Systems and methods for detection of anomalous network behavior

US 9,565,203 B2
Filed: 11/13/2014
Issued: 02/07/2017
Est. Priority Date: 11/13/2014
Status: Active Grant

First Claim

Patent Images

1. A computer implemented method for detecting anomalous behavior in a network, comprising:

receiving, using at least one hardware processor, data representing at least one network activity, each network activity representing a certain data access event occurring between certain network entities;

extracting from said data representing each respective network activity, the certain network entities involved in the respective network activity;

retrieving plurality of relevant diversity values from a network behavior model based on said extracted certain network entities, wherein said network behavior model includes relevant diversity values, wherein each respective relevant diversity value represents a certain relationship between at least one network entity and at least one network entity type;

calculating a first abnormality score using a first combination of relevant diversity values;

calculating a second abnormality score using a second combination of relevant diversity values;

wherein the first abnormality score and second abnormality score are different;

designating a lower of said first and said second abnormality scores as a minimum score, and designating a higher of said first and said second abnormality scores as maximum score; and

classifying at least one network activity comprises at least one member of the group consisting of;

classifying said at least one received network activity as normal when said maximum score is below a predefined threshold, classifying said at least one received network activity as anomalous when said minimum score is above said predefined threshold, classifying said at least one received network activity as normal when the average of said minimum and said maximum score is below said threshold, and classifying said at least one received network activity as anomalous when the average of said minimum score and said maximum score is above said predefined threshold; and

generating an alert when said at least one network activity is classified as anomalous.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

There is provided a computer implemented method for detecting anomalous behavior in a network, comprising: receiving data representing at least one network activity, each network activity representing a certain data access event involving certain network entities; extracting from the data the certain network entities involved in the respective network activity; retrieving at least one relevant diversity value from a network behavior model based on the extracted certain network entities, wherein the network behavior model includes at least one diversity value, wherein each respective diversity value represents a certain relationship between at least one network entity and at least one network entity type; calculating an abnormality score for the received network activity based on the retrieved relevant diversity values; and classifying the network activity as anomalous or normal based on the calculated abnormality score.

Citations

22 Claims

1. A computer implemented method for detecting anomalous behavior in a network, comprising:
- receiving, using at least one hardware processor, data representing at least one network activity, each network activity representing a certain data access event occurring between certain network entities;
  
  extracting from said data representing each respective network activity, the certain network entities involved in the respective network activity;
  
  retrieving plurality of relevant diversity values from a network behavior model based on said extracted certain network entities, wherein said network behavior model includes relevant diversity values, wherein each respective relevant diversity value represents a certain relationship between at least one network entity and at least one network entity type;
  
  calculating a first abnormality score using a first combination of relevant diversity values;
  
  calculating a second abnormality score using a second combination of relevant diversity values;
  
  wherein the first abnormality score and second abnormality score are different;
  
  designating a lower of said first and said second abnormality scores as a minimum score, and designating a higher of said first and said second abnormality scores as maximum score; and
  
  classifying at least one network activity comprises at least one member of the group consisting of;
  
  classifying said at least one received network activity as normal when said maximum score is below a predefined threshold, classifying said at least one received network activity as anomalous when said minimum score is above said predefined threshold, classifying said at least one received network activity as normal when the average of said minimum and said maximum score is below said threshold, and classifying said at least one received network activity as anomalous when the average of said minimum score and said maximum score is above said predefined threshold; and
  
  generating an alert when said at least one network activity is classified as anomalous.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, wherein at least one relevant diversity value is retrieved based on matching at least one network entity extracted from said data of said network activity, to at least one relevant diversity value based on said at least one network entity.
  - 3. The method of claim 1, further comprising:
    - receiving data representing said at least one network activity over a period of time;
      
      retrieving, for each respective time slice of a plurality of time slices of said period of time, at least one relevant diversity value from said network behavior model;
      
      generating a diversity time series by organizing said at least one relevant diversity value based on chronological sequence of said plurality of respective time slices;
      
      receiving a new relevant diversity value representing a next relevant diversity value in said chronological sequence of said diversity time series, said new relevant diversity value calculated based on another received network activity; and
      
      analyzing said new relevant diversity value based on said diversity time series to identify said new relevant diversity value as anomalous or normal relevant diversity value.
  - 4. The method of claim 1, wherein said network behavior model includes respective weights assigned to each respective relevant diversity value and said abnormality score is calculated based on said respective weights assigned to each respective relevant diversity value.
  - 5. The method of claim 1, wherein said retrieving relevant diversity values dependent on a confidence score associated with said relevant diversity values, said confidence score included in said network behavior model.
  - 6. The method of claim 1, wherein calculating said abnormality score comprises calculating based on a member selected from a group consisting of:
    - average of said retrieved relevant diversity values, maximum value of said retrieved relevant diversity values, and a weighted average of said retrieved relevant diversity values.

7. A computer implemented method for generating a model for detecting anomalous behavior in a network, comprising:
- receiving, using at least one hardware processor, data representing a plurality of network activities, each network activity representing a certain data access event occurring between certain network entities;
  
  extracting from said data representing each respective network activity, the certain network entities involved in said respective network activity;
  
  calculating plurality of relevant diversity values from said plurality of network activities, wherein each relevant diversity value represents a certain relationship between at least one network entity and at least one network entity type;
  
  generating a network behavior model based on said calculated plurality of relevant diversity values; and
  
  outputting said network behavior model;
  
  calculating a first abnormality score using a first combination of relevant diversity values;
  
  calculating a second abnormality score using a second combination of relevant diversity values;
  
  wherein the first abnormality score and second abnormality score are different;
  
  designating a lower of said first and said second abnormality scores as a minimum score, and designating a higher of said first and said second abnormality scores as maximum score; and
  
  classifying at least one network activity comprises at least one member of the group consisting of;
  
  classifying said at least one received network activity as normal when said maximum score is below a predefined threshold, classifying said at least one received network activity as anomalous when said minimum score is above said predefined threshold, classifying said at least one received network activity as normal when the average of said minimum and said maximum score is below said threshold, and classifying said at least one received network activity as anomalous when the average of said minimum score and said maximum score is above said predefined threshold; and
  
  generating an alert when said at least one network activity is classified as anomalous.
- View Dependent Claims (8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 8. The method of claim 7, wherein said plurality of network activities is organized into a plurality of groups, each group including network activities having at least one shared network entity type, each group represented by a certain word.
  - 9. The method of claim 8, further comprising associating a certain context with each respective group.
  - 10. The method of claim 9, wherein said certain context is a member selected from a group consisting of:
    - a number of occurrences of activities within the respective group, a time of first occurrence of activities within the respective group, and a time of last occurrence of activities within the respective group.
  - 11. The method of claim 7, further comprising excluding certain network activities matching a predefined context from said network behavior model.
  - 12. The method of claim 11, wherein said predefined context includes a number of occurrences of said respective network activity within a predefined period of time.
  - 13. The method of claim 8, further comprising calculating a confidence score for each respective relevant diversity value, said confidence score calculated based on a number of activities of a certain network entity in the respective group, or a number of activities of a combination of certain network entities in the respective group, said confidence score included within network behavior model.
  - 14. The method of claim 7, further comprising iterating said extracting, said calculating, and said generating, to update said network behavior model, according to at least one of periodically and when new network activities are received.
  - 15. The method of claim 7, further comprising assigning a weight to each respective relevant diversity value, said weights designated based on a predefined logic defining the significance of each respective relevant diversity value based on interaction between network entities.
  - 16. The method of claim 7, wherein said plurality of network activities are received from at least one member of the group consisting of:
    - monitoring of a network, gathering data from network entities, and obtaining data from a source connected to the network.

17. A system for detecting anomalous behavior in a network, comprising:
- an anomaly detecting server in communication with said network, said anomaly detecting server implemented by at least one hardware processor configured to;
  
  receive data representing at least one network activity within said network, each network activity representing a certain data access event occurring between certain network entities in said network;
  
  calculate an abnormality score for said received at least one network activity based on a retrieved plurality of relevant diversity values, said plurality of relevant diversity values obtained by extracting from said data representing each respective network activity, the certain network entities involved in the respective network activity, and retrieving said plurality of relevant diversity values from a network behavior model based on said extracted certain network entities, wherein said network behavior model includes plurality of relevant diversity values, wherein each respective diversity value represents a certain relationship between at least one network entity and at least one network entity type;
  
  wherein calculating said abnormality score comprises;
  
  calculating a first abnormality score using a first combination of relevant diversity values;
  
  calculating a second abnormality score using a second combination of relevant diversity values;
  
  wherein the first abnormality score and second abnormality score are different;
  
  designating a lower of said first and said second abnormality scores as a minimum score, and designating a higher of said first and said second abnormality scores as maximum score; and
  
  classifying at least one network activity comprises at least one member of the group consisting of;
  
  classifying said at least one received network activity as normal when said maximum score is below a predefined threshold, classifying said at least one received network activity as anomalous when said minimum score is above said predefined threshold, classifying said at least one received network activity as normal when the average of said minimum and said maximum score is below said threshold, and classifying said at least one received network activity as anomalous when the average of said minimum score and said maximum score is above said predefined threshold; and
  
  generating an alert when the at least one network activity is classified as anomalous.
- View Dependent Claims (18)
- - 18. The system of claim 17, wherein said anomaly detecting server further includes a trend analysis module configured to:
    - receive data representing said at least one network activity over a period of time;
      
      retrieve, for each respective time slice of a plurality of time slices of said period of time, at least one relevant diversity value from said network behavior model;
      
      generate a diversity time series by organizing said at least one relevant diversity value based on chronological sequence of said plurality of respective time slices;
      
      receive a new relevant diversity value representing a next relevant diversity value in said chronological sequence of said diversity time series, said new relevant diversity value calculated based on another received network activity; and
      
      analyze said new relevant diversity value based on said diversity time series to identify said new relevant diversity value as anomalous or normal relevant diversity value.

19. A system for generating a model for detecting anomalous behavior in a network, comprising:
- a learning server in communication with a network, said learning server implemented by at least one hardware processor configured to;
  
  receive data representing a plurality of network activities within said network, each network activity representing a certain data access event occurring between certain network entities connected to said network;
  
  generate a network behavior model based on plurality of relevant diversity values calculated from said plurality of network activities, wherein each relevant diversity value represents a certain relationship between at least one network entity and at least one network entity type, the certain network entities involved in said respective network activity extracted from said data representing each respective network activity; and
  
  output said network behavior model;
  
  calculate a first abnormality score using a first combination of relevant diversity values;
  
  calculate a second abnormality score using a second combination of relevant diversity values;
  
  wherein the first abnormality score and second abnormality score are different;
  
  designate a lower of said first and said second abnormality scores as a minimum score, and designate a higher of said first and said second abnormality scores as maximum score; and
  
  classify at least one network activity comprises at least one member of the group consisting of;
  
  classify said at least one received network activity as normal when said maximum score is below a predefined threshold, classify said at least one received network activity as anomalous when said minimum score is above said predefined threshold, classify said at least one received network activity as normal when the average of said minimum and said maximum score is below said threshold, and classify said at least one received network activity as anomalous when the average of said minimum score and said maximum score is above said predefined threshold; and
  
  generate an alert when said at least one network activity is classified as anomalous.
- View Dependent Claims (20)
- - 20. The system of claim 19, wherein said learning server is further configured to iterating said generating, to update said network behavior model, according to at least one of periodically and when new network activities are received.

21. A computer program product for detecting anomalous behavior in a network, comprising:
- one or more non-transitory computer-readable storage mediums, and program instructions stored on at least one of the one or more storage mediums, the program instructions comprising;
  
  program instructions to receive data representing at least one network activity, each network activity representing a certain data access event occurring between certain network entities;
  
  program instructions to extract from said data representing each respective network activity, the certain network entities involved in the respective network activity;
  
  program instructions to retrieve plurality of relevant diversity values from a network behavior model based on said extracted certain network entities, wherein said network behavior model includes plurality of relevant diversity values, wherein each respective relevant diversity value represents a certain relationship between at least one network entity and at least one network entity type;
  
  program instructions to calculate a first abnormality score using a first combination of relevant diversity values;
  
  program instructions to calculate a second abnormality score using a second combination of relevant diversity values;
  
  wherein the first abnormality score and second abnormality score are different;
  
  program instructions to designate a lower of said first and said second abnormality scores as a minimum score, and designate a higher of said first and said second abnormality scores as maximum score; and
  
  program instructions to classify at least one network activity comprises at least one member of the group consisting of;
  
  classify said at least one received network activity as normal when said maximum score is below a predefined threshold, classify said at least one received network activity as anomalous when said minimum score is above said predefined threshold, classify said at least one received network activity as normal when the average of said minimum and said maximum score is below said threshold, and classifying said at least one received network activity as anomalous when the average of said minimum score and said maximum score is above said predefined threshold; and
  
  program instructions to generate an alert when the at least one network activity is classified as anomalous.
- View Dependent Claims (22)
- - 22. The computer program product of claim 21, further comprising:
    - program instructions to receive data representing a plurality of network activities, each network activity representing a certain data access event occurring between certain network entities;
      
      program instructions to extract from said data representing each respective network activity, the certain network entities involved in said respective network activity;
      
      program instructions to calculate plurality of relevant diversity values from said plurality of network activities, wherein each relevant diversity value represents a certain relationship between at least one network entity and at least one network entity type;
      
      program instructions to generate said network behavior model based on said calculated plurality of relevant diversity values; and
      
      program instructions to output said network behavior model.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cyber-Ark Software Limited (CyberArk Software Ltd.)
Original Assignee
Cyber-Ark Software Limited (CyberArk Software Ltd.)
Inventors
Bernstein, Ruth, Dulkin, Andrey
Primary Examiner(s)
BEHESHTI SHIRAZI, SAYED ARESH

Application Number

US14/540,289
Publication Number

US 20160142435A1
Time in Patent Office

817 Days
Field of Search

726/1, 726/4, 726/5, 726/6, 726/7, 726/16, 726/22, 726/23, 726/24, 726/27, 380/247, 380/250
US Class Current

1/1
CPC Class Codes

H04L 63/1425 Traffic logging, e.g. anoma...

H04L 63/1441 Countermeasures against mal...

Systems and methods for detection of anomalous network behavior

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for detection of anomalous network behavior

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links