METHOD FOR DETECTING ANOMALY ACTION WITHIN A COMPUTER NETWORK

US 20140165207A1
Filed: 07/25/2012
Published: 06/12/2014
Est. Priority Date: 07/26/2011
Status: Abandoned Application

First Claim

Patent Images

1. A method for detecting anomalous action within a computer network:

collecting raw data from at least one probe sensor that is associated with at least one router, switch or at least one server which are part of the computer network, said raw data includes at least one of;

traffic data, logs and flow data;

parsing and analyzing the raw data;

creating meta-data from said raw data;

identifying computer network actions based on existing knowledge about network protocols;

associating the meta-data with entities by analyzing the identified network actions and correlating between different computer network actions, wherein entities include at least one of;

Internet Protocol, IP address, users, services, protocols, servers and workstations; and

creating at least one statistical model of the respective computer network, said model including network actions'"'"' behavior pattern; and

online or batch detection of anomalous network actions associated with entities based on the statistical models.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and system for detecting anomalous action within a computer network is provided herein. The method starts with collecting raw data from at least one probe sensor that is associated with at least one router, switch or at least one server which are part of the computer network. Next, the raw data is being parsed and analyzed and meta-data is created from the raw data. Computer network actions are being identified based on existing knowledge about network protocols. The meta-data is associated with entities by analyzing the identified network actions and correlating between different computer network actions. Finally, creating at least one statistical model of the respective computer network said model including network actions'"'"' behavior pattern and online or batch detection of anomalous network actions associated with entities based on the statistical models.

Citations

24 Claims

1. A method for detecting anomalous action within a computer network:
- collecting raw data from at least one probe sensor that is associated with at least one router, switch or at least one server which are part of the computer network, said raw data includes at least one of;
  
  traffic data, logs and flow data;
  
  parsing and analyzing the raw data;
  
  creating meta-data from said raw data;
  
  identifying computer network actions based on existing knowledge about network protocols;
  
  associating the meta-data with entities by analyzing the identified network actions and correlating between different computer network actions, wherein entities include at least one of;
  
  Internet Protocol, IP address, users, services, protocols, servers and workstations; and
  
  creating at least one statistical model of the respective computer network, said model including network actions'"'"' behavior pattern; and
  
  online or batch detection of anomalous network actions associated with entities based on the statistical models.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 22)
- - 2. The method according to claim 1 further comprising the step of running queries regarding actions of entities in the computer network and outside of the computer network by using a query sensor.
  - 3. The method according to claim 1 further comprising the step of eliminating duplications.
  - 4. The method according to claim 1 further comprising the step of correlating between different actions in the computer network for associating computer network actions.
  - 5. The method according to claim 1 further comprising the step of querying components in the computer network to receive relevant information for identifying relevant identities associated with computer network actions.
  - 6. The method according to claim 1 further comprising the step of associating collected data to entities that are outside the computer network.
  - 7. The method according to claim 1, further comprising the step of applying machine learning algorithms for creating statistical behavioral models.
  - 8. The method according to claim 1 further comprising the step of maintaining statistical models of behavior over multiple time periods for each entity.
  - 9. The method according to claim 1 further comprising the step for creating connectivity graph between entities for identifying functionality of entities and/or detecting abnormal connectivity.
  - 10. The method of claim 1 further comprising the step of clustering entities based on their actions by identifying common characteristics.
  - 11. The method of claim 1 further comprising the step of generating behavioral models for each entity and a model for each group of entities with common characteristics.
  - 12. The method of claim 1, wherein detecting anomalies comprise the step of comparing each action in the received data to models of entities and models of clusters of entities for analyzing likelihood of action validity.
  - 13. The method of claim 1, wherein detecting anomalies comprise the step of comparing a group of actions pattern to the received data to models of entities and models of clusters of entities, wherein actions pattern includes at least one of:
    - number of action per time or frequency usage.
  - 14. The method of claim 1 further comprising the steps of creating incidents by aggregating and clustering related anomalies based on specified parameters and ranking said incidents.
  - 15. The method of claim 1 further comprising the step of generating notifications or alerts based on identified anomalies according to predefined rules.
  - 16. The method of claim 1 further comprising the step of generating alerts based on identified anomalies according to identified attack patterns.
  - 17. The method of claim 1 further comprising the step of representing analyzed meta-data in a structured format.
  - 18. The method of claim 1 further comprising the step of continuously building a statistical model of the computer network, said model includes network actions behavioral patterns for different time periods.
  - 22. The method of claim 1 wherein the creating of at least one statistical model is preformed over multiple time periods.

19-21. -21. (canceled)

23. A system for detecting anomalous action within a computer network, said system comprised of:
- probe sensors associated with at least one router or at least one server in the computer network for collecting raw data, wherein raw data includes at least one of;
  
  traffic data, logs and flow data; and
  
  a network security processing unit associated with at least one sensor, said unit comprising;
  
  a condenser module for parsing and analyzing the raw data and identifying computer network actions based on existing knowledge of network protocols;
  
  a memory medium for representing analyzed meta-data in a structured format;
  
  an association module for associating the meta-data with entities by analyzing the identified actions and correlating between different actions in the computer network, wherein entities include at least one of;
  
  users, services, protocols, servers and workstations;
  
  a statistical modeling module for building a statistical model of the computer network, said model including;
  
  network actions behavior pattern for different time periods; and
  
  an anomaly detection module for online or batch detection of anomalies of actions associated with entities based on the statistical model.

24-40. -40. (canceled)

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Light Cyber Ltd.
Original Assignee
Light Cyber Ltd.
Inventors
Engel, Giora, Mumcouglu, Michael

Application Number

US14/234,165
Publication Number

US 20140165207A1
Time in Patent Office

Days
Field of Search
US Class Current

726/25
CPC Class Codes

G06F 21/566   Dynamic detection, i.e. det...

H04L 41/069   using logs of notifications...

H04L 41/12   Discovery or management of ...

H04L 41/142   using statistical or mathem...

H04L 43/026   using flow identification

H04L 43/04   Processing captured monitor...

H04L 43/0811   by checking connectivity

H04L 63/1425   Traffic logging, e.g. anoma...

METHOD FOR DETECTING ANOMALY ACTION WITHIN A COMPUTER NETWORK

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

METHOD FOR DETECTING ANOMALY ACTION WITHIN A COMPUTER NETWORK

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links