DETECTING ANOMALOUS ACCOUNTS USING EVENT LOGS
Abstract
The claimed subject matter includes techniques for detecting anomalous accounts. An example method includes receiving, via a processor, a list of monitored machines and event logs including logons for the list of monitored machines for a predetermined window of time. The example method also includes generating, via the processor, a baseline based on the event logs for the predetermined window of time. The example method also includes collecting, via the processor, daily logon events after the predetermined time and comparing the daily logon events to the baseline. The method further includes detecting, via the processor, an anomalous account based on a difference of logon events of the anomalous account from the baseline. The method also includes displaying, via the processor, the detected anomalous account.
Claims (30 in total; the independent claims 1, 6, 11, 16, 21 and 26 are reproduced below)
1. A system for anomalous process detection, comprising:
- an event log module configured to receive a plurality of event logs;
- a filter module configured to filter the plurality of event logs based on detected process creations;
- a receiving module configured to receive a directory path and process name for each detected process creation;
- a conversion module configured to convert each directory path to a sequence of integers based on a character count for each sub-directory of the directory path;
- a detection module configured to detect an anomalous process based on a threshold number of matching character counts and matching process names; and
- a display module configured to display the detected anomalous process.
Dependent claims: 2, 3, 4, 5 (not reproduced here).

6. A system for detecting anomalous accounts, the system comprising:
- a receiving module configured to receive a list of monitored machines and event logs comprising logons for the list of monitored machines for a predetermined window of time;
- a baseline module configured to generate a baseline based on the event logs for the predetermined window of time;
- a collector module configured to collect daily logon events after the predetermined time and compare the daily logon events to the baseline;
- a detection module configured to detect an anomalous account based on a difference of logon events of the anomalous account from the baseline;
- an update module configured to generate a new baseline by removing older event logs from the baseline based on a predetermined adjustment time and adding new event logs from non-anomalous accounts based on the predetermined adjustment time and comparing daily logon events to the new baseline; and
- a display module configured to display the detected anomalous account.
Dependent claims: 7, 8, 9, 10 (not reproduced here).

11. A system for generating bubble plot graphs, comprising:
- a receiving module configured to receive processed event logs comprising logons of a logon account at a plurality of machines for a predetermined time;
- an aggregator module configured to aggregate the processed event logs for the logon account to generate a total number of logons, and a first and a last logon time for the logon account;
- a graphing module configured to generate a bubble plot graph comprising a bubble based on the total number of logons and a difference between the first and the last logon time for the logon account and a size of the bubble indicating an inverse difference between the first logon and the last logon for the logon account; and
- a display module configured to display the bubble plot graph.
Dependent claims: 12, 13, 14, 15 (not reproduced here).

16. A method for anomalous process detection, the method comprising:
- receiving, via a processor, a plurality of event logs;
- filtering, via the processor, the plurality of event logs to detect process creations;
- receiving, via the processor, a directory path and process name for each detected process creation;
- converting, via the processor, each directory path to a sequence of integers based on character count;
- detecting, via the processor, an anomalous process based on a threshold number of matching character counts; and
- displaying, via the processor, the detected anomalous process.
Dependent claims: 17, 18, 19, 20 (not reproduced here).
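Claims 1 and 16 describe the same path-signature check, once as a system and once as a method. The Python below is an added illustration of that check; it is not code from the patent or its assignee. It assumes the event logs are Windows Security records (event ID 4688 for process creation, which is an assumption about the log source), and it reads the detection step as follows: a process name that already appears in the baseline, but whose directory signature agrees with none of that name's baseline signatures in at least the threshold number of positions, is flagged. The sample events are constructed for the example.

```python
from collections import defaultdict

# Assumed record shape (not from the patent): one dict per event, carrying a Windows
# event id (4688 = process creation, an assumption about the log source), the directory
# the image was started from, and the process name.


def path_signature(directory_path):
    """Claim 1's conversion: the path becomes the character count of each sub-directory.
    Randomly named folders of equal length therefore yield the same signature."""
    parts = directory_path.replace("\\", "/").strip("/").split("/")
    return [len(p) for p in parts if p]


def matching_counts(sig_a, sig_b):
    """Number of positions whose character counts agree; extra depth on either side
    is simply not counted as a match."""
    return sum(1 for a, b in zip(sig_a, sig_b) if a == b)


def process_creations(events):
    """The filter step: keep only process-creation events."""
    return [e for e in events if e.get("event_id") == 4688]


def build_baseline(events):
    """Map each process name to the set of path signatures it has been seen with."""
    baseline = defaultdict(set)
    for e in process_creations(events):
        baseline[e["process_name"].lower()].add(tuple(path_signature(e["directory"])))
    return baseline


def detect_anomalous_processes(baseline, events, threshold):
    """Flag a creation whose name is known but whose signature matches no baseline
    signature for that name in at least `threshold` positions (our reading of the claim)."""
    anomalies = []
    for e in process_creations(events):
        name = e["process_name"].lower()
        known = baseline.get(name)
        if not known:
            continue  # no history for this name; outside the scope of this rule
        sig = path_signature(e["directory"])
        best = max(matching_counts(sig, k) for k in known)
        if best < threshold:
            anomalies.append({"process_name": name, "directory": e["directory"],
                              "signature": sig, "best_match": best})
    return anomalies


def _creation(directory, name):
    return {"event_id": 4688, "directory": directory, "process_name": name}


# Constructed sample data.
BASELINE_EVENTS = [
    _creation(r"C:\Windows\System32", "svchost.exe"),
    _creation(r"C:\Windows", "explorer.exe"),
    _creation(r"C:\ProgramData\Vendor\Temp\a1b2c3d4", "updater.exe"),
    {"event_id": 4624, "account": "alice"},  # a logon record; the filter drops it
]

NEW_EVENTS = [
    _creation(r"C:\Windows\System32", "svchost.exe"),                 # 3 of 3 counts match
    _creation(r"C:\Users\Public\Downloads", "svchost.exe"),           # only 1 count matches
    _creation(r"C:\ProgramData\Vendor\Temp\e5f6g7h8", "updater.exe"),  # same shape as baseline
]


def run_example(threshold=3):
    """Build the baseline from the constructed history and score the new creations."""
    return detect_anomalous_processes(build_baseline(BASELINE_EVENTS), NEW_EVENTS, threshold)


if __name__ == "__main__":
    for hit in run_example():
        print(hit)
```

The counts-per-segment signature is what lets the third new event pass: the two randomly named temp folders differ as strings but have identical shape, so no baseline entry is needed per random folder name. The threshold is the tuning knob; in this data a threshold of 3 flags the svchost.exe copy launched from a Downloads folder, while a threshold of 1 flags nothing.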

21. A method for detecting anomalous accounts, the method comprising:
- receiving, via a processor, a list of monitored machines and event logs comprising logons for the list of monitored machines for a predetermined window of time;
- generating, via the processor, a baseline based on the event logs for the predetermined window of time;
- collecting, via the processor, daily logon events after the predetermined time and comparing the daily logon events to the baseline;
- detecting, via the processor, an anomalous account based on a difference of logon events of the anomalous account from the baseline; and
- displaying, via the processor, the detected anomalous account.
Dependent claims: 22, 23, 24, 25 (not reproduced here).
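Claims 6 and 21 describe the logon-baseline method; claim 6 adds the update module that slides the baseline forward. The Python below is an added illustration of both and is not code from the patent or its assignee. It assumes Windows Security logon records (event ID 4624, an assumption about the log source), reads the "difference of logon events from the baseline" as the number of monitored machines an account logged on to in a day that never appear for that account in the baseline, and implements the update module as a sliding window that drops events older than the adjustment time and adds the day's events from accounts that were not flagged. The event data is constructed for the example.

```python
from collections import defaultdict
from datetime import date, timedelta

# Assumed record shape (not from the patent): one dict per logon with the account,
# the machine logged on to, and the day of the event.
MONITORED = {"WS01", "WS02", "FS01", "DC01"}


def logons_on_monitored(events, monitored):
    """Keep successful logons (assumed Windows event 4624) on the monitored machines."""
    return [e for e in events if e["event_id"] == 4624 and e["machine"] in monitored]


def build_baseline(events, monitored, start, end):
    """Baseline: for each account, the number of logons per machine inside [start, end]."""
    baseline = defaultdict(lambda: defaultdict(int))
    for e in logons_on_monitored(events, monitored):
        if start <= e["day"] <= end:
            baseline[e["account"]][e["machine"]] += 1
    return baseline


def detect_anomalous_accounts(baseline, daily_events, monitored, threshold):
    """An account is anomalous when it logged on to at least `threshold` machines that
    never appear for it in the baseline (our reading of 'difference from the baseline')."""
    seen_today = defaultdict(set)
    for e in logons_on_monitored(daily_events, monitored):
        seen_today[e["account"]].add(e["machine"])
    anomalies = {}
    for account, machines in seen_today.items():
        new_machines = machines - set(baseline.get(account, {}))
        if len(new_machines) >= threshold:
            anomalies[account] = sorted(new_machines)
    return anomalies


def update_baseline(baseline_events, daily_events, today, adjustment, anomalous, monitored):
    """Claim 6's update module: drop events older than the adjustment time, add today's
    events from accounts that were not flagged, and rebuild the baseline from the result."""
    cutoff = today - adjustment
    kept = [e for e in baseline_events if e["day"] > cutoff]
    kept += [e for e in daily_events if e["account"] not in anomalous]
    return kept, build_baseline(kept, monitored, cutoff + timedelta(days=1), today)


def _logon(account, machine, day):
    return {"event_id": 4624, "account": account, "machine": machine, "day": day}


def constructed_events():
    """Two weeks of routine logons, then one day that includes an account fanning out."""
    start, end = date(2024, 1, 1), date(2024, 1, 14)
    events = []
    for i in range(14):
        day = start + timedelta(days=i)
        events.append(_logon("alice", "WS01", day))
        events.append(_logon("bob", "WS02", day))
        if i % 2 == 0:
            events.append(_logon("bob", "FS01", day))
        events.append(_logon("svc_backup", "FS01", day))
    today = date(2024, 1, 15)
    daily = [
        _logon("alice", "WS01", today),
        _logon("bob", "WS02", today),
        _logon("bob", "WS01", today),        # not in bob's baseline
        _logon("bob", "DC01", today),        # not in bob's baseline
        _logon("svc_backup", "FS01", today),
        _logon("carol", "WS02", today),      # account absent from the baseline, one machine
        _logon("carol", "LAPTOP9", today),   # unmonitored machine: filtered out
    ]
    return events, daily, start, end, today


def run_example(threshold=2, adjustment=timedelta(days=7)):
    """Baseline, one day of comparison, then the slide to a new baseline."""
    events, daily, start, end, today = constructed_events()
    baseline = build_baseline(events, MONITORED, start, end)
    anomalies = detect_anomalous_accounts(baseline, daily, MONITORED, threshold)
    _, new_baseline = update_baseline(events, daily, today, adjustment, anomalies, MONITORED)
    return anomalies, new_baseline


if __name__ == "__main__":
    flagged, _ = run_example()
    print(flagged)
```

Two details matter in practice. Excluding a flagged account's events from the new baseline (as claim 6 states) stops an account that fans out across machines from teaching the baseline that the fan-out is normal. And the machine filter is applied before counting, so logons on hosts outside the monitored list neither raise nor lower an account's score.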

26. A method for generating a bubble plot graph, comprising:
- receiving, via a processor, processed event logs comprising logons of a logon account at a plurality of machines for a predetermined time;
- aggregating, via the processor, the processed event logs for the logon account to generate a total number of logons, and a first and a last logon time for the logon account;
- generating, via the processor, a bubble plot graph based on the total number of logons and a difference between a first logon time and a last logon time for the logon account; and
- displaying, via the processor, the bubble plot graph.
Dependent claims: 27, 28, 29, 30 (not reproduced here).
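Claims 11 and 26 cover the aggregation behind the bubble plot: per account, the total number of logons, the first and last logon time, and a bubble whose size is the inverse of the first-to-last span. The Python below is an added illustration of that aggregation, not code from the patent or its assignee, and it stops at producing plot-ready points rather than drawing them. Two edge cases the claims leave open are handled here as assumptions: an account with a single logon has no span and is left out of the plot, and a span of zero (several logons in the same instant) is floored to one minute so the inverse stays finite. The logon records are constructed for the example.

```python
from datetime import datetime, timedelta

# Assumed record shape (not from the patent): processed logon events with the
# account, the machine, and a datetime of the logon.


def aggregate_logons(processed_events):
    """Claim 26's aggregation: per account, total logons and first/last logon time.
    The distinct machine count is kept too, since claim 26 speaks of a plurality of machines."""
    agg = {}
    for e in processed_events:
        a = agg.get(e["account"])
        if a is None:
            a = agg[e["account"]] = {"total": 0, "first": e["time"], "last": e["time"],
                                     "machines": set()}
        a["total"] += 1
        a["first"] = min(a["first"], e["time"])
        a["last"] = max(a["last"], e["time"])
        a["machines"].add(e["machine"])
    return agg


def bubble_points(agg, min_span=timedelta(minutes=1)):
    """One point per account: x = total logons, y = span in hours, size = 1 / span.
    Accounts with fewer than two logons have no span and are skipped (assumption);
    a zero span is floored to `min_span` so the inverse never divides by zero (assumption)."""
    points = []
    for account, a in agg.items():
        if a["total"] < 2:
            continue
        span_hours = max(a["last"] - a["first"], min_span).total_seconds() / 3600.0
        points.append({"account": account, "x": a["total"], "y": span_hours,
                       "size": 1.0 / span_hours, "machines": len(a["machines"])})
    # Largest bubbles first: many logons packed into a short span stand out.
    return sorted(points, key=lambda p: p["size"], reverse=True)


def _logon(account, machine, time):
    return {"account": account, "machine": machine, "time": time}


def constructed_events():
    """A user logging on hourly through the day, a service account hitting twelve
    hosts within six minutes, and an account with a single logon."""
    day = datetime(2024, 1, 15)
    events = [_logon("alice", "WS01", day + timedelta(hours=9 + i)) for i in range(8)]
    events += [_logon("svc_scan", "SRV%02d" % i, day + timedelta(hours=2, seconds=30 * i))
               for i in range(12)]
    events.append(_logon("bob", "WS02", day + timedelta(hours=8)))
    return events


def run_example():
    return bubble_points(aggregate_logons(constructed_events()))


if __name__ == "__main__":
    for p in run_example():
        print(p)
```

The returned dictionaries map directly onto a scatter or bubble plot (x, y and size), so any plotting library can be attached without touching the aggregation.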