Distributed behavior based anomaly detection
First Claim
1. A system for detecting anomalies, the system comprising:
a memory and at least one processor operatively connected to at least one database, wherein the at least one processor is configured for:
receiving one or more behavioral vector parameters for each of a plurality of metrics from one or more users;
creating a plurality of individual and independent behavioral vectors, wherein each behavioral vector of the plurality of individual and independent behavioral vectors is for a respective metric of the plurality of metrics and is created based on the received one or more behavioral vector parameters for the respective metric of the plurality of metrics, and each behavioral vector of the plurality of individual and independent behavioral vectors comprises identifiers of a plurality of subject computing devices, the respective metric of the plurality of metrics, and an interval;
creating a plurality of baselines, wherein each baseline of the plurality of baselines is for a particular behavioral vector of the plurality of individual and independent behavioral vectors and comprises an expected value for the respective metric of the plurality of metrics collected over the interval, the expected value for the respective metric of the plurality of metrics being determined based on data associated with the particular behavioral vector of the plurality of individual and independent behavioral vectors;
transmitting the plurality of individual and independent behavioral vectors and the plurality of baselines to a plurality of sensors, wherein each sensor of the plurality of sensors is associated with a particular subject computing device of the plurality of subject computing devices, and wherein the particular subject computing device of the plurality of subject computing devices is associated with a user of the one or more users; and
receiving, from each sensor of the plurality of sensors, a result comprising an observed value for one or more metrics of the plurality of metrics collected over the interval at the particular subject computing device of the plurality of subject computing devices and a comparison, for each of the one or more metrics of the plurality of metrics collected over the interval, of the observed value and the expected value, wherein the comparison identifies a behavioral anomaly at the particular subject computing device of the plurality of subject computing devices.
Abstract
Systems and methods for detecting behavior-based anomalies are described herein. In various embodiments, the system includes a context engine for creating behavioral vectors that are transmitted to a long term data store, to behavioral engines configured to create baselines based on historical data, and to sensors configured to observe system resources. According to particular embodiments, the system is configured to collect data regarding the system resources (e.g., via the sensors) and compare the collected data to baselines to determine whether anomalies have occurred.
78 Citations
64 Claims
1. Claim 1 is reproduced in full above under First Claim. Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10.
11. A computer-implemented method for detecting anomalies by at least one processor and at least one database, the computer-implemented method comprising steps of:
receiving, via the at least one processor, one or more behavioral vector parameters for each of a plurality of metrics from one or more users;
creating, via the at least one processor, a plurality of individual and independent behavioral vectors, wherein each behavioral vector of the plurality of individual and independent behavioral vectors is for a respective metric of the plurality of metrics and is created based on the received one or more behavioral vector parameters for the respective metric of the plurality of metrics, and each behavioral vector of the plurality of individual and independent behavioral vectors comprises identifiers of a plurality of subject computing devices, the respective metric of the plurality of metrics, and an interval;
creating, via the at least one processor, a plurality of baselines, wherein each baseline of the plurality of baselines is for a particular behavioral vector of the plurality of individual and independent behavioral vectors and comprises an expected value for the respective metric of the plurality of metrics collected over the interval, the expected value for the respective metric of the plurality of metrics being determined based on data associated with the particular behavioral vector of the plurality of individual and independent behavioral vectors;
transmitting, via the at least one processor, the plurality of individual and independent behavioral vectors and the plurality of baselines to a plurality of sensors, wherein each sensor of the plurality of sensors is associated with a particular subject computing device of the plurality of subject computing devices, and wherein the particular subject computing device of the plurality of subject computing devices is associated with a user of the one or more users; and
receiving, from each sensor of the plurality of sensors, via the at least one processor, a result comprising an observed value for one or more metrics of the plurality of metrics collected over the interval at the particular subject computing device of the plurality of subject computing devices and a comparison, for each of the one or more metrics of the plurality of metrics collected over the interval, of the observed value and the expected value, wherein the comparison identifies a behavioral anomaly at the particular subject computing device of the plurality of subject computing devices.
Dependent claims: 12, 13, 14, 15, 16, 17, 18, 19, 20.
21. A sensor for behavior-based anomaly detection comprising at least one hardware processor, the at least one hardware processor configured for:
receiving, at the hardware processor of the sensor, a plurality of individual and independent behavioral vectors and an indication of one or more computing resources of a plurality of computing resources to observe while additional sensors observe other computing resources of the plurality of computing resources;
for each of the plurality of individual and independent behavioral vectors, collecting an observation comprising raw data from the one or more computing resources for a first time interval;
receiving a baseline for each of the plurality of individual and independent behavioral vectors, wherein the baseline for each of the plurality of individual and independent behavioral vectors comprises an expected value of the collected observation and a standard deviation of the expected value;
comparing, for each of the plurality of individual and independent behavioral vectors, the collected observation to the expected value;
determining whether a behavioral anomaly has occurred based on the comparing, wherein the behavioral anomaly occurs when the collected observation for a particular behavioral vector of the plurality of individual and independent behavioral vectors is a predetermined amount more or less than the expected value for the particular behavioral vector of the plurality of individual and independent behavioral vectors;
upon determining that the behavioral anomaly has occurred, forwarding information about the behavioral anomaly to a context engine to determine whether the behavioral anomaly is a true anomaly, wherein the context engine is configured to receive additional anomalies from the additional sensors in parallel to processing of the behavioral anomaly; and
transmitting, to a user, an alert that identifies a particular computing resource from the one or more computing resources where the behavioral anomaly has occurred.
Dependent claims: 22, 23, 24, 25, 26, 27, 28, 29.
30. A computer-implemented method for behavior-based anomaly detection comprising:
providing a sensor for detecting anomalies in network traffic, the sensor comprising at least one processor, wherein the at least one processor is configured for performing steps of:
receiving a plurality of individual and independent behavioral vectors and an indication of one or more computing resources of a plurality of computing resources to observe while additional sensors observe other computing resources of the plurality of computing resources;
for each of the plurality of individual and independent behavioral vectors, collecting, at the sensor, an observation comprising raw data from the one or more computing resources for a first time interval;
receiving, for each of the plurality of individual and independent behavioral vectors, a baseline comprising an expected value of the collected observation and a standard deviation of the expected value;
comparing, for each of the plurality of individual and independent behavioral vectors, the collected observation to the expected value;
determining whether a behavioral anomaly has occurred based on the comparing, wherein the behavioral anomaly occurs when the collected observation for a particular behavioral vector of the plurality of individual and independent behavioral vectors is a predetermined amount more or less than the expected value for the particular behavioral vector of the plurality of individual and independent behavioral vectors;
upon determining that the behavioral anomaly has occurred, forwarding information about the behavioral anomaly to a context engine to determine whether the behavioral anomaly is a true anomaly, wherein the context engine is configured to receive additional anomalies from the additional sensors in parallel to processing of the behavioral anomaly; and
transmitting, to a user, an alert that identifies a particular computing resource from the one or more computing resources where the behavioral anomaly has occurred.
Dependent claims: 31, 32, 33, 34, 35, 36, 37, 38, 39, 40.
41. A system for detecting behavior-based anomalies, the system comprising:
a context engine configured for creating a plurality of individual and independent behavioral vectors based on one or more behavioral vector parameters received from one or more users, each of the plurality of individual and independent behavioral vectors comprising identifiers of a plurality of subject computing devices, a metric indicating data to collect from the plurality of subject computing devices, and an interval indicating a duration during which the data is to be collected from the plurality of subject computing devices;
a behavioral engine operatively connected to the context engine, the behavioral engine configured for creating a plurality of baselines based on the plurality of individual and independent behavioral vectors, wherein each baseline of the plurality of baselines is associated with one of the plurality of individual and independent behavioral vectors and comprises an expected value for respective data collected from the plurality of subject computing devices over the interval and a standard deviation of the expected value for the respective data; and
a plurality of sensors, wherein each sensor of the plurality of sensors is associated with a particular subject computing device of the plurality of subject computing devices that is associated with a user of the one or more users and each sensor of the plurality of sensors is configured for collecting data from the particular subject computing device based on the plurality of individual and independent behavioral vectors and comparing data collected for a particular behavioral vector of the plurality of individual and independent behavioral vectors to a particular baseline of the plurality of baselines associated with the particular behavioral vector to identify a behavioral anomaly at the particular subject computing device.
Dependent claims: 42, 43, 44, 45, 46, 47, 48, 49, 50, 51.
52. A computer-implemented method for detecting behavior-based anomalies, the method comprising:
providing a context engine configured for creating a plurality of individual and independent behavioral vectors based on one or more behavioral vector parameters received from one or more users, each of the plurality of individual and independent behavioral vectors comprising identifiers of a plurality of subject computing devices, a metric indicating data to collect from the plurality of subject computing devices, and an interval indicating a duration during which the data is to be collected from the plurality of subject computing devices;
providing a behavioral engine operatively connected to the context engine, the behavioral engine configured for creating a plurality of baselines based on the plurality of individual and independent behavioral vectors, wherein each baseline of the plurality of baselines is associated with one of the plurality of individual and independent behavioral vectors and comprises an expected value for respective data collected from the plurality of subject computing devices over the interval and a standard deviation of the expected value for the respective data; and
providing a plurality of sensors, wherein each sensor of the plurality of sensors is associated with a particular subject computing device of the plurality of subject computing devices that is associated with a user of the one or more users and each sensor of the plurality of sensors is configured for collecting data from the particular subject computing device based on the plurality of individual and independent behavioral vectors and comparing data collected for a particular behavioral vector of the plurality of individual and independent behavioral vectors to a particular baseline of the plurality of baselines associated with the particular behavioral vector to identify a behavioral anomaly at the particular subject computing device.
Dependent claims: 53, 54, 55, 56, 57, 58, 59, 60, 61, 62.
63. A system for detecting behavior-based anomalies, the system comprising:
a context engine configured for creating a plurality of individual and independent behavioral vectors, each behavioral vector of the plurality of individual and independent behavioral vectors comprising an indication of a plurality of system network resources, a metric indicating data to collect from the plurality of system network resources, and an interval indicating a duration during which the data is to be collected from the plurality of system network resources;
a behavioral engine operatively connected to the context engine, the behavioral engine configured for creating a baseline based on a particular behavioral vector of the plurality of individual and independent behavioral vectors, the baseline comprising an expected value for the data collected from the plurality of system network resources and a standard deviation of the expected value, wherein the expected value is based upon data received by the behavioral engine from a data store; and
a plurality of sensors associated with the plurality of system network resources, each of the plurality of sensors is configured to receive two or more of the plurality of individual and independent behavioral vectors, and for each respective behavioral vector of the two or more behavioral vectors, each sensor of the plurality of sensors is configured to:
collect data from a particular system network resource of the plurality of system network resources in accordance with the indication, the metric, and the interval in the respective behavioral vector;
create an observation based on the data collected from the particular system network resource for the interval in the respective behavioral vector; and
identify that an anomaly has occurred at the particular system network resource by determining whether the observation is a predetermined number of standard deviations from the expected value.
Dependent claims: 64.
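The pipeline the independent claims describe (context engine builds behavioral vectors from user parameters; behavioral engine derives an expected value and standard deviation per vector from historical data; each sensor turns raw samples collected over the interval into one observation, flags it when it lies a predetermined number of standard deviations from the expected value, and forwards the flag to the context engine, which decides whether it is a true anomaly) as an added worked example. This is illustrative code written for this page, not the patent's or any assignee's implementation. The claims do not fix how raw samples are aggregated, what the threshold is, or how the context engine judges a "true" anomaly; the sum/mean aggregation, the k = 3 threshold, and the fleet-wide drift rule in `context_engine_triage` are assumptions, and all history and sample values are constructed.

```python
"""Behavioral-vector / baseline / sensor anomaly pipeline (added example).

Assumptions, not from the claims: aggregation rule, k = 3 sigma threshold,
and the context engine's corroboration rule. All data below is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class BehavioralVector:
    """One vector per metric: subject device IDs, the metric, and the interval."""
    vector_id: str
    device_ids: Tuple[str, ...]
    metric: str
    interval_s: int
    aggregate: str  # "sum" or "mean": how raw samples become one observation (assumption)


@dataclass(frozen=True)
class Baseline:
    vector_id: str
    expected: float
    stddev: float


@dataclass(frozen=True)
class SensorResult:
    device_id: str
    vector_id: str
    observed: float
    expected: float
    deviations: float  # distance from expected, in standard deviations
    anomalous: bool


def create_behavioral_vectors(params: Dict[str, dict], device_ids: Tuple[str, ...]) -> List[BehavioralVector]:
    """Context engine: one individual, independent vector per user-supplied metric."""
    return [BehavioralVector(f"bv:{m}", device_ids, m, p["interval_s"], p["aggregate"])
            for m, p in params.items()]


def create_baselines(vectors: List[BehavioralVector], history: Dict[str, List[float]]) -> Dict[str, Baseline]:
    """Behavioral engine: expected value and stddev per vector from past per-interval observations."""
    return {v.vector_id: Baseline(v.vector_id, mean(history[v.vector_id]), pstdev(history[v.vector_id]))
            for v in vectors}


def deviations_from(observed: float, baseline: Baseline) -> float:
    """|observed - expected| in units of stddev. Zero-variance baseline is the edge case:
    any departure is treated as infinitely far, so it is never silently divided away."""
    diff = abs(observed - baseline.expected)
    if baseline.stddev == 0.0:
        return 0.0 if diff == 0.0 else float("inf")
    return diff / baseline.stddev


def sensor_observe(device_id: str, vectors: List[BehavioralVector], baselines: Dict[str, Baseline],
                   raw_samples: Dict[str, List[float]], k: float = 3.0) -> List[SensorResult]:
    """Sensor: one observation per vector from the interval's raw samples, compared to its baseline;
    anomalous when at least k standard deviations from the expected value."""
    results = []
    for v in vectors:
        if device_id not in v.device_ids:
            continue
        samples = raw_samples[v.metric]
        observed = sum(samples) if v.aggregate == "sum" else mean(samples)
        b = baselines[v.vector_id]
        z = deviations_from(observed, b)
        results.append(SensorResult(device_id, v.vector_id, observed, b.expected, z, z >= k))
    return results


def context_engine_triage(results: List[SensorResult], drift_fraction: float = 0.5) -> Dict[str, List[str]]:
    """Context engine (assumed rule): if >= drift_fraction of a vector's devices are anomalous in the
    same interval, the baseline has drifted fleet-wide and no per-device anomaly is reported;
    otherwise every flagged device is a true anomaly. Returns {vector_id: [device_ids]}."""
    by_vector: Dict[str, List[SensorResult]] = defaultdict(list)
    for r in results:
        by_vector[r.vector_id].append(r)
    true_anomalies = {}
    for vid, rs in by_vector.items():
        flagged = [r.device_id for r in rs if r.anomalous]
        if flagged and len(flagged) / len(rs) < drift_fraction:
            true_anomalies[vid] = flagged
    return true_anomalies


# Constructed data: three subject devices, two metrics, 5-minute intervals.
DEVICES = ("host-7", "host-8", "host-9")
PARAMS = {"dns_queries": {"interval_s": 300, "aggregate": "sum"},
          "bytes_out": {"interval_s": 300, "aggregate": "sum"}}
HISTORY = {  # constructed per-interval observations from the long-term data store
    "bv:dns_queries": [40, 42, 38, 45, 41, 39, 44, 40, 43, 41, 42, 39, 40, 44],
    "bv:bytes_out": [1_000_000, 1_050_000, 980_000, 1_020_000, 990_000,
                     1_010_000, 1_030_000, 970_000, 1_000_000, 1_040_000],
}
RAW = {  # constructed raw samples (one per minute) for the current interval; host-7 has a DNS burst
    "host-7": {"dns_queries": [9, 11, 10, 60, 70], "bytes_out": [200_000, 210_000, 190_000, 205_000, 195_000]},
    "host-8": {"dns_queries": [8, 9, 8, 9, 7], "bytes_out": [190_000, 200_000, 210_000, 200_000, 205_000]},
    "host-9": {"dns_queries": [9, 8, 8, 9, 8], "bytes_out": [205_000, 195_000, 200_000, 210_000, 200_000]},
}


def run_pipeline():
    vectors = create_behavioral_vectors(PARAMS, DEVICES)
    baselines = create_baselines(vectors, HISTORY)
    results: List[SensorResult] = []
    for dev in DEVICES:  # each sensor works independently on its own device
        results.extend(sensor_observe(dev, vectors, baselines, RAW[dev]))
    return results, context_engine_triage(results)


if __name__ == "__main__":
    results, true_anomalies = run_pipeline()
    for r in results:
        print(f"{r.device_id:7} {r.vector_id:16} observed={r.observed:>9.0f} "
              f"expected={r.expected:>9.0f} z={r.deviations:6.2f} anomalous={r.anomalous}")
    for vid, devs in true_anomalies.items():
        print(f"ALERT {vid}: true anomaly at {devs}")
```

Running it flags host-7's DNS count (160 against an expected value of about 41, several tens of standard deviations out) while its byte count and the other two hosts stay within a fraction of a standard deviation. The drift rule is the practitioner's caveat the claims leave open: a per-device comparison against a shared baseline cannot by itself tell a compromised host from a fleet-wide change (a new agent version, a DNS resolver move), so corroboration across sensors belongs in the context engine rather than in each sensor.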