Detecting anomalies in behavioral network with contextual side information
First Claim
1. A method of detecting security threats in a computing network, the method executed by at least one processor of a computing device, the method comprising:
- receiving, from the computing network, behavioral information over a time period for a set of users in the computing network, the behavioral information over the time period comprises identities of the users and identities of computing devices in the computing network respectively utilized by the users;
- for the time period, constructing contexts and assigning respective context membership scores to the users by performing label propagation to combine the behavioral information over the time period and contextual side information, the contextual side information comprises at least one of attributes of the users or attributes of the computing devices, the contexts being constructed and the respective context membership scores being assigned to the users based on previous contexts and previous respective context membership scores assigned to the users for a prior time period, each context is a respective subset of the users, and a context membership score for a particular context assigned to a given user being indicative of the given user belonging to the particular context;
- computing respective contextual anomaly scores for the users for the time period based on the respective context membership scores assigned to the users and the contextual side information;
- detecting a security threat in the computing network for the time period based on the contextual anomaly scores; and
- causing the computing device to output information specifying the security threat in the computing network for the time period.
Abstract
Various technologies described herein pertain to detecting contextual anomalies in a behavioral network. Label propagation can be performed to construct contexts and assign respective context membership scores to users. Each context can be a respective subset of the users expected to have similar resource usages. The contexts can be constructed and the context membership scores can be assigned by combining behavioral information and contextual side information. The behavioral information can specify respective resource usages by the users within the behavioral network. Moreover, respective contextual anomaly scores for the users can be computed based on the respective context membership scores assigned to the users and the contextual side information. Further, the contextual anomalies can be detected from the contextual anomaly scores.
22 Citations
20 Claims
15. A system that detects security threats in a computing network, comprising:
- at least one processor; and
- a memory that comprises computer-executable instructions that, when executed by the at least one processor, cause the at least one processor to perform acts including:
  - for a time period, constructing contexts and assigning respective context membership scores to a set of users by performing label propagation to combine behavioral information over the time period for the set of users in the computing network and contextual side information, the behavioral information over the time period comprises identities of the users and identities of the computing devices in the computing network respectively utilized by the users, the contexts being constructed and the respective context membership scores being assigned to the users based on previous contexts and previous respective context membership scores assigned to the users for a prior time period, each context is a respective subset of the users, and a context membership score for a particular context assigned to a given user being indicative of the given user belonging to the particular context;
  - computing respective contextual anomaly scores for the users for the time period based on the respective context membership scores assigned to the users and the contextual side information;
  - detecting a security threat in the computing network for the time period based on the contextual anomaly scores; and
  - causing information specifying the security threat in the computing network for the time period to be outputted.
20. A computer-readable storage device including computer-executable instructions that, when executed by a processor, cause the processor to perform acts including:
- for a time period, constructing contexts and assigning respective context membership scores to users in a computing network by performing label propagation to combine behavioral information over the time period and contextual side information, the behavioral information over the time period comprises identities of the users and identities of computing devices in the computing network respectively utilized by the users, the contextual side information comprises at least one of attributes of the users or attributes of the computing devices, the label propagation being performed based on previous contexts and previous respective context membership scores assigned to the users for a prior time period, each context is a respective subset of the users, and a context membership score for a particular context assigned to a given user being indicative of the given user belonging to the particular context;
- computing respective contextual anomaly scores for the users for the time period based on the respective context membership scores assigned to the users and the contextual side information;
- detecting a security threat in the computing network for the time period based on the contextual anomaly scores; and
- causing information specifying the security threat in the computing network for the time period to be outputted.
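The abstract and the claims above describe the pipeline only as steps: label propagation that combines behavioral information (which users use which devices) with contextual side information (user and device attributes), contexts carried forward from the prior time period, anomaly scores derived from the membership scores and the side information, and a detection step. The Python below is an added illustration of one way such a pipeline can be realized; it is not the patent's code and the patent does not specify these details. The cosine-plus-attribute edge weights, the `mu` and `prior_weight` parameters, the anomaly score definition, the 0.3 threshold and the users, devices and events are all constructed assumptions.

```python
"""Toy contextual anomaly detector: label propagation over a user/device
behavioral graph seeded with side information, membership-weighted anomaly
scores, and carry-over of the prior period's memberships. This is a
simplified illustration, not the patent's own algorithm."""
from collections import defaultdict
from math import sqrt

# Constructed sample data (not from the patent): one (user, device) event per
# use within a period; side information is a department label per user/device.
USER_ATTR = {"alice": "eng", "bob": "eng", "frank": "eng", "eve": "eng",
             "carol": "fin", "dave": "fin", "grace": "fin"}
DEVICE_ATTR = {"eng-ws-01": "eng", "eng-ws-02": "eng", "eng-ws-03": "eng",
               "eng-ws-04": "eng", "build-srv": "eng", "fin-ws-01": "fin",
               "fin-ws-02": "fin", "fin-ws-03": "fin", "ledger-db": "fin"}
CONTEXTS = ["eng", "fin"]
BASE_EVENTS = [("alice", "eng-ws-01"), ("alice", "build-srv"),
               ("bob", "eng-ws-02"), ("bob", "build-srv"),
               ("frank", "eng-ws-03"), ("frank", "build-srv"),
               ("eve", "eng-ws-04"), ("eve", "build-srv"),
               ("carol", "fin-ws-01"), ("carol", "ledger-db"),
               ("dave", "fin-ws-02"), ("dave", "ledger-db"),
               ("grace", "fin-ws-03"), ("grace", "ledger-db")]
EVENTS_T1 = BASE_EVENTS + [("eve", "ledger-db")]  # eve also touches finance DB
EVENTS_T2 = list(BASE_EVENTS)                      # next period: back to normal

def usage_profiles(events):
    """Behavioral information: user -> {device: use count}."""
    prof = defaultdict(lambda: defaultdict(int))
    for user, device in events:
        prof[user][device] += 1
    return prof

def cosine(a, b):
    dot = sum(a[k] * b.get(k, 0) for k in a)
    na = sqrt(sum(v * v for v in a.values()))
    nb = sqrt(sum(v * v for v in b.values()))
    return dot / (na * nb) if na and nb else 0.0

def affinity(profiles, alpha=0.7):
    """User-user edge weight: shared-device similarity (behavior) blended with
    attribute agreement (side information)."""
    users, w = sorted(profiles), {}
    for u in users:
        for v in users:
            if u != v:
                side = 1.0 if USER_ATTR.get(u) == USER_ATTR.get(v) else 0.0
                w[u, v] = alpha * cosine(profiles[u], profiles[v]) + (1 - alpha) * side
    return users, w

def label_propagation(users, w, prior=None, mu=0.5, prior_weight=0.3, iters=50):
    """Context membership scores per user: each iteration mixes the neighbors'
    memberships with a seed built from the user's attribute and, when given,
    the prior period's memberships (mu keeps the seed from being washed out)."""
    def seed(u):
        s = {c: float(USER_ATTR.get(u) == c) for c in CONTEXTS}
        if prior and u in prior:
            s = {c: (1 - prior_weight) * s[c] + prior_weight * prior[u][c] for c in CONTEXTS}
        return s
    y = {u: seed(u) for u in users}
    f = {u: dict(y[u]) for u in users}
    for _ in range(iters):
        nxt = {}
        for u in users:
            nbrs = [(v, w[u, v]) for v in users if v != u]
            tot = sum(wt for _, wt in nbrs) or 1.0
            nxt[u] = {c: (1 - mu) * sum(wt * f[v][c] for v, wt in nbrs) / tot
                      + mu * y[u][c] for c in CONTEXTS}
        f = nxt
    return f

def anomaly_scores(f, profiles):
    """Contextual anomaly in [0, 1]: the membership-weighted share of a user's
    usage on devices whose attribute does not match the user's contexts."""
    scores = {}
    for u, prof in profiles.items():
        total = sum(prof.values())
        share = defaultdict(float)
        for device, n in prof.items():
            share[DEVICE_ATTR.get(device, "unknown")] += n / total
        scores[u] = 1.0 - sum(f[u][c] * share[c] for c in CONTEXTS)
    return scores

def detect(scores, threshold=0.3):
    """Threat candidates: users whose anomaly score exceeds the threshold."""
    return sorted(u for u, s in scores.items() if s > threshold)

def run_period(events, prior=None):
    """One time period end to end -> (memberships, scores, flagged users)."""
    profiles = usage_profiles(events)
    users, w = affinity(profiles)
    f = label_propagation(users, w, prior=prior)
    scores = anomaly_scores(f, profiles)
    return f, scores, detect(scores)

if __name__ == "__main__":
    f1, s1, flagged1 = run_period(EVENTS_T1)
    f2, s2, flagged2 = run_period(EVENTS_T2, prior=f1)
    print("period 1 flagged:", flagged1, {u: round(s, 2) for u, s in s1.items()})
    print("period 2 flagged:", flagged2, {u: round(s, 2) for u, s in s2.items()})
```

In period 1 only `eve` is flagged: she sits in the engineering context but a third of her usage lands on a finance-attributed device. In period 2 her memberships are seeded partly from period 1, so the contexts do not have to be rebuilt from scratch, and since her usage is back in pattern nobody is flagged. The worked point for a practitioner is that the side information bounds the damage a single unusual user can do to the contexts: with soft memberships on a small population, a user who shares devices across departments pulls some membership across, so the threshold has to leave room for that leakage (here the finance users score around 0.13 in period 1 without being anomalous).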