Context Aware Network Security Monitoring for Threat Detection
First Claim
1. A method for context aware network security monitoring for threat detection, the method comprising:
monitoring, by at least one processor, behavior of at least one node, associated with at least one user, in a network to generate a behavior profile for the at least one user;
comparing, by the at least one processor, the behavior profile for the at least one user with a baseline behavior profile for the at least one user;
determining, by the at least one processor, when there is a difference between the behavior profile for the at least one user and the baseline behavior profile for the at least one user;
flagging an event associated with the difference, by the at least one processor, when the difference at least one of exceeds a baseline threshold level, does not exceed a baseline threshold level, meets at least one criterion, and does not meet at least one criterion; and
classifying the event, by the at least one processor, to an event classification.
1 Assignment
0 Petitions
Abstract
The disclosed method involves monitoring behavior of at least one node, associated with at least one user, in a network to generate a behavior profile for the user(s). The method further involves comparing the behavior profile for at least one user with a baseline behavior profile for the user(s). Also, the method involves determining when there is a difference between the behavior profile for at least one user and the baseline behavior profile for the user(s). Further, the method involves flagging an event associated with the difference: when the difference exceeds a baseline threshold level, does not exceed a baseline threshold level, meets at least one criterion, and/or does not meet at least one criterion. Additionally, the method involves classifying the event to an event classification. Further, the method involves transmitting the event to at least one other node in the network and/or a network operations center.
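The abstract and claims describe a pipeline (profile, compare to baseline, flag on threshold or criterion, classify, transmit) without naming the behavioral features or the thresholds. The following is an added illustration written for this page, not the patent's own implementation: it assumes per-session features (bytes sent out, hour of day, destination hosts), a z-score threshold on outbound volume, an "unseen destination" criterion, an off-hours window, and a small constructed session log for two users. The message handed to the "network operations center" is simply a JSON string.

```python
"""Per-user behavior profile versus baseline, with threshold and criterion
flagging, event classification and a serialised event for transmission.
Added example; the features, thresholds and data are assumptions."""
import json
import statistics
from dataclasses import dataclass

# Assumption: 20:00 to 06:59 counts as off-hours for every user.
OFF_HOURS = set(range(0, 7)) | set(range(20, 24))

# Constructed baseline window (one record per observed session).
BASELINE_SESSIONS = [
    {"user": "alice", "hour": h, "bytes_out": b, "dst": ["crm.internal", "mail.internal"]}
    for h, b in zip([9, 10, 11, 13, 14, 15, 16, 9, 10, 17],
                    [100000, 120000, 110000, 130000, 140000,
                     105000, 125000, 115000, 135000, 120000])
] + [
    {"user": "bob", "hour": h, "bytes_out": b, "dst": ["wiki.internal"]}
    for h, b in zip([10, 11, 14, 16], [50000, 60000, 55000, 65000])
]

# Constructed current window: alice sends far more data, at night, to an unseen host.
CURRENT_SESSIONS = [
    {"user": "alice", "hour": 23, "bytes_out": 900000, "dst": ["files.example-unknown.net"]},
    {"user": "alice", "hour": 2, "bytes_out": 1200000, "dst": ["files.example-unknown.net"]},
    {"user": "alice", "hour": 22, "bytes_out": 800000, "dst": ["mail.internal"]},
    {"user": "bob", "hour": 10, "bytes_out": 58000, "dst": ["wiki.internal"]},
    {"user": "bob", "hour": 14, "bytes_out": 61000, "dst": ["wiki.internal"]},
]


@dataclass(frozen=True)
class Profile:
    sessions: int
    mean_bytes_out: float
    stdev_bytes_out: float
    off_hours_rate: float
    destinations: frozenset


def build_profile(sessions):
    """Summarise a user's sessions into the behavior profile being compared."""
    bytes_out = [s["bytes_out"] for s in sessions]
    off = sum(1 for s in sessions if s["hour"] in OFF_HOURS)
    return Profile(
        sessions=len(sessions),
        mean_bytes_out=statistics.fmean(bytes_out),
        stdev_bytes_out=statistics.pstdev(bytes_out),
        off_hours_rate=off / len(sessions),
        destinations=frozenset(d for s in sessions for d in s["dst"]),
    )


def compare(current, baseline):
    """Differences between the current profile and the baseline profile."""
    sigma = baseline.stdev_bytes_out or 1.0  # flat baseline: avoid division by zero
    return {
        "bytes_z": (current.mean_bytes_out - baseline.mean_bytes_out) / sigma,
        "new_destinations": sorted(current.destinations - baseline.destinations),
        "off_hours_delta": current.off_hours_rate - baseline.off_hours_rate,
    }


def flag_event(user, diff, z_threshold=3.0, off_hours_margin=0.25):
    """Flag when the difference exceeds (or falls below) the threshold or meets
    a criterion; return None when nothing is flagged. Classification is fixed
    by which conditions fired."""
    above = diff["bytes_z"] > z_threshold
    below = diff["bytes_z"] < -z_threshold
    new_dst = bool(diff["new_destinations"])
    off_hours = diff["off_hours_delta"] > off_hours_margin
    if not (above or below or new_dst or off_hours):
        return None
    if above and new_dst:
        cls = "possible_exfiltration"
    elif above:
        cls = "volume_anomaly"
    elif below:
        cls = "activity_drop"
    elif new_dst:
        cls = "unusual_destination"
    else:
        cls = "off_hours_activity"
    return {"user": user, "classification": cls, "evidence": diff}


def detect(baseline_sessions, current_sessions):
    """Run the profile/compare/flag/classify steps for every user in the current window."""
    def by_user(rows):
        return {u: [r for r in rows if r["user"] == u] for u in {r["user"] for r in rows}}
    base, cur = by_user(baseline_sessions), by_user(current_sessions)
    events = {}
    for user, rows in cur.items():
        if user not in base:  # no baseline yet is itself worth surfacing
            events[user] = {"user": user, "classification": "no_baseline", "evidence": {}}
            continue
        events[user] = flag_event(user, compare(build_profile(rows), build_profile(base[user])))
    return events


def to_noc_message(event):
    """Serialise a flagged event for transmission to another node or the NOC."""
    return json.dumps(event, sort_keys=True)


if __name__ == "__main__":
    for user, event in detect(BASELINE_SESSIONS, CURRENT_SESSIONS).items():
        print(user, to_noc_message(event) if event else "no event")
```

With the constructed data, alice's outbound volume is roughly 69 baseline standard deviations above her mean and she contacts an unseen host, so the event is classified as possible exfiltration; bob stays within his baseline and produces no event. The population standard deviation is used because the baseline window is treated as the whole reference period, and a flat baseline falls back to a unit sigma so the comparison still runs.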
463 Citations
37 Claims
1. A method for context aware network security monitoring for threat detection, the method comprising:
monitoring, by at least one processor, behavior of at least one node, associated with at least one user, in a network to generate a behavior profile for the at least one user;
comparing, by the at least one processor, the behavior profile for the at least one user with a baseline behavior profile for the at least one user;
determining, by the at least one processor, when there is a difference between the behavior profile for the at least one user and the baseline behavior profile for the at least one user;
flagging an event associated with the difference, by the at least one processor, when the difference at least one of exceeds a baseline threshold level, does not exceed a baseline threshold level, meets at least one criterion, and does not meet at least one criterion; and
classifying the event, by the at least one processor, to an event classification.
Dependent claims: 2 to 19.

20. A system for context aware network security monitoring for threat detection, the system comprising:
at least one processor to monitor behavior of at least one node associated with at least one user in a network to generate a behavior profile for the at least one user;
compare the behavior profile for the at least one user with a baseline behavior profile for the at least one user;
determine when there is a difference between the behavior profile for the at least one user and the baseline behavior profile for the at least one user;
flag an event associated with the difference, when the difference at least one of exceeds a baseline threshold level, does not exceed a baseline threshold level, meets at least one criterion, and does not meet at least one criterion; and
classify the event to an event classification; and
at least one transmitter, associated with the at least one node associated with the at least one user, to transmit the event to at least one of at least one other node in the network and a network operations center.
Dependent claims: 21 to 37.
Specification