Detecting and managing abnormal data behavior
First Claim
1. A method performed by one or more processors, the method comprising:
- determining a normal data movement profile for a particular computing device representing observed data transfer behavior over a network by the particular computing device during a particular time period, the observed data transfer behavior including messages sent and received by the particular computing device over the network monitored by a computing device different than the particular computing device, the normal data movement profile including one or more normal data movement attributes associated with the particular computing device, wherein the normal data movement attributes include values representing observed amounts of data sent and received by the computing device over the network during the particular time period;
- identifying a data movement rule associated with the particular computing device, the data movement rule including a deviation amount representing a difference between an attribute of a detected data movement by the particular computing device and a corresponding normal movement attribute including a normal data movement profile for the particular computing device that represents a violation of the data movement rule, and one or more actions to take when the particular computing device deviates from the normal data movement profile by more than the deviation amount;
- detecting a data movement associated with the particular computing device;
- determining that the detected data movement exceeds the deviation amount included in the data movement rule relative to the normal data movement profile for the particular computing device; and
- performing the one or more actions associated with the data movement rule upon determining that the data movement violates the data movement rule, wherein the one or more actions include at least one of quarantining the particular computing device, generating an alert indicating that the particular computing device has violated the data movement rule, severing one or more outbound network connections associated with the particular computing device, or disabling the particular computing device for an amount of time.
Abstract
Methods and systems for providing destination-specific network management are described. One example method includes determining a normal data movement profile for a computing device based on observed normal data transfer behavior by the computing device; identifying a data movement rule associated with the computing device, the data movement rule including a deviation amount, and one or more actions to take when the computing device deviates from the normal data movement profile by more than the deviation amount; detecting a data movement associated with the computing device; determining that the detected data movement exceeds the deviation amount included in the data movement rule relative to the normal data movement profile for the computing device; and performing the one or more actions associated with the data movement rule upon determining that the data movement violates the data movement rule.
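The claimed method in working form, as an added example that is not the patent's own code: a baseline profile of bytes sent and received is built from traffic records taken by a separate sensor during a baseline period, a rule carries a deviation amount (in bytes) and the actions to take, and a detected movement is evaluated against both. Device names, traffic records and the byte thresholds are constructed for the example.

```python
from dataclasses import dataclass

# Actions named in the claim; a real deployment would wire these to EDR/NAC calls.
QUARANTINE, ALERT, SEVER_OUTBOUND, DISABLE = "quarantine", "alert", "sever_outbound", "disable"

@dataclass
class Profile:
    device: str
    bytes_sent: int
    bytes_received: int

@dataclass
class Rule:
    device: str
    deviation_amount: int    # bytes above the profile that counts as a violation
    actions: tuple = (ALERT,)

def build_profile(device, observations, start, end):
    """observations: (timestamp, src, dst, nbytes) records taken by a network
    sensor, i.e. a device other than the one being profiled. Only records
    inside the baseline period [start, end) contribute to the profile."""
    sent = received = 0
    for ts, src, dst, nbytes in observations:
        if not start <= ts < end:
            continue
        if src == device:
            sent += nbytes
        elif dst == device:
            received += nbytes
    return Profile(device, sent, received)

def evaluate(profile, rule, movement):
    """movement: {'sent': bytes, 'received': bytes} for the detected data
    movement. Returns the rule's actions when either attribute exceeds the
    profile by more than the deviation amount, otherwise an empty tuple."""
    if profile.device != rule.device:
        raise ValueError("rule does not apply to this device")
    sent_dev = movement.get("sent", 0) - profile.bytes_sent
    recv_dev = movement.get("received", 0) - profile.bytes_received
    return rule.actions if max(sent_dev, recv_dev) > rule.deviation_amount else ()

# Constructed sample traffic: ws-17 normally sends ~1 MB and receives ~5 MB per period.
OBSERVED = [
    (100, "ws-17", "fileserver", 600_000),
    (200, "fileserver", "ws-17", 5_000_000),
    (300, "ws-17", "mail", 400_000),
    (9_999, "ws-17", "mail", 50_000_000),  # outside the baseline window, ignored
]
PROFILE = build_profile("ws-17", OBSERVED, start=0, end=1_000)
RULE = Rule("ws-17", deviation_amount=2_000_000, actions=(ALERT, SEVER_OUTBOUND))
```

A movement of 2.5 MB sent stays within the 2 MB deviation amount and produces no action; a 40 MB outbound movement returns the rule's alert and sever-outbound actions.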
19 Claims
1. (Independent claim 1, as set out under First Claim above.) Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 19.
12. A system comprising:
- memory for storing data; and
- one or more processors operable to perform operations comprising:
  - determining a normal data movement profile for a particular computing device representing observed data transfer behavior over a network by the particular computing device during a particular time period, the observed data transfer behavior including messages sent and received by the particular computing device over the network monitored by a computing device different than the particular computing device, the normal data movement profile including one or more normal data movement attributes associated with the particular computing device, wherein the normal data movement attributes include values representing observed amounts of data sent and received by the computing device over the network during the particular time period;
  - identifying a data movement rule associated with the particular computing device, the data movement rule including a deviation amount representing a difference between an attribute of a detected data movement by the particular computing device and a corresponding normal movement attribute including a normal data movement profile for the particular computing device that represents a violation of the data movement rule, and one or more actions to take when the particular computing device deviates from the normal data movement profile by more than the deviation amount;
  - detecting a data movement associated with the particular computing device;
  - determining that the detected data movement exceeds the deviation amount included in the data movement rule relative to the normal data movement profile for the particular computing device; and
  - performing the one or more actions associated with the data movement rule upon determining that the data movement violates the data movement rule, wherein the one or more actions include at least one of quarantining the particular computing device, generating an alert indicating that the particular computing device has violated the data movement rule, severing one or more outbound network connections associated with the particular computing device, or disabling the particular computing device for an amount of time.
Dependent claims: 13, 14, 15, 16, 17.
18. A non-transitory, computer-readable medium storing instructions operable when executed to cause at least one processor to perform operations comprising:
- determining a normal data movement profile for a particular computing device representing observed data transfer behavior over a network by the particular computing device during a particular time period, the observed data transfer behavior including messages sent and received by the particular computing device over the network monitored by a computing device different than the particular computing device, the normal data movement profile including one or more normal data movement attributes associated with the particular computing device, wherein the normal data movement attributes include values representing observed amounts of data sent and received by the computing device over the network during the particular time period;
- identifying a data movement rule associated with the particular computing device, the data movement rule including a deviation amount representing a difference between an attribute of a detected data movement by the particular computing device and a corresponding normal movement attribute including a normal data movement profile for the particular computing device that represents a violation of the data movement rule, and one or more actions to take when the particular computing device deviates from the normal data movement profile by more than the deviation amount;
- detecting a data movement associated with the particular computing device;
- determining that the detected data movement exceeds the deviation amount included in the data movement rule relative to the normal data movement profile for the particular computing device; and
- performing the one or more actions associated with the data movement rule upon determining that the data movement violates the data movement rule, wherein the one or more actions include at least one of quarantining the particular computing device, generating an alert indicating that the particular computing device has violated the data movement rule, severing one or more outbound network connections associated with the particular computing device, or disabling the particular computing device for an amount of time.
Specification