Detecting anomalous behavior patterns in an electronic environment

US 8,959,633 B1
Filed: 03/14/2013
Issued: 02/17/2015
Est. Priority Date: 03/14/2013
Status: Active Grant

First Claim

Patent Images

1. A system for providing access to at least one host machine in a multi-tenant environment, comprising:

a plurality of host machines, each host machine including at least one processor and memory for storing instructions executable by the at least one processor;

at least one interface component enabling a user device to obtain access to at least one of the plurality of host machines; and

a monitoring component in communication with the plurality of host machines, the monitoring component configured to;

detect a change with respect to at least one of the host machines;

compare information for the change to a behavior baseline to determine whether the change matches an expected behavior;

monitor related changes for at least a period of time, when the change does not match an expected behavior, to determine a rate or a prevalence of a type of the change;

compare information for the rate or prevalence to at least one corresponding parameter value for baseline to determine whether the rate or prevalence falls within an expected parameter value range;

automatically add behavior information for the change to the baseline in response to the rate or prevalence falling within the expected parameter value range; and

generate a notification when the rate or prevalence falls outside the expected parameter value range,wherein the expected behavior is one of a plurality of expected behaviors, at least a portion of the expected behaviors being determined based at least in part upon data for purposeful behaviors observed within the plurality of host machines, andwherein at least a portion of the purposeful behaviors are specified by at least one user associated with the plurality of host machines.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The behavior of a group of resources, such as a fleet of servers, can be monitored to attempt to determine a baseline of acceptable behaviors. When a behavior is observed, the baseline can be consulted to determine whether the behavior is indicated to be acceptable. If not, the rate or extent at which the newly observed behavior is observed on groupings of similar resources can be monitored. This information can be used to determine whether the behavior is acceptable in which case information for the observed behavior can be used to automatically update the baseline such that the baseline is representative of current acceptable behavior within the group of resources.

71 Citations

View as Search Results

22 Claims

1. A system for providing access to at least one host machine in a multi-tenant environment, comprising:
- a plurality of host machines, each host machine including at least one processor and memory for storing instructions executable by the at least one processor;
  
  at least one interface component enabling a user device to obtain access to at least one of the plurality of host machines; and
  
  a monitoring component in communication with the plurality of host machines, the monitoring component configured to;
  
  detect a change with respect to at least one of the host machines;
  
  compare information for the change to a behavior baseline to determine whether the change matches an expected behavior;
  
  monitor related changes for at least a period of time, when the change does not match an expected behavior, to determine a rate or a prevalence of a type of the change;
  
  compare information for the rate or prevalence to at least one corresponding parameter value for baseline to determine whether the rate or prevalence falls within an expected parameter value range;
  
  automatically add behavior information for the change to the baseline in response to the rate or prevalence falling within the expected parameter value range; and
  
  generate a notification when the rate or prevalence falls outside the expected parameter value range,wherein the expected behavior is one of a plurality of expected behaviors, at least a portion of the expected behaviors being determined based at least in part upon data for purposeful behaviors observed within the plurality of host machines, andwherein at least a portion of the purposeful behaviors are specified by at least one user associated with the plurality of host machines.
- View Dependent Claims (2, 3, 4)
- - 2. The system of claim 1, further comprising:
    - a management component configured to collect the information for the rate or prevalence and update the expected parameter range using the information.
  - 3. The system of claim 1, wherein the change includes at least one of a change in software, a change in configuration, or a change in communication flow.
  - 4. The system of claim 1, wherein the prevalence includes at least one of a number, a percentage, or a type of host machine to which the change occurs.

5. A computer-implemented method, comprising:
- detecting a change in behavior affecting at least one resource in a plurality of electronic resources;
  
  comparing information for the change in behavior to a behavior baseline, the behavior baseline reflecting acceptable behaviors for a substantially current state of the plurality of electronic resources;
  
  detecting related changes reflecting a prevalence of the change in behavior for at least a portion of the plurality of electronic resources;
  
  determining whether the prevalence falls within parameter value ranges for one or more acceptable behaviors of the behavior baseline; and
  
  adding information for the change in behavior to the behavior baseline when the prevalence falls within the parameter value ranges for the one or more acceptable behaviors,wherein at least a portion of the acceptable behaviors are based at least in part upon data for purposeful behaviors observed within the plurality of electronic resources, at least a portion of the purposeful behaviors specified by at least one user associated with the plurality of electronic resources.
- View Dependent Claims (6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 6. The computer-implemented method of claim 5, further comprising:
    - determining a type of the change in behavior, wherein the type of the change in behavior is selected from a group of behaviors includes at least one of a change in software version, a deployment of a new software package, a change in device configuration, a change in software configuration, a change in observed control plane traffic, a change in network data flow, a change in communication pattern, or a new communication pattern.
  - 7. The computer-implemented method of claim 5, further comprising:
    - performing an action when the prevalence falls outside the parameter value ranges.
  - 8. The computer-implemented method of claim 7, wherein the action includes at least one of generating a notification for at least one user associated with the plurality of electronic resources, generating an alarm, throttling communication between two or more of the resources, or suspending operation of at least one operation on at least one of the resources.
  - 9. The computer-implemented method of claim 7, wherein the prevalence includes at least one of a rate of occurrence of the behavior, a number of occurrences of the behavior, a type of electronic resource exhibiting the behavior, or a frequency of occurrences of the behavior.
  - 10. The computer-implemented method of claim 5, wherein at least a portion of the purposeful behaviors are determined based at least in part upon a pervasiveness of behaviors among the plurality of electronic resources.
  - 11. The computer-implemented method of claim 5, further comprising:
    - computing a velocity for the change in behavior, wherein the prevalence of the change in behavior falling outside the parameter value ranges for the one or more acceptable behaviors corresponds to the velocity for the change deviating by more than an allowable amount with respect for an average velocity for a type of the change as determined using the behavior baseline.
  - 12. The computer-implemented method of claim 5, further comprising:
    - receiving information for the change affecting the at least one resource from an activity monitor operating on at least one of the at least one resource.
  - 13. The computer-implemented method of claim 5, further comprising:
    - determining that a minimum percentage of the plurality of resources exhibits the change in behavior before updating the behavior baseline.
  - 14. The computer-implemented method of claim 5, further comprising:
    - generating the behavior baseline by training a baseline model using initial behavior data and observed behavior data from the plurality of resources.

15. A system, comprising:
- a processor; and
  
  a memory device including instructions that, when executed by the processor, cause the processor to;
  
  monitor behavior of a plurality of electronic resources;
  
  detect a change in behavior affecting at least one resource in the plurality of electronic resources;
  
  determine whether the change in behavior is an acceptable behavior according to a behavior baseline;
  
  if the change in behavior is not indicated as an acceptable behavior according to the behavior baseline;
  
  determine a rate of related changes in behavior for at least a portion of the plurality of electronic resources;
  
  compare information for the rate of related changes in behavior to parameter values for acceptable behaviors of the behavior baseline; and
  
  automatically add information for the change in behavior to the baseline as corresponding to an acceptable behavior in response to the rate of related changes in behavior falling within acceptable parameter value ranges for one or more acceptable behaviors of the behavior baseline,wherein the acceptable behavior is one of a plurality of acceptable behaviors, at least a portion of the acceptable behaviors being determined based at least in part upon data for purposeful behaviors observed within the plurality of electronic resources, at least a portion of the purposeful behaviors specified by at least one user associated with the plurality of electronic resources.
- View Dependent Claims (16, 17, 18, 19)
- - 16. The system of claim 15, wherein the instructions when executed further cause the processor to:
    - perform an action when the rate of related changes in behavior falls outside the acceptable parameter value ranges.
  - 17. The system of claim 16, wherein the instructions when executed further cause the processor to:
    - determine a type of the change in behavior; and
      
      determine the action to perform based at least in part upon the type of the change in behavior.
  - 18. The system of claim 15, further comprising:
    - at least one monitoring component configured to monitor the behavior of a plurality of electronic resources.
  - 19. The system of claim 15, further comprising:
    - at least one baseline determining component configured to automatically update the behavior baseline.

20. A non-transitory computer-readable storage medium storing instructions that, when executed by at least one processor of a computer system, cause the computer system to:
- detect a change affecting at least one resource in a plurality of electronic resources;
  
  determine whether the change in behavior is an acceptable behavior according to a behavior baseline;
  
  if the change in behavior is not indicated as an acceptable behavior according to the behavior baseline;
  
  determine a prevalence of related changes in behavior for at least a portion of the plurality of electronic resources;
  
  compare information for the prevalence of related changes in behavior to parameter values for acceptable behaviors of the behavior baseline; and
  
  automatically add information for the change in behavior to the baseline as corresponding to an acceptable behavior in response to the prevalence of related changes in behavior falling within an acceptable parameter value range for one or more acceptable behaviors of the behavior baseline,wherein the acceptable behavior is one of a plurality of acceptable behaviors, at least a portion of the acceptable behaviors being determined based at least in part upon data for purposeful behaviors observed within the plurality of electronic resources, at least a portion of the purposeful behaviors specified by at least one user associated with the plurality of electronic resources.
- View Dependent Claims (21, 22)
- - 21. The non-transitory computer-readable storage medium of claim 20, wherein the prevalence includes at least one of a rate of occurrence of the behavior, a number of occurrences of the behavior, a type of electronic resource exhibiting the behavior, or a frequency of occurrences of the behavior.
  - 22. The non-transitory computer-readable storage medium of claim 20, wherein the action includes at least one of generating a notification for at least one user associated with the plurality of electronic resources, generating an alarm, throttling communication between two or more of the resources, or suspending operation of at least one operation on at least one of the resources.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Brandwine, Eric Jason, Dokey, Aaron Douglas, Searle, Ian Roger
Primary Examiner(s)
Perungavoor, Venkat
Assistant Examiner(s)
Mehrmanesh, Amir

Application Number

US13/828,265
Time in Patent Office

705 Days
Field of Search

726 1- 7, 726 22- 25, 705/30, 705 38- 41, 709/224
US Class Current

726/22
CPC Class Codes

G06F 21/50   Monitoring users, programs ...

G06F 21/554   involving event detection a...

H04L 63/1408   by monitoring network traff...

Detecting anomalous behavior patterns in an electronic environment

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

71 Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Detecting anomalous behavior patterns in an electronic environment

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

71 Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links