SYSTEMS AND METHODS FOR DETECTION OF ANOMALOUS NETWORK BEHAVIOR
First Claim
1. A computer implemented method for detecting anomalous behavior in a network, comprising:
receiving data representing at least one network activity, each network activity representing a certain data access event occurring between certain network entities;
extracting from said data representing each respective network activity, the certain network entities involved in the respective network activity;
retrieving at least one relevant diversity value from a network behavior model based on said extracted certain network entities, wherein said network behavior model includes at least one diversity value, wherein each respective diversity value represents a certain relationship between at least one network entity and at least one network entity type;
calculating an abnormality score for said received at least one network activity based on said retrieved at least one relevant diversity value;
classifying said at least one network activity as anomalous or normal based on said calculated abnormality score; and
generating an alert when said at least one network activity is classified as anomalous.
Abstract
There is provided a computer implemented method for detecting anomalous behavior in a network, comprising: receiving data representing at least one network activity, each network activity representing a certain data access event involving certain network entities; extracting from the data the certain network entities involved in the respective network activity; retrieving at least one relevant diversity value from a network behavior model based on the extracted certain network entities, wherein the network behavior model includes at least one diversity value, wherein each respective diversity value represents a certain relationship between at least one network entity and at least one network entity type; calculating an abnormality score for the received network activity based on the retrieved relevant diversity values; and classifying the network activity as anomalous or normal based on the calculated abnormality score.
27 Claims
1. A computer implemented method for detecting anomalous behavior in a network, comprising:
receiving data representing at least one network activity, each network activity representing a certain data access event occurring between certain network entities;
extracting from said data representing each respective network activity, the certain network entities involved in the respective network activity;
retrieving at least one relevant diversity value from a network behavior model based on said extracted certain network entities, wherein said network behavior model includes at least one diversity value, wherein each respective diversity value represents a certain relationship between at least one network entity and at least one network entity type;
calculating an abnormality score for said received at least one network activity based on said retrieved at least one relevant diversity value;
classifying said at least one network activity as anomalous or normal based on said calculated abnormality score; and
generating an alert when said at least one network activity is classified as anomalous.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10.
11. A computer implemented method for generating a model for detecting anomalous behavior in a network, comprising:
receiving data representing a plurality of network activities, each network activity representing a certain data access event occurring between certain network entities;
extracting from said data representing each respective network activity, the certain network entities involved in said respective network activity;
calculating at least one diversity value from said plurality of network activities, wherein each diversity value represents a certain relationship between at least one network entity and at least one network entity type;
generating a network behavior model based on said calculated at least one diversity value; and
outputting said network behavior model.
Dependent claims: 12, 13, 14, 15, 16, 17, 18, 19, 20.
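The learning step of claim 11 and the detection step of claim 1 can be illustrated together. The following is an added example, not code from the patent or its assignee; it assumes a concrete definition of "diversity value" (the number of distinct entities of a given type that an entity was observed interacting with), an assumed scoring formula, and constructed user-to-server access events.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Activity:  # one data access event between two network entities (constructed schema)
    source: str        # e.g. a user account
    source_type: str   # entity type of the source, e.g. "user"
    target: str        # e.g. a server or data set
    target_type: str   # entity type of the target, e.g. "server"

def build_model(activities):
    """Model generation (claim 11). Assumed definition: diversity[(entity, entity_type)]
    is the number of distinct entities of that type the entity interacted with."""
    partners = defaultdict(set)
    pairs = set()
    for a in activities:
        partners[(a.source, a.target_type)].add(a.target)
        partners[(a.target, a.source_type)].add(a.source)
        pairs.add((a.source, a.target))
    return {"diversity": {k: len(v) for k, v in partners.items()}, "pairs": pairs}

def abnormality_score(model, a):
    """Detection (claim 1): retrieve the two relevant diversity values and score. A pair seen
    during learning scores 0; a new pair scores higher the narrower each side's history is."""
    if (a.source, a.target) in model["pairs"]:
        return 0.0
    d_src = model["diversity"].get((a.source, a.target_type), 0)  # unseen entity -> 0
    d_tgt = model["diversity"].get((a.target, a.source_type), 0)
    return 0.5 * (1.0 / (1 + d_src) + 1.0 / (1 + d_tgt))  # assumed formula, range (0, 1]

def classify(model, a, threshold=0.4):
    score = abnormality_score(model, a)
    return ("anomalous" if score > threshold else "normal", score)

def detect(model, activities, threshold=0.4):
    """Return one alert string per activity classified as anomalous."""
    alerts = []
    for a in activities:
        label, score = classify(model, a, threshold)
        if label == "anomalous":
            alerts.append(f"ALERT {a.source}->{a.target} score={score:.2f}")
    return alerts

# Constructed learning data: alice has broad access, bob and carol narrow access.
TRAINING = [Activity(u, "user", s, "server") for u, s in [
    ("alice", "fs-01"), ("alice", "fs-02"), ("alice", "fs-03"), ("alice", "fs-04"),
    ("bob", "fs-01"), ("carol", "hr-db"), ("dave", "fs-01"), ("dave", "fs-02"),
    ("erin", "fs-01"), ("erin", "fs-02"), ("erin", "fs-03")]]
MODEL = build_model(TRAINING)
```

With this model, alice (four servers) touching hr-db scores 0.35 and stays normal, while bob (one server) touching the same hr-db scores 0.5 and raises an alert; a never-seen account scores highest of all.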
21. A system for detecting anomalous behavior in a network, comprising:
an anomaly detecting server in communication with said network, said server configured to:
receive data representing at least one network activity within said network, each network activity representing a certain data access event occurring between certain network entities in said network;
calculate an abnormality score for said received at least one network activity based on a retrieved at least one relevant diversity value, said at least one relevant diversity value obtained by extracting from said data representing each respective network activity, the certain network entities involved in the respective network activity, and retrieving said at least one relevant diversity value from a network behavior model based on said extracted certain network entities, wherein said network behavior model includes at least one diversity value, wherein each respective diversity value represents a certain relationship between at least one network entity and at least one network entity type;
classify said at least one network activity as anomalous or normal based on a calculated abnormality score; and
generate an alert when the at least one network activity is classified as anomalous.
Dependent claims: 22, 23.
24. A system for generating a model for detecting anomalous behavior in a network, comprising:
a learning server in communication with a network, said server configured to:
receive data representing a plurality of network activities within said network, each network activity representing a certain data access event occurring between certain network entities connected to said network;
generate a network behavior model based on at least one diversity value calculated from said plurality of network activities, wherein each diversity value represents a certain relationship between at least one network entity and at least one network entity type, the certain network entities involved in said respective network activity extracted from said data representing each respective network activity; and
output said network behavior model.
Dependent claims: 25.
26. A computer program product for detecting anomalous behavior in a network, comprising:
one or more non-transitory computer-readable storage mediums, and program instructions stored on at least one of the one or more storage mediums, the program instructions comprising:
program instructions to receive data representing at least one network activity, each network activity representing a certain data access event occurring between certain network entities;
program instructions to extract from said data representing each respective network activity, the certain network entities involved in the respective network activity;
program instructions to retrieve at least one relevant diversity value from a network behavior model based on said extracted certain network entities, wherein said network behavior model includes at least one diversity value, wherein each respective diversity value represents a certain relationship between at least one network entity and at least one network entity type;
program instructions to calculate an abnormality score for said received at least one network activity based on said retrieved at least one relevant diversity value;
program instructions to classify said at least one network activity as anomalous or normal based on said calculated abnormality score; and
program instructions to generate an alert when the at least one network activity is classified as anomalous.
Dependent claims: 27.
Specification