Detecting emergent behavior in communications networks
First Claim
1. A method, comprising:
performing, by a computer system:
- decomposing a plurality of data packets into a plurality of component data types, the plurality of data packets associated with a candidate alert representing a potential security threat in a communications network;
- retrieving, from a database, a count for each of a plurality of historical data types, the plurality of historical data types matching at least a subset of the component data types, each of the counts quantifying an amount of data of a corresponding historical data type previously detected in the communications network in a given time period;
- calculating a score that indicates an aggregate discrepancy between an amount of data in each of the subset of the component data types and the counts for each corresponding one of the historical data types for a particular hour of day, a particular day of the week, the particular day within the month, and the particular day within a year for the given time period; and
- handling the candidate alert based, at least in part, upon the score, wherein handling the candidate alert further comprises issuing the candidate alert in response to the score meeting a threshold value, and suppressing the candidate alert in response to the score not meeting the threshold value.
Abstract
Systems and methods of detecting emergent behaviors in communications networks are disclosed. In some embodiments, a method may include decomposing a plurality of data packets into a plurality of component data types associated with a candidate alert representing a potential security threat in a network. The method may also include retrieving, from a database, a count for each of a plurality of historical data types matching at least a subset of the component data types, each of the counts quantifying an amount of data of a corresponding historical data type previously detected in the network in a given time period. The method may further include calculating a score that indicates a discrepancy between an amount of data in each of the subset of the component data types and the counts for each corresponding historical data type in the same time period, and handling the candidate alert based upon the score.
22 Citations
18 Claims
1. A method, comprising:
performing, by a computer system:
- decomposing a plurality of data packets into a plurality of component data types, the plurality of data packets associated with a candidate alert representing a potential security threat in a communications network;
- retrieving, from a database, a count for each of a plurality of historical data types, the plurality of historical data types matching at least a subset of the component data types, each of the counts quantifying an amount of data of a corresponding historical data type previously detected in the communications network in a given time period;
- calculating a score that indicates an aggregate discrepancy between an amount of data in each of the subset of the component data types and the counts for each corresponding one of the historical data types for a particular hour of day, a particular day of the week, the particular day within the month, and the particular day within a year for the given time period; and
- handling the candidate alert based, at least in part, upon the score, wherein handling the candidate alert further comprises issuing the candidate alert in response to the score meeting a threshold value, and suppressing the candidate alert in response to the score not meeting the threshold value.
(Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
12. A computer system, comprising:
at least one processor; and
a memory coupled to the at least one processor, the memory configured to store instructions executable by the at least one processor to cause the computer system to:
- decompose a plurality of data packets into a plurality of component data types, the plurality of data packets associated with a candidate alert representing a potential security threat in a network, at least one of the plurality of data types including a combination of two or more of: a protocol, a source address, a destination address, a source port, or a destination port;
- for each of the plurality of data types, determine one or more counts selected from the group consisting of: a number of packets entering the network, a number of packets leaving the network, an amount of data entering the network, or an amount of data leaving the network;
- update, in a database, one or more historical counts for each of a plurality of historical data types corresponding to the plurality of data types for a particular hour of day, a particular day of the week, the particular day within the month, and the particular day within a year for a given time period based upon the one or more counts; and
- perform at least one of: (i) issue a candidate alert in response to a score meeting a threshold value, or (ii) suppress the candidate alert in response to the score not meeting the threshold value.
(Dependent claims: 13, 14)
15. A non-transitory computer-readable storage medium having program instructions stored thereon that, upon execution by a computer system, cause the computer system to:
- decompose a plurality of data packets into a plurality of component data types, the plurality of data packets associated with a candidate alert representing a potential security threat in a computer network, at least one of the plurality of data types including a combination of at least two elements selected from the group consisting of: a protocol, a source address, a destination address, a source port, a destination port, an alert type, and a service type;
- retrieve, from a database, a count for each of a plurality of historical data types, the plurality of historical data types matching at least a subset of the component data types, each of the counts quantifying an amount of data of a corresponding historical data type previously detected in the computer network in a given time period, the counts including at least one of: a number of packets entering the computer network, a number of packets leaving the computer network, an amount of data entering the computer network, or an amount of data leaving the computer network;
- calculate a score that indicates an aggregate discrepancy between an amount of data in each of the subset of the component data types and the counts for each corresponding one of the historical data types for a particular hour of day, a particular day of the week, the particular day within the month, and the particular day within a year for the given time period, at least in part, by applying a weight to a discrepancy involving a data type having a combination of fewer of the elements that is less than another weight applied to another discrepancy involving another data type having another combination of more of the elements, and calculating a weighted average of each discrepancy and corresponding weight, wherein the given time period includes a combination of two or more of: a time interval, a day of the week, a day of the month, a week of the month, a day of the year, or a month of the year; and
- perform at least one of: (i) issue the candidate alert in response to the score meeting a threshold value, or (ii) suppress the candidate alert in response to the score not meeting the threshold value.
(Dependent claims: 16, 17, 18)
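The pipeline the three independent claims describe (decompose packets into field-combination data types, keep historical counts per calendar context, score the aggregate discrepancy with heavier weights on more specific combinations, then issue or suppress the candidate alert against a threshold) is shown end to end below. This is an added illustration, not the patent's own implementation: the type shapes, the relative-deviation formula, the rule that an unobserved calendar context is skipped rather than treated as zero, and all packet and timestamp data are constructed for the example, and the in-memory Counter stands in for the database named in the claims.

```python
"""Worked example of the claimed alert-scoring pipeline (added illustration).
The history store is a constructed in-memory Counter standing in for the
database named in the claims; all packets and timestamps are constructed."""
from collections import Counter
from datetime import datetime

# Component data types are field combinations of increasing specificity.
# Following claim 15, a type built from more elements gets a larger weight.
TYPE_SHAPES = (
    ("protocol",),
    ("protocol", "dport"),
    ("protocol", "src", "dst"),
    ("protocol", "src", "dst", "sport", "dport"),
)


def decompose(packets):
    """Count packets per component data type: (shape, observed field values)."""
    counts = Counter()
    for pkt in packets:
        for shape in TYPE_SHAPES:
            counts[(shape, tuple(pkt[f] for f in shape))] += 1
    return counts


def time_contexts(ts):
    """The calendar contexts the claims key historical counts on."""
    return (("hour", ts.hour), ("dow", ts.weekday()),
            ("dom", ts.day), ("doy", ts.timetuple().tm_yday))


def new_history():
    # counts[(type_key, ctx)] = packets seen; windows[ctx] = windows observed
    return {"counts": Counter(), "windows": Counter()}


def update_history(history, packets, ts):
    """Claim 12's update step: fold one observed time window into the store."""
    counts = decompose(packets)
    for ctx in time_contexts(ts):
        history["windows"][ctx] += 1
        for key, n in counts.items():
            history["counts"][(key, ctx)] += n


def baseline(history, key, ctx):
    """Mean packets per window for this type in this context, or None when the
    context itself has never been observed (unknown is not anomalous)."""
    windows = history["windows"][ctx]
    if windows == 0:
        return None
    return history["counts"][(key, ctx)] / windows


def score_alert(packets, history, ts):
    """Weighted average of per-type relative discrepancies (claims 1 and 15)."""
    weighted_sum = weight_total = 0.0
    for key, observed in decompose(packets).items():
        deviations = []
        for ctx in time_contexts(ts):
            expected = baseline(history, key, ctx)
            if expected is None:
                continue  # no history for this calendar context: skip it
            deviations.append(abs(observed - expected) / max(expected, 1.0))
        if not deviations:
            continue
        weight = len(key[0])  # fewer elements in the combination -> smaller weight
        weighted_sum += weight * (sum(deviations) / len(deviations))
        weight_total += weight
    return weighted_sum / weight_total if weight_total else 0.0


def handle_alert(packets, history, ts, threshold):
    """Issue the candidate alert if the score meets the threshold, else suppress."""
    score = score_alert(packets, history, ts)
    return ("issue" if score >= threshold else "suppress"), score


def _pkt(src, dst, sport, dport, protocol="tcp"):
    return {"protocol": protocol, "src": src, "dst": dst,
            "sport": sport, "dport": dport}


def demo(threshold=0.5):
    """Constructed data: two past Monday-10:00 windows of the same two HTTPS
    flows, then one normal and one anomalous candidate window at that hour."""
    normal = [_pkt("10.0.0.5", "10.0.0.9", 50001, 443),
              _pkt("10.0.0.5", "10.0.0.9", 50002, 443)]
    burst = normal + [_pkt("10.0.0.5", "10.0.0.9", p, 22)
                      for p in range(50003, 50009)]
    history = new_history()
    update_history(history, normal, datetime(2023, 3, 6, 10))
    update_history(history, normal, datetime(2023, 3, 13, 10))
    when = datetime(2023, 3, 20, 10)
    return (handle_alert(normal, history, when, threshold),
            handle_alert(burst, history, when, threshold))


if __name__ == "__main__":
    print(demo())
```

With this data the normal candidate scores 0.0 and is suppressed, while the window with six new port-22 flows scores 1.125 and is issued: the coarse `protocol` type deviates by a factor of 3, and the six never-seen 5-tuples each carry the largest weight. Two caveats matter in practice. The day-of-month and day-of-year contexts have only one prior window each here, so they are skipped; with sparse history those calendar contexts say nothing, and a deployment needs enough windows per context before its counts mean anything. And because a 5-tuple that has never been seen deviates by its full count against a baseline of zero, the weighting in claim 15 makes the score very sensitive to novel flows, which is desirable for detecting emergent behaviour but means the threshold has to be set against a baseline of how many new flows a quiet hour normally produces.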
Specification