Identifying suspicious user logins in enterprise networks
First Claim
1. A method comprising steps of:
processing log data derived from one or more data sources associated with an enterprise network, wherein the enterprise network comprises multiple hosts;
generating a set of profiles, wherein the set comprises profiles corresponding to respective ones of multiple users and profiles corresponding to respective ones of the multiple hosts, wherein each profile comprises historical login information derived from said log data;
creating a graph based on said set of profiles, wherein said graph comprises (i) nodes representing said multiple users and said multiple hosts within the enterprise network, (ii) edges representing login instances linking together user-host pairs, and (iii) one or more communities identified among the nodes, wherein each community corresponds to a group of one or more users and one or more hosts that exhibit at least a specified level of interaction;
analyzing a login instance within the enterprise network against the graph;
identifying the login instance as inconsistent with the historical login information based on said graph; and
outputting said identification of the inconsistent login instance;
wherein said steps are carried out by at least one computing device.
Abstract
Methods, apparatus and articles of manufacture for identifying suspicious user logins in enterprise networks are provided herein. A method includes processing log data derived from one or more data sources associated with an enterprise network, wherein the enterprise network comprises multiple hosts; generating a set of profiles, wherein the set comprises a profile corresponding to each of multiple users and a profile corresponding to each of the multiple hosts, wherein each profile comprises one or more login patterns based on historical login information derived from said log data; and analyzing a login instance within the enterprise network against the set of profiles.
20 Claims
1. Claim 1 is set out in full above under First Claim; claims 2 to 16 depend on it.
17. An article of manufacture comprising a non-transitory processor-readable storage medium having processor-readable instructions tangibly embodied thereon which, when implemented, cause a processor to carry out steps comprising:
processing log data derived from one or more data sources associated with an enterprise network, wherein the enterprise network comprises multiple hosts;
generating a set of profiles, wherein the set comprises profiles corresponding to respective ones of multiple users and profiles corresponding to respective ones of the multiple hosts, wherein each profile comprises historical login information derived from said log data;
creating a graph based on said set of profiles, wherein said graph comprises (i) nodes representing said multiple users and said multiple hosts within the enterprise network, (ii) edges representing login instances linking together user-host pairs, and (iii) one or more communities identified among the nodes, wherein each community corresponds to a group of one or more users and one or more hosts that exhibit at least a specified level of interaction;
analyzing a login instance within the enterprise network against the graph;
identifying the login instance as inconsistent with the historical login information based on said graph; and
outputting said identification of the inconsistent login instance.
Claims 18 and 19 depend on claim 17.
20. An apparatus comprising:
a memory; and
at least one processor coupled to the memory; and
a plurality of modules executing on the at least one processor, wherein the plurality of modules comprise:
a normalization module configured to process log data derived from one or more data sources associated with an enterprise network, wherein the enterprise network comprises multiple hosts;
a behavioral profiler module configured to generate a set of profiles, wherein the set comprises profiles corresponding to respective ones of multiple users and profiles corresponding to respective ones of the multiple hosts, wherein each profile comprises historical login information derived from said log data;
an analysis module configured to:
create a graph based on said set of profiles, wherein said graph comprises (i) nodes representing said multiple users and said multiple hosts within the enterprise network, (ii) edges representing login instances linking together user-host pairs, and (iii) one or more communities identified among the nodes, wherein each community corresponds to a group of one or more users and one or more hosts that exhibit at least a specified level of interaction;
analyze a login instance within the enterprise network against the graph;
identify the login instance as inconsistent with the historical login information based on said graph; and
output said identification of the inconsistent login instance.
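The following Python sketch is an added example illustrating the pipeline the abstract and independent claims describe (normalization of log data, per-user and per-host profiles, a user/host graph with communities, and a check of a new login against it). It is not code from the patent, which names no implementation. The log line format, the user and host names, the sample events, the hour-of-day check and the minimum-interaction threshold are all constructed assumptions; connected components over edges that meet that threshold stand in for whatever community-identification method an implementation would use.

```python
"""Toy user/host login-graph anomaly check (added example, not the patent's code)."""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample log lines (not from any real system): "<ISO timestamp> <user> <host>".
SAMPLE_LOGS = """\
2024-03-04T08:02:11 alice ws-alice
2024-03-04T08:05:40 alice fileserver1
2024-03-04T09:12:03 bob ws-bob
2024-03-04T09:14:55 bob fileserver1
2024-03-04T09:30:00 alice fileserver1
2024-03-05T08:01:19 alice ws-alice
2024-03-05T08:07:02 bob fileserver1
2024-03-05T10:45:31 carol ws-carol
2024-03-05T10:50:12 carol db-prod-1
2024-03-05T11:02:44 dave db-prod-1
2024-03-05T11:10:09 dave ws-dave
2024-03-06T08:03:27 alice fileserver1
2024-03-06T09:20:18 bob ws-bob
2024-03-06T11:00:02 carol db-prod-1
"""

LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")  # assumed line shape


def parse_logs(text):
    """Normalization step: raw lines -> (timestamp, user, host); malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts, user, host = m.groups()
        events.append((datetime.fromisoformat(ts), user, host))
    return events


def build_profiles(events):
    """Behavioral profiler: historical login information per user and per host."""
    users = defaultdict(lambda: {"hosts": Counter(), "hours": Counter()})
    hosts = defaultdict(lambda: {"users": Counter()})
    for ts, user, host in events:
        users[user]["hosts"][host] += 1
        users[user]["hours"][ts.hour] += 1   # assumed pattern feature: hour of day
        hosts[host]["users"][user] += 1
    return dict(users), dict(hosts)


def build_graph(users, min_interaction=1):
    """Bipartite user/host graph; edge weight = login count for the pair.
    Communities: connected components after dropping edges below min_interaction
    (a stand-in for the 'specified level of interaction' in the claims)."""
    adj = defaultdict(set)
    weight = {}
    for user, prof in users.items():
        for host, n in prof["hosts"].items():
            weight[(user, host)] = n
            if n >= min_interaction:
                adj[("u", user)].add(("h", host))
                adj[("h", host)].add(("u", user))
    community = {}
    for start in list(adj):
        if start in community:
            continue
        cid = len(set(community.values()))
        stack = [start]
        while stack:
            node = stack.pop()
            if node in community:
                continue
            community[node] = cid
            stack.extend(adj[node])
    return {"weight": weight, "community": community}


def analyze_login(user, host, hour, users, graph):
    """Analysis step: compare one login instance with the graph and the user's profile.
    Returns (inconsistent, reasons)."""
    if user not in users:
        return True, ["user has no login history"]
    reasons, inconsistent = [], False
    if (user, host) in graph["weight"]:
        reasons.append("known user-host pair")
    else:
        cu = graph["community"].get(("u", user))
        ch = graph["community"].get(("h", host))
        if ch is None:
            inconsistent = True
            reasons.append("host absent from login history")
        elif cu is None or cu != ch:
            inconsistent = True
            reasons.append("host belongs to a different community than the user")
        else:
            reasons.append("unseen pair, but user and host share a community")
    if hour not in users[user]["hours"]:
        inconsistent = True
        reasons.append("hour %02d outside the user's historical login hours" % hour)
    return inconsistent, reasons


def run_demo():
    """Build profiles and graph from the sample logs, then score four constructed logins."""
    users, _hosts = build_profiles(parse_logs(SAMPLE_LOGS))
    graph = build_graph(users, min_interaction=1)
    checks = [("alice", "fileserver1", 8), ("alice", "ws-bob", 9),
              ("alice", "db-prod-1", 3), ("mallory", "db-prod-1", 11)]
    results = {}
    for user, host, hour in checks:
        inconsistent, reasons = analyze_login(user, host, hour, users, graph)
        results[(user, host, hour)] = inconsistent
        print("%-8s -> %-12s @%02d  %s  (%s)" % (
            user, host, hour, "SUSPICIOUS" if inconsistent else "ok", "; ".join(reasons)))
    return results


if __name__ == "__main__":
    run_demo()
```

Raising `min_interaction` is where the community step earns its keep: with a cutoff of 2 on this sample, dave's single logins no longer place him in any community, so a later dave login is judged purely on its user-host pair rather than on neighbours he barely interacts with. In a real deployment the hour-of-day rule would need a tolerance window and a minimum history length before it is allowed to flag anything.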
Specification