MALICIOUS ACTIVITY DETECTION ON A COMPUTER NETWORK AND NETWORK METADATA NORMALISATION
First Claim
1. A method for identifying abnormal user interactions within one or more monitored computer networks, comprising the steps of:
- receiving metadata from one or more devices within the one or more monitored computer networks;
- identifying from the metadata events corresponding to a plurality of user interactions with the monitored computer networks;
- extracting relevant parameters from the metadata and mapping said relevant parameters to a common data schema, thereby creating normalised user interaction data;
- storing the normalised user interaction event data from the identified said events corresponding to a plurality of user interactions with the monitored computer networks;
- testing the normalised user interaction event data against a probabilistic model of expected user interactions to identify abnormal user interactions; and
- updating said probabilistic model from said stored user interaction event data.
Abstract
The invention relates to a network security and data normalisation system for a computer network, IT system or infrastructure, or similar. According to an aspect, there is provided a method for identifying abnormal user interactions within one or more monitored computer networks, comprising the steps of: receiving metadata from one or more devices within the one or more monitored computer networks; identifying from the metadata events corresponding to a plurality of user interactions with the monitored computer networks; storing user interaction event data from the identified said events corresponding to a plurality of user interactions with the monitored computer networks; updating a probabilistic model of expected user interactions from said stored user interaction event data; and testing each of said plurality of user interactions with the monitored computer networks against said probabilistic model to identify abnormal user interactions.
100 Claims
1. A method for identifying abnormal user interactions within one or more monitored computer networks (independent claim; its full text is given under First Claim above).
Dependent claims: 2 to 34, 40, 41.
35. Apparatus for identifying abnormal and/or malicious user interactions within one or more monitored computer networks, comprising:
- a metadata-ingesting module configured to receive and aggregate metadata from one or more devices within the one or more monitored computer networks;
- a data pipeline module configured to identify from the metadata events corresponding to a plurality of user interactions with the monitored computer networks;
- a data store configured to store user interaction event data from the identified said events corresponding to a plurality of user interactions with the monitored computer networks; and
- an analysis module comprising a probabilistic model of expected user interactions and an artificial neural network trained using one or more predetermined models developed from previously identified malicious user interaction scenarios, wherein the probabilistic model is updated from said stored user interaction event data;
wherein the analysis module is used to test the user interaction events to identify abnormal and/or malicious user interactions.
Dependent claims: 36 to 39.
42. A method for identifying abnormal user interactions within one or more monitored computer networks, comprising the steps of:
- receiving metadata from one or more devices within the one or more monitored computer networks;
- identifying from the metadata events corresponding to a plurality of user interactions with the monitored computer networks;
- storing user interaction event data from the identified said events corresponding to a plurality of user interactions with the monitored computer networks;
- updating a probabilistic model of expected user interactions from said stored user interaction event data; and
- testing each of said plurality of user interactions with the monitored computer networks against said probabilistic model to identify abnormal user interactions.
Dependent claims: 43 to 72.
73. A method for normalising metadata having a plurality of content schemata from one or more devices, within one or more monitored computer networks, comprising the steps of:
- receiving metadata from the one or more devices within the one or more monitored computer networks;
- extracting relevant parameters from the metadata and mapping said relevant parameters to a common data schema in order to identify events corresponding to a plurality of user interactions with the monitored computer networks; and
- storing user interaction event data from the identified said events corresponding to a plurality of user interactions with the monitored computer networks.
Dependent claims: 74 to 92, 97, 98.
93. Apparatus for normalising metadata having a plurality of content schemata from one or more devices, within one or more monitored computer networks, comprising:
- a metadata-ingesting module configured to receive and aggregate metadata from one or more devices within the one or more monitored computer networks;
- a data pipeline module configured to extract relevant parameters from the metadata and map said relevant parameters to a common data schema in order to identify from the metadata events corresponding to a plurality of user interactions with the monitored computer networks; and
- a data store configured to store user interaction event data from the identified said events corresponding to a plurality of user interactions with the monitored computer networks.
Dependent claims: 94 to 96.
99. A method substantially as herein described and/or as illustrated with reference to the accompanying figures.
100. Apparatus substantially as herein described and/or as illustrated with reference to the accompanying figures.
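As an added illustration of the pipeline described in claims 1 and 73 (example code written for this page, not the patent's or its assignee's implementation), in Python: records from two assumed device formats are mapped onto a common schema, each normalised event is stored, tested against a per-user Laplace-smoothed categorical model of (action, target) pairs, and only then used to update the model, in the order claim 1 recites. The field names, the sample records and the 0.2 threshold are assumptions.

```python
from collections import Counter, defaultdict
# Constructed sample metadata from two devices with different schemata (assumed fields).
RAW_EVENTS = [
    {"src": "proxy", "uid": "alice", "op": "GET", "host": "intranet.example", "ts": 1},
    {"src": "proxy", "uid": "alice", "op": "GET", "host": "intranet.example", "ts": 2},
    {"src": "vpn", "username": "alice", "event": "login", "gateway": "vpn1", "ts": 3},
    {"src": "proxy", "uid": "alice", "op": "GET", "host": "intranet.example", "ts": 4},
    {"src": "proxy", "uid": "alice", "op": "POST", "host": "paste.example", "ts": 5},
]

# Per-device mapping of native field names onto the common schema.
SCHEMA_MAP = {
    "proxy": {"user": "uid", "action": "op", "target": "host"},
    "vpn": {"user": "username", "action": "event", "target": "gateway"},
}

def normalise(raw):
    """Map one raw record onto the common schema (user, action, target, ts, device)."""
    m = SCHEMA_MAP[raw["src"]]
    return {"user": raw[m["user"]], "action": raw[m["action"]],
            "target": raw[m["target"]], "ts": raw["ts"], "device": raw["src"]}

class InteractionModel:
    """Per-user categorical model of (action, target) pairs with Laplace smoothing."""
    def __init__(self, alpha=1.0):
        self.alpha = alpha
        self.counts = defaultdict(Counter)  # user -> Counter of (action, target)

    def probability(self, ev):
        seen = self.counts[ev["user"]]
        vocab = len(seen) + 1  # one spare category keeps mass for never-seen pairs
        # Cold start: a user's very first event scores 1.0 because there is no history.
        return (seen[(ev["action"], ev["target"])] + self.alpha) / (sum(seen.values()) + self.alpha * vocab)

    def update(self, ev):
        self.counts[ev["user"]][(ev["action"], ev["target"])] += 1

def run_pipeline(raw_events, threshold=0.2, model=None):
    """Normalise, store, test each event against the model, then update the model."""
    if model is None:
        model = InteractionModel()
    store, abnormal = [], []
    for raw in raw_events:
        ev = normalise(raw)
        store.append(ev)  # the normalised user interaction event store
        p = model.probability(ev)
        if p < threshold:
            abnormal.append((ev["ts"], ev["action"], ev["target"], round(p, 3)))
        model.update(ev)  # updated only after the event has been tested
    return store, abnormal
```

On the sample data the first VPN login (ts 3) scores 0.25 and passes, because alice's history is still short, while the later POST to a never-seen host (ts 5) scores 1/7 and is flagged; the cold-start behaviour means a brand-new user's first event is never flagged by this model alone.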