Method and apparatus to detect unauthorized information disclosure via content anomaly detection
Abstract
Method and apparatus to monitor and detect anomalies of information content flows, the method comprising the steps of capturing information access packets, filtering packets to extract information, decoding packets to determine information content, deriving content signatures, trending prototypical behavior, and detecting anomalies of information access, and said apparatus comprising a computing device comprising a network based device that captures the information and produces anomaly information.
38 Claims
1. A method of performing an application layer semantic analysis to detect information access anomalies, comprising:
a) capturing data packets;
b) filtering the captured data packets to detect information content;
c) processing packets based on semantics of an application or protocol;
d) generating a quantitative representation;
e) deriving a content signature from the quantitative representation;
f) deriving a prototypical model that includes a frequency view of a set of content signatures accessed by a given user, where the set of content signatures are indicative of content that is changing over time; and
g) detecting an application layer information access anomaly by using a semantic analysis to detect a given deviation from the prototypical model.
Dependent claims: 2 to 30.
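A minimal sketch of steps d) through g) of claim 1, added here as an illustration and not taken from the patent. The top-term hashing, the `min_share` threshold, the function names and the sample documents are all assumptions, and steps a) to c) (capture, filtering, decoding) are taken as already done.

```python
import hashlib
import re
from collections import Counter, defaultdict

def quantify(text):
    """Step d: term-frequency vector over words of 4+ letters."""
    return Counter(re.findall(r"[a-z]{4,}", text.lower()))

def signature(text, k=3):
    """Step e: hash of the k dominant terms, so small edits keep the signature."""
    ranked = sorted(quantify(text).items(), key=lambda kv: (-kv[1], kv[0]))
    top = sorted(term for term, _ in ranked[:k])
    return hashlib.sha256("|".join(top).encode()).hexdigest()[:12]

def build_model(history):
    """Step f: per-user frequency view of the signatures that user accessed."""
    model = defaultdict(Counter)
    for user, text in history:
        model[user][signature(text)] += 1
    return model

def detect(model, events, min_share=0.05):
    """Step g: flag accesses whose signature is rare or unseen for that user."""
    alerts = []
    for user, text in events:
        seen = model.get(user, Counter())  # unknown user: empty profile
        total = sum(seen.values())
        sig = signature(text)
        share = seen[sig] / total if total else 0.0
        if share < min_share:
            alerts.append((user, sig, round(share, 3)))
    return alerts

# Constructed sample content: two revisions of one document, and an unrelated one.
GUIDE_V1 = ("Build guide: the build server runs the build nightly. Deploy after the "
            "build passes; deploy to staging, verify staging, then deploy to prod.")
GUIDE_V2 = ("Build guide (updated): the build server runs the build hourly. Deploy "
            "after the build passes; deploy to staging, verify staging, then deploy "
            "to prod and notify the team.")
PAYROLL = ("Payroll export: salary, bonus and salary band per employee. "
           "Payroll totals by employee; payroll salary audit.")

HISTORY = [("alice", GUIDE_V1)] * 5 + [("alice", GUIDE_V2)] * 4 + [("bob", PAYROLL)] * 6
MODEL = build_model(HISTORY)
NEW = [("alice", GUIDE_V2), ("bob", PAYROLL), ("alice", PAYROLL)]

if __name__ == "__main__":
    for user, sig, share in detect(MODEL, NEW):
        print(f"anomaly: user={user} signature={sig} share={share}")
```

The two guide revisions map to one signature, so the edited document stays inside alice's profile, while her first access to the payroll content is the only event flagged.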
31. Apparatus, comprising:
a processor; and
a computer memory storing program instructions that when executed by the processor perform a method of detecting an information access anomaly, the method comprising:
monitoring data packets indicative of changing content over time;
generating a prototypical model; and
performing a semantic analysis against the prototypical model to identify an application level information access anomaly.
Dependent claims: 32 to 38.
Specification