NETWORK ANOMALY DETECTION
First Claim
1. A computer system comprising:
    one or more computer readable storage devices configured to store one or more software modules including computer executable instructions; and
    one or more hardware computer processors in communication with the one or more computer readable storage devices and configured to execute the computer executable instructions in order to cause the computer system to:
        receive information indicative of an access to a network by a user, wherein the information comprises at least:
            an identity associated with the user;
            a hostname of a machine associated with the user;
            a time associated with the access to the network; and
            location information associated with the identity;
        determine, based at least on the information, a host score indicative of a first likelihood that the user access to the network was malicious, wherein the host score is determined based, at least in part, on a number of unique machines associated with the user;
        determine, based on the information, a speed score indicative of a second likelihood that the user access to the network was malicious, wherein the speed score is determined based, at least in part, on a calculated travel speed for the user;
        determine, based on the information, a location score indicative of a third likelihood that the user access to the network was malicious, wherein the location score is determined based, at least in part, on attack origin distribution data; and
        determine an aggregate score based at least in part on the host score, the speed score, and the location score.
Abstract
A security system detects anomalous activity in a network. The system logs user activity, which can include ports used, compares users to find similar users, sorts similar users into cohorts, and compares new user activity to logged behavior of the cohort. The comparison can include a divergence calculation. Origins of user activity can also be used to determine anomalous network activity. The hostname, username, IP address, and timestamp can be used to calculate aggregate scores and convoluted scores.
20 Claims
1. A computer system comprising: (independent claim; full text as given under First Claim above). Dependent claims: 2, 3, 4, 5, 6.

7. A computer system comprising:
    one or more computer readable storage devices configured to store one or more software modules including computer executable instructions; and
    one or more hardware computer processors in communication with the one or more computer readable storage devices and configured to execute the computer executable instructions in order to cause the computer system to:
        receive information associated with a plurality of accesses of a network by a user, wherein the information includes, for each of the accesses of the network, at least:
            an identity, provided by the user, associated with the access of the network;
            a respective hostname of a machine used by the user to access the network;
            a respective time associated with the access to the network; and
            respective location information associated with the access to the network by the user;
        determine respective host scores for each of the accesses of the network, wherein the host scores indicate respective likelihoods of malicious activity based, at least in part, on a number of unique machines used to access the network;
        determine respective speed scores for each of the accesses of the network, wherein the speed scores indicate respective likelihoods of malicious activity based, at least in part, on calculated travel speeds;
        determine respective location scores for each of the accesses of the network, wherein the location scores indicate respective likelihoods of malicious activity based, at least in part, on attack origin distribution data;
        determine respective aggregate scores for each of the accesses of the network, wherein the respective aggregate scores are based, at least in part, on the respective host scores, speed scores, and location scores; and
        generate one or more user interfaces including:
            a list of users including the user;
            respective anomaly scores associated with users of the list of users, wherein the respective anomaly scores are based, at least in part, on the aggregate scores associated with each respective user of the list of users.
    Dependent claims: 8, 9, 10, 11, 12, 13, 14.

15. A computer system comprising:
    one or more computer readable storage devices configured to store computer executable instructions; and
    one or more hardware computer processors in communication with the one or more computer readable storage devices and configured to execute the computer executable instructions in order to cause the computer system to:
        receive information associated with an access to the network by a user via a computer, the information comprising an identity provided by the user and an identification of the computer, wherein the user has not previously accessed the network via the computer;
        determine a first host score based, at least in part, on the identification of the user and an identification of the computer, wherein the first host score indicates a likelihood that the access to the network was malicious;
        after receiving the information, receive second information associated with a later access to the network by the user via a new computer, the second information comprising the identity provided by the user and an identification of the new computer, wherein the user has not previously accessed the network via the new computer; and
        determine a second host score based, at least in part, on the user accessing the network via the new computer, wherein the second host score indicates a lower likelihood that the access to the network was malicious compared to the first host score.
    Dependent claims: 16, 17, 18, 19, 20.
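The following Python is an added illustration of the scoring scheme the three independent claims describe (host score from the count of unique machines, speed score from calculated travel speed, location score from attack origin distribution data, a weighted aggregate, and a per-user anomaly score for the claim 7 user list); it is not the patent's own implementation. The 1/(1+n) host formula, the 1000 km/h speed cap, the weights, the attack-origin table and the login events are all constructed assumptions, chosen so that a user's second never-seen machine scores lower than the first, as claim 15 requires.

```python
import math
from collections import defaultdict
# Constructed attack-origin distribution: share of observed attacks per country.
ATTACK_ORIGIN_SHARE = {"US": 0.20, "DE": 0.05, "RU": 0.45, "CN": 0.30}

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres (Earth radius 6371 km)."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    a = (math.sin((p2 - p1) / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(math.radians(lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def host_score(seen_hosts, hostname):
    """First-seen machine is suspicious, less so for a user already on many machines (claim 15)."""
    return 0.0 if hostname in seen_hosts else 1.0 / (1 + len(seen_hosts))

def speed_score(prev, cur, max_kmh=1000.0):
    """Implied travel speed since the user's previous access; saturates at 1 above max_kmh."""
    if prev is None:
        return 0.0
    km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
    hours = (cur["ts"] - prev["ts"]) / 3600.0
    if hours <= 0:  # same or earlier timestamp: any movement at all is impossible
        return float(km > 0)
    return min(1.0, km / hours / max_kmh)

def location_score(country):
    """Share of attacks seen from the access's country (the third score of claim 1)."""
    return ATTACK_ORIGIN_SHARE.get(country, 0.0)

def score_events(events, weights=(0.3, 0.4, 0.3)):
    """Weighted aggregate per access, plus each user's worst access as the per-user anomaly score (claim 7)."""
    seen, last, per_event, per_user = defaultdict(set), {}, [], {}
    for e in sorted(events, key=lambda e: e["ts"]):
        u = e["user"]
        h = host_score(seen[u], e["host"])
        s = speed_score(last.get(u), e)
        agg = round(weights[0] * h + weights[1] * s + weights[2] * location_score(e["country"]), 3)
        per_event.append((u, e["host"], agg))
        per_user[u] = max(per_user.get(u, 0.0), agg)
        seen[u].add(e["host"])  # update state only after scoring this access
        last[u] = e
    return per_event, per_user
# Constructed accesses: alice appears in Moscow an hour after New York on a new machine; bob reuses his desktop.
EVENTS = [
    {"user": "alice", "host": "alice-laptop", "ts": 0, "lat": 40.71, "lon": -74.01, "country": "US"},
    {"user": "alice", "host": "unknown-host", "ts": 3600, "lat": 55.76, "lon": 37.62, "country": "RU"},
    {"user": "bob", "host": "bob-desktop", "ts": 100, "lat": 52.52, "lon": 13.41, "country": "DE"},
    {"user": "bob", "host": "bob-desktop", "ts": 9000, "lat": 52.52, "lon": 13.41, "country": "DE"},
]
```

Running `score_events(EVENTS)` ranks alice's Moscow access (new host, impossible travel, high-attack origin) far above bob's repeat login from his usual desktop.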