Behavior-based traffic profiling based on access control information
First Claim
1. A device comprising:
- one or more processors to:
  - obtain, from a security device, traffic flow information associated with a user accessing a resource via a network, the traffic flow information being generated based on monitoring network traffic associated with the user accessing the resource, and the traffic flow information including information indicating a user role associated with the user and information identifying a source address and a destination address associated with the user accessing the resource;
  - determine, based on the information identifying the source address and the destination address, a user device and a destination device associated with the user accessing the resource;
  - determine whether a traffic behavior pattern, associated with the user role, exists;
  - when the traffic behavior pattern exists, the one or more processors are to:
    - update the traffic behavior pattern based on the traffic flow information, the user device, and the destination device to form an updated traffic behavior pattern;
  - when the traffic behavior pattern does not exist, the one or more processors are to:
    - determine, based on the traffic flow information, that a quantity of sessions associated with the user accessing the resource is greater than a threshold quantity of sessions;
    - generate, based on the quantity of sessions being greater than the threshold quantity of sessions, the traffic behavior pattern based on the traffic flow information and information associated with the user device and the destination device; and
  - provide one of the updated traffic behavior pattern or the generated traffic behavior pattern to the security device, the one of the updated traffic behavior pattern or the created traffic behavior pattern permitting the security device to control access, by the user, to the resource.
Abstract
A method includes receiving one or more of user information, role information, or authorization information associated with a user accessing a network, selecting a traffic flow to monitor that is associated with the one or more of user information, role information, or authorization information, monitoring the traffic flow, determining whether an anomaly exists with respect to the traffic flow based on a traffic behavior pattern associated with the one or more of user information, role information, or authorization information, and performing a security response when it is determined that the anomaly exists.
20 Claims
8. A non-transitory computer-readable medium storing instructions, the instructions comprising:
- one or more instructions that, when executed by one or more processors, cause the one or more processors to:
  - obtain, from a security device, traffic flow information associated with a user accessing a resource via a network, the traffic flow information being generated based on monitoring network traffic associated with the user accessing the resource, and the traffic flow information including information indicating a user role associated with the user and information identifying a source address and a destination address associated with the user accessing the resource;
  - determine, based on the information identifying the source address and the destination address, a user device and a destination device associated with the user accessing the resource;
  - determine whether a traffic pattern, associated with the user role, exists;
  - update, when the traffic pattern exists, the traffic pattern based on the traffic flow information, the user device, and the destination device;
  - when the traffic pattern does not exist:
    - determine, based on the traffic flow information, that a quantity of sessions associated with the user accessing the resource is greater than a threshold quantity of sessions;
    - generate, based on the quantity of sessions being greater than the threshold quantity of sessions, the traffic pattern based on the traffic flow information and information associated with the user device and the destination device; and
  - provide one of the updated traffic pattern or the generated traffic pattern to the security device, the one of the updated traffic pattern or the generated traffic pattern permitting the security device to control access, by the user, to the resource.
- Dependent claims: 9, 10, 11, 12, 13, 14
15. A method comprising:
- obtaining, by a network device and from a security device, traffic flow information associated with a user accessing a resource via a network, the traffic flow information being generated based on monitoring network traffic associated with the user accessing the resource, and the traffic flow information including information indicating a user role associated with the user and information identifying a source address and a destination address associated with the user accessing the resource;
- determining, by the network device and based on the information identifying the source address and the destination address, a user device and a destination device associated with the user accessing the resource;
- determining, by the network device, whether a traffic behavior pattern, associated with the user role, exists;
- updating, by the network device and when the traffic behavior pattern exists, the traffic behavior pattern based on the traffic flow information, the user device, and the destination device to form an updated traffic behavior pattern;
- when the traffic behavior pattern does not exist:
  - determining, by the network device and based on the traffic flow information, that a quantity of sessions associated with the user accessing the resource is greater than a threshold quantity of sessions; and
  - generating, by the network device and based on the quantity of sessions being greater than the threshold quantity of sessions, the traffic behavior pattern based on the traffic flow information and information associated with the user device and the destination device; and
- providing, by the network device, one of the updated traffic behavior pattern or the generated traffic behavior pattern to a security device, the one of the updated traffic behavior pattern or the generated traffic behavior pattern permitting the security device to control access, by the user, to the resource.
- Dependent claims: 16, 17, 18, 19, 20
Specification