Behavioral profiling of service access using intent to access in discovery protocols
First Claim
1. A computer-implemented method, comprising:
correlating a network address of a user to a domain name in a domain name system of a computing network, based at least in part on a service log;
identifying a user group based at least in part on the domain name;
generating a watch list of servers from the user group that control access to a new resource from the user, based at least in part on the domain name;
establishing a baseline behaviour for a client device based at least in part on a first access and a last access to at least one server in the watch list of servers during a time to live period associated with the user group;
when the service log includes a true network address, adding the true network address and a correlated domain name to the baseline behaviour;
retrieving a timestamp of an access by the client device to the network address; and
flagging, as a violation, the access by the client device to the network address in response to the access being outside of a legitimate window around the baseline behaviour.
1 Assignment
0 Petitions
Abstract
A method including correlating a network address of a user to a domain name in a domain name system of a computing network, based on a service log, is provided. The method includes identifying a user group, generating a watch list of servers that control access to a new resource, and establishing a baseline behaviour for a client device based on a first access and a last access to one server in the watch list of servers during a time to live period. The method also includes adding the true network address and a correlated domain name to the baseline behaviour, retrieving a timestamp of an access by the client device to the network address, and flagging, as a violation, the access by the client device to the network address when the access is outside of a legitimate window around the baseline behaviour.
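As an added worked illustration of the method in claim 1 and the abstract (example code written for this page, not code from the patent or its assignee), the Python below correlates answer addresses to domain names from a service (DNS) log, derives the user group from the domain, builds the watch list, establishes a first-access/last-access baseline inside the group's time-to-live period, records only true addresses the log actually contains, and flags a later access whose timestamp falls outside the legitimate window. The log formats, the zone-to-group table, the TTL values and the 30-minute slack are assumptions made for the example; the log lines are constructed.

```python
from datetime import datetime, timedelta

# Constructed DNS service log lines: "timestamp client queried_name answer_address".
# A "-" answer means the log recorded no true address (e.g. a failed lookup).
DNS_LOG = """\
2024-03-04T08:55:10 10.0.5.21 ldap.finance.corp.example 10.1.0.10
2024-03-04T08:57:42 10.0.5.21 files.finance.corp.example 10.1.0.20
2024-03-04T09:00:00 10.0.5.21 vpn.finance.corp.example -
2024-03-04T09:01:00 10.0.5.21 cdn.example.net 203.0.113.9
2024-03-04T17:20:05 10.0.5.21 files.finance.corp.example 10.1.0.20
"""

# Constructed access log lines: "timestamp client destination_address".
ACCESS_LOG = """\
2024-03-04T08:55:12 10.0.5.21 10.1.0.10
2024-03-04T09:01:03 10.0.5.21 203.0.113.9
2024-03-04T12:30:00 10.0.5.21 10.1.0.20
2024-03-04T17:20:07 10.0.5.21 10.1.0.20
2024-03-05T03:14:00 10.0.5.21 10.1.0.20
2024-03-05T09:10:00 10.0.5.21 10.1.0.10
2024-03-05T09:12:00 10.0.5.21 203.0.113.9
"""

# Assumed table: DNS zone -> user group whose access-controlling servers live there.
GROUP_ZONES = {"finance.corp.example": "finance", "eng.corp.example": "engineering"}
# Assumed time-to-live of each group's baseline, and the slack that widens the legitimate window.
GROUP_TTL = {"finance": timedelta(days=1), "engineering": timedelta(days=7)}
SLACK = 30 * 60  # seconds


def correlate_addresses(dns_text):
    """Map each true answer address in the service log to the domain name it resolved."""
    ip_to_domain = {}
    for line in dns_text.splitlines():
        _ts, _client, domain, answer = line.split()
        if answer != "-":          # only entries that carry a true network address
            ip_to_domain[answer] = domain
    return ip_to_domain


def group_of(domain):
    """Identify the user group from the domain name via the zone table (None if no match)."""
    for zone, group in GROUP_ZONES.items():
        if domain == zone or domain.endswith("." + zone):
            return group
    return None


def watch_list(ip_to_domain):
    """Servers inside a group zone gate that group's resources: {address: (domain, group)}."""
    return {ip: (dom, group_of(dom)) for ip, dom in ip_to_domain.items() if group_of(dom)}


def _parse_ts(ts):
    t = datetime.fromisoformat(ts)
    return t, t.hour * 3600 + t.minute * 60 + t.second   # datetime and seconds of day


def build_baseline(access_text, watched, baseline_end):
    """Per (client, group): first/last time of day of watch-list accesses inside the group's
    TTL window ending at baseline_end, plus the true addresses (and names) that were touched."""
    baseline = {}
    for line in access_text.splitlines():
        ts, client, dest = line.split()
        if dest not in watched:
            continue
        domain, group = watched[dest]
        t, sod = _parse_ts(ts)
        if not (baseline_end - GROUP_TTL[group] <= t < baseline_end):
            continue                      # outside the TTL period: not part of the baseline
        e = baseline.setdefault((client, group), {"first": sod, "last": sod, "addresses": {}})
        e["first"], e["last"] = min(e["first"], sod), max(e["last"], sod)
        e["addresses"][dest] = domain     # true address + correlated domain name
    return baseline


def flag_violations(baseline, access_text, watched, baseline_end):
    """Return accesses after baseline_end whose time of day lies outside
    [first - SLACK, last + SLACK] for a server already in the client's baseline."""
    violations = []
    for line in access_text.splitlines():
        ts, client, dest = line.split()
        t, sod = _parse_ts(ts)
        if t < baseline_end or dest not in watched:
            continue
        e = baseline.get((client, watched[dest][1]))
        if e is None or dest not in e["addresses"]:
            continue                      # no baseline for this client/server: nothing to compare
        if not (e["first"] - SLACK <= sod <= e["last"] + SLACK):
            violations.append((ts, client, dest, e["addresses"][dest]))
    return violations


def run(dns_text=DNS_LOG, access_text=ACCESS_LOG, baseline_end=datetime(2024, 3, 5)):
    """Full pipeline: returns (baseline, violations)."""
    watched = watch_list(correlate_addresses(dns_text))
    baseline = build_baseline(access_text, watched, baseline_end)
    return baseline, flag_violations(baseline, access_text, watched, baseline_end)


if __name__ == "__main__":
    for v in run()[1]:
        print("violation:", *v)
```

With the constructed logs, the finance baseline for client 10.0.5.21 spans 08:55:12 to 17:20:07 on the first day, so the 03:14 access to the file server the next morning is flagged while the 09:10 LDAP access is not; the CDN address never enters the watch list because its domain maps to no group, and the VPN name is never added to the baseline because the log carried no true address for it.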
20 Claims
1. A computer-implemented method, comprising:
correlating a network address of a user to a domain name in a domain name system of a computing network, based at least in part on a service log;
identifying a user group based at least in part on the domain name;
generating a watch list of servers from the user group that control access to a new resource from the user, based at least in part on the domain name;
establishing a baseline behaviour for a client device based at least in part on a first access and a last access to at least one server in the watch list of servers during a time to live period associated with the user group;
when the service log includes a true network address, adding the true network address and a correlated domain name to the baseline behaviour;
retrieving a timestamp of an access by the client device to the network address; and
flagging, as a violation, the access by the client device to the network address in response to the access being outside of a legitimate window around the baseline behaviour.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10
11. A system, comprising:
a memory storing instructions; and
one or more processors configured to execute the instructions to cause the system to:
correlate a network address of a user to a domain name in a domain name system of a computing network, based at least in part on a service log;
identify a user group based at least in part on the domain name;
generate a watch list of servers from the user group that control access to a new resource from the user, based at least in part on the domain name;
establish a baseline behaviour for a client device based at least in part on a first access and a last access to at least one server in the watch list of servers during a time to live period associated with the user group;
when the service log includes a true network address, add the true network address and a correlated domain name to the baseline behaviour;
retrieve a timestamp of an access by the client device to the network address; and
flag, as a violation, the access by the client device to the network address in response to the access being outside of a legitimate window around the baseline behaviour.
Dependent claims: 12, 13, 14, 15, 16
17. A non-transitory, computer readable medium storing instructions which, when executed by a processor, cause a computer to perform a method, the method comprising:
correlating a network address of a user to a domain name in a domain name system of a computing network, based at least in part on a service log;
identifying a user group based at least in part on the domain name;
generating a watch list of servers from the user group that control access to a new resource from the user, based at least in part on the domain name;
establishing a baseline behaviour for a client device based at least in part on a first access and a last access to at least one server in the watch list of servers during a time to live period associated with the user group;
when the service log includes a true network address, adding the true network address and a correlated domain name to the baseline behaviour;
retrieving a timestamp of an access by the client device to the network address; and
flagging, as a violation, the access by the client device to the network address in response to the access being outside of a legitimate window around the baseline behaviour.
Dependent claims: 18, 19, 20