Network anomaly detection
First Claim
1. An anomaly-detection computer system to identify when a user of a network is a malicious actor, the anomaly-detection computer system comprising:
one or more computer readable storage devices configured to store one or more software modules including computer executable instructions; and
one or more hardware computer processors in communication with the one or more computer readable storage devices and configured to execute the one or more software modules in order to cause the computer system to:
log, to the one or more computer readable storage devices, activity on the network by a plurality of users, the activity comprising indications of port numbers associated with the activity on the network;
calculate similarity scores by, in part, comparing port numbers associated with a first user of the plurality of users to port numbers associated with other users of the plurality of users, the similarity scores calculated based at least in part on the logged activity on the network;
sort the plurality of users into a plurality of cohorts based at least in part on which of the plurality of users have similarity scores that satisfy a similarity threshold;
store data into a memory, the data identifying which of the plurality of users were sorted into the plurality of cohorts;
detect a first port number indicated in a new network activity of the first user of the plurality of users, wherein the first user is associated with a first cohort of the plurality of cohorts; and
determine, based at least in part on a comparison performed by the one or more processors of the first port number to other port numbers associated with the first cohort, that the new network activity associated with the first user is anomalous.
8 Assignments
0 Petitions
Abstract
A security system detects anomalous activity in a network. The system logs user activity, which can include ports used, compares users to find similar users, sorts similar users into cohorts, and compares new user activity to logged behavior of the cohort. The comparison can include a divergence calculation. Origins of user activity can also be used to determine anomalous network activity. The hostname, username, IP address, and timestamp can be used to calculate aggregate scores and convoluted scores.
122 Citations
15 Claims
1. Independent claim; text as set out under First Claim above. Dependent claims 2 to 11.
12. A computer readable, non-transitory storage medium having a computer program stored thereon executable by one or more processors of an anomaly detection system in a network to:
log resource accesses by a plurality of users during a first time period;
calculate a plurality of similarity scores for the plurality of users, the plurality of similarity scores comprising a first similarity score between a first user of the plurality of users and a second user of the plurality of users;
assign, based at least in part on the first similarity score exceeding a similarity threshold, the first user and the second user to a first cohort;
log first data comprising port numbers used in accessing a first plurality of resource accesses by the first user during a second time period that is at least partially different from the first time period;
log second data comprising port numbers used in accessing a second plurality of resource accesses by members of the first cohort;
determine a probability score of the first plurality of resource accesses occurring based on the second data; and
generate, based at least on the probability score, an indicator of a potential anomaly.
Dependent claims 13 to 15.
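The following is an added example, not code from the patent or its assignee, that implements the pipeline described by claim 1, claim 12 and the abstract over a constructed log: per-user port profiles, pairwise similarity scores, threshold-based cohort assignment, and then a check of a user's new port activity against the cohort's logged ports (claim 1), a smoothed probability score for the new sequence of accesses (claim 12), and a divergence between the user's new port mix and the cohort's (the abstract's divergence calculation). Jaccard similarity, greedy single-link cohort assignment, additive smoothing, KL divergence, the 0.5 similarity threshold and the usernames and ports in the log are all assumptions made for the example; the patent does not specify them.

```python
"""
Added example, not the patent's own code: cohort-based port anomaly scoring
over a constructed log. Jaccard similarity, greedy cohort assignment,
additive smoothing and KL divergence are assumed choices for illustration.
"""
import math
from collections import Counter, defaultdict

# Constructed baseline activity for the first time period: (user, port).
BASELINE_LOG = [
    ("alice", 443), ("alice", 443), ("alice", 22), ("alice", 445),
    ("bob", 443), ("bob", 22), ("bob", 445), ("bob", 3389),
    ("carol", 443), ("carol", 445), ("carol", 22),
    ("dave", 80), ("dave", 8080), ("dave", 5432),
    ("erin", 80), ("erin", 5432), ("erin", 8080), ("erin", 443),
]


def port_profiles(log):
    """Per-user Counter of the ports they touched (the logged port indications)."""
    profiles = defaultdict(Counter)
    for user, port in log:
        profiles[user][port] += 1
    return dict(profiles)


def jaccard(ports_a, ports_b):
    """Similarity score: overlap of two users' port sets."""
    a, b = set(ports_a), set(ports_b)
    return len(a & b) / len(a | b) if (a | b) else 0.0


def build_cohorts(profiles, threshold):
    """Greedy single-link grouping: a user joins the first cohort holding a
    member whose similarity to them satisfies the threshold, else starts a
    new cohort. Returns {user: cohort_id}, the data that gets stored."""
    cohorts, assignment = [], {}
    for user in sorted(profiles):
        for cid, members in enumerate(cohorts):
            if any(jaccard(profiles[user], profiles[m]) >= threshold for m in members):
                members.append(user)
                assignment[user] = cid
                break
        else:
            cohorts.append([user])
            assignment[user] = len(cohorts) - 1
    return assignment


def cohort_port_counts(profiles, assignment, cohort_id, exclude=None):
    """Aggregate port counts over a cohort's logged activity (claim 12's
    'second data'). `exclude` drops the scored user's own history so a user
    cannot vouch for their own habits."""
    counts = Counter()
    for user, cid in assignment.items():
        if cid == cohort_id and user != exclude:
            counts.update(profiles[user])
    return counts


def port_probability(port, cohort_counts, port_space, alpha=0.1):
    """Additively smoothed P(port | cohort): a port the cohort never used gets
    a small non-zero mass instead of a zero that would break the log."""
    total = sum(cohort_counts.values())
    return (cohort_counts[port] + alpha) / (total + alpha * port_space)


def score_new_activity(user, new_ports, profiles, assignment):
    """Compare a user's new port activity against their cohort's history and
    return the comparison results plus an anomaly indicator."""
    cohort_counts = cohort_port_counts(profiles, assignment, assignment[user], exclude=user)
    # Smoothing spreads mass over every port seen in the baseline plus one
    # bucket for anything never seen (assumed choice).
    port_space = len({p for prof in profiles.values() for p in prof}) + 1

    # Claim-1 style check: has the cohort been seen using this port at all?
    unseen = sorted(p for p in set(new_ports) if p not in cohort_counts)

    # Claim-12 style probability score of the whole new access sequence.
    log_prob = sum(math.log(port_probability(p, cohort_counts, port_space)) for p in new_ports)

    # Abstract's divergence calculation: D_KL(user's new port mix || cohort mix).
    user_counts = Counter(new_ports)
    n = len(new_ports)
    kl = sum((c / n) * math.log((c / n) / port_probability(p, cohort_counts, port_space))
             for p, c in user_counts.items())

    return {
        "cohort": assignment[user],
        "unseen_ports": unseen,
        "log_prob": log_prob,
        "kl_divergence": kl,
        "anomalous": bool(unseen),
    }


if __name__ == "__main__":
    profiles = port_profiles(BASELINE_LOG)
    cohorts = build_cohorts(profiles, threshold=0.5)
    print("cohorts:", cohorts)
    for ports in ([443, 22, 445], [443, 3389], [443, 5432, 5432]):
        print(ports, score_new_activity("alice", ports, profiles, cohorts))
```

On the constructed log, alice, bob and carol land in one cohort and dave and erin in another. alice connecting to 3389 is not flagged, because her peer bob already uses that port; that is the point of comparing new activity against the cohort rather than against the individual's own history. alice connecting to 5432, a port only the other cohort uses, is flagged, and her sequence gets a lower probability score and a larger divergence. Two caveats a practitioner would want before relying on this: greedy grouping is order dependent, and a cohort of one (or a user whose cohort-minus-self history is empty) makes every port unseen, so such users need a fallback model.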