Context aware network security monitoring for threat detection
First Claim
1. A method for context aware network security monitoring for threat detection, the method comprising:
- monitoring, by at least one processor, behavior of each of at least one node, associated with at least one user, in a network to generate a behavior profile for each of the at least one user, wherein the behavior of each of the at least one node is based on traffic flow through each of the at least one node, wherein the traffic flow is monitored by analyzing an Internet Protocol (IP) packet header of at least one data packet that has traveled through each of the at least one node, and wherein the IP packet header contains a security signature portion, the security signature portion includes geolocation information for at least one of the nodes that the data packet has passed or routed;
- comparing, by the at least one processor, the behavior profile for the at least one user with a baseline behavior profile for the at least one user;
- determining, by the at least one processor, when there is a difference between the behavior profile for the at least one user and the baseline behavior profile for the at least one user;
- flagging an event associated with the difference, by the at least one processor, when the difference at least one of exceeds a baseline threshold level, does not exceed a baseline threshold level, meets at least one criterion, and does not meet at least one criterion; and
- classifying the event, by the at least one processor, to an event classification.
1 Assignment
0 Petitions
Abstract
The disclosed method involves monitoring behavior of at least one node, associated with at least one user, in a network to generate a behavior profile for the user(s). The method further involves comparing the behavior profile for at least one user with a baseline behavior profile for the user(s). Also, the method involves determining when there is a difference between the behavior profile for at least one user and the baseline behavior profile for the user(s). Further, the method involves flagging an event associated with the difference: when the difference exceeds a baseline threshold level, does not exceed a baseline threshold level, meets at least one criterion, and/or does not meet at least one criterion. Additionally, the method involves classifying the event to an event classification. Further, the method involves transmitting the event to at least one other node in the network and/or a network operations center.
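The pipeline the claims and abstract describe (profile per user from observed traffic, compare with a baseline, flag when a threshold or criterion is met, classify, hand off to a network operations center) as a small working model. This is an added example, not code from the patent or its assignee: the flow record fields, the two profile features (destination geolocation taken from the header's security signature portion, and outbound byte volume), the threshold value and the event classes are all constructed assumptions chosen to illustrate the method.

```python
"""Added example (not part of the patent record): a minimal model of the
claimed method. Flow fields, profile features, thresholds and event classes
are constructed assumptions, not values taken from the patent."""
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class Flow:
    user: str
    node: str
    dst_geo: str      # geolocation from the header's security signature portion (assumed field)
    bytes_out: int


@dataclass
class Profile:
    """Behavior profile for one user, aggregated from the flows seen at their node(s)."""
    geos: Counter = field(default_factory=Counter)
    bytes_out: int = 0
    flows: int = 0


def build_profiles(flows):
    """Monitoring step: aggregate observed traffic into one behavior profile per user."""
    profiles = {}
    for f in flows:
        p = profiles.setdefault(f.user, Profile())
        p.geos[f.dst_geo] += 1
        p.bytes_out += f.bytes_out
        p.flows += 1
    return profiles


def compare(current, baseline):
    """Comparing/determining step: express the difference between current and baseline."""
    new_geos = set(current.geos) - set(baseline.geos)
    base_avg = baseline.bytes_out / baseline.flows if baseline.flows else 0.0
    cur_avg = current.bytes_out / current.flows if current.flows else 0.0
    # A user with no baseline at all (base_avg == 0) yields an infinite ratio and is flagged.
    volume_ratio = cur_avg / base_avg if base_avg else float("inf")
    return {"new_geos": sorted(new_geos), "volume_ratio": volume_ratio}


BYTES_RATIO_THRESHOLD = 3.0   # assumed "baseline threshold level"


def flag_and_classify(user, diff):
    """Flagging/classifying step: one event per criterion met or threshold exceeded."""
    events = []
    if diff["new_geos"]:  # criterion: traffic via a geolocation absent from the baseline
        events.append({"user": user, "class": "unexpected_geolocation",
                       "detail": diff["new_geos"]})
    if diff["volume_ratio"] > BYTES_RATIO_THRESHOLD:  # threshold: outbound volume per flow
        events.append({"user": user, "class": "volume_anomaly",
                       "detail": round(diff["volume_ratio"], 2)})
    return events


def monitor(baseline_flows, current_flows):
    """Run the pipeline; the returned list stands in for the events a transmitter
    would forward to another node or a network operations center."""
    baselines = build_profiles(baseline_flows)
    currents = build_profiles(current_flows)
    events = []
    for user, cur in currents.items():
        base = baselines.get(user, Profile())
        events.extend(flag_and_classify(user, compare(cur, base)))
    return events


# Constructed sample flows (not real traffic).
BASELINE_FLOWS = [
    Flow("alice", "gw1", "US", 12_000),
    Flow("alice", "gw1", "US", 8_000),
    Flow("alice", "gw1", "DE", 10_000),
    Flow("bob", "gw2", "US", 5_000),
    Flow("bob", "gw2", "US", 7_000),
]
CURRENT_FLOWS = [
    Flow("alice", "gw1", "US", 11_000),
    Flow("alice", "gw1", "DE", 9_000),
    Flow("bob", "gw2", "US", 6_000),
    Flow("bob", "gw2", "RU", 40_000),
]

if __name__ == "__main__":
    for event in monitor(BASELINE_FLOWS, CURRENT_FLOWS):
        print(event)
```

With the sample data, alice's current profile matches her baseline and produces nothing, while bob's traffic to a geolocation absent from his baseline and his per-flow volume (about 3.8 times the baseline average) produce two classified events. A user with no baseline profile at all is treated as entirely new behavior rather than silently skipped.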
61 Citations
37 Claims
1. Independent method claim as set out above under First Claim. Dependent claims: 2 to 19.
20. A system for context aware network security monitoring for threat detection, the system comprising:
at least one processor to monitor behavior of each of at least one node associated with at least one user in a network to generate a behavior profile for each of the at least one user, wherein the behavior of each of the at least one node is based on traffic flow through each of the at least one node, and wherein the traffic flow is monitored by analyzing an Internet Protocol (IP) packet header of at least one data packet that has traveled through each of the at least one node, wherein the IP packet header contains a security signature portion, the security signature portion includes geolocation information for at least one of the nodes that the data packet has passed or routed; compare the behavior profile for the at least one user with a baseline behavior profile for the at least one user; determine when there is a difference between the behavior profile for the at least one user and the baseline behavior profile for the at least one user; flag an event associated with the difference, when the difference at least one of exceeds a baseline threshold level, does not exceed a baseline threshold level, meets at least one criterion, and does not meet at least one criterion; and
classify the event to an event classification; and
at least one transmitter, associated with the at least one node associated with the at least one user, to transmit the event to at least one of at least one other node in the network and a network operations center.
Dependent claims: 21 to 37.
Specification