METHODS AND APPARATUS TO IDENTIFY MALICIOUS ACTIVITY IN A NETWORK
First Claim
1. A network monitor comprising:
- memory including computer readable instructions; and
- a processor to execute the computer readable instructions to perform operations including:
  - iteratively adjusting respective weights assigned to respective types of network activity features for devices monitored in a network, the iterative adjusting to determine an output set of weights corresponding to ones of the types of network activity features indicative of malicious network activity, the iterative adjusting to (1) reduce a first distance calculated between a first pair of reference devices selected from a first set of the devices previously classified as being associated with malicious network activity, and (2) increase a second distance calculated between a first one of the pair of the reference devices and a first unclassified device selected from a second set of the devices that are unclassified; and
  - determining whether a second unclassified device selected from the second set of the devices is associated with malicious network activity based on the output set of weights.
1 Assignment
0 Petitions
Abstract
Example network monitoring methods disclosed herein include iteratively adjusting respective weights assigned to respective types of network activity features for devices monitored in a network, the iterative adjusting to determine an output set of weights corresponding to ones of the types of network activity features indicative of malicious network activity. For example, the iterative adjusting is to (1) reduce a first distance calculated between a first pair of reference devices previously classified as being associated with malicious network activity, and (2) increase a second distance calculated between a first one of the pair of the reference devices and a first unclassified device. Disclosed example network monitoring methods also include determining whether a second unclassified device is associated with malicious network activity based on the output set of weights.
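The abstract describes a feature-weight learning loop but not a concrete update rule. The following is an added illustration, not code or data from the patent: a per-feature weight vector is adjusted so that the weighted distance between two known-malicious reference devices shrinks while the weighted distance between one of those references and an unclassified device grows, and the resulting weights are then used to decide whether a second unclassified device falls inside the reference cluster. The feature names, the sample device vectors, the additive push/pull update with clipping and rescaling, and the cluster-radius decision rule are all constructed assumptions.

```python
import itertools
import math
from dataclasses import dataclass

# Network activity feature types (constructed names; any per-device features
# normalised to [0, 1] would serve).
FEATURES = ("conn_rate", "dns_fail_ratio", "bytes_out_ratio", "unique_dst_ports")


@dataclass(frozen=True)
class Device:
    name: str
    features: tuple  # one normalised value per entry of FEATURES


def weighted_distance(a, b, weights):
    """Distance between two devices under a per-feature weight vector."""
    return math.sqrt(sum(w * (x - y) ** 2
                         for w, x, y in zip(weights, a.features, b.features)))


def adjust_weights(weights, ref_a, ref_b, unclassified, step):
    """One adjustment step (assumed rule).  For each feature, the squared
    difference between the reference pair pulls the weight down (shrinks the
    first distance, ref_a<->ref_b) and the squared difference between ref_a and
    the unclassified device pushes it up (grows the second distance,
    ref_a<->unclassified).  Weights are clipped at zero and rescaled to a fixed
    total so the trivial all-zero solution is excluded."""
    updated = []
    for w, xa, xb, xu in zip(weights, ref_a.features, ref_b.features,
                             unclassified.features):
        pull = (xa - xb) ** 2
        push = (xa - xu) ** 2
        updated.append(max(0.0, w + step * (push - pull)))
    scale = len(updated) / (sum(updated) or 1.0)
    return [w * scale for w in updated]


def train_weights(references, unclassified, iterations=20, step=0.5, tol=1e-6):
    """Iterate adjust_weights over every reference pair until the weights stop
    moving or the iteration budget is spent; returns the output weight set."""
    weights = [1.0] * len(FEATURES)
    for _ in range(iterations):
        previous = weights
        for ref_a, ref_b in itertools.combinations(references, 2):
            weights = adjust_weights(weights, ref_a, ref_b, unclassified, step)
        if max(abs(p - w) for p, w in zip(previous, weights)) < tol:
            break
    return weights


def is_malicious(device, references, weights):
    """Flag a device when it lies within the reference cluster: its weighted
    distance to the nearest reference device is no larger than the widest
    weighted distance between any two reference devices."""
    radius = max(weighted_distance(a, b, weights)
                 for a, b in itertools.combinations(references, 2))
    nearest = min(weighted_distance(device, r, weights) for r in references)
    return nearest <= radius


# Constructed sample devices (not data from the patent).  The two references
# agree on connection rate and DNS failure ratio but differ on outbound byte
# ratio; the first unclassified device shares only the outbound byte ratio.
MALICIOUS_REFS = [
    Device("ref-a", (0.90, 0.80, 0.70, 0.20)),
    Device("ref-b", (0.85, 0.75, 0.20, 0.25)),
]
FIRST_UNCLASSIFIED = Device("unk-1", (0.10, 0.05, 0.65, 0.30))
SECOND_UNCLASSIFIED = Device("unk-2", (0.88, 0.78, 0.50, 0.22))


def run_example():
    """Train the weights, then classify both unclassified devices."""
    initial = [1.0] * len(FEATURES)
    weights = train_weights(MALICIOUS_REFS, FIRST_UNCLASSIFIED)
    ref_a, ref_b = MALICIOUS_REFS
    return {
        "weights": dict(zip(FEATURES, weights)),
        "d1_before": weighted_distance(ref_a, ref_b, initial),
        "d1_after": weighted_distance(ref_a, ref_b, weights),
        "d2_before": weighted_distance(ref_a, FIRST_UNCLASSIFIED, initial),
        "d2_after": weighted_distance(ref_a, FIRST_UNCLASSIFIED, weights),
        "unk1_malicious": is_malicious(FIRST_UNCLASSIFIED, MALICIOUS_REFS, weights),
        "unk2_malicious": is_malicious(SECOND_UNCLASSIFIED, MALICIOUS_REFS, weights),
    }


if __name__ == "__main__":
    for key, value in run_example().items():
        print(f"{key}: {value}")
```

With these inputs the loop drives the weight of the feature on which the two references disagree (outbound byte ratio) to zero and concentrates weight on the features they share, so the first distance falls, the second rises, and the second unclassified device, which matches the references on the retained features, is flagged while the first is not. The rescaling step matters: without a fixed total, shrinking every weight would also "reduce the first distance" and the loop would learn nothing.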
20 Claims
1. A network monitor (independent claim; text as given under First Claim above).
Dependent claims: 2, 3, 4, 5, 6

7. A network monitoring method comprising:
- iteratively adjusting, by executing an instruction with a processor, respective weights assigned to respective types of network activity features for devices monitored in a network, the iterative adjusting to determine an output set of weights corresponding to ones of the types of network activity features indicative of malicious network activity, the iterative adjusting to (1) reduce a first distance calculated between a first pair of reference devices selected from a first set of the devices previously classified as being associated with malicious network activity, and (2) increase a second distance calculated between a first one of the pair of the reference devices and a first unclassified device selected from a second set of the devices that are unclassified; and
- determining, by executing an instruction with the processor, whether a second unclassified device selected from the second set of the devices is associated with malicious network activity based on the output set of weights.
Dependent claims: 8, 9, 10, 11, 12, 13

14. A tangible computer readable storage medium including computer readable instructions which, when executed, cause a processor to perform operations comprising:
- iteratively adjusting respective weights assigned to respective types of network activity features for devices monitored in a network, the iterative adjusting to determine an output set of weights corresponding to ones of the types of network activity features indicative of malicious network activity, the iterative adjusting to (1) reduce a first distance calculated between a first pair of reference devices selected from a first set of the devices previously classified as being associated with malicious network activity, and (2) increase a second distance calculated between a first one of the pair of the reference devices and a first unclassified device selected from a second set of the devices that are unclassified; and
- determining whether a second unclassified device selected from the second set of the devices is associated with malicious network activity based on the output set of weights.
Dependent claims: 15, 16, 17, 18, 19, 20