Method and apparatus for identifying a threatening network
Abstract
A system and method for identifying a threatening network is provided. The system comprises a network movement before/after algorithm that provides a graphical plot of changes in networks' communications activity from before to after a key event occurs, so that an analyst is able to identify anomalous behavior; a network progression algorithm that provides a graphical plot to analyze behavior in small increments of time without specification or emphasis upon a particular event, so that the analyst is able to see a trend in behavioral changes; a statistical network anomaly ranking algorithm that provides as output a ranked list of the networks; and an anomaly trend graphs algorithm that analyzes and visualizes the networks' anomaly scores over time, so that the analyst is able to see which networks are consistently suspicious, which networks accumulate more suspiciousness in response to an event, and which networks are trending toward more suspiciousness.
15 Claims
1. A method for identifying a threatening network, the method comprising:
- providing a dataset comprising communications activity of a plurality of networks;
- performing an AT-SIG algorithm on the dataset;
- displaying a graphic output of the AT-SIG algorithm for each of the plurality of networks; and
- identifying a network having anomalous communications activity by a visual comparison of the graphic output of the AT-SIG algorithm for each of the plurality of networks;
- wherein the AT-SIG algorithm comprises providing a network movement before/after algorithm that provides a graphical plot of changes in networks' communications activity from before to after a key event occurs, wherein the network movement before/after algorithm, after accepting a date of the key event known to be of interest, accepting a selection of a social network analysis (SNA) metrics of interest, and accepting a selection of a time interval duration, performs the steps of:
  1) assigning weights to edges between pairs of nodes in a network equal to the average frequency of communications between the pairs of nodes as the pairs of nodes appear in the time interval duration;
  2) randomly sampling from Poisson distributions of the edges to create a sample of each of the networks, and computing a plurality of SNA metrics for the networks to generate a matrix that is N×M in size, wherein N is the cardinality of the plurality of networks and M is the cardinality of the plurality of SNA metrics; and
  3) repeating steps 1) to 2) multiple times to generate multiple SNA metric samples for each network,
- wherein the network movement before/after algorithm generates a set of SNA metric samples for each network before the date of the key event and a set of SNA metric samples for each network after the date of the key event;
- wherein the AT-SIG algorithm further comprises one or more of the following:
  - providing a network progression algorithm that provides a graphical plot to analyze behavior in small increments of time without specification or emphasis upon a particular event;
  - providing a statistical network anomaly ranking algorithm that provides as output a ranked list of the networks; and
  - providing an anomaly trend graphs algorithm that analyzes and visualizes the networks' anomaly scores over time.
8. An asymmetric threat signatures (AT-SIG) system comprising:
- one or more processing units;
- a display device;
- memory media, the memory media comprising a dataset comprising communications activity of a plurality of networks; and
- instructions which when loaded into the memory media and executed by the one or more processing units cause the AT-SIG device to perform an AT-SIG algorithm on the dataset and to display on the display device a graphic output of the AT-SIG algorithm for each of the plurality of networks;
- wherein the AT-SIG algorithm comprises a network movement before/after algorithm that provides a graphical plot of changes in networks' communications activity from before to after a key event occurs, wherein the network movement before/after algorithm, after accepting a date of the key event known to be of interest, accepting a selection of a social network analysis (SNA) metrics of interest, and accepting a selection of a time interval duration, performs the steps of:
  1) assigning weights to edges between pairs of nodes in a network equal to the average frequency of communications between the pairs of nodes as the pairs of nodes appear in the time interval duration;
  2) randomly sampling from Poisson distributions of the edges to create a sample of each of the networks, and computing a plurality of SNA metrics for the networks to generate a matrix that is N×M in size, wherein N is the cardinality of the plurality of networks and M is the cardinality of the plurality of SNA metrics; and
  3) repeating steps 1) to 2) multiple times to generate multiple SNA metric samples for each network,
- wherein the network movement before/after algorithm generates a set of SNA metric samples for each network before the date of the key event and a set of SNA metric samples for each network after the date of the key event;
- wherein the AT-SIG algorithm further comprises one or more of the following:
  - a network progression algorithm that provides a graphical plot to analyze behavior in small increments of time without specification or emphasis upon a particular event;
  - a statistical network anomaly ranking algorithm that provides as output a ranked list of the networks; and
  - an anomaly trend graphs algorithm that analyzes and visualizes the networks' anomaly scores over time.
15. An asymmetric threat signatures (AT-SIG) device including one or more processors that execute instructions for identifying a threatening network, the instructions comprising:
- executing a network movement before/after algorithm to provide a graphical plot of changes in communications activity of a plurality of networks from before to after a key event occurs, wherein the network movement before/after algorithm, after accepting a date of the key event known to be of interest, accepting a selection of a social network analysis (SNA) metrics of interest, and accepting a selection of a time interval duration, performs the steps of:
  1) assigning weights to edges between pairs of nodes in a network equal to the average frequency of communications between the pairs of nodes as the pairs of nodes appear in the time interval duration;
  2) randomly sampling from Poisson distributions of the edges to create a sample of each of the networks, and computing a plurality of SNA metrics for the networks to generate a matrix that is N×M in size, wherein N is the cardinality of the plurality of networks and M is the cardinality of the plurality of SNA metrics; and
  3) repeating steps 1) to 2) multiple times to generate multiple SNA metric samples for each network,
- wherein the network movement before/after algorithm generates a set of SNA metric samples for each network before the date of the key event and a set of SNA metric samples for each network after the date of the key event;
- executing a network progression algorithm to provide a graphical plot to analyze behavior in small increments of time without specification or emphasis upon a particular event;
- executing a statistical network anomaly ranking algorithm to provide as output a ranked list of the networks; and
- executing an anomaly trend graphs algorithm to analyze and visualize the networks' anomaly scores over time.
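An added example, not code from the patent: steps 1) to 3) of the network movement before/after algorithm recited in claims 1, 8 and 15, written in Python. The record layout, the three metrics chosen (density, mean node strength, hub share), the equal-length before and after windows, the reading of "average frequency" as communications per interval, and the sample data are all assumptions made for illustration.

```python
import math
import random
from collections import Counter

# Constructed sample records (network, day, node_a, node_b); key event on day 10.
RECORDS = ([("A", d, "a1", "a2") for d in range(20)] +
           [("B", d, "b1", "b2") for d in (0, 5)] +
           [("B", d, "b1", x) for d in range(10, 20) for x in ("b2", "b3")] * 3)

def edge_rates(records, net, start, end, interval):
    """Step 1: edge weight = average communications per interval (assumed reading)."""
    counts = Counter(frozenset((a, b)) for n, day, a, b in records
                     if n == net and start <= day < end)
    return {e: c * interval / (end - start) for e, c in counts.items()}

def poisson(lam, rng):
    """Knuth's Poisson sampler (the stdlib has none); adequate for small rates."""
    limit, k, p = math.exp(-lam), 0, rng.random()
    while p > limit:
        k, p = k + 1, p * rng.random()
    return k

def sna_metrics(weights):
    """Illustrative metric choice (M = 3): density, mean node strength, hub share."""
    strength = Counter()
    for edge, w in weights.items():
        for node in edge:
            strength[node] += w
    n, total = max(1, len(strength)), sum(weights.values())
    density = sum(w > 0 for w in weights.values()) / max(1, n * (n - 1) // 2)
    return [density, 2 * total / n, max(strength.values(), default=0) / max(1, 2 * total)]

def sample_sets(records, nets, start, end, interval, reps, rng):
    """Steps 2-3: `reps` Poisson-resampled N x M metric matrices."""
    rates = [edge_rates(records, n, start, end, interval) for n in nets]
    return [[sna_metrics({e: poisson(lam, rng) for e, lam in r.items()})
             for r in rates] for _ in range(reps)]

def before_after(records, nets, event_day, window, interval, reps=200, seed=7):
    """Sample sets for the window before and the window after the key event."""
    rng = random.Random(seed)
    spans = {"before": (event_day - window, event_day),
             "after": (event_day, event_day + window)}
    return {k: sample_sets(records, nets, s, e, interval, reps, rng)
            for k, (s, e) in spans.items()}

def movement(result, i, j):
    """Mean change of metric j for network i from before to after the event."""
    mean = lambda s: sum(m[i][j] for m in s) / len(s)
    return mean(result["after"]) - mean(result["before"])
```

With `result = before_after(RECORDS, ["A", "B"], event_day=10, window=10, interval=5)`, `movement(result, 1, 1)` shows network B's mean node strength rising sharply after the event while `movement(result, 0, 1)` for network A stays near zero, which is the contrast the claimed before/after plot is meant to surface.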
Specification