Detecting anomalous behavior patterns in an electronic environment
First Claim
1. A system for providing access to at least one host machine in a multi-tenant environment, comprising:
a plurality of host machines, each host machine including at least one processor and memory for storing instructions executable by the at least one processor;
at least one interface component enabling a user device to obtain access to at least one of the plurality of host machines; and
a monitoring component in communication with the plurality of host machines, the monitoring component configured to:
detect a change with respect to at least one of the host machines;
compare information for the change to a behavior baseline to determine whether the change matches an expected behavior;
monitor related changes for at least a period of time, when the change does not match an expected behavior, to determine a rate or a prevalence of a type of the change;
compare information for the rate or prevalence to at least one corresponding parameter value for baseline to determine whether the rate or prevalence falls within an expected parameter value range;
automatically add behavior information for the change to the baseline in response to the rate or prevalence falling within the expected parameter value range; and
generate a notification when the rate or prevalence falls outside the expected parameter value range,
wherein the expected behavior is one of a plurality of expected behaviors, at least a portion of the expected behaviors being determined based at least in part upon data for purposeful behaviors observed within the plurality of host machines, and
wherein at least a portion of the purposeful behaviors are specified by at least one user associated with the plurality of host machines.
Abstract
The behavior of a group of resources, such as a fleet of servers, can be monitored to attempt to determine a baseline of acceptable behaviors. When a behavior is observed, the baseline can be consulted to determine whether the behavior is indicated to be acceptable. If not, the rate or extent at which the newly observed behavior is observed on groupings of similar resources can be monitored. This information can be used to determine whether the behavior is acceptable, in which case information for the observed behavior can be used to automatically update the baseline such that the baseline is representative of current acceptable behavior within the group of resources.
71 Citations
22 Claims
1. A system for providing access to at least one host machine in a multi-tenant environment, comprising: (independent claim 1, reproduced in full above under First Claim)
Dependent claims: 2, 3, 4
5. A computer-implemented method, comprising:
detecting a change in behavior affecting at least one resource in a plurality of electronic resources;
comparing information for the change in behavior to a behavior baseline, the behavior baseline reflecting acceptable behaviors for a substantially current state of the plurality of electronic resources;
detecting related changes reflecting a prevalence of the change in behavior for at least a portion of the plurality of electronic resources;
determining whether the prevalence falls within parameter value ranges for one or more acceptable behaviors of the behavior baseline; and
adding information for the change in behavior to the behavior baseline when the prevalence falls within the parameter value ranges for the one or more acceptable behaviors,
wherein at least a portion of the acceptable behaviors are based at least in part upon data for purposeful behaviors observed within the plurality of electronic resources, at least a portion of the purposeful behaviors specified by at least one user associated with the plurality of electronic resources.
Dependent claims: 6, 7, 8, 9, 10, 11, 12, 13, 14

15. A system, comprising:
a processor; and
a memory device including instructions that, when executed by the processor, cause the processor to:
monitor behavior of a plurality of electronic resources;
detect a change in behavior affecting at least one resource in the plurality of electronic resources;
determine whether the change in behavior is an acceptable behavior according to a behavior baseline;
if the change in behavior is not indicated as an acceptable behavior according to the behavior baseline:
determine a rate of related changes in behavior for at least a portion of the plurality of electronic resources;
compare information for the rate of related changes in behavior to parameter values for acceptable behaviors of the behavior baseline; and
automatically add information for the change in behavior to the baseline as corresponding to an acceptable behavior in response to the rate of related changes in behavior falling within acceptable parameter value ranges for one or more acceptable behaviors of the behavior baseline,
wherein the acceptable behavior is one of a plurality of acceptable behaviors, at least a portion of the acceptable behaviors being determined based at least in part upon data for purposeful behaviors observed within the plurality of electronic resources, at least a portion of the purposeful behaviors specified by at least one user associated with the plurality of electronic resources.
Dependent claims: 16, 17, 18, 19

20. A non-transitory computer-readable storage medium storing instructions that, when executed by at least one processor of a computer system, cause the computer system to:
detect a change affecting at least one resource in a plurality of electronic resources;
determine whether the change in behavior is an acceptable behavior according to a behavior baseline;
if the change in behavior is not indicated as an acceptable behavior according to the behavior baseline:
determine a prevalence of related changes in behavior for at least a portion of the plurality of electronic resources;
compare information for the prevalence of related changes in behavior to parameter values for acceptable behaviors of the behavior baseline; and
automatically add information for the change in behavior to the baseline as corresponding to an acceptable behavior in response to the prevalence of related changes in behavior falling within an acceptable parameter value range for one or more acceptable behaviors of the behavior baseline,
wherein the acceptable behavior is one of a plurality of acceptable behaviors, at least a portion of the acceptable behaviors being determined based at least in part upon data for purposeful behaviors observed within the plurality of electronic resources, at least a portion of the purposeful behaviors specified by at least one user associated with the plurality of electronic resources.
Dependent claims: 21, 22
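The abstract and the four independent claims describe one mechanism: check an observed change against a baseline; if it is not expected, keep watching the grouping of similar resources for a period and measure how prevalent the change becomes; if the prevalence lands inside the accepted parameter range, learn the change into the baseline, otherwise raise a notification. The following Python sketch is an added illustration of that mechanism and is not the patent's or the assignee's code. Everything in it is an assumption: the class names, a fixed observation window of 60 time units, an accepted prevalence range of 50 to 100 percent of a group's hosts, and the constructed ten-host "web" group with its event stream (one operator-declared purposeful change, one fleet-wide rollout, one isolated change on a single host).

```python
from collections import defaultdict


class BehaviorBaseline:
    """Change types currently accepted for the fleet. Seeded with purposeful
    behaviors an operator declares; extended automatically by the monitor."""

    def __init__(self, purposeful=()):
        self.expected = {c: "operator-declared" for c in purposeful}

    def is_expected(self, change_type):
        return change_type in self.expected

    def add(self, change_type, reason):
        self.expected[change_type] = reason


class FleetMonitor:
    """Observe change -> consult baseline -> if unexpected, watch the group for
    `window` time units -> compare prevalence to accept_range -> learn or notify.
    All parameter values here are assumptions for the demonstration."""

    def __init__(self, baseline, groups, window, accept_range):
        self.baseline = baseline
        self.groups = groups                 # group name -> set of host ids
        self.window = window                 # monitoring period per unexpected change
        self.accept_range = accept_range     # (lo, hi) fraction of the group's hosts
        self.first_seen = {}                 # (group, change) -> time first observed
        self.seen_on = defaultdict(set)      # (group, change) -> hosts showing it
        self.notifications = []

    def observe(self, host, group, change_type, now):
        """Record one observed change and return the current decision."""
        if self.baseline.is_expected(change_type):
            return "expected"
        key = (group, change_type)
        self.first_seen.setdefault(key, now)
        self.seen_on[key].add(host)
        return self._evaluate(key, now)

    def tick(self, now):
        """Re-evaluate every unexpected change whose window may have elapsed,
        so a change that simply stops being reported is still decided."""
        return {key: self._evaluate(key, now) for key in list(self.first_seen)}

    def prevalence(self, key):
        group, _ = key
        hosts = self.groups[group]
        return len(self.seen_on[key] & hosts) / len(hosts)

    def _evaluate(self, key, now):
        if now - self.first_seen[key] < self.window:
            return "pending"                 # keep monitoring related changes
        p = self.prevalence(key)
        lo, hi = self.accept_range
        group, change_type = key
        if lo <= p <= hi:
            # widespread within the grouping: becomes part of the baseline
            self.baseline.add(change_type, f"learned at prevalence {p:.2f} in {group}")
            decision = "learned"
        else:
            self.notifications.append({"group": group, "change": change_type,
                                       "prevalence": round(p, 2),
                                       "hosts": sorted(self.seen_on[key])})
            decision = "alert"
        del self.first_seen[key]
        del self.seen_on[key]
        return decision


def run_demo():
    """Constructed scenario (not real fleet data): a 10-host web group, one
    operator-declared purposeful change, one rollout and one isolated change."""
    groups = {"web": {f"web-{i:02d}" for i in range(1, 11)}}
    baseline = BehaviorBaseline(purposeful=["pkg-upgrade:openssl"])
    mon = FleetMonitor(baseline, groups, window=60, accept_range=(0.5, 1.0))
    decisions = [mon.observe("web-01", "web", "pkg-upgrade:openssl", 0)]
    # rollout: a new listener appears on 8 of 10 hosts within 40 time units
    for i in range(1, 9):
        decisions.append(mon.observe(f"web-{i:02d}", "web", "listener:tcp/8443", i * 5))
    decisions.append(mon.tick(70)[("web", "listener:tcp/8443")])
    decisions.append(mon.observe("web-09", "web", "listener:tcp/8443", 75))
    # isolated change on one host: never reaches the accepted prevalence
    decisions.append(mon.observe("web-03", "web", "cron:/tmp/.update", 100))
    decisions.append(mon.tick(200)[("web", "cron:/tmp/.update")])
    return mon, decisions


if __name__ == "__main__":
    monitor, outcome = run_demo()
    print(outcome)
    print(monitor.baseline.expected)
    print(monitor.notifications)
```

Two points a defender would weigh when tuning such a monitor: the lower bound of `accept_range` decides how widespread a change must be before it is learned, so a low bound lets a change that reached many hosts through a single shared path be absorbed silently; and because the claims only notify on the out-of-range case, the "learned" decision should itself be written to an audit log so that baseline growth can be reviewed later.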
Specification