Behavioral detection of suspicious host activities in an enterprise
Abstract
Methods, apparatus and articles of manufacture for behavioral detection of suspicious host activities in an enterprise are provided herein. A method includes processing log data derived from one or more data sources associated with an enterprise network over a given period of time, wherein the enterprise network comprises multiple host devices; extracting one or more features from said log data on a per host device basis, wherein said extracting comprises: determining a pattern of behavior associated with the multiple host devices based on said processing; and identifying said features representative of host device behavior based on the determined pattern of behavior; clustering the multiple host devices into one or more groups based on said one or more features; and identifying a behavioral anomaly associated with one of the multiple host devices by comparing said host device to the one or more groups across the multiple host devices.
Claims (20 in total; the independent claims 1, 13 and 14 are reproduced below)
1. A method comprising:
processing log data derived from data sources associated with an enterprise network over a given period of time, wherein the enterprise network comprises multiple host devices, and wherein the data sources comprise at least a domain controller, a virtual private network server, a web proxy, and a dynamic host configuration protocol server;
creating a whitelist that is customized to the enterprise network, wherein said whitelist comprises multiple external destinations determined to have been contacted by a given number of the multiple host devices over a temporal training period, wherein the given number of the host devices is in excess of a predetermined threshold number of host devices;
filtering the identified external destinations of the whitelist from the processed log data;
extracting one or more network traffic features from said filtered log data on a per host device basis, wherein said extracting comprises:
determining a network traffic pattern associated with the multiple host devices based on said processing; and
identifying said one or more network traffic features representative of a host device based on the determined network traffic pattern;
clustering the multiple host devices into one or more groups based on said one or more network traffic features; and
identifying an anomaly associated with one of the multiple host devices by comparing said host device to the one or more groups across the multiple host devices of the enterprise network;
wherein said processing, said creating, said filtering, said extracting, said clustering, and said identifying are carried out by at least one computing device.
(Dependent claims 2 through 12 are not reproduced here.)
13. An apparatus comprising:
a memory; and
at least one processor coupled to the memory and configured to:
process log data derived from data sources associated with an enterprise network over a given period of time, wherein the enterprise network comprises multiple host devices, and wherein the data sources comprise at least a domain controller, a virtual private network server, a web proxy, and a dynamic host configuration protocol server;
create a whitelist that is customized to the enterprise network, wherein said whitelist comprises multiple external destinations determined to have been contacted by a given number of the multiple host devices over a temporal training period, wherein the given number of the host devices is in excess of a predetermined threshold number of host devices;
filter the identified external destinations of the whitelist from the processed log data;
extract one or more network traffic features from said filtered log data on a per host device basis, wherein said extracting comprises:
determining a network traffic pattern associated with the multiple host devices based on said processing; and
identifying said one or more network traffic features representative of a host device based on the determined network traffic pattern;
cluster the multiple host devices into one or more groups based on said one or more network traffic features; and
identify an anomaly associated with one of the multiple host devices by comparing said host device to the one or more groups across the multiple host devices of the enterprise network.
(Dependent claims 19 and 20 are not reproduced here.)
14. A method comprising:
normalizing multiple items of log data (i) associated with multiple user devices within an enterprise network and (ii) derived from data sources associated with the enterprise network, wherein the data sources comprise at least a domain controller, a virtual private network server, a web proxy, and a dynamic host configuration protocol server;
creating a whitelist that is customized to the enterprise network, wherein said whitelist comprises multiple external destinations determined to have been contacted by a given number of the multiple host devices over a temporal training period, wherein the given number of the host devices is in excess of a predetermined threshold number of host devices;
filtering the identified external destinations of the whitelist from the processed log data;
extracting one or more network traffic features from said filtered log data;
clustering said filtered log data into one or more groups, wherein said one or more groups are based on categories associated with each of the multiple devices;
identifying outlying network traffic associated with one or more of the multiple devices based on a comparison of device network traffic within each of the one or more groups to said one or more network traffic features;
generating an alert based on said identified outlying network traffic; and
outputting the alert.
(Dependent claims 15 through 18 are not reproduced here.)
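The claimed pipeline end to end (a whitelist of destinations contacted by more than a threshold number of hosts during a training period, filtering of those destinations, per-host feature extraction, grouping of hosts by a category as in claim 14, and outlier detection within each group), as an added Python example that is not part of the patent or of any product. The hosts, categories, destinations and thresholds are constructed; the median/MAD scoring is this example's choice of comparison, which the claims leave unspecified.

```python
from collections import Counter, defaultdict
from statistics import median

# Constructed sample data (not from the patent): records already normalized from the
# DC/VPN/proxy/DHCP logs into (host, category, external_destination). The category is an
# assumed host attribute standing in for what the domain controller would supply.
HOSTS = {"h1": ("eng", 1), "h2": ("eng", 2), "h3": ("eng", 30), "h4": ("eng", 2),
         "h5": ("eng", 1), "h6": ("eng", 3), "f1": ("fin", 1), "f2": ("fin", 2),
         "f3": ("fin", 3), "f4": ("fin", 2)}   # (category, distinct rare destinations)
COMMON = ["update.example", "cdn.example", "mail.example"]    # every host contacts these
TRAINING = [(h, c, d) for h, (c, _n) in HOSTS.items() for d in COMMON]
WINDOW = TRAINING + [(h, c, f"{h}-rare{i}.example") for h, (c, n) in HOSTS.items()
                     for i in range(n) for _ in range(4 if h == "h3" else 1)]  # h3 repeats

def build_whitelist(records, threshold):
    """Destinations contacted by more than `threshold` distinct hosts during training."""
    hosts_per_dest = defaultdict(set)
    for host, _cat, dest in records:
        hosts_per_dest[dest].add(host)
    return {d for d, hs in hosts_per_dest.items() if len(hs) > threshold}

def host_features(records, whitelist):
    """Drop whitelisted destinations; per host -> (category, (distinct dests, events))."""
    dests, events, cat_of = defaultdict(set), Counter(), {}
    for host, cat, dest in records:
        if dest not in whitelist:
            dests[host].add(dest); events[host] += 1; cat_of[host] = cat
    return {h: (cat_of[h], (len(dests[h]), events[h])) for h in cat_of}

def find_anomalies(features, limit=3.5, min_peers=4):
    """Group hosts by category; flag a host whose feature lies more than `limit` robust
    z-scores (median/MAD, which a single outlier cannot inflate) from its group."""
    groups = defaultdict(list)
    for host, (cat, _f) in features.items():
        groups[cat].append(host)
    flagged = {}
    for hosts in groups.values():
        if len(hosts) < min_peers:          # too few peers for a meaningful comparison
            continue
        for i in range(2):                  # one pass per feature dimension
            vals = {h: features[h][1][i] for h in hosts}
            med = median(vals.values())
            mad = median(abs(v - med) for v in vals.values())
            if mad == 0:                    # no spread on this feature in this group
                continue
            for h, v in vals.items():
                z = 0.6745 * (v - med) / mad
                if abs(z) > limit:
                    flagged[h] = max(flagged.get(h, 0.0), round(abs(z), 1))
    return flagged
```

With the constructed data, build_whitelist(TRAINING, 5) returns the three common destinations and find_anomalies(host_features(WINDOW, that whitelist)) flags only h3, whose 30 rare destinations and 120 events stand far outside its engineering peers.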