Methods, systems, and computer program products for detecting communication anomalies in a network based on overlap between sets of users communicating with entities in the network
First Claim
1. A system, comprising:
a memory that stores instructions; and
a processor that executes the instructions to perform operations, the operations comprising:
determining an overlap between subsets of a set of users that entities of a plurality of entities communicated with, respectively, wherein the plurality of entities comprise domain names;
identifying, based on the overlap and based on a similarity metric between pairs of the entities of the plurality of entities, a cluster of the entities of the plurality of entities; and
determining whether communication between the cluster of the entities and the set of users is anomalous based on the overlap, wherein determining whether the communication between the cluster of the entities and the set of users is anomalous comprises:
determining whether the communication associated with the cluster of the entities is anomalous based on a number of internet protocol addresses each of the domain names in the cluster of the entities resolves to over a time period; and
determining whether the communication associated with the cluster of entities is anomalous based on a sequence in which users of the set of users communicate with the cluster of the entities.
Abstract
Anomalies are detected in a network by detecting communication between a plurality of entities and a set of users in the network, determining an overlap between subsets of the set of users that the entities comprising the plurality of entities communicated with, respectively, and determining whether the communication between the plurality of entities and the set of users is anomalous based on the overlap.
20 Claims
1. A system, comprising: (independent claim; its full text is given under First Claim above)
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12
13. A method, comprising:
determining, by utilizing instructions from a memory that are executed by a processor, an overlap between subsets of a set of users that entities of a plurality of entities communicated with, respectively, wherein the plurality of entities comprise domain names;
identifying, based on the overlap and based on a similarity metric between pairs of the entities of the plurality of entities, a cluster of the entities of the plurality of entities; and
determining whether communication between the cluster of the entities and the set of users is anomalous based on the overlap, wherein determining whether the communication between the cluster of the entities and the set of users is anomalous comprises:
determining whether the communication associated with the cluster of the entities is anomalous based on an operating system type of a device utilized to communicate with the cluster of the entities; and
determining whether the communication associated with the cluster of entities is anomalous based on a sequence in which users of the set of users communicate with the cluster of the entities.
Dependent claims: 14, 15, 16, 17, 18, 19
20. A non-transitory computer-readable medium comprising instructions, which when loaded and executed by a processor, cause the processor to perform operations, the operations comprising:
determining an overlap between subsets of a set of users that entities of a plurality of entities communicated with, respectively, wherein the plurality of entities comprise domain names;
identifying, based on the overlap and based on a similarity metric between pairs of the entities of the plurality of entities, a cluster of the entities of the plurality of entities; and
determining whether communication between the cluster of the entities and the set of users is anomalous based on the overlap, wherein determining whether the communication between the cluster of the entities and the set of users is anomalous comprises:
determining whether the communication associated with the cluster of the entities is anomalous based on an operating system type of a device utilized to communicate with the cluster of the entities; and
determining whether the communication associated with the cluster of entities is anomalous based on a stability of the cluster of the entities over time.
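The independent claims above describe one procedure: build the set of users that contacted each domain, score domain pairs with a similarity metric, cluster the domains, and then judge each cluster on the user overlap, on how many IP addresses its domains resolve to over a time period, and on the order in which users contact the domains. The Python program below is an added illustration written for this page; it is not code from the patent or its assignee. The record layout, the choice of Jaccard similarity as the metric, the single-linkage clustering and every threshold are assumptions made for the example, and the records are constructed. It models the three criteria of claim 1 (overlap, IP count over a window, contact sequence); the operating-system-type and cluster-stability criteria of claims 13 and 20 are not modelled.

```python
"""Added example: user-overlap clustering of domains with per-cluster anomaly
scoring. Illustrative code for this page, not the patent holder's implementation;
records, similarity metric, clustering method and thresholds are assumptions."""
from collections import Counter, defaultdict
from itertools import combinations

JACCARD_THRESHOLD = 0.8    # assumption: domain pairs at least this similar are linked
OVERLAP_THRESHOLD = 0.8    # assumption: shared-user fraction treated as high overlap
IP_COUNT_THRESHOLD = 3     # assumption: distinct IPs per domain within the window
SEQUENCE_THRESHOLD = 0.75  # assumption: share of users following the dominant order

# Constructed sample records: (user, domain, resolved_ip, timestamp).
RECORDS = []
# Four users contact a, b, c in the same order; every lookup returns a new IP.
for i, user in enumerate(("u1", "u2", "u3", "u4")):
    for j, domain in enumerate(("a.example", "b.example", "c.example")):
        RECORDS.append((user, domain, f"10.0.{i}.{j}", 10 * i + j))
# Six users reach a site and its static host in mixed order; one stable IP each.
STATIC_IP = {"site.example": "192.0.2.1", "static.example": "192.0.2.2"}
for i, user in enumerate(("u1", "u2", "u3", "u4", "u5", "u6")):
    order = ("site.example", "static.example") if i % 2 == 0 else ("static.example", "site.example")
    for j, domain in enumerate(order):
        RECORDS.append((user, domain, STATIC_IP[domain], 50 + 2 * i + j))
RECORDS += [("u5", "news.example", "192.0.2.3", 70), ("u6", "mail.example", "192.0.2.4", 71)]


def user_sets(records):
    """Map each domain to the subset of users that communicated with it."""
    sets = defaultdict(set)
    for user, domain, _ip, _ts in records:
        sets[domain].add(user)
    return dict(sets)


def jaccard(a, b):
    """Similarity metric between two user subsets: |a & b| / |a | b|."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def cluster_domains(sets, threshold=JACCARD_THRESHOLD):
    """Single-linkage clustering: union-find over pairs whose similarity meets the threshold."""
    parent = {d: d for d in sets}

    def find(d):
        while parent[d] != d:
            parent[d] = parent[parent[d]]
            d = parent[d]
        return d

    for x, y in combinations(sets, 2):
        if jaccard(sets[x], sets[y]) >= threshold:
            parent[find(x)] = find(y)
    groups = defaultdict(list)
    for d in sets:
        groups[find(d)].append(d)
    return sorted(sorted(g) for g in groups.values())


def cluster_overlap(sets, cluster):
    """Fraction of the cluster's users that talked to every domain in the cluster."""
    common = set.intersection(*(sets[d] for d in cluster))
    union = set.union(*(sets[d] for d in cluster))
    return len(common) / len(union) if union else 0.0


def ip_counts(records, cluster, window):
    """Number of distinct IPs each cluster domain resolved to within [start, end]."""
    start, end = window
    ips = defaultdict(set)
    for _user, domain, ip, ts in records:
        if domain in cluster and start <= ts <= end:
            ips[domain].add(ip)
    return {d: len(ips[d]) for d in cluster}


def sequence_consistency(records, cluster):
    """Share of users whose order of first contact with the cluster's domains
    matches the most common order; 1.0 means every user followed the same sequence."""
    first = defaultdict(dict)  # user -> domain -> timestamp of first contact
    for user, domain, _ip, ts in sorted(records, key=lambda r: r[3]):
        if domain in cluster and domain not in first[user]:
            first[user][domain] = ts
    orders = Counter(tuple(sorted(seen, key=seen.get)) for seen in first.values())
    if not orders:
        return 0.0
    return orders.most_common(1)[0][1] / sum(orders.values())


def assess_cluster(records, sets, cluster, window):
    """Apply the claim-1 criteria: high overlap combined with IP churn or a fixed contact order."""
    overlap = cluster_overlap(sets, cluster)
    ips = ip_counts(records, cluster, window)
    seq = sequence_consistency(records, cluster)
    anomalous = overlap >= OVERLAP_THRESHOLD and (
        max(ips.values()) >= IP_COUNT_THRESHOLD or seq >= SEQUENCE_THRESHOLD)
    return {"cluster": cluster, "overlap": overlap, "ip_counts": ips,
            "sequence_consistency": seq, "anomalous": anomalous}


def detect(records, window):
    """Cluster the domains and assess every cluster with at least two members."""
    sets = user_sets(records)
    return [assess_cluster(records, sets, c, window)
            for c in cluster_domains(sets) if len(c) >= 2]


if __name__ == "__main__":
    for verdict in detect(RECORDS, (0, 100)):
        print(verdict)
```

On the constructed records two multi-domain clusters emerge. The a/b/c trio has full user overlap, each domain resolves to four different addresses inside the window, and all four users contact the domains in the same order, so it is flagged. The site/static pair also has full overlap, which is exactly what benign shared infrastructure looks like, but its addresses are stable and users reach the two hosts in no fixed order, so it is not flagged. That is the practical reason the claims combine overlap with resolution behaviour and contact sequence rather than alerting on overlap alone; on real traffic the thresholds and the window would have to be tuned against a baseline of known-good clusters.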
Specification