Systems and methods for detection of anomalous network behavior
First Claim
1. A computer implemented method for detecting anomalous behavior in a network, comprising:
receiving, using at least one hardware processor, data representing at least one network activity, each network activity representing a certain data access event occurring between certain network entities;
extracting from said data representing each respective network activity, the certain network entities involved in the respective network activity;
retrieving plurality of relevant diversity values from a network behavior model based on said extracted certain network entities, wherein said network behavior model includes relevant diversity values, wherein each respective relevant diversity value represents a certain relationship between at least one network entity and at least one network entity type;
calculating a first abnormality score using a first combination of relevant diversity values;
calculating a second abnormality score using a second combination of relevant diversity values;
wherein the first abnormality score and second abnormality score are different;
designating a lower of said first and said second abnormality scores as a minimum score, and designating a higher of said first and said second abnormality scores as maximum score; and
classifying at least one network activity comprises at least one member of the group consisting of:
classifying said at least one received network activity as normal when said maximum score is below a predefined threshold, classifying said at least one received network activity as anomalous when said minimum score is above said predefined threshold, classifying said at least one received network activity as normal when the average of said minimum and said maximum score is below said threshold, and classifying said at least one received network activity as anomalous when the average of said minimum score and said maximum score is above said predefined threshold; and
generating an alert when said at least one network activity is classified as anomalous.
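The scoring and classification steps of claim 1, as an added Python example that is not part of the patent: the baseline events, the use of "distinct peer count" as the diversity value, the 1/(1+d) scoring, the two score combinations and the threshold are all constructed assumptions; only the min/max/average decision rule follows the claim, with a tie on the average treated as anomalous.

```python
from collections import defaultdict
from statistics import mean

TYPES = ("user", "host", "resource")   # entity type of each tuple position

# Constructed baseline of data-access events (user, host, resource); not real data.
BASELINE = [
    ("alice", "ws-01", "hr-share"), ("alice", "ws-01", "hr-share"),
    ("bob", "ws-02", "eng-repo"), ("carol", "ws-03", "eng-repo"),
    ("dave", "ws-04", "public-wiki"), ("erin", "ws-05", "public-wiki"),
    ("frank", "ws-06", "public-wiki"),
]

def build_model(events):
    """Network behavior model: for each (entity type, entity, other type) the number
    of distinct 'other type' entities seen together with that entity. Counting
    distinct peers is an assumed instantiation of the claim's 'diversity value'."""
    peers = defaultdict(set)
    for ev in events:
        for i, ent in enumerate(ev):
            for j, other in enumerate(ev):
                if i != j:
                    peers[(TYPES[i], ent, TYPES[j])].add(other)
    return {key: len(s) for key, s in peers.items()}

def abnormality(model, keys):
    """One abnormality score: mean of 1/(1+diversity) over the chosen relationships;
    an unseen entity has diversity 0 and therefore contributes the maximum, 1.0."""
    return mean(1.0 / (1 + model.get(k, 0)) for k in keys)

def classify(model, event, threshold):
    user, host, resource = event
    # First combination: how many distinct users the resource and the host have seen.
    s1 = abnormality(model, [("resource", resource, "user"), ("host", host, "user")])
    # Second combination: how many distinct resources and hosts the user has used.
    s2 = abnormality(model, [("user", user, "resource"), ("user", user, "host")])
    lo, hi = min(s1, s2), max(s1, s2)
    if hi < threshold:        # even the maximum score is below the threshold
        label = "normal"
    elif lo > threshold:      # even the minimum score is above the threshold
        label = "anomalous"
    else:                     # scores straddle the threshold: fall back to their average
        label = "normal" if (lo + hi) / 2 < threshold else "anomalous"
    return label, round(s1, 4), round(s2, 4)

if __name__ == "__main__":
    model = build_model(BASELINE)
    for ev in [("alice", "ws-01", "hr-share"), ("mallory", "ws-09", "hr-share"),
               ("carol", "ws-09", "eng-repo"), ("dave", "ws-09", "hr-share")]:
        label, s1, s2 = classify(model, ev, threshold=0.6)
        print(("ALERT " if label == "anomalous" else "      ") + f"{ev}: {label} ({s1}, {s2})")
```

The third sample event (a known user on an unseen host) shows the averaging branch: one score exceeds the threshold, the other does not, and the average decides.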
Abstract
There is provided a computer implemented method for detecting anomalous behavior in a network, comprising: receiving data representing at least one network activity, each network activity representing a certain data access event involving certain network entities; extracting from the data the certain network entities involved in the respective network activity; retrieving at least one relevant diversity value from a network behavior model based on the extracted certain network entities, wherein the network behavior model includes at least one diversity value, wherein each respective diversity value represents a certain relationship between at least one network entity and at least one network entity type; calculating an abnormality score for the received network activity based on the retrieved relevant diversity values; and classifying the network activity as anomalous or normal based on the calculated abnormality score.
22 Claims
1. A computer implemented method for detecting anomalous behavior in a network, comprising:
receiving, using at least one hardware processor, data representing at least one network activity, each network activity representing a certain data access event occurring between certain network entities; extracting from said data representing each respective network activity, the certain network entities involved in the respective network activity; retrieving plurality of relevant diversity values from a network behavior model based on said extracted certain network entities, wherein said network behavior model includes relevant diversity values, wherein each respective relevant diversity value represents a certain relationship between at least one network entity and at least one network entity type; calculating a first abnormality score using a first combination of relevant diversity values; calculating a second abnormality score using a second combination of relevant diversity values; wherein the first abnormality score and second abnormality score are different; designating a lower of said first and said second abnormality scores as a minimum score, and designating a higher of said first and said second abnormality scores as maximum score; and classifying at least one network activity comprises at least one member of the group consisting of:
classifying said at least one received network activity as normal when said maximum score is below a predefined threshold, classifying said at least one received network activity as anomalous when said minimum score is above said predefined threshold, classifying said at least one received network activity as normal when the average of said minimum and said maximum score is below said threshold, and classifying said at least one received network activity as anomalous when the average of said minimum score and said maximum score is above said predefined threshold; and generating an alert when said at least one network activity is classified as anomalous.
Dependent claims: 2, 3, 4, 5, 6
7. A computer implemented method for generating a model for detecting anomalous behavior in a network, comprising:
receiving, using at least one hardware processor, data representing a plurality of network activities, each network activity representing a certain data access event occurring between certain network entities; extracting from said data representing each respective network activity, the certain network entities involved in said respective network activity; calculating plurality of relevant diversity values from said plurality of network activities, wherein each relevant diversity value represents a certain relationship between at least one network entity and at least one network entity type; generating a network behavior model based on said calculated plurality of relevant diversity values; and
outputting said network behavior model; calculating a first abnormality score using a first combination of relevant diversity values; calculating a second abnormality score using a second combination of relevant diversity values; wherein the first abnormality score and second abnormality score are different; designating a lower of said first and said second abnormality scores as a minimum score, and designating a higher of said first and said second abnormality scores as maximum score; and classifying at least one network activity comprises at least one member of the group consisting of:
classifying said at least one received network activity as normal when said maximum score is below a predefined threshold, classifying said at least one received network activity as anomalous when said minimum score is above said predefined threshold, classifying said at least one received network activity as normal when the average of said minimum and said maximum score is below said threshold, and classifying said at least one received network activity as anomalous when the average of said minimum score and said maximum score is above said predefined threshold; and generating an alert when said at least one network activity is classified as anomalous.
Dependent claims: 8, 9, 10, 11, 12, 13, 14, 15, 16
17. A system for detecting anomalous behavior in a network, comprising:
an anomaly detecting server in communication with said network, said anomaly detecting server implemented by at least one hardware processor configured to: receive data representing at least one network activity within said network, each network activity representing a certain data access event occurring between certain network entities in said network; calculate an abnormality score for said received at least one network activity based on a retrieved plurality of relevant diversity values, said plurality of relevant diversity values obtained by extracting from said data representing each respective network activity, the certain network entities involved in the respective network activity, and retrieving said plurality of relevant diversity values from a network behavior model based on said extracted certain network entities, wherein said network behavior model includes plurality of relevant diversity values, wherein each respective diversity value represents a certain relationship between at least one network entity and at least one network entity type; wherein calculating said abnormality score comprises: calculating a first abnormality score using a first combination of relevant diversity values; calculating a second abnormality score using a second combination of relevant diversity values; wherein the first abnormality score and second abnormality score are different; designating a lower of said first and said second abnormality scores as a minimum score, and designating a higher of said first and said second abnormality scores as maximum score; and classifying at least one network activity comprises at least one member of the group consisting of:
classifying said at least one received network activity as normal when said maximum score is below a predefined threshold, classifying said at least one received network activity as anomalous when said minimum score is above said predefined threshold, classifying said at least one received network activity as normal when the average of said minimum and said maximum score is below said threshold, and classifying said at least one received network activity as anomalous when the average of said minimum score and said maximum score is above said predefined threshold; and generating an alert when the at least one network activity is classified as anomalous.
Dependent claims: 18
19. A system for generating a model for detecting anomalous behavior in a network, comprising:
a learning server in communication with a network, said learning server implemented by at least one hardware processor configured to: receive data representing a plurality of network activities within said network, each network activity representing a certain data access event occurring between certain network entities connected to said network; generate a network behavior model based on plurality of relevant diversity values calculated from said plurality of network activities, wherein each relevant diversity value represents a certain relationship between at least one network entity and at least one network entity type, the certain network entities involved in said respective network activity extracted from said data representing each respective network activity; and
output said network behavior model; calculate a first abnormality score using a first combination of relevant diversity values; calculate a second abnormality score using a second combination of relevant diversity values; wherein the first abnormality score and second abnormality score are different; designate a lower of said first and said second abnormality scores as a minimum score, and designate a higher of said first and said second abnormality scores as maximum score; and classify at least one network activity comprises at least one member of the group consisting of:
classify said at least one received network activity as normal when said maximum score is below a predefined threshold, classify said at least one received network activity as anomalous when said minimum score is above said predefined threshold, classify said at least one received network activity as normal when the average of said minimum and said maximum score is below said threshold, and classify said at least one received network activity as anomalous when the average of said minimum score and said maximum score is above said predefined threshold; and generate an alert when said at least one network activity is classified as anomalous.
Dependent claims: 20
21. A computer program product for detecting anomalous behavior in a network, comprising:
one or more non-transitory computer-readable storage mediums, and program instructions stored on at least one of the one or more storage mediums, the program instructions comprising: program instructions to receive data representing at least one network activity, each network activity representing a certain data access event occurring between certain network entities; program instructions to extract from said data representing each respective network activity, the certain network entities involved in the respective network activity; program instructions to retrieve plurality of relevant diversity values from a network behavior model based on said extracted certain network entities, wherein said network behavior model includes plurality of relevant diversity values, wherein each respective relevant diversity value represents a certain relationship between at least one network entity and at least one network entity type; program instructions to calculate a first abnormality score using a first combination of relevant diversity values; program instructions to calculate a second abnormality score using a second combination of relevant diversity values; wherein the first abnormality score and second abnormality score are different; program instructions to designate a lower of said first and said second abnormality scores as a minimum score, and designate a higher of said first and said second abnormality scores as maximum score; and program instructions to classify at least one network activity comprises at least one member of the group consisting of:
classify said at least one received network activity as normal when said maximum score is below a predefined threshold, classify said at least one received network activity as anomalous when said minimum score is above said predefined threshold, classify said at least one received network activity as normal when the average of said minimum and said maximum score is below said threshold, and classifying said at least one received network activity as anomalous when the average of said minimum score and said maximum score is above said predefined threshold; and program instructions to generate an alert when the at least one network activity is classified as anomalous.
Dependent claims: 22
Specification