Network segmentation
First Claim
1. A system for automatically generating segments in a medical provider network, the system comprising:
a plurality of hosts configured to generate network activity information, at least a portion of the hosts belonging to a medical provider organization and connected via the medical provider network; and
an analyzer server configured to analyze the network activity information, the analyzer server comprising:
memory that stores computer-executable instructions; and
at least one processor configured to access the memory and execute the computer-executable instructions to at least:
receive a portion of the network activity information collected during an observation period, the portion of the network activity information describing interactions of the plurality of hosts of a first medical system and a second medical system on the medical provider network during the observation period;
identify one or more metrics based in part on at least the portion of the network activity information, the one or more metrics identifying relationships between hosts of the plurality of hosts;
determine a plurality of observation vectors based at least in part on the one or more metrics, individual observation vectors of the plurality comprising one or more dimensions and representing individual hosts of the plurality of hosts;
generate a plurality of clusters based at least in part on the plurality of observation vectors, a particular cluster of the plurality of clusters comprising a particular set of observation vectors representing a first set of hosts of the first medical system and a second set of hosts of the second medical system, at least some hosts of the first set of hosts and the second set of hosts dissimilar from each other with respect to network interactions performable by the respective hosts on the medical provider network;
in response to generating the plurality of clusters, identify a cluster profile for the particular cluster of the plurality of clusters;
determine a system type to which both of the first medical system and the second medical system belong based at least in part on characteristics of the identified cluster profile;
verify the system type using outside information, the outside information comprising information other than the network activity information and being associated with at least a portion of the plurality of hosts;
determine at least one segment within the medical provider network based at least in part on the system type and verifying the system type, the at least one segment being specific to the system type and comprising a plurality of sub-segments that create a plurality of barriers within the at least one segment that affect network communications between:
other hosts of the medical provider network outside the at least one segment; and
the first set of hosts in a first sub-segment of the plurality of sub-segments and the second set of hosts in a second sub-segment of the plurality of sub-segments; and
exclude or include, based on the at least one segment, a portion of the network communications between the other hosts and the first set of hosts and the second set of hosts on the medical provider network.
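The pipeline claimed above, worked through as an added example that is not code from the patent or its assignee: constructed flow records become per-host observation vectors (share of flows per port), hosts are clustered by cosine similarity to a running centroid, each cluster is profiled by its dominant port to name a system type, the type is verified against a constructed asset inventory (the claim's outside information), and the resulting segments drive an include/exclude decision. The greedy clustering, the port list, the host names and the inventory are all assumptions, and sub-segments within a segment are not modelled.

```python
from collections import Counter, defaultdict
from math import sqrt

# Constructed flow records (src, dst, dst port) for one observation period; not from the patent.
FLOWS = [("ct-1", "pacs-1", 104), ("ct-1", "pacs-1", 104), ("mri-1", "pacs-2", 104),
         ("ws-1", "ehr-1", 443), ("ws-2", "ehr-1", 443), ("ws-2", "pacs-1", 443),
         ("ehr-1", "hl7-1", 2575), ("lab-1", "hl7-1", 2575)]
PORTS = (104, 443, 2575)  # vector dimensions: DICOM, HTTPS, HL7 MLLP
PORT_TO_TYPE = {104: "imaging", 443: "workstation", 2575: "hl7-interface"}
# Outside information: a constructed asset inventory used to verify the inferred system type.
INVENTORY = {"ct-1": "imaging", "mri-1": "imaging", "ws-1": "workstation",
             "ws-2": "workstation", "ehr-1": "hl7-interface", "lab-1": "lab-analyzer"}

def observation_vectors(flows):
    """Metric: share of each source host's flows on each port, giving one vector per host."""
    counts = defaultdict(Counter)
    for src, _dst, port in flows:
        counts[src][port] += 1
    return {h: tuple(c[p] / sum(c.values()) for p in PORTS) for h, c in counts.items()}

def cosine(a, b):
    return sum(x * y for x, y in zip(a, b)) / sqrt(sum(x * x for x in a) * sum(y * y for y in b))

def cluster(vectors, threshold=0.9):
    """Greedy clustering: a host joins the first cluster whose centroid is similar enough."""
    clusters = []  # (members, running sum of their vectors)
    for host, v in vectors.items():
        for members, total in clusters:
            if cosine(v, [x / len(members) for x in total]) >= threshold:
                members.append(host)
                total[:] = [x + y for x, y in zip(total, v)]
                break
        else:
            clusters.append(([host], list(v)))
    return [m for m, _ in clusters]

def segments(flows, inventory):
    """Cluster profile = dominant port of the centroid, which names the system type; a host
    whose inventory record disagrees stays unsegmented and is returned for manual review."""
    vectors, result, review = observation_vectors(flows), {}, []
    for members in cluster(vectors):
        centroid = [sum(vectors[h][i] for h in members) for i in range(len(PORTS))]
        stype = PORT_TO_TYPE[PORTS[centroid.index(max(centroid))]]
        for h in members:
            (result.setdefault(stype, []) if inventory.get(h) == stype else review).append(h)
    return result, review

def allowed(src, dst_port, segs):
    """Enforcement: a segmented host may only communicate on its own segment's protocol port."""
    seg = next((t for t, hosts in segs.items() if src in hosts), None)
    return seg is not None and PORT_TO_TYPE.get(dst_port) == seg
```

A host that clusters as one type but is inventoried as another (lab-1 here) is exactly the case the verification step exists for: it gets no segment, and therefore no allowed traffic, until someone reconciles the two sources.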
Abstract
A method and system for segmenting a network including a plurality of hosts is disclosed. In an example embodiment, the network is a provider network. The method receives network activity information describing network traffic between hosts of the plurality. The method generates observations from the network activity information and organizes the observations into clusters. The method determines a profile for each cluster that corresponds to a potential system type implemented by one or more of the hosts of the medical provider network. The method determines segments within the provider network based on the profiled system types.
18 Claims
1. A system for automatically generating segments in a medical provider network (claim text as given under First Claim above). Dependent claims: 2, 3
4. A computer-implemented method for automatically generating segments in a medical provider network, the method comprising:
receiving, by a computer system, network activity information collected during an observation period, the network activity information describing interactions of a plurality of hosts of a first medical system and a second medical system on the medical provider network during the observation period;
identifying one or more metrics based in part on at least a portion of the network activity information, the one or more metrics identifying relationships between hosts of the plurality of hosts;
determining a plurality of observation vectors based at least in part on the one or more metrics, individual observation vectors of the plurality comprising one or more dimensions and representing individual hosts of the plurality of hosts;
generating, by the computer system, a plurality of clusters based in part on the plurality of observation vectors, a particular cluster of the plurality of clusters comprising a particular set of observation vectors representing a first set of hosts of the first medical system and a second set of hosts of the second medical system, at least some hosts of the first set of hosts and the second set of hosts dissimilar from each other with respect to network interactions performable by the respective hosts on the medical provider network;
in response to generating the plurality of clusters, identifying a cluster profile for the particular cluster of the plurality of clusters;
determining a system type to which both of the first medical system and the second medical system belong based at least in part on characteristics of the identified cluster profile;
verifying the system type using outside information, the outside information comprising information other than the network activity information and being associated with at least a portion of the plurality of hosts;
determining, by the computer system, a segment within the medical provider network based at least in part on the system type and verifying the system type, the segment being specific to the system type and comprising a plurality of sub-segments that create a plurality of barriers within the segment that affect network communications between:
other hosts of the medical provider network outside the segment; and
the first set of hosts in a first sub-segment of the plurality of sub-segments and the second set of hosts in a second sub-segment of the plurality of sub-segments; and
excluding or including, based on the segment, a portion of the network communications between the other hosts and the first set of hosts and the second set of hosts on the medical provider network.
Dependent claims: 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 18
15. A computer-implemented method for identifying compromised profiles using probability profiles, the method comprising:
receiving, by a computer system, network activity information collected during an observation period, the network activity information describing interactions of a user with a plurality of hosts on a medical provider network during the observation period, each of the plurality of hosts associated with at least one sub-segment of a plurality of segments of the medical provider network;
determining a client profile based at least in part on the network activity information corresponding to the interactions of the user with at least a portion of the plurality of hosts on the medical provider network, the client profile comprising an identified state path for the user that identifies the portion of the plurality of hosts and an order according to which the user has previously accessed the plurality of hosts;
determining, by the computer system and based on the client profile, a probability profile for the user, the probability profile including a prediction that the user will use a client device to interact with a next host of the plurality of hosts given a current host selected from the portion of the plurality of hosts, individual hosts of the plurality of hosts dissimilar from each other with respect to network interactions performable by the plurality of hosts on the medical provider network;
verifying the probability profile using outside information, the outside information comprising information other than the network activity information and being associated with at least the portion of the plurality of hosts;
determining, based on the probability profile and a first host with which the client device has interacted, that a particular interaction of the client device with a second host of the plurality of hosts falls outside the probability profile of the user;
providing an indication about the particular interaction to an authorized user, the indication including the probability profile; and
excluding future network communications of the client device on the medical provider network based on the particular interaction falling outside the probability profile for the user.
Dependent claims: 16, 17
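Claim 15's user-level profile as an added example (not code from the patent): the user's state path from a constructed access log yields first-order transition probabilities, a constructed entitlement table stands in for the outside information used to verify the profile, and a replay of a client device's interactions reports the first transition outside the profile and excludes the device's later traffic. The user, the host names, the 0.2 probability floor and the entitlement table are assumptions.

```python
from collections import Counter, defaultdict

# Constructed access log for the observation period, (user, host) in the order accessed; not from the patent.
ACCESS_LOG = [("nurse7", "ehr-1"), ("nurse7", "pacs-1"), ("nurse7", "ehr-1"),
              ("nurse7", "lab-1"), ("nurse7", "ehr-1"), ("nurse7", "pacs-1"),
              ("nurse7", "ehr-1"), ("nurse7", "lab-1")]
# Outside information: constructed role entitlements used to verify the profile.
ENTITLEMENTS = {"nurse7": {"ehr-1", "pacs-1", "lab-1"}}

def state_path(log, user):
    """Client profile: the hosts the user accessed, in the order accessed."""
    return [h for u, h in log if u == user]

def probability_profile(path):
    """First-order transition probabilities P(next host | current host) from the state path."""
    trans = defaultdict(Counter)
    for cur, nxt in zip(path, path[1:]):
        trans[cur][nxt] += 1
    return {cur: {n: c / sum(cnt.values()) for n, c in cnt.items()}
            for cur, cnt in trans.items()}

def verify_profile(profile, user, entitlements):
    """Verification step: keep only transitions between hosts the user is entitled to use.
    Probabilities are deliberately not renormalised, so removed mass stays unexpected."""
    ok = entitlements.get(user, set())
    return {cur: {n: p for n, p in nxt.items() if n in ok}
            for cur, nxt in profile.items() if cur in ok}

def within_profile(profile, current, candidate, floor=0.2):
    """An unseen or rare transition (probability below floor) falls outside the profile."""
    p = profile.get(current, {}).get(candidate, 0.0)
    return p >= floor, p

def monitor(profile, interactions, floor=0.2):
    """Replay a device's interactions: first out-of-profile one is reported, the rest excluded."""
    current, events, excluded = None, [], False
    for host in interactions:
        if excluded:
            events.append((host, "excluded"))
            continue
        if current is not None:
            ok, p = within_profile(profile, current, host, floor)
            if not ok:
                events.append((host, f"indication: outside profile (p={p:.2f})"))
                excluded = True
                continue
        events.append((host, "allowed"))
        current = host
    return events
```

Because the profile is keyed on the current host, an interaction with an entitled host in an order the user has never used (pacs-1 straight to lab-1 here) is flagged just as an unknown host is; host membership alone is not the profile.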