Detecting anomalous web proxy activity
Abstract
A method, system and apparatus for detecting anomalous web proxy activity by end-users are disclosed. The techniques include analyzing records from a web proxy log and determining whether the records contain anomalous end-user activity by inspecting a uniform resource locator and a connect instruction included therein. The techniques also include generating an alert in response to the analysis.
20 Claims
1. A method of detecting anomalous web proxy activity comprising:
- extracting a plurality of records from a proxy log for a specified time period using a detection module implemented by a server;
- filtering the plurality of records extracted from the proxy log by the detection module to exclude records that do not include identified information, the identified information being at least an Internet Protocol (IP) address at a beginning of a uniform resource locator (URL) field and a connect instruction;
- determining, with the detection module, whether a first one of the records extracted from a web proxy log, and not excluded by the filtering, comprises suspicious web activity based on a number of distinct destination hosts to which a source connects; and
- generating an alert in response to the determination by the detection module.
Dependent claims: 2, 3, 4, 5, 6, 7.
8. An article comprising a machine-readable medium storing machine-readable instructions that, when applied to a machine, cause the machine to:
- extract a plurality of records from a proxy log for a specified time period;
- filter the plurality of records extracted from the proxy log to exclude records that do not include identified information, the identified information being at least an Internet Protocol (IP) address at a beginning of a uniform resource locator (URL) field and a connect instruction;
- determine whether a first one of the records extracted from a web proxy log, and not excluded by the filtering, comprises suspicious web activity based on a number of distinct destination hosts to which a source connects; and
- generate an alert in response to the determination.
Dependent claims: 9, 10, 11, 12, 13, 14.
15. A system comprising a service delivery device coupled to a network, the service delivery device including a processor and memory storing instructions that, in response to receiving a request for access to a service, cause the processor to:
- extract a plurality of records from a proxy log for a specified time period;
- filter the plurality of records extracted from the proxy log to exclude records that do not include identified information, the identified information being at least an Internet Protocol (IP) address at a beginning of a uniform resource locator (URL) field and a connect instruction;
- determine whether a first one of the records extracted from a web proxy log, and not excluded by the filtering, comprises suspicious web activity based on a number of distinct destination hosts to which a source connects; and
- generate an alert in response to the determination.
Dependent claims: 16, 17, 18, 19, 20.
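The four steps shared by independent claims 1, 8 and 15 (extract records for a time window, keep only CONNECT records whose URL field begins with an IP literal, count distinct destination hosts per source, alert), written out as an added example that is not the patent's own code. The whitespace-separated log format, the sample lines, the function names and the alert threshold are all assumptions introduced here.

```python
import ipaddress
from collections import defaultdict

# Constructed sample proxy log (not from the patent). Assumed field order:
# epoch_timestamp client_ip method url_field status
SAMPLE_LOG = """\
1700000000 10.0.0.5 CONNECT 203.0.113.10:443 200
1700000005 10.0.0.5 CONNECT 203.0.113.11:443 200
1700000010 10.0.0.5 CONNECT 203.0.113.12:8443 200
1700000012 10.0.0.5 GET http://198.51.100.7/index.html 200
1700000020 10.0.0.9 CONNECT www.example.com:443 200
1700000030 10.0.0.9 CONNECT 192.0.2.44:443 200
1700009999 10.0.0.5 CONNECT 203.0.113.99:443 200
"""

def extract_records(log_text, start_ts, end_ts):
    """Step 1: records (ts, src, method, url) whose timestamp lies in [start_ts, end_ts]."""
    records = []
    for line in log_text.splitlines():
        ts, src, method, url, _status = line.split()
        if start_ts <= int(ts) <= end_ts:
            records.append((int(ts), src, method, url))
    return records

def _url_field_starts_with_ip(url):
    # A CONNECT target is written host:port; the claim requires the field to
    # begin with an IP address, so a scheme-prefixed or hostname URL fails here.
    host = url.split(":", 1)[0]
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def filter_records(records):
    """Step 2: exclude records lacking both a connect instruction and a leading IP literal."""
    return [r for r in records if r[2] == "CONNECT" and _url_field_starts_with_ip(r[3])]

def count_distinct_hosts(filtered):
    """Step 3: number of distinct destination hosts each source connected to."""
    hosts = defaultdict(set)
    for _ts, src, _method, url in filtered:
        hosts[src].add(url.split(":", 1)[0])
    return {src: len(h) for src, h in hosts.items()}

def detect(log_text, start_ts, end_ts, threshold):
    """Step 4: alert for each source whose distinct-host count reaches the (assumed) threshold."""
    counts = count_distinct_hosts(filter_records(extract_records(log_text, start_ts, end_ts)))
    return [{"source": s, "distinct_hosts": n} for s, n in sorted(counts.items()) if n >= threshold]

if __name__ == "__main__":
    print(detect(SAMPLE_LOG, 1700000000, 1700000100, 3))
```

In the sample, the GET record and the hostname-based CONNECT are dropped by the filter and the last line falls outside the window, so only 10.0.0.5 (three distinct IP-literal destinations) raises an alert at a threshold of 3.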