Detecting anomalous web proxy activity
First Claim
1. A method of detecting anomalous web proxy activity comprising:
- filtering a plurality of records from a proxy log by a detection module to exclude records that do not include identified information, the plurality of records representing proxy connections made by a proxy server, the records including connection-specific transaction information comprising one or more of a source internet protocol address, a destination internet protocol address and a uniform resource locator field, the identified information comprising an internet protocol address at a beginning of the uniform resource locator field of the plurality of records;
- calculating a number of distinct destination internet protocol addresses to which a source internet protocol address is connected from the plurality of records not excluded by the filtering;
- comparing the calculated number of distinct destination internet protocol addresses to a threshold number established for the source internet protocol address; and
- determining, based on the comparing, whether a first one of the records extracted from the web proxy log, and not excluded by the filtering, comprises suspicious web activity.
Abstract
A method, system and apparatus for detecting anomalous web proxy activity by end-users are disclosed. The techniques include analyzing records from a web proxy log and determining whether the records contain anomalous end-user activity by inspecting a uniform resource locator and a connect instruction included therein. The techniques also include generating an alert in response to the analysis.
Claims (17)
1. Method claim, as set out under First Claim above. Dependent claims: 2, 3, 4, 5, 6.
7. A non-transitory computer-readable medium storing computer-readable instructions that, when executed by a computing device, cause the computing device to:
- filter a plurality of records from a proxy log to exclude records that do not include identified information, the plurality of records representing proxy connections made by a proxy server, the records including connection-specific transaction information comprising one or more of a source internet protocol address, a destination internet protocol address and a uniform resource locator field, the identified information comprising an internet protocol address at a beginning of the uniform resource locator field of the plurality of records;
- calculate a number of distinct destination internet protocol addresses to which a source internet protocol address is connected from the plurality of records not excluded by the filtering;
- compare the calculated number of distinct destination internet protocol addresses to a threshold number associated with the source internet protocol address; and
- determine whether a first one of the records extracted from the web proxy log, and not excluded by the filtering, comprises suspicious web activity based on the comparison.
Dependent claims: 8, 9, 10, 11, 12.
13. A system comprising:
a service delivery device coupled to a network, the service delivery device including a processor and memory storing instructions that, in response to receiving a request for access to a service, cause the processor to:
- filter a plurality of records from a proxy log to exclude records that do not include identified information, the plurality of records representing proxy connections made by a proxy server, the records including connection-specific transaction information comprising one or more of a source internet protocol address, a destination internet protocol address and a uniform resource locator field, the identified information comprising an internet protocol address at a beginning of the uniform resource locator field of the plurality of records;
- calculate a number of distinct destination internet protocol addresses to which a source internet protocol address is connected;
- compare the number of distinct destination internet protocol addresses to a threshold number established for the source internet protocol address; and
- determine whether a first one of the records extracted from the web proxy log, and not excluded by the filtering, comprises suspicious web activity based on the comparison.
Dependent claims: 14, 15, 16, 17.
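Claims 1, 7 and 13 describe the same three-step pipeline: keep only records whose URL field begins with an IP address, count distinct destination IPs per source IP, and flag the source when the count exceeds its threshold. The following Python is an added example, not code from the patent or from any product implementing it; the space-separated log format, the sample records, the IP-prefix regular expression and the per-source thresholds are all assumptions made here.

```python
import re
from collections import defaultdict
from ipaddress import ip_address

# Constructed sample proxy log (not real traffic): "src_ip dst_ip method url".
# Hosts reached by bare IP, including CONNECT tunnels, are the ones the claims keep.
SAMPLE_LOG = """\
10.0.0.5 93.184.216.34 GET http://example.com/index.html
10.0.0.5 203.0.113.10 CONNECT 203.0.113.10:443
10.0.0.5 203.0.113.11 CONNECT 203.0.113.11:443
10.0.0.5 203.0.113.12 GET http://203.0.113.12/update.bin
10.0.0.5 203.0.113.13 CONNECT 203.0.113.13:8443
10.0.0.9 198.51.100.7 GET http://198.51.100.7/img.png
10.0.0.9 93.184.216.34 GET http://example.com/
"""

# Optional scheme, then a dotted quad at the very start of the URL field,
# terminated by ':' (port), '/' (path) or end of string.
URL_IP_PREFIX = re.compile(r"^(?:[a-z]+://)?(\d{1,3}(?:\.\d{1,3}){3})(?=[:/]|$)")

def url_starts_with_ip(url):
    """True when the URL field begins with a syntactically valid IPv4 address."""
    m = URL_IP_PREFIX.match(url)
    if not m:
        return False
    try:
        ip_address(m.group(1))  # rejects octets > 255, e.g. 999.1.1.1
        return True
    except ValueError:
        return False

def parse_records(log_text):
    records = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than crash the detector
        src, dst, method, url = parts
        records.append({"src": src, "dst": dst, "method": method, "url": url})
    return records

def filter_ip_url_records(records):
    return [r for r in records if url_starts_with_ip(r["url"])]

def distinct_destinations(records):
    dests = defaultdict(set)
    for r in records:
        dests[r["src"]].add(r["dst"])
    return {src: len(d) for src, d in dests.items()}

def flag_suspicious(records, thresholds, default_threshold=3):
    """Return (flagged records, per-source distinct-destination counts)."""
    kept = filter_ip_url_records(records)
    counts = distinct_destinations(kept)
    over = {s for s, n in counts.items() if n > thresholds.get(s, default_threshold)}
    return [r for r in kept if r["src"] in over], counts
```

The threshold is a per-source baseline; in practice it would be learned from each source's normal history rather than fixed, and the flagged records would feed the alert step described in the abstract.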