Network anomaly detection

US 9,628,500 B1
Filed: 07/29/2016
Issued: 04/18/2017
Est. Priority Date: 06/26/2015
Status: Active Grant

First Claim

Patent Images

1. A computer system comprising:

one or more computer readable storage devices configured to store one or more software modules including computer executable instructions; and

one or more hardware computer processors in communication with the one or more computer readable storage devices and configured to execute the computer executable instructions in order to cause the computer system to;

receive information indicative of an access to a network by a user, wherein the information comprises at least;

an identity associated with the user;

a hostname of a machine associated with the user;

a time associated with the access to the network; and

location information associated with the identity;

determine, based at least on the information, a host score indicative of a first likelihood that the user access to the network was malicious, wherein the host score is determined based, at least in part, on a number of unique machines associated with the user;

determine, based on the information, a speed score indicative of a second likelihood that the user access to the network was malicious, wherein the speed score is determined based, at least in part, on a calculated travel speed for the user;

determine, based on the information, a location score indicative of a third likelihood that the user access to the network was malicious, wherein the location score is determined based, at least in part, on attack origin distribution data; and

determine an aggregate score based at least in part on the host score, the speed score, and the location score.

View all claims

8 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A security system detects anomalous activity in a network. The system logs user activity, which can include ports used, compares users to find similar users, sorts similar users into cohorts, and compares new user activity to logged behavior of the cohort. The comparison can include a divergence calculation. Origins of user activity can also be used to determine anomalous network activity. The hostname, username, IP address, and timestamp can be used to calculate aggregate scores and convoluted scores.

120 Citations

20 Claims

1. A computer system comprising:
- one or more computer readable storage devices configured to store one or more software modules including computer executable instructions; and
  
  one or more hardware computer processors in communication with the one or more computer readable storage devices and configured to execute the computer executable instructions in order to cause the computer system to;
  
  receive information indicative of an access to a network by a user, wherein the information comprises at least;
  
  an identity associated with the user;
  
  a hostname of a machine associated with the user;
  
  a time associated with the access to the network; and
  
  location information associated with the identity;
  
  determine, based at least on the information, a host score indicative of a first likelihood that the user access to the network was malicious, wherein the host score is determined based, at least in part, on a number of unique machines associated with the user;
  
  determine, based on the information, a speed score indicative of a second likelihood that the user access to the network was malicious, wherein the speed score is determined based, at least in part, on a calculated travel speed for the user;
  
  determine, based on the information, a location score indicative of a third likelihood that the user access to the network was malicious, wherein the location score is determined based, at least in part, on attack origin distribution data; and
  
  determine an aggregate score based at least in part on the host score, the speed score, and the location score.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The computer system of claim 1, wherein:
    - the location information comprises an internet protocol (IP) address; and
      
      the one or more hardware computer processors are further configured to execute the computer executable instructions in order to cause the computer system to;
      
      perform an IP lookup to determine geographical coordinates associated with the IP address; and
      
      calculate the travel speed for the user to arrive at the geographical coordinates.
  - 3. The computer system of claim 1, wherein:
    - the location information comprises an IP address; and
      
      the one or more hardware computer processors are further configured to execute the computer executable instructions in order to cause the computer system to;
      
      perform an IP lookup to determine a country associated with the IP address; and
      
      determine the location score by multiplying a probability that the country is the source of an attack times a probability of an attack on the network and dividing by the probability of activity coming from the country.
  - 4. The computer system of claim 1, wherein:
    - the host score indicates increasingly higher likelihoods of malicious activity for each additional unique machine associated with the identity in accessing the network until a threshold number of unique machines is logged;
      
      the host score indicates a highest likelihood of malicious activity when the threshold number of unique machines is logged;
      
      the host score indicates a likelihood of malicious activity that is lower than the highest likelihood of malicious activity when more than the threshold number of unique machines is logged; and
      
      the host score indicates a low likelihood of malicious activity when the machine associated with an access the network by the user is also associated with a previous access the network by the user.
  - 5. The computer system of claim 1, wherein the information is indicative of a plurality of accesses to the network by the user, and wherein the one or more hardware computer processors are further configured to execute the computer executable instructions in order to cause the computer system to:
    - calculate a plurality of aggregate scores based, at least in part, on the information indicative of the plurality of accesses to the network;
      
      perform a mathematical convolution based, at least in part, on the aggregate score and the plurality of aggregate scores to determine a convoluted score.
  - 6. The computer system of claim 1, wherein the one or more hardware computer processors are further configured to execute the computer executable instructions in order to cause the computer system to:
    - sort the user into a cohort;
      
      determine the host score based, at least in part, on host machine usage by other members of the cohort; and
      
      determine the location score based, at least in part, on the locations associated with network activity by other members of the cohort.

7. A computer system comprising:
- one or more computer readable storage devices configured to store one or more software modules including computer executable instructions; and
  
  one or more hardware computer processors in communication with the one or more computer readable storage devices and configured to execute the computer executable instructions in order to cause the computer system to;
  
  receive information associated with a plurality of accesses of a network by a user, wherein the information includes, for each of the accesses of the network, at least;
  
  an identity, provided by the user, associated with the access of the network;
  
  a respective hostname of a machine used by the user to access the network;
  
  a respective time associated with the access to the network; and
  
  respective location information associated with the access to the network by the user;
  
  determine respective host scores for each of the accesses of the network, wherein the host scores indicate respective likelihoods of malicious activity based, at least in part, on a number of unique machines used to access the network;
  
  determine respective speed scores for each of the accesses of the network, wherein the speed scores indicate respective likelihoods of malicious activity based, at least in part, on calculated travel speeds;
  
  determine respective location scores for each of the accesses of the network, wherein the locations scores indicate respective likelihoods of malicious activity based, at least in part, on attack origin distribution data;
  
  determine respective aggregate scores for each of the accesses of the network, wherein the respective aggregate scores are based, at least in part, on the respective host scores, speed scores, and location scores; and
  
  generate one or more user interfaces including;
  
  a list of users including the user;
  
  respective anomaly scores associated with users of the list of users, wherein the respective anomaly scores are based, at least in part, on the aggregate scores associated with each respective user of the list of users.
- View Dependent Claims (8, 9, 10, 11, 12, 13, 14)
- - 8. The computer system of claim 7, wherein the one or more user interfaces further include the list of users in an ordered list according to at least one of anomaly scores of the users, host scores of the users, speed scores of the users, location scores of the users, or aggregate scores of the users.
  - 9. The computer system of claim 7, wherein the one or more hardware computer processors are further configured to execute the computer executable instructions in order to cause the computer system to:
    - generate a warning when at least one of the anomaly scores associated with the list of users, host scores of the users, speed scores of the users, location scores of the users, or aggregate scores of the users exceeds a threshold.
  - 10. The computer system of claim 7, wherein:
    - the location information comprises an internet protocol (IP) address; and
      
      the one or more hardware computer processors are further configured to execute the computer executable instructions in order to cause the computer system to;
      
      perform an IP lookup to determine geographical coordinates associated with the IP address; and
      
      calculate the travel speed for the user to arrive at the geographical coordinates.
  - 11. The computer system of claim 7, wherein:
    - the location information comprises an internet protocol (IP) address; and
      
      the one or more hardware computer processors are further configured to execute the computer executable instructions in order to cause the computer system to;
      
      perform an IP lookup to determine a country associated with the IP address; and
      
      determine the location score by multiplying a probability that the country is the source of an attack times a probability of an attack on the network and dividing by the probability of activity coming from the country.
  - 12. The computer system of claim 7, wherein:
    - the host score indicates increasingly higher likelihoods of malicious activity for each additional unique machine used by the user to access the network until a threshold number of unique machines are logged;
      
      the host score indicates a highest likelihood of malicious activity when the threshold number of unique machines is logged;
      
      the host score indicates a likelihood of malicious activity that is lower than the highest likelihood of malicious activity when more than the threshold number of unique machines is logged; and
      
      the host score indicates a low likelihood of malicious activity when the machine used by the user to access the network has been previously used by the user to access the network.
  - 13. The computer system of claim 7, wherein the one or more hardware computer processors are further configured to execute the computer executable instructions in order to cause the computer system to perform a mathematical convolution based, at least in part, on the respective aggregate scores for each of the accesses of the network to determine a convoluted score, and wherein an anomaly score for the user is based, at least in part, on the convoluted score.
  - 14. The computer system of claim 7, wherein the one or more hardware computer processors are further configured to execute the computer executable instructions in order to cause the computer system to:
    - sort the user into a cohort;
      
      determine the host score based, at least in part, on network activity of other members of the cohort; and
      
      determine the location score based, at least in part, on the network activity of other members of the cohort.

15. A computer system comprising:
- one or more computer readable storage devices configured to store computer executable instructions; and
  
  one or more hardware computer processors in communication with the one or more computer readable storage devices and configured to execute the computer executable instructions in order to cause the computer system to;
  
  receive information associated with an access to the network by a user via a computer, the information comprising an identity provided by the user and an identification of the computer, wherein the user has not previously accessed the network via the computer;
  
  determine a first host score based, at least in part, on the identification of the user and an identification of the computer, wherein the first host score indicates a likelihood that the access to the network was malicious;
  
  after receiving the information, receiving second information associated with a later access to the network by the user via a new computer, the second information comprising the identity provided by the user and an identification of the new computer, wherein the user has not previous accessed the network via the new computer;
  
  determine a second host score based, at least in part, on the user accessing the network via the new computer, wherein the second host score indicates a lower likelihood that the access to the network was malicious compared to the first host score.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The computer system of claim 15, wherein the one or more hardware computer processors are further configured to execute the computer executable instructions in order to cause the computer system to:
    - receive, as part of the information, a first internet protocol (IP) address associated with the access to the network;
      
      determine a first location associated with the first IP address;
      
      receive third information associated with a third access to the network by the user, the third information comprising the identification of the user, a different IP address, and a different time associated with the third access;
      
      determine a different location associated with the different IP address; and
      
      calculate a speed score based at least in part on a speed of travel from the first location at the first time to the different location at the different time, wherein the speed score indicates a likelihood that the third access to the network was malicious.
  - 17. The computer system of claim 15, wherein the one or more hardware computer processors are further configured to execute the computer executable instructions in order to cause the computer system to:
    - receive, as part of the information, a first internet protocol (IP) address and a first time associated with the access to the network;
      
      calculate, based on attack origin distribution data, a probability that the network access from the first location is malicious by multiplying a probability that the first location is the source of an attack times a probability of an attack on the network and dividing by the probability of activity coming from the first location, wherein the first location is a country; and
      
      determine a location score based, at least in part, on the probability, wherein the location score indicates a likelihood that the access to the network was malicious.
  - 18. The computer system of claim 15, wherein the one or more hardware computer processors are further configured to execute the computer executable instructions in order to cause the computer system to:
    - receive, as part of the second information, an IP address and a time associated with the later access to the network;
      
      determine a location score for the later access to the network, the location score being indicative of a likelihood that the later access to the network was malicious based, at least in part, on attack origin distribution data;
      
      determine a speed score for the for the later access to the network, the speed score being indicative of a likelihood that the later access to the network was malicious based, at least in part, on a calculated travel speed for the user; and
      
      determine an aggregate score for the later access to the network, wherein the aggregate score is based, at least in part, on the second host score, the location score, and the speed score.
  - 19. The computer system of claim 18, wherein the one or more hardware computer processors are further configured to execute the computer executable instructions in order to cause the computer system to:
    - determine an aggregate score for the access to the network;
      
      perform a mathematical convolution of a plurality of aggregate scores comprising the aggregate score for the later access to the network.
  - 20. The computer system of claim 15, wherein the one or more hardware computer processors are further configured to execute the computer executable instructions in order to cause the computer system to:
    - sort the user into a cohort;
      
      determine the first host score based, at least in part, on the behavior of other members of the cohort; and
      
      determine the second host score based, at least in part, on the behavior of other members of the cohort.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Palantir Technologies Incorporated
Original Assignee
Palantir Technologies Incorporated
Inventors
Kesin, Maxim, Jones, Samuel
Primary Examiner(s)
TRAN, ELLEN C

Application Number

US15/224,443
Publication Number

US 20170099311A1
Time in Patent Office

263 Days
Field of Search
US Class Current
CPC Class Codes

G06N 7/01   Probabilistic graphical mod...

H04L 2463/143   Denial of service attacks i...

H04L 61/5007   Internet protocol [IP] addr...

H04L 63/083   using passwords cryptograph...

H04L 63/12   Applying verification of th...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 67/535   Tracking the activity of th...

Network anomaly detection

First Claim

8 Assignments

0 Petitions

Accused Products

Abstract

120 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Network anomaly detection

First Claim

8 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

120 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links