METHOD FOR DETECTING ANOMALY ACTION WITHIN A COMPUTER NETWORK
First Claim
1. A method for detecting anomalous action within a computer network:
- collecting raw data from at least one probe sensor that is associated with at least one router, switch or at least one server which are part of the computer network, said raw data including at least one of: traffic data, logs and flow data;
- parsing and analyzing the raw data;
- creating meta-data from said raw data;
- identifying computer network actions based on existing knowledge about network protocols;
- associating the meta-data with entities by analyzing the identified network actions and correlating between different computer network actions, wherein entities include at least one of: Internet Protocol (IP) addresses, users, services, protocols, servers and workstations;
- creating at least one statistical model of the respective computer network, said model including network actions' behavior pattern; and
- online or batch detection of anomalous network actions associated with entities based on the statistical models.
Abstract
A method and system for detecting anomalous action within a computer network are provided. The method starts by collecting raw data from at least one probe sensor associated with at least one router, switch or server that is part of the computer network. The raw data is then parsed and analyzed, and meta-data is created from it. Computer network actions are identified based on existing knowledge about network protocols. The meta-data is associated with entities by analyzing the identified network actions and correlating between different computer network actions. Finally, at least one statistical model of the respective computer network is created, the model including the network actions' behavior pattern, and anomalous network actions associated with entities are detected, online or in batch, based on the statistical models.
24 Claims
1. (Independent claim; its text is given under First Claim above.) Claims 2-18 and 22 depend on claim 1.
19-21. (canceled)
23. A system for detecting anomalous action within a computer network, said system comprised of:
- probe sensors associated with at least one router or at least one server in the computer network for collecting raw data, wherein raw data includes at least one of: traffic data, logs and flow data; and
- a network security processing unit associated with at least one sensor, said unit comprising:
  - a condenser module for parsing and analyzing the raw data and identifying computer network actions based on existing knowledge of network protocols;
  - a memory medium for representing analyzed meta-data in a structured format;
  - an association module for associating the meta-data with entities by analyzing the identified actions and correlating between different actions in the computer network, wherein entities include at least one of: users, services, protocols, servers and workstations;
  - a statistical modeling module for building a statistical model of the computer network, said model including network actions' behavior pattern for different time periods; and
  - an anomaly detection module for online or batch detection of anomalies of actions associated with entities based on the statistical model.
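The pipeline recited in claims 1 and 23 (collect raw flow data, parse it into meta-data, name network actions from protocol knowledge, associate them with entities, build a statistical model of each entity's behavior per time period, then detect anomalies online or in batch) is shown below as a worked example added for this page; it is illustrative code, not the patentee's implementation or the claimed system itself. Everything not in the claims is an assumption: the destination-port-to-service table, the one-hour aggregation window, the business-hours/off-hours split as the "different time periods", the median/MAD baseline with a z-score threshold of 4, and the flow records, which are all constructed.

```python
"""Toy end-to-end pipeline for the claimed steps (added example, not the patent's own code):
raw flow records -> meta-data -> named actions -> per-entity features -> per-period model ->
batch and online detection. Every record below is constructed; the port table is assumed."""
import statistics
from collections import defaultdict, namedtuple

# "Existing knowledge about network protocols": an assumed destination-port -> service table.
SERVICE_BY_PORT = {22: "ssh", 53: "dns", 80: "http", 443: "https", 445: "smb", 3389: "rdp"}
FEATURES = ("distinct_dsts", "distinct_services", "bytes_out")
# One identified network action; hour is an absolute hour index, src is the entity modelled here.
Action = namedtuple("Action", "hour src dst service nbytes")

def period_of(hour):
    """Time period of the model (claim 23): business hours vs. off hours (assumed split)."""
    return "business" if 8 <= hour % 24 < 18 else "off_hours"

def parse_flows(raw):
    """Parse CSV flow records 'hour,src,dst,dst_port,proto,bytes' into named actions (meta-data)."""
    actions = []
    for line in raw.strip().splitlines():
        hour, src, dst, port, proto, nbytes = line.split(",")
        service = SERVICE_BY_PORT.get(int(port), f"{proto}/{port}")  # unknown port: keep proto/port
        actions.append(Action(int(hour), src, dst, service, int(nbytes)))
    return actions

def aggregate(actions):
    """Associate actions with their source entity and summarise each (entity, hour)."""
    buckets = defaultdict(lambda: {"dsts": set(), "svcs": set(), "bytes": 0})
    for a in actions:
        b = buckets[(a.src, a.hour)]
        b["dsts"].add(a.dst); b["svcs"].add(a.service); b["bytes"] += a.nbytes
    return {k: {"distinct_dsts": len(b["dsts"]), "distinct_services": len(b["svcs"]),
                "bytes_out": b["bytes"]} for k, b in buckets.items()}

def fit_model(features):
    """Per (entity, period, feature): median and a floored MAD scale, robust to a few bad training hours."""
    samples = defaultdict(list)
    for (entity, hour), row in features.items():
        for f in FEATURES:
            samples[(entity, period_of(hour), f)].append(row[f])
    model = {}
    for key, xs in samples.items():
        med = statistics.median(xs)
        mad = statistics.median(abs(x - med) for x in xs)
        model[key] = (med, max(1.4826 * mad, 1.0, 0.05 * abs(med)))  # floor keeps z finite when MAD == 0
    return model

def score(model, entity, hour, row, threshold=4.0):
    """Robust z-score each feature against the entity's model for that period; return the flagged ones."""
    flagged = {}
    for f in FEATURES:
        key = (entity, period_of(hour), f)
        if key in model:  # an entity/period with no baseline has no pattern to deviate from
            med, scale = model[key]
            z = (row[f] - med) / scale
            if abs(z) >= threshold:
                flagged[f] = round(z, 1)
    return flagged

def detect_batch(model, features, threshold=4.0):
    """Batch mode: score every (entity, hour) summary of a finished data set."""
    return {k: z for k, row in features.items() if (z := score(model, k[0], k[1], row, threshold))}

def detect_online(model, stream, threshold=4.0):
    """Online mode: consume actions as they arrive; score each hour window as soon as the next hour starts."""
    window = []
    for a in stream:
        if window and a.hour != window[-1].hour:
            yield from detect_batch(model, aggregate(window), threshold).items()
            window = []
        window.append(a)
    if window:  # flush the last, still-open hour at end of stream
        yield from detect_batch(model, aggregate(window), threshold).items()

def constructed_baseline(days=7):
    """Constructed 'normal' week for 10.0.0.5: two web servers + DNS by day, a DNS heartbeat at night."""
    lines = []
    for h in range(days * 24):
        if period_of(h) == "business":
            lines += [f"{h},10.0.0.5,10.0.1.20,443,tcp,{1_500_000 + 1000 * (h % 24)}",
                      f"{h},10.0.0.5,10.0.1.21,443,tcp,400000", f"{h},10.0.0.5,10.0.0.2,53,udp,8000"]
        else:
            lines.append(f"{h},10.0.0.5,10.0.0.2,53,udp,2000")
    return "\n".join(lines)

# Constructed day 8, hour 177 (09:00): the usual traffic plus an SMB sweep of 40 internal hosts.
CONSTRUCTED_SCAN = "\n".join(
    ["177,10.0.0.5,10.0.1.20,443,tcp,1509000", "177,10.0.0.5,10.0.1.21,443,tcp,400000",
     "177,10.0.0.5,10.0.0.2,53,udp,8000"] + [f"177,10.0.0.5,10.0.2.{i},445,tcp,500" for i in range(1, 41)])

def run_demo():
    """Fit on the constructed week, then detect over week + scan hour in batch and in online mode."""
    baseline, scan = parse_flows(constructed_baseline()), parse_flows(CONSTRUCTED_SCAN)
    model = fit_model(aggregate(baseline))
    return detect_batch(model, aggregate(baseline + scan)), dict(detect_online(model, iter(baseline + scan)))

if __name__ == "__main__":
    batch, online = run_demo()
    print("batch:", batch, "\nonline:", online, "\nidentical:", batch == online)
```

Both modes flag only hour 177 for `10.0.0.5`, and only on the distinct-destination feature: byte volume stays normal because the sweep is tiny, so a bytes-only baseline would miss it. The scale floor in `fit_model` matters in practice: per-entity features such as "distinct destinations per hour" are often constant during training, and without a floor a MAD of zero would make every deviation infinite.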
24-40. (canceled)
Specification