Method of detecting anomalous behaviour in a computer network
Abstract
Method of detecting anomalous behavior in a computer network comprising the steps of:
- monitoring network traffic flowing in a computer network system,
- authenticating users to which network packets of the network traffic are associated,
- extracting parameters associated to the network packets for each user, said parameters including at least the type (T) of network services,
- forming symbols based on a combination of one or more of said parameters, and
- modeling and analyzing individual user behavior based on sequences of occurrence of said symbols (S).
15 Claims
1. Method of detecting anomalous behavior in a computer network comprising the steps of:
- monitoring network traffic flowing in a computer network system,
- authenticating users to which network packets of the network traffic are associated, comprising receiving kernel events requesting a connection, modifying the kernel events, transmitting the modified kernel events to a kernel of the operating system, generating connection and authentication information in the kernel, and sending authentication packets containing the authentication information and connection request information to an anomaly detection system in the computer network,
- extracting parameters associated to authentication packets for each user, said parameters including at least a type (T) of network services, and a network internet protocol group (N) being addressed,
- forming symbols based on a combination of one or more of said parameters, wherein at least some said symbols are based on a combination of a plurality of said parameters, and
- modeling and analyzing individual user behavior based on sequences of occurrence of said symbols (S).
Claims 2 to 11 depend on claim 1.
12. Anomaly detection system comprising an authentication module and anomaly detection system platform installed and deployed in a protected computer network system and configured to:
- monitor, with a computer, network traffic flowing in a computer network system,
- authenticate, with a computer, users to which network packets of the network traffic are associated by means of the authentication module, comprising receiving kernel events requesting a connection, modifying the kernel events, transmitting the modified kernel events to a kernel of the operating system, generating connection and authentication information in the kernel, and sending authentication packets containing the authentication information and connection request information to the anomaly detection system platform,
- extract, with a computer, parameters associated to authentication packets for each user, said parameters including at least a type (T) of network services, and a network internet protocol group (N) being addressed,
- form, with a computer, symbols based on a combination of one or more of said parameters, wherein at least some said symbols are based on a combination of a plurality of said parameters, and
- model and analyze, with a computer, individual user behavior based on sequences of occurrence of said symbols (S).
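The pipeline that claims 1 and 12 describe, from authenticated connection records through (T, N) symbol formation to per-user sequence modeling, as an added worked example. This is illustrative code written for this page, not code from the patent or its assignee. It assumes the kernel-side authentication step has already run upstream and produced records carrying the user, the service type T and the destination address; it takes N to be the /24 containing that address, and models each user's symbol sequence as a first-order Markov chain with additive smoothing, so a symbol or transition the user has never produced raises the score. The record class, the threshold value and all sample records are constructed for the demo.

```python
"""Per-user symbol-sequence anomaly detection in the style of claims 1 and 12.

Added illustration, not the patent's own code. Assumptions (not from the page):
authenticated connection records are already available (the kernel-event
authentication step is upstream of this code); N is the /24 containing the
destination address; the per-user behaviour model is a first-order Markov chain
over (T, N) symbols with additive smoothing.
"""
from __future__ import annotations

import ipaddress
import math
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class AuthRecord:
    """One authentication packet: who connected, to which service, to which address."""
    user: str
    service: str  # type T of network service, e.g. "https", "smb", "ssh"
    dst_ip: str   # destination address from which the IP group N is derived


def network_group(ip: str, prefix_len: int = 24) -> str:
    """Parameter N: the IP group being addressed (assumed here to be a /24)."""
    return str(ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False))


def symbol(rec: AuthRecord) -> tuple[str, str]:
    """Form symbol S from the combination of parameters (T, N)."""
    return (rec.service, network_group(rec.dst_ip))


class UserSequenceModel:
    """Models the order in which one user's symbols occur (first-order Markov)."""

    START = ("<start>", "")  # pseudo-symbol preceding every window

    def __init__(self, alpha: float = 0.5) -> None:
        self.alpha = alpha  # additive smoothing constant
        self.trans: dict[tuple, Counter] = defaultdict(Counter)
        self.vocab: set[tuple] = set()

    def fit(self, symbols: list[tuple[str, str]]) -> "UserSequenceModel":
        prev = self.START
        for s in symbols:
            self.trans[prev][s] += 1
            self.vocab.add(s)
            prev = s
        return self

    def log_prob(self, prev: tuple, cur: tuple) -> float:
        """Smoothed P(cur | prev); one extra vocabulary slot reserves mass for unseen symbols."""
        row = self.trans.get(prev, Counter())  # .get avoids inserting rows for unseen prev
        denom = sum(row.values()) + self.alpha * (len(self.vocab) + 1)
        return math.log((row[cur] + self.alpha) / denom)

    def score(self, symbols: list[tuple[str, str]]) -> float:
        """Mean negative log-likelihood per symbol; higher means less typical for this user."""
        prev, total = self.START, 0.0
        for s in symbols:
            total -= self.log_prob(prev, s)
            prev = s
        return total / max(len(symbols), 1)


def train_models(records: list[AuthRecord], alpha: float = 0.5) -> dict[str, UserSequenceModel]:
    """One behaviour model per authenticated user, built from that user's own symbol sequence."""
    per_user: dict[str, list] = defaultdict(list)
    for r in records:
        per_user[r.user].append(symbol(r))
    return {u: UserSequenceModel(alpha).fit(seq) for u, seq in per_user.items()}


def detect(models: dict[str, UserSequenceModel], user: str,
           window: list[AuthRecord], threshold: float) -> tuple[float, bool]:
    """Score a new window of records for `user`; a user with no baseline is flagged outright."""
    model = models.get(user)
    if model is None:
        return math.inf, True
    s = model.score([symbol(r) for r in window])
    return s, s > threshold


# Constructed baseline: alice alternates HTTPS to 10.0.1.x and SMB to 10.0.2.x.
BASELINE = [
    rec for i in range(5)
    for rec in (AuthRecord("alice", "https", f"10.0.1.{10 + i}"),
                AuthRecord("alice", "smb", f"10.0.2.{20 + i}"))
]
NORMAL_WINDOW = [AuthRecord("alice", "https", "10.0.1.37"), AuthRecord("alice", "smb", "10.0.2.41"),
                 AuthRecord("alice", "https", "10.0.1.38"), AuthRecord("alice", "smb", "10.0.2.42")]
# Constructed suspicious window: SSH into a subnet alice never used, then SMB off-network.
SUSPICIOUS_WINDOW = [AuthRecord("alice", "ssh", "10.0.9.5"), AuthRecord("alice", "smb", "192.168.50.7"),
                     AuthRecord("alice", "ssh", "10.0.9.6"), AuthRecord("alice", "ssh", "10.0.9.7")]
THRESHOLD = 0.7  # assumed operating point; calibrate on held-out normal windows in practice


def run_demo() -> dict:
    models = train_models(BASELINE)
    return {
        "normal": detect(models, "alice", NORMAL_WINDOW, THRESHOLD),
        "suspicious": detect(models, "alice", SUSPICIOUS_WINDOW, THRESHOLD),
        "unknown_user": detect(models, "mallory", NORMAL_WINDOW, THRESHOLD),
    }


if __name__ == "__main__":
    for name, (score, flagged) in run_demo().items():
        print(f"{name}: score={score:.3f} anomalous={flagged}")
```

The symbol is the combination (T, N) rather than T or N alone, which is the point the claims stress: SMB to a familiar file-server subnet and SMB to a never-seen network are different symbols, so the model distinguishes them even though the service type is identical. Scoring a window rather than a single packet keeps one unusual connection from tripping the detector on its own, while a run of unseen symbols and transitions does.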