Privileged analytics system
First Claim
1. A computer implemented method for managing a parallel profiling paradigm for a common network entity in a network, comprising:
using at least one hardware processor of at least one server for:
building, based on analysis of actions documented in an input data and associated with a network entity in a computer network, a first entity behavioral profile for said network entity, said first entity behavioral profile reflects first metrics associated with behavioral characteristics of said network entity;
monitoring additional actions in additional input data to identify one or more anomalies from said first entity behavioral profile;
using said one or more anomalies as a regular sample for building at least one second entity behavioral profile for said network entity;
wherein said first entity behavioral profile and said at least one second entity behavioral profile are representations of expected behaviors of the network entity, said at least one second entity behavioral profile reflects second metrics associated with said behavioral characteristics of said network entity, wherein said first metrics and said second metrics are different from one another and said behavioral characteristics comprise at least two members of a group consisting of:
time of day or time of week of network events by said network entity, access distribution of said network entity, distribution of originating internet protocol (IP) addresses of said network entity, a rate of access to a target by said network entity, a rate of input by said network entity, a geographical location of said network entity, and type of network events initiated by said network entity;
managing said first entity behavioral profile and said at least one second entity behavioral profile in parallel for analysis of further additional actions of said network entity in said computer network;
calculating, according to at least one of said first entity behavioral profile and said second entity behavioral profile, a leading entity behavioral profile for said network entity; and
using said leading entity behavioral profile for a detection of further anomalies in said further additional actions of said network entity in said computer network.
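The parallel profiling paradigm of claim 1, as an added illustration (not code from the patent or its assignee): a first profile is built from baseline actions over two of the claimed characteristics (time of day and originating IP), anomalies against it become the regular sample of a second profile, both are kept, and a leading profile is chosen for further detection. The rarity rule, the 10% minimum frequency and the "fewest anomalies on the recent window" selection rule are assumptions; the event data is constructed.

```python
from collections import Counter
from dataclasses import dataclass, field

@dataclass
class Profile:
    """Profile over two claimed characteristics: time of day and originating IP."""
    hours: Counter = field(default_factory=Counter)
    ips: Counter = field(default_factory=Counter)
    n: int = 0

    def add(self, hour, ip):
        self.hours[hour] += 1
        self.ips[ip] += 1
        self.n += 1

    def is_anomaly(self, hour, ip, min_freq=0.10):
        # Assumed rule: anomalous when either characteristic is rarer than
        # min_freq in this profile; an empty profile has seen nothing.
        if self.n == 0:
            return True
        return (self.hours[hour] / self.n < min_freq
                or self.ips[ip] / self.n < min_freq)

def build_profile(events):
    profile = Profile()
    for hour, ip in events:
        profile.add(hour, ip)
    return profile

def leading_profile(profiles, recent):
    # Assumed selection rule: the profile that explains the most recent actions
    # (fewest anomalies) leads; ties go to the earlier profile.
    return min(profiles, key=lambda p: sum(p.is_anomaly(h, ip) for h, ip in recent))

def run_parallel_profiling(baseline, additional, further):
    first = build_profile(baseline)
    # Anomalies against the first profile become the regular sample of the second.
    anomalies = [(h, ip) for h, ip in additional if first.is_anomaly(h, ip)]
    second = build_profile(anomalies)
    # Both profiles are kept; the leading one is recomputed on the new window.
    lead = leading_profile([first, second], further)
    further_anomalies = [(h, ip) for h, ip in further if lead.is_anomaly(h, ip)]
    return first, second, lead, further_anomalies

# Constructed sample: an account working 09-17 from one office address, which
# then starts a 02:00 job from a second address that becomes its own routine.
BASELINE = [(h, "10.0.0.5") for h in range(9, 18)] * 4
ADDITIONAL = [(h, "10.0.0.5") for h in range(9, 18)] + [(2, "10.0.9.9")] * 6
FURTHER = [(2, "10.0.9.9")] * 5 + [(3, "203.0.113.7")]
```

With the constructed data the nightly job is anomalous against the first profile but routine under the second, which therefore leads; only the 03:00 action from an unknown address remains a further anomaly.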
2 Assignments
0 Petitions
Abstract
A computer-implemented method for determining whether a computer network is compromised by unauthorized activity on the computer network. The computer-implemented method comprises identifying a behavioral anomaly of an entity on the computer network, classifying the anomaly as a system event based on an assigned score for the anomaly being at least at a predetermined score threshold, updating an incident based on at least one common parameter between the system event and other system events which comprise the incident, each system event of the incident including an assigned score from when the event was an anomaly, updating a system status based on at least the incident, assigning a system status score to the system status, and determining whether the system status score is at least at a predetermined threshold system status score indicating that the computer network may be compromised.
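The anomaly-to-event-to-incident-to-status pipeline of the abstract, as an added example (not the patent's or assignee's code): anomalies that reach a score threshold become system events, events sharing a common parameter are grouped into one incident with their scores retained, and a system status score is compared with a second threshold. The 0-100 score scale, both thresholds, the choice of the entity as the common parameter and the max-over-incidents aggregation are assumptions; the anomalies are constructed.

```python
from dataclasses import dataclass, field

# Assumed thresholds on a 0-100 anomaly score; the abstract fixes no values.
EVENT_THRESHOLD = 50
STATUS_THRESHOLD = 200

@dataclass
class Anomaly:
    entity: str    # the entity whose behavior deviated
    target: str    # what it acted on
    score: int     # assigned anomaly score, kept when it becomes an event

@dataclass
class Incident:
    key: str                                    # common parameter of its events
    events: list = field(default_factory=list)  # system events, scores retained

    def score(self):
        return sum(e.score for e in self.events)

def classify_events(anomalies, threshold=EVENT_THRESHOLD):
    # An anomaly is a system event only if its score reaches the threshold.
    return [a for a in anomalies if a.score >= threshold]

def update_incidents(incidents, events, common_param=lambda e: e.entity):
    # Events sharing the common parameter (assumed here: the entity) join the
    # same incident; a parameter not seen before opens a new incident.
    for e in events:
        key = common_param(e)
        incidents.setdefault(key, Incident(key)).events.append(e)
    return incidents

def system_status_score(incidents):
    # Assumed aggregation: the system status carries its worst incident's score.
    return max((i.score() for i in incidents.values()), default=0)

def assess(anomalies, incidents=None):
    """Run the pipeline end to end; returns (status score, compromised?)."""
    incidents = update_incidents(incidents if incidents is not None else {},
                                 classify_events(anomalies))
    status = system_status_score(incidents)
    return status, status >= STATUS_THRESHOLD

# Constructed anomalies: one service account touching three targets, plus two
# unrelated observations, one of them too weak to become an event.
ANOMALIES = [
    Anomaly("svc-backup", "fileserver", 90),
    Anomaly("svc-backup", "dc01", 70),
    Anomaly("alice", "mail", 20),     # below EVENT_THRESHOLD: never an event
    Anomaly("bob", "wiki", 60),
    Anomaly("svc-backup", "dc02", 80),
]
```

Passing an existing incident dict into assess() lets later batches of anomalies extend open incidents rather than start fresh.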
78 Citations
16 Claims
1. Independent method claim, set out in full under First Claim above. Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11.
12. A computer system for managing a parallel profiling paradigm for a common network entity comprising:
at least one non-transitory computer readable storage medium having program instructions embodied therewith;
at least a processor configured to execute said program instructions, said program instructions comprising:
code instructions for building, based on analysis of actions documented in an input data and associated with a network entity in a computer network, a first entity behavioral profile for said network entity, said first entity behavioral profile reflects first metrics associated with behavioral characteristics of said network entity;
code instructions for monitoring additional actions in additional input data to identify one or more anomalies from said first entity behavioral profile;
code instructions for using said one or more anomalies as a regular sample for building at least one second entity behavioral profile for said network entity, said at least one second entity behavioral profile reflects second metrics associated with said behavioral characteristics of said network entity, wherein said first metrics and said second metrics are different from one another and said behavioral characteristics comprise at least two members of a group consisting of: time of day or time of week of network events by said network entity, access distribution of said network entity, distribution of originating internet protocol (IP) addresses of said network entity, a rate of access to a target by said network entity, a rate of input by said network entity, a geographical location of said network entity, and type of network events initiated by said network entity;
code instructions for managing said first entity behavioral profile and said at least one second entity behavioral profile in parallel for detection of one or more further anomalies in further additional actions of said network entity in said computer network;
code instructions for calculating, according to at least one of said first entity behavioral profile and said second entity behavioral profile, a leading entity behavioral profile for said network entity; and
code instructions for using said leading entity behavioral profile for a detection of further anomalies in said further additional actions of said network entity in said computer network;
wherein said first entity behavioral profile and said at least one second entity behavioral profile are representations of expected behaviors of the network entity.
13. A computer program product for managing a parallel profiling paradigm for a common network entity, the computer program product comprising a non-transitory computer readable storage medium having program instructions embodied therewith, the program instructions executable by a processor to cause one or more servers to:
build, based on analysis of actions documented in an input data and associated with a network entity in a computer network, a first entity behavioral profile for said network entity, said first entity behavioral profile reflects first metrics associated with behavioral characteristics of said network entity;
monitor additional actions in additional input data to identify one or more anomalies from said first entity behavioral profile;
use said one or more anomalies as a regular sample for building at least one second entity behavioral profile for said network entity, said at least one second entity behavioral profile reflects second metrics associated with said behavioral characteristics of said network entity, wherein said first metrics and said second metrics are different from one another and said behavioral characteristics comprise at least two members of a group consisting of: time of day or time of week of network events by said network entity, access distribution of said network entity, distribution of originating internet protocol (IP) addresses of said network entity, a rate of access to a target by said network entity, a rate of input by said network entity, a geographical location of said network entity, and type of network events initiated by said network entity;
manage said first entity behavioral profile and said at least one second entity behavioral profile in parallel for detection of one or more further anomalies in further additional actions of said network entity in said computer network;
calculate, according to at least one of said first entity behavioral profile and said second entity behavioral profile, a leading entity behavioral profile for said network entity; and
use said leading entity behavioral profile for a detection of further anomalies in said further additional actions of said network entity in said computer network;
wherein said first entity behavioral profile and said at least one second entity behavioral profile are representations of expected behaviors of the network entity. Dependent claims: 14, 15, 16.