer-executable instructions and operative to: receive traffic data accumulated from the network over a period of time, calculate a first set of metric values for endpoints communicating on the network from the traffic data, fit a first mixture distribution to the first set of metric values, identify outlying metric values based on the first mixture distribution, and generate a list of outliers comprising the endpoints having outlying metric values.
Dependent claims: 9, 10, 11, 12, 13, 14

15. A computer-readable storage medium having computer-executable instructions stored thereon that, when executed by a computer, cause the computer to:
receive traffic data accumulated from a network; calculate a first set of metric values for endpoints communicating on the network from the traffic data; fit a negative binomial mixture distribution to the first set of metric values; identify outlying metric values based on the negative binomial mixture distribution; and generate a list of outliers comprising the endpoints having an outlying metric value.
Dependent claims: 16, 17, 18, 19, 20
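The abstract and claims describe the pipeline only in outline: group traffic by a key such as source IP, compute a metric per key, fit a negative binomial mixture to the metric values, and list the keys whose values are outlying. The following is an added worked example of that pipeline, written for this page; it is not the patent's own implementation. It fits a three-component negative binomial mixture with EM to constructed per-source-IP connection counts and flags an endpoint as an outlier if it lands in a component holding a negligible share of endpoints, or if its count sits in the far upper tail of the remaining components. The gap-based initialisation, the moment-matched M-step, the component count and the thresholds (`min_weight`, `alpha`) are this example's own assumptions, as are the IP addresses and counts.

```python
"""Negative binomial mixture outlier detection over per-endpoint counts.

Added illustration, not the patent's implementation. Fits a k-component
negative binomial mixture to one metric (connections per source IP, constructed
data) with EM and flags endpoints that fall in a tiny component or in the far
upper tail of the remaining components. Initialisation, M-step and thresholds
are this example's own assumptions.
"""
import math

R_MAX = 1e6  # dispersion cap; as r grows the negative binomial tends to Poisson


def nb_logpmf(k, mu, r):
    """log P(X = k) for a negative binomial with mean mu and dispersion r."""
    return (math.lgamma(k + r) - math.lgamma(r) - math.lgamma(k + 1)
            + r * math.log(r / (r + mu)) + k * math.log(mu / (r + mu)))


def moment_fit(values, weights):
    """Weighted method-of-moments estimate of (mu, r) for one component."""
    w = sum(weights)
    if w <= 0:
        return 1e-9, R_MAX
    mu = max(sum(wi * v for wi, v in zip(weights, values)) / w, 1e-9)
    var = sum(wi * (v - mu) ** 2 for wi, v in zip(weights, values)) / w
    if var <= mu:  # not over-dispersed: fall back to the Poisson limit
        return mu, R_MAX
    return mu, min(mu * mu / (var - mu), R_MAX)


def gap_init(counts, k):
    """Seed k components by cutting the sorted counts at the k-1 largest gaps."""
    xs = sorted(counts)
    order = sorted(range(1, len(xs)), key=lambda i: xs[i] - xs[i - 1], reverse=True)
    cuts = sorted(order[:k - 1]) + [len(xs)]
    groups, start = [], 0
    for c in cuts:
        groups.append(xs[start:c])
        start = c
    return groups


def fit_nb_mixture(counts, k=3, iters=200, tol=1e-8):
    """EM for a k-component NB mixture: returns [(weight, mu, r)], responsibilities."""
    n = len(counts)
    comps = [(len(g) / n,) + moment_fit(g, [1.0] * len(g)) for g in gap_init(counts, k)]
    resp = []
    for _ in range(iters):
        resp = []  # E-step: posterior component membership of each endpoint
        for x in counts:
            ll = [math.log(max(w, 1e-300)) + nb_logpmf(x, mu, r) for w, mu, r in comps]
            m = max(ll)
            p = [math.exp(v - m) for v in ll]
            s = sum(p)
            resp.append([pi / s for pi in p])
        new = []  # M-step: re-estimate weight, mean and dispersion per component
        for j in range(k):
            wj = [rx[j] for rx in resp]
            new.append((sum(wj) / n,) + moment_fit(counts, wj))
        moved = max(abs(a[0] - b[0]) + abs(a[1] - b[1]) for a, b in zip(comps, new))
        comps = new
        if moved < tol:
            break
    return comps, resp


def tail_prob(x, comps):
    """P(X >= x) under the mixture comps, with weights renormalised to sum to 1."""
    total = sum(w for w, _, _ in comps)
    if total <= 0:
        return 1.0
    cdf = sum((w / total) * sum(math.exp(nb_logpmf(j, mu, r)) for j in range(x))
              for w, mu, r in comps)
    return max(0.0, 1.0 - cdf)


def find_outliers(endpoint_counts, k=3, min_weight=0.05, alpha=1e-3):
    """Return (components, report); each report row says whether the endpoint is outlying."""
    ips = list(endpoint_counts)
    counts = [endpoint_counts[ip] for ip in ips]
    comps, resp = fit_nb_mixture(counts, k)
    # Components holding under min_weight of the endpoints are not 'normal'
    # behaviour; scoring against them would let a lone noisy host mask itself.
    normal = [c for c in comps if c[0] >= min_weight]
    report = []
    for ip, x, rx in zip(ips, counts, resp):
        j = max(range(k), key=lambda i: rx[i])
        p = tail_prob(x, normal)
        report.append({"ip": ip, "count": x, "component": j, "tail_prob": p,
                       "outlier": comps[j][0] < min_weight or p < alpha})
    return comps, report


# Constructed sample (not real traffic): 30 workstations, 10 busier servers and
# one host that opened 5000 connections in the window.
WORKSTATIONS = [6, 7, 7, 8, 8, 8, 9, 9, 9, 9, 10, 10, 10, 10, 10, 11, 11, 11, 11,
                12, 12, 12, 13, 13, 14, 14, 15, 15, 16, 18]
SERVERS = [160, 175, 186, 193, 201, 208, 216, 228, 241, 262]
ENDPOINT_COUNTS = {f"10.0.0.{i + 1}": c
                   for i, c in enumerate(WORKSTATIONS + SERVERS + [5000])}


def outlier_ips(endpoint_counts=ENDPOINT_COUNTS):
    """The list of endpoints flagged as outliers (the patent's 'list of outliers')."""
    _, report = find_outliers(endpoint_counts)
    return [row["ip"] for row in report if row["outlier"]]


if __name__ == "__main__":
    comps, report = find_outliers(ENDPOINT_COUNTS)
    for w, mu, r in comps:
        print(f"component: weight={w:.3f} mean={mu:.1f} dispersion={r:.1f}")
    for row in report:
        if row["outlier"]:
            print(f"OUTLIER {row['ip']}: {row['count']} connections, "
                  f"tail probability {row['tail_prob']:.2e}")
```

Two design points matter for detection quality. First, the servers are legitimately over-dispersed relative to a Poisson model, which is why a negative binomial (rather than Poisson) mixture is the natural fit: a Poisson component would make ordinary server variance look anomalous. Second, an extreme endpoint that EM gives its own component must not be scored against that component, or its own counts define its "normal" and it is never flagged; the example therefore drops components below `min_weight` before computing the upper-tail probability, and treats membership in such a component as a flag in itself. In a real deployment the same routine would run once per key and per metric (source IP, destination port, bytes out, and so on), and the final list would be the union of endpoints outlying on any metric, as the abstract describes.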
Specification