Method and system for identifying a threatening network
Abstract
A method for identifying a threatening network comprises an asymmetric threat signature (AT-SIG) algorithm comprising a network movement before/after algorithm that provides a graphical plot of changes in network transaction activity from before to after a specified time and further comprising one or more of: a network progression algorithm that provides a graphical plot to analyze behavior in small increments of time without specification or emphasis upon a particular time or event; a statistical network anomaly ranking algorithm that provides as output a ranked list of the networks; and an anomaly trend graphs algorithm that analyzes and visualizes the networks' anomaly scores over time. Also disclosed are an AT-SIG system and a software program product.
20 Claims

1. A method for identifying a threatening network, the method being implemented by a computer system and comprising:
providing a dataset comprising network transaction data of a plurality of networks;
performing an AT-SIG algorithm on the dataset; and
displaying a graphic output of the AT-SIG algorithm for each of the plurality of networks, wherein the AT-SIG algorithm comprises providing a network movement before/after algorithm that provides a graphical plot of changes in network transaction activity from before to after a specified time, wherein the network movement before/after algorithm, after accepting the specified time, accepting a selection of one or more metrics of interest, and accepting a selection of a time interval duration, performs the steps of;
1) assigning weights to edges between pairs of nodes in a network equal to the average frequency of transactions between the pairs of nodes as the pairs of nodes appear in the time interval duration;
2) randomly sampling from Poisson distribution of the edges to create a sample of each of the networks, and computing a plurality of metrics for the networks to generate a matrix that is N×M in size, wherein N is the cardinality of the plurality of networks and M is the cardinality of the plurality of the metrics of interest; and
3) repeating steps 1) to 2) multiple times to generate multiple samples for the metrics of interest for each network, wherein the network movement before/after algorithm generates a set of samples of metrics of interest for each network before the specified time and a set of samples of metrics of interest for each network after the specified time;
wherein the AT-SIG algorithm further comprises one or more of the following;
providing a network progression algorithm that provides a graphical plot of analyze behavior in small increments of time without specification or emphasis upon a particular time or event;
providing a statistical network anomaly ranking algorithm that provides as output a ranked list of the network; and
providing an anomaly trend graphs algorithm that analyzes and visualizes the networks' anomaly scores over time.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18

19. An asymmetric threat signature (AT-SIG) system comprising:
one or more processing units;
a display device;
non-transitory memory media, the memory media comprising a dataset comprising network transaction data of a plurality of networks; and
instructions which when loaded into the memory media and executed by the one or more processing units perform an AT-SIG algorithm on the dataset and display on the display device a graphic output of the AT-SIG algorithm for each of the plurality of networks, wherein the AT-SIG algorithm comprises a network movement before/after algorithm that provides a graphical plot of changes in network transaction activity from before to after a specified time, wherein the network movement before/after algorithm, after accepting the specified time, accepting a selection of one or more metrics of interest, and accepting a selection of a time interval duration, performs the steps of;
1) assigning weights to edges between pairs of nodes in a network equal to the average frequency of transactions between the pairs of nodes as the pairs of nodes appear in the time interval duration;
2) randomly sampling from Poisson distributions of the edges to create a sample of each of the networks, and computing a plurality of metrics for the networks to generate a matrix that is N×M in size, wherein N is the cardinality of the plurality of networks and M is the cardinality of the plurality of the metrics of interest; and
3) repeating steps 1) to 2) multiple times to generate multiple samples for the metrics of interest for each network, wherein the network movement before/after algorithm generates a set of metric samples for each network before the specified time and a set of metric samples for each network after the specified time;
wherein the AT-SIG algorithm further comprises one or more of the following;
a network progression algorithm that provides a graphical plot of analyze behavior in small increments of time without specification or emphasis upon a particular time or event;
a statistical network anomaly ranking algorithm that provides as output a ranked list of the network; and
an anomaly trend graphs algorithm that analyzes and visualizes the networks' anomaly scores over time.

20. A software program product, comprising:
non-transitory computer readable memory media;
program instructions on the computer readable memory media that when executed provide the functions of an AT-SIG algorithm on a dataset comprising network transaction data, wherein the AT-SIG algorithm comprises;
a network movement before/after algorithm that provides a graphical plot of changes in network transaction activity from before to after a specified time, wherein the network movement before/after algorithm, after accepting the specified time, accepting a selection of one or more metrics of interest, and accepting a selection of a time interval duration, performs the steps of;
1) assigning weights to edges between pairs of nodes in a network equal to the average frequency of transactions between the pairs of nodes as the pairs of nodes appear in the time interval duration;
2) randomly sampling from Poisson distributions of the edges to create a sample of each of the networks, and computing a plurality of metrics for the networks to generate a matrix that is N×M in size, wherein N is the cardinality of the plurality of networks and M is the cardinality of the plurality of the metrics of interest; and
3) repeating steps 1) to 2) multiple times to generate multiple samples for the metrics of interest for each network, wherein the network movement before/after algorithm generates a set of samples of metrics of interest for each network before the specified time and a set of samples of interest for each network after the specified time; and
wherein the AT-SIG algorithm further comprises one or more of the following;
a network progression algorithm that provides a graphical plot of analyze behavior in small increments of time without specification or emphasis upon a particular time or event;
a statistical network anomaly ranking algorithm that provides as output a ranked list of the network; and
an anomaly trend graphs algorithm that analyzes and visualizes the networks' anomaly scores over time.
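
The sampling steps 1) to 3) recited in claims 1, 19 and 20, sketched in Python as an added example; this is not code from the patent. The metric set, the `(hour, src, dst)` record layout, the fixed window on each side of the specified time, and the reading of "average frequency" as mean transactions per interval are assumptions, and `demo_data` returns constructed records.

```python
import math
import random
from collections import Counter

# Assumed metrics of interest; the claims leave the selection to the user.
METRICS = {
    "volume": lambda g: sum(g.values()),
    "active_edges": len,
    "max_out_degree": lambda g: max(Counter(s for s, _ in g).values(), default=0),
}

def edge_rates(tx, lo, hi, interval):
    """Step 1: edge weight = average transactions per interval within [lo, hi)."""
    n_intervals = max(1, math.ceil((hi - lo) / interval))
    counts = Counter((s, d) for t, s, d in tx if lo <= t < hi)
    return {edge: c / n_intervals for edge, c in counts.items()}

def poisson(lam, rng):
    """Knuth's sampler; adequate for the small per-edge rates used here."""
    limit, k, p = math.exp(-lam), 0, rng.random()
    while p > limit:
        k, p = k + 1, p * rng.random()
    return k

def sample_matrix(rates_by_net, names, rng):
    """Step 2: one Poisson draw per edge, then an N x M matrix (networks x metrics)."""
    rows = []
    for net in sorted(rates_by_net):
        draws = {e: poisson(lam, rng) for e, lam in rates_by_net[net].items()}
        g = {e: k for e, k in draws.items() if k > 0}  # edges with sampled traffic
        rows.append([METRICS[m](g) for m in names])
    return rows

def before_after(data, t0, window, interval, names, repeats=200, seed=7):
    """Step 3: repeat the sampling; step 1 is deterministic, so it runs once per side."""
    rng, out = random.Random(seed), {}
    for label, lo, hi in (("before", t0 - window, t0), ("after", t0, t0 + window)):
        rates = {net: edge_rates(tx, lo, hi, interval) for net, tx in data.items()}
        out[label] = [sample_matrix(rates, names, rng) for _ in range(repeats)]
    return out

def mean_metric(samples, net_idx, metric_idx):
    return sum(m[net_idx][metric_idx] for m in samples) / len(samples)

def demo_data():
    """Constructed (hour, src, dst) records; network B's traffic jumps at hour 100."""
    a = [(h, "a1", "a2") for h in range(52, 148, 4)]
    b = [(h, "b1", "b2") for h in range(52, 100, 8)]
    b += [(h, "b1", "b%d" % (2 + h % 3)) for h in range(100, 148, 2)]
    return {"A": a, "B": b}
```

Calling `before_after(demo_data(), t0=100, window=48, interval=24, names=list(METRICS))` returns 200 matrices per side; comparing `mean_metric` across the two sides shows network B's volume and active-edge count shifting while network A stays flat.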
Specification