SYSTEMS AND METHODS FOR DETECTION OF ANOMALOUS NETWORK BEHAVIOR

US 20160142435A1
Filed: 11/13/2014
Published: 05/19/2016
Est. Priority Date: 11/13/2014
Status: Active Grant

First Claim

Patent Images

1. A computer implemented method for detecting anomalous behavior in a network, comprising:

receiving data representing at least one network activity, each network activity representing a certain data access event occurring between certain network entities;

extracting from said data representing each respective network activity, the certain network entities involved in the respective network activity;

retrieving at least one relevant diversity value from a network behavior model based on said extracted certain network entities, wherein said network behavior model includes at least one diversity value, wherein each respective diversity value represents a certain relationship between at least one network entity and at least one network entity type;

calculating an abnormality score for said received at least one network activity based on said retrieved at least one relevant diversity value;

classifying said at least one network activity as anomalous or normal based on said calculated abnormality score; and

generating an alert when said at least one network activity is classified as anomalous.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

There is provided a computer implemented method for detecting anomalous behavior in a network, comprising: receiving data representing at least one network activity, each network activity representing a certain data access event involving certain network entities; extracting from the data the certain network entities involved in the respective network activity; retrieving at least one relevant diversity value from a network behavior model based on the extracted certain network entities, wherein the network behavior model includes at least one diversity value, wherein each respective diversity value represents a certain relationship between at least one network entity and at least one network entity type; calculating an abnormality score for the received network activity based on the retrieved relevant diversity values; and classifying the network activity as anomalous or normal based on the calculated abnormality score.

110 Citations

View as Search Results

27 Claims

1. A computer implemented method for detecting anomalous behavior in a network, comprising:
- receiving data representing at least one network activity, each network activity representing a certain data access event occurring between certain network entities;
  
  extracting from said data representing each respective network activity, the certain network entities involved in the respective network activity;
  
  retrieving at least one relevant diversity value from a network behavior model based on said extracted certain network entities, wherein said network behavior model includes at least one diversity value, wherein each respective diversity value represents a certain relationship between at least one network entity and at least one network entity type;
  
  calculating an abnormality score for said received at least one network activity based on said retrieved at least one relevant diversity value;
  
  classifying said at least one network activity as anomalous or normal based on said calculated abnormality score; and
  
  generating an alert when said at least one network activity is classified as anomalous.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein said at least one network activity is classified as normal when the complete form of said at least one network activity is identified within the network behavior model.
  - 3. The method of claim 1, wherein said at least one relevant diversity value is retrieved based on matching at least one network entity extracted from said data of said network activity, to at least one diversity value based on said at least one network entity.
  - 4. The method of claim 1, wherein calculating said abnormality score and classifying said at least one network activity comprises:
    - calculating a first abnormality score using a first combination of relevant diversity values;
      
      calculating a second abnormality score using a second combination of relevant diversity values;
      
      designating a lower of said first and said second abnormality scores as a minimum score, and designating a higher of said first and said second abnormality scores as maximum score; and
      
      at least one member of the group consisting of;
      
      classifying said at least one received network activity as normal when said maximum score is below a predefined threshold, classifying said at least one received network activity as anomalous when said minimum score is above said predefined threshold, classifying said at least one received network activity as normal when the average of said minimum and said maximum score is below said threshold, and classifying said at least one received network activity as anomalous when the average of said minimum score and said maximum score is above said predefined threshold.
  - 5. The method of claim 1, further comprising:
    - receiving data representing said at least one network activity over a period of time;
      
      retrieving, for each respective time slice of a plurality of time slices of said period of time, at least one relevant diversity value from said network behavior model;
      
      generating a diversity time series by organizing said at least one relevant diversity value based on chronological sequence of said plurality of respective time slices;
      
      receiving a new diversity value representing a next diversity value in said chronological sequence of said diversity time series, said new diversity value calculated based on another received network activity; and
      
      analyzing said new diversity value based on said diversity time series to identify said new diversity value as anomalous or normal diversity.
  - 6. The method of claim 1, wherein said network behavior model includes respective weights assigned to each respective diversity value and said abnormality score is calculated based on said respective weights assigned to each respective diversity value.
  - 7. The method of claim 1, wherein said retrieving at least one relevant diversity value is dependent on a confidence score associated with said at least one diversity value, said confidence score included in said network behavior model.
  - 8. The method of claim 1, wherein calculating said abnormality score comprises calculating based on a member selected from a group consisting of:
    - average of said retrieved diversity values, maximum value of said retrieved diversity values, and a weighted average of said retrieved diversity values.
  - 9. The method of claim 1, wherein calculating said abnormality score comprises calculating said abnormality score from said diversity values based on a function that increases said abnormality score when said retrieved at least one diversity value are relatively lower and decreases said abnormality score when said retrieved at least one diversity values are relatively higher.
  - 10. The method of claim 1, wherein said classifying said at least one network activity as anomalous or normal based on said calculated abnormality score is based on comparing said abnormality score to a predefined threshold.

11. A computer implemented method for generating a model for detecting anomalous behavior in a network, comprising:
- receiving data representing a plurality of network activities, each network activity representing a certain data access event occurring between certain network entities;
  
  extracting from said data representing each respective network activity, the certain network entities involved in said respective network activity;
  
  calculating at least one diversity value from said plurality of network activities, wherein each diversity value represents a certain relationship between at least one network entity and at least one network entity type;
  
  generating a network behavior model based on said calculated at least one diversity value; and
  
  outputting said network behavior model.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The method of claim 11, wherein said plurality of network activities is organized into a plurality of groups, each group including network activities having at least one shared network entity type, each group represented by a certain word.
  - 13. The method of claim 12, further comprising associating a certain context with each respective group.
  - 14. The method of claim 13, wherein said certain context is a member selected from a group consisting of:
    - a number of occurrences of activities within the respective group, a time of first occurrence of activities within the respective group, and a time of last occurrence of activities within the respective group.
  - 15. The method of claim 11, further comprising excluding certain network activities matching a predefined context from said network behavior model.
  - 16. The method of claim 15, wherein said predefined context includes a number of occurrences of said respective network activity within a predefined period of time.
  - 17. The method of claim 12, further comprising calculating a confidence score for each respective diversity value, said confidence score calculated based on a number of activities of a certain network entity in the respective group, or a number of activities of a combination of certain network entities in the respective group, said confidence score included within network behavior model.
  - 18. The method of claim 11, further comprising iterating said extracting, said calculating, and said generating, to update said network behavior model, according to at least one of periodically and when new network activities are received.
  - 19. The method of claim 11, further comprising assigning a weight to each respective diversity value, said weights designated based on a predefined logic defining the significance of each respective diversity value based on interaction between network entities.
  - 20. The method of claim 11, wherein said plurality of network activities are received from at least one member of the group consisting of:
    - monitoring of a network, gathering data from network entities, and obtaining data from a source connected to the network.

21. A system for detecting anomalous behavior in a network, comprising:
- an anomaly detecting server in communication with said network, said server configured to;
  
  receive data representing at least one network activity within said network, each network activity representing a certain data access event occurring between certain network entities in said network;
  
  calculate an abnormality score for said received at least one network activity based on a retrieved at least one relevant diversity value, said at least one relevant diversity value obtained by extracting from said data representing each respective network activity, the certain network entities involved in the respective network activity, and retrieving said at least one relevant diversity value from a network behavior model based on said extracted certain network entities, wherein said network behavior model includes at least one diversity value, wherein each respective diversity value represents a certain relationship between at least one network entity and at least one network entity type;
  
  classify said at least one network activity as anomalous or normal based on a calculated abnormality score; and
  
  generating an alert when the at least one network activity is classified as anomalous.
- View Dependent Claims (22, 23)
- - 22. The system of claim 21, wherein said anomaly detecting server is further configured to classify said at least one network activity as normal when the complete form of said at least one network activity is identified within said network behavior model.
  - 23. The system of claim 21, wherein said anomaly detecting server further includes a trend analysis module configured to:
    - receive data representing said at least one network activity over a period of time;
      
      retrieve, for each respective time slice of a plurality of time slices of said period of time, at least one relevant diversity value from said network behavior model;
      
      generate a diversity time series by organizing said at least one relevant diversity value based on chronological sequence of said plurality of respective time slices;
      
      receive a new diversity value representing a next diversity value in said chronological sequence of said diversity time series, said new diversity value calculated based on another received network activity; and
      
      analyze said new diversity value based on said diversity time series to identify said new diversity value as anomalous or normal diversity.

24. A system for generating a model for detecting anomalous behavior in a network, comprising:
- a learning server in communication with a network, said server configured to;
  
  receive data representing a plurality of network activities within said network, each network activity representing a certain data access event occurring between certain network entities connected to said network;
  
  generate a network behavior model based on at least one diversity value calculated from said plurality of network activities, wherein each diversity value represents a certain relationship between at least one network entity and at least one network entity type, the certain network entities involved in said respective network activity extracted from said data representing each respective network activity; and
  
  output said network behavior model.
- View Dependent Claims (25)
- - 25. The system of claim 24, wherein said learning server is further configured to iterating said generating, to update said network behavior model, according to at least one of periodically and when new network activities are received.

26. A computer program product for detecting anomalous behavior in a network, comprising:
- one or more non-transitory computer-readable storage mediums, and program instructions stored on at least one of the one or more storage mediums, the program instructions comprising;
  
  program instructions to receive data representing at least one network activity, each network activity representing a certain data access event occurring between certain network entities;
  
  program instructions to extract from said data representing each respective network activity, the certain network entities involved in the respective network activity;
  
  program instructions to retrieve at least one relevant diversity value from a network behavior model based on said extracted certain network entities, wherein said network behavior model includes at least one diversity value, wherein each respective diversity value represents a certain relationship between at least one network entity and at least one network entity type;
  
  program instructions to calculate an abnormality score for said received at least one network activity based on said retrieved at least one relevant diversity value;
  
  program instructions to classify said at least one network activity as anomalous or normal based on said calculated abnormality score; and
  
  program instructions to generate an alert when the at least one network activity is classified as anomalous.
- View Dependent Claims (27)
- - 27. The computer program product of claim 26, further comprising:
    - program instructions to receive data representing a plurality of network activities, each network activity representing a certain data access event occurring between certain network entities;
      
      program instructions to extract from said data representing each respective network activity, the certain network entities involved in said respective network activity;
      
      program instructions to calculate at least one diversity value from said plurality of network activities, wherein each diversity value represents a certain relationship between at least one network entity and at least one network entity type;
      
      program instructions to generate said network behavior model based on said calculated at least one diversity value; and
      
      program instructions to output said network behavior model.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cyber-Ark Software Limited (CyberArk Software Ltd.)
Original Assignee
Cyber-Ark Software Limited (CyberArk Software Ltd.)
Inventors
BERNSTEIN, Ruth, Dulkin, Andrey

Granted Patent

US 9,565,203 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

H04L 63/1425 Traffic logging, e.g. anoma...

H04L 63/1441 Countermeasures against mal...

SYSTEMS AND METHODS FOR DETECTION OF ANOMALOUS NETWORK BEHAVIOR

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

110 Citations

27 Claims

Specification

Solutions

Use Cases

Quick Links

SYSTEMS AND METHODS FOR DETECTION OF ANOMALOUS NETWORK BEHAVIOR

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

110 Citations

27 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links