Behavioral profiling of service access using intent to access in discovery protocols

US 20200137094A1
Filed: 10/31/2018
Published: 04/30/2020
Est. Priority Date: 10/31/2018
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method, comprising:

correlating a network address of a user to a domain name in a domain name system of a computing network, based at least in part on a service log;

identifying a user group based at least in part on the domain name;

generating a watch list of servers from the user group that control access to a new resource from the user, based at least in part on the domain name;

establishing a baseline behaviour for a client device based at least in part on a first access and a last access to at least one server in the watch list of servers during a time to live period associated with the user group;

when the service log includes a true network address, adding the true network address and a correlated domain name to the baseline behaviour;

retrieving a timestamp of an access by the client device to the network address; and

flagging, as a violation, the access by the client device to the network address in response to the access being outside of a legitimate window around the baseline behaviour.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method including correlating a network address of a user to a domain name in a domain name system of a computing network, based on a service log, is provided. The method includes identifying a user group, generating a watch list of servers that control access to a new resource, and establishing a baseline behaviour for a client device based on a first access and a last access to one server in the watch list of servers during a time to live period. The method also includes adding the true network address and a correlated domain name to the baseline behaviour, retrieving a timestamp of an access by the client device to the network address, and flagging, as a violation, the access by the client device to the network address when the access is outside of a legitimate window around the baseline behaviour.

Citations

20 Claims

1. A computer-implemented method, comprising:
- correlating a network address of a user to a domain name in a domain name system of a computing network, based at least in part on a service log;
  
  identifying a user group based at least in part on the domain name;
  
  generating a watch list of servers from the user group that control access to a new resource from the user, based at least in part on the domain name;
  
  establishing a baseline behaviour for a client device based at least in part on a first access and a last access to at least one server in the watch list of servers during a time to live period associated with the user group;
  
  when the service log includes a true network address, adding the true network address and a correlated domain name to the baseline behaviour;
  
  retrieving a timestamp of an access by the client device to the network address; and
  
  flagging, as a violation, the access by the client device to the network address in response to the access being outside of a legitimate window around the baseline behaviour.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The computer-implemented method of claim 1, wherein correlating a network address of a user to a domain name in a domain name system of a computer network comprises applying a machine learning algorithm to the service log to compare a sequence of text characters in the domain name to a sequence of digits in the network address.
  - 3. The computer-implemented method of claim 1, further comprising updating the user group based on a request-response packet captured by a packet processor at a tap point in the computer network.
  - 4. The computer-implemented method of claim 1, further comprising updating the watch list of servers by removing a domain name that is unresolved after a last access to at least one server in the computer network.
  - 5. The computer-implemented method of claim 1, further comprising filtering the watch list of servers to form a historical baseline of resources accessed by a user.
  - 6. The computer-implemented method of claim 1, wherein establishing a baseline behaviour for the client device comprises establishing a window of the baseline behaviour based on a maximum and a minimum behaviour tolerance in the service log.
  - 7. The computer-implemented method of claim 1, wherein the time to live period associated with the user group is the time to live period for a most recent domain name resolution associated with the user group, and establishing a baseline behaviour comprises selecting the last access as the time to live period.
  - 8. The computer-implemented method of claim 1, wherein establishing a baseline behaviour for the client device comprises updating the baseline behaviour.
  - 9. The computer-implemented method of claim 1, wherein retrieving a timestamp of an access by the client device to the network address comprises inspecting a domain name system transaction to identify an entity accessing the new resource and a time of access.
  - 10. The computer-implemented method of claim 1, wherein retrieving a timestamp of an access by the client device to the network address comprises identifying a time of access deviation from a timestamp of a network transaction to resolve the server by a user, based on a baseline for the user.

11. A system, comprising:
- a memory storing instructions; and
  
  one or more processors configured to execute the instructions to cause the system to;
  
  correlate a network address of a user to a domain name in a domain name system of a computing network, based at least in part on a service log;
  
  identify a user group based at least in part on the domain name;
  
  generate a watch list of servers from the user group that control access to a new resource from the user, based at least in part on the domain name;
  
  establish a baseline behaviour for a client device based at least in part on a first access and a last access to at least one server in the watch list of servers during a time to live period associated with the user group;
  
  when the service log includes a true network address, add the true network address and a correlated domain name to the baseline behaviour;
  
  retrieve a timestamp of an access by the client device to the network address; and
  
  flag, as a violation, the access by the client device to the network address in response to the access being outside of a legitimate window around the baseline behaviour.
- View Dependent Claims (12, 13, 14, 15, 16)
- - 12. The system of claim 11, wherein to correlate a network address of a user to a domain name in a domain name system of a computer network the one or more processors are configured to apply a machine learning algorithm to the service log to compare a sequence of text characters in the domain name to a sequence of digits in the network address.
  - 13. The system of claim 11, wherein the one or more processors are further configured to update the user group based on a request-response packet captured by a packet processor at a tap point in the computer network.
  - 14. The system of claim 11, wherein to establish a baseline behaviour for the client device the one or more processors are configured to establish a window of the baseline behaviour based on a maximum and a minimum behaviour tolerance in the service log.
  - 15. The system of claim 11, wherein to establish a baseline behaviour for the client device the one or more processors are configured to update the baseline behaviour.
  - 16. The system of claim 11, wherein to retrieve a timestamp of an access by the client device to the network address comprises identifying a time of access deviation from a timestamp of a network transaction to resolve the server by a user, based on a baseline for the user.

17. A non-transitory, computer readable medium storing instructions which, when executed by a processor, cause a computer to perform a method, the method comprising:
- correlating a network address of a user to a domain name in a domain name system of a computing network, based at least in part on a service log;
  
  identifying a user group based at least in part on the domain name;
  
  generating a watch list of servers from the user group that control access to a new resource from the user, based at least in part on the domain name;
  
  establishing a baseline behaviour for a client device based at least in part on a first access and a last access to at least one server in the watch list of servers during a time to live period associated with the user group;
  
  when the service log includes a true network address, adding the true network address and a correlated domain name to the baseline behaviour;
  
  retrieving a timestamp of an access by the client device to the network address; and
  
  flagging, as a violation, the access by the client device to the network address in response to the access being outside of a legitimate window around the baseline behaviour.
- View Dependent Claims (18, 19, 20)
- - 18. The non-transitory, computer-readable medium of claim 17, wherein, in the method, correlating a network address of a user to a domain name in a domain name system of a computer network comprises applying a machine learning algorithm to the service log to compare a sequence of text characters in the domain name to a sequence of digits in the network address.
  - 19. The non-transitory, computer-readable medium of claim 17, wherein the method further comprises updating the user group based on a request-response packet captured by a packet processor at a tap point in the computer network.
  - 20. The non-transitory, computer-readable medium of claim 17, wherein, in the method, establishing a baseline behaviour for the client device comprises establishing a window of the baseline behaviour based on a maximum and a minimum behaviour tolerance in the service log.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Hewlett Packard Enterprise Development LP (Hewlett-Packard Enterprise Company)
Original Assignee
Hewlett Packard Enterprise Development LP (Hewlett-Packard Enterprise Company)
Inventors
Janakiraman, Ramsundar

Granted Patent

US 11,201,881 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

G06N 20/00   Machine learning

H04L 61/4511   using domain name system [DNS]

H04L 61/5014   using dynamic host configur...

H04L 63/101   Access control lists [ACL]

H04L 63/102   Entity profiles

H04L 63/104   Grouping of entities

H04L 63/108   when the policy decisions a...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 67/306   User profiles

H04L 67/535   Tracking the activity of th...

Behavioral profiling of service access using intent to access in discovery protocols

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Behavioral profiling of service access using intent to access in discovery protocols

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links