Network anomaly detection

US 10,075,464 B2
Filed: 03/17/2017
Issued: 09/11/2018
Est. Priority Date: 06/26/2015
Status: Active Grant

First Claim

Patent Images

1. A computer system comprising:

one or more hardware computer processors configured to execute computer executable instructions in order to cause the computer system to;

track a number of a plurality of unique machines that a user has used to access a network, wherein the number of the plurality of unique machines is incremented when the user accesses the network from a machine that has not been previously used by the user to access the network;

receive information indicative of an access to a network by a user from a new unique machine that the user has not previously used by the user to access the network, wherein the information comprises at least an identifier of the new unique machine; and

determine, in response to receiving the information, a host score indicative of a first likelihood that the access to the network was malicious, wherein the host score is based, at least in part, on the number of the plurality of unique machines that the user has used to access the network.

View all claims

8 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A security system detects anomalous activity in a network. The system logs user activity, which can include ports used, compares users to find similar users, sorts similar users into cohorts, and compares new user activity to logged behavior of the cohort. The comparison can include a divergence calculation. Origins of user activity can also be used to determine anomalous network activity. The hostname, username, IP address, and timestamp can be used to calculate aggregate scores and convoluted scores.

154 Citations

20 Claims

1. A computer system comprising:
- one or more hardware computer processors configured to execute computer executable instructions in order to cause the computer system to;
  
  track a number of a plurality of unique machines that a user has used to access a network, wherein the number of the plurality of unique machines is incremented when the user accesses the network from a machine that has not been previously used by the user to access the network;
  
  receive information indicative of an access to a network by a user from a new unique machine that the user has not previously used by the user to access the network, wherein the information comprises at least an identifier of the new unique machine; and
  
  determine, in response to receiving the information, a host score indicative of a first likelihood that the access to the network was malicious, wherein the host score is based, at least in part, on the number of the plurality of unique machines that the user has used to access the network.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The computer system of claim 1, wherein:
    - the host score indicates a lower likelihood that the access to the network was malicious as compared to an earlier score that was previously determined when the user previously used one of the plurality of unique machine to access the network.
  - 3. The computer system of claim 1, wherein:
    - the host score indicates increasingly higher likelihoods of malicious activity for each additional unique machine used by the user to access the network until a threshold number of unique machines is logged;
      
      the host score indicates a highest likelihood of malicious activity when the threshold number of unique machines is logged as used by the user to access the network;
      
      the host score indicates a likelihood of malicious activity that is lower than the highest likelihood of malicious activity when more than the threshold number of unique machines is logged as used by the user to access the network; and
      
      the host score indicates a low likelihood of malicious activity when the machine used by the user to access the network has been previously used by the user to access the network.
  - 4. The computer system of claim 1, wherein:
    - the information comprises an internet protocol (IP) address; and
      
      the one or more hardware computer processors are further configured to execute the computer executable instructions in order to cause the computer system to;
      
      perform an IP lookup to determine geographical coordinates associated with the IP address;
      
      calculate the travel speed for the user to arrive at the geographical coordinates;
      
      determine a speed score based at least on the travel speed; and
      
      determine an aggregate score based at least in part on the host score and the speed score.
  - 5. The computer system of claim 1, wherein:
    - the information comprises an IP address; and
      
      the one or more hardware computer processors are further configured to execute the computer executable instructions in order to cause the computer system to;
      
      perform an IP lookup to determine a country associated with the IP address;
      
      determine the location score based at least in part on a probability that the country is the source of an attack, a probability of an attack on the network, and a probability of activity coming from the country; and
      
      determine an aggregate score based at least in part on the host score and the location score.
  - 6. The computer system of claim 1, wherein the information is indicative of a plurality of accesses to the network by the user, and wherein the one or more hardware computer processors are further configured to execute the computer executable instructions in order to cause the computer system to:
    - calculate a plurality of aggregate scores based, at least in part, on the information indicative of the plurality of accesses to the network;
      
      perform a mathematical convolution based, at least in part, on the aggregate score and the plurality of aggregate scores to determine a convolution score.
  - 7. The computer system of claim 1, wherein the one or more hardware computer processors are further configured to execute the computer executable instructions in order to cause the computer system to:
    - sort the user into a cohort; and
      
      determine the first score based, at least in part, on host machine usage by other members of the cohort.

8. A computer system comprising:
- one or more computer readable storage devices configured to store one or more software modules including computer executable instructions; and
  
  one or more hardware computer processors in communication with the one or more computer readable storage devices and configured to execute the computer executable instructions in order to cause the computer system to;
  
  track a number of a plurality of unique machines that a user has used to access a network, wherein the number of the plurality of unique machines is incremented when the user accesses the network from a machine that has not been previously used by the user to access the network;
  
  generate a user interface including;
  
  a list of authorized users including the user; and
  
  respective anomaly scores associated with respective authorized users, the respective anomaly scores including an anomaly score for the user;
  
  wherein the anomaly score is determined based at least in part on a host score associated with an access by the user to the network from a new unique machine that has not been previously used by the user the access the network; and
  
  wherein the host score indicates a likelihood of malicious activity based, at least in part, on a number of the plurality of unique machines previously used by the user to access the network.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The computer system of claim 8, wherein the user interface lists the users in an ordered list according to at least one of:
    - anomaly scores of the authorized users or host scores of the authorized users.
  - 10. The computer system of claim 8, wherein the one or more hardware computer processors are further configured to execute the computer executable instructions in order to cause the computer system to generate a warning when any of the anomaly scores exceeds a threshold.
  - 11. The computer system of claim 8, wherein:
    - the anomaly scores are based at least in part on speed scores;
      
      the user interface includes the speed scores; and
      
      the speed scores indicate respective likelihoods of malicious activity based, at least in part, on travel times to locations associated with IP addresses used to access the network.
  - 12. The computer system of claim 8, wherein:
    - the anomaly scores are based at least in part on location scores;
      
      the user interface includes the location scores;
      
      the location scores indicate respective likelihoods of malicious activity based, at least in part, on attack origin distribution data and countries associated with IP addresses used to access the network.
  - 13. The computer system of claim 8, wherein:
    - the host score indicates increasingly higher likelihoods of malicious activity for each additional unique machine used by the user to access the network until a threshold number of unique machines are logged;
      
      the host score indicates a highest likelihood of malicious activity when the threshold number of unique machines is logged;
      
      the host score indicates a likelihood of malicious activity that is lower than the highest likelihood of malicious activity when more than the threshold number of unique machines is logged; and
      
      the host score indicates a low likelihood of malicious activity when the machine used by the user to access the network has been previously used by the user to access the network.
  - 14. The computer system of claim 8, wherein the one or more hardware computer processors are further configured to execute the computer executable instructions in order to cause the computer system to:
    - sort the user into a cohort; and
      
      determine the host score based, at least in part, on network activity of other members of the cohort.

15. A method comprising:
- tracking a number of a plurality of unique machines that a user has used to access a network, wherein the number of the plurality of unique machines is incremented when the user accesses the network from a machine that has not been previously used by the user to access the network;
  
  receiving information indicative of an access to a network by a user from a new unique machine that the user has not previously used by the user to access the network, wherein the information comprises at least an identifier of the new unique machine; and
  
  determining, in response to receiving the information, a host score indicative of a first likelihood that the access to the network was malicious, wherein the host score is based, at least in part, on the number of the plurality of unique machines that the user has used to access the network.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The method of claim 15, wherein:
    - the host score indicates a lower likelihood that the access to the network was malicious as compared to an earlier score that was previously determined when the user previously used one of the plurality of unique machine to access the network.
  - 17. The method of claim 15, wherein:
    - the host score indicates increasingly higher likelihoods of malicious activity for each additional unique machine used by the user to access the network until a threshold number of unique machines is logged;
      
      the host score indicates a highest likelihood of malicious activity when the threshold number of unique machines is logged as used by the user to access the network;
      
      the host score indicates a likelihood of malicious activity that is lower than the highest likelihood of malicious activity when more than the threshold number of unique machines is logged as used by the user to access the network; and
      
      the host score indicates a low likelihood of malicious activity when the machine used by the user to access the network has been previously used by the user to access the network.
  - 18. The method of claim 15, wherein:
    - the information comprises an internet protocol (IP) address; and
      
      the method further comprises;
      
      performing an IP lookup to determine geographical coordinates associated with the IP address;
      
      calculating the travel speed for the user to arrive at the geographical coordinates;
      
      determining a speed score based at least on the travel speed; and
      
      determining an aggregate score based at least in part on the host score and the speed score.
  - 19. The method of claim 15, wherein:
    - the information comprises an IP address; and
      
      the method further comprises;
      
      performing an IP lookup to determine a country associated with the IP address;
      
      determining the location score based at least in part on a probability that the country is the source of an attack, a probability of an attack on the network, and a probability of activity coming from the country; and
      
      determining an aggregate score based at least in part on the host score and the location score.
  - 20. The method of claim 15, wherein the information is indicative of a plurality of accesses to the network by the user, and wherein the method further comprises:
    - calculating a plurality of aggregate scores based, at least in part, on the information indicative of the plurality of accesses to the network; and
      
      performing a mathematical convolution based, at least in part, on the aggregate score and the plurality of aggregate scores to determine a convolution score.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Palantir Technologies Incorporated
Original Assignee
Palantir Technologies Incorporated
Inventors
Kesin, Maxim, Jones, Samuel
Primary Examiner(s)
Tran, Ellen

Application Number

US15/462,540
Publication Number

US 20170195354A1
Time in Patent Office

543 Days
Field of Search
US Class Current
CPC Class Codes

G06N 7/01   Probabilistic graphical mod...

H04L 2463/143   Denial of service attacks i...

H04L 61/5007   Internet protocol [IP] addr...

H04L 63/083   using passwords cryptograph...

H04L 63/12   Applying verification of th...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 67/535   Tracking the activity of th...

Network anomaly detection

First Claim

8 Assignments

0 Petitions

Accused Products

Abstract

154 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Network anomaly detection

First Claim

8 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

154 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links