Network anomaly detection
8 Assignments
0 Petitions
Abstract
A security system detects anomalous activity in a network. The system logs user activity, which can include ports used, compares users to find similar users, sorts similar users into cohorts, and compares new user activity to logged behavior of the cohort. The comparison can include a divergence calculation. Origins of user activity can also be used to determine anomalous network activity. The hostname, username, IP address, and timestamp can be used to calculate aggregate scores and convoluted scores.
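The abstract describes the cohort comparison only in outline: log each user's activity (including ports used), find similar users, group them into cohorts, and measure how far new activity diverges from the cohort's logged behaviour. The following is an added worked example, not code from the patent or its assignee. Everything it fixes is an assumption: per-user histograms of destination ports as the activity profile, Jensen-Shannon divergence as the "divergence calculation", a greedy threshold grouping to form cohorts, and the constructed sample events.

```python
"""Cohort-based port-usage comparison (added illustration, not the patent's code).

Assumed, not stated on the page: per-user port histograms as the profile,
Jensen-Shannon divergence as the divergence calculation, and a greedy
threshold grouping to form cohorts.
"""
from collections import Counter, defaultdict
from math import log2

# Constructed sample activity as (user, destination port) pairs; not real telemetry.
# alice/bob look like web developers, carol/dave like Windows administrators.
SAMPLE_EVENTS = (
    [("alice", 443)] * 5 + [("alice", 80)] * 3 + [("alice", 22)] * 2
    + [("bob", 443)] * 4 + [("bob", 80)] * 4 + [("bob", 22)] * 2
    + [("carol", 22)] * 4 + [("carol", 3389)] * 4 + [("carol", 5985)] * 2
    + [("dave", 22)] * 5 + [("dave", 3389)] * 3 + [("dave", 5985)] * 2
)


def normalise(counter):
    """Turn a Counter of ports into a probability distribution over ports."""
    total = sum(counter.values())
    return {port: n / total for port, n in counter.items()}


def port_profiles(events):
    """Per-user distribution over destination ports, in first-seen user order."""
    counts = defaultdict(Counter)
    for user, port in events:
        counts[user][port] += 1
    return {user: normalise(c) for user, c in counts.items()}


def js_divergence(p, q):
    """Jensen-Shannon divergence in bits: 0 for identical distributions,
    1 when the two have disjoint support."""
    keys = set(p) | set(q)
    m = {k: 0.5 * (p.get(k, 0.0) + q.get(k, 0.0)) for k in keys}

    def kl(a):
        return sum(a[k] * log2(a[k] / m[k]) for k in a if a[k] > 0)

    return 0.5 * kl(p) + 0.5 * kl(q)


def build_cohorts(profiles, threshold=0.3):
    """Greedy grouping: a user joins the first cohort whose seed user is within
    `threshold` divergence; otherwise the user seeds a new cohort."""
    cohorts = []  # each cohort is [seed_user, member, member, ...]
    for user, dist in profiles.items():
        for members in cohorts:
            if js_divergence(dist, profiles[members[0]]) <= threshold:
                members.append(user)
                break
        else:
            cohorts.append([user])
    return cohorts


def cohort_of(cohorts, user):
    return next(members for members in cohorts if user in members)


def score_new_activity(history, cohorts, user, new_events):
    """Divergence of a user's new port usage from the pooled baseline of their
    cohort. Returns a value in [0, 1]; higher means less like the cohort."""
    members = cohort_of(cohorts, user)
    baseline = normalise(Counter(p for u, p in history if u in members))
    observed = normalise(Counter(p for _, p in new_events))
    return js_divergence(observed, baseline)


if __name__ == "__main__":
    cohorts = build_cohorts(port_profiles(SAMPLE_EVENTS))
    print("cohorts:", cohorts)
    usual = [("alice", 443), ("alice", 443), ("alice", 80)]
    lateral = [("alice", 445), ("alice", 3389), ("alice", 1433)]
    print("usual  :", round(score_new_activity(SAMPLE_EVENTS, cohorts, "alice", usual), 3))
    print("lateral:", round(score_new_activity(SAMPLE_EVENTS, cohorts, "alice", lateral), 3))
```

With the constructed data the two web-developer profiles group together and the two administrator profiles group together; alice's usual HTTPS/HTTP traffic scores near zero against her cohort, while a burst of SMB, RDP and MSSQL connections has no overlap with the cohort baseline and scores 1.0. The threshold and the choice of divergence are tuning decisions; the page does not specify either.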
154 Citations
20 Claims
1. A computer system comprising:
one or more hardware computer processors configured to execute computer executable instructions in order to cause the computer system to:
track a number of a plurality of unique machines that a user has used to access a network, wherein the number of the plurality of unique machines is incremented when the user accesses the network from a machine that has not been previously used by the user to access the network;
receive information indicative of an access to a network by a user from a new unique machine that the user has not previously used to access the network, wherein the information comprises at least an identifier of the new unique machine; and
determine, in response to receiving the information, a host score indicative of a first likelihood that the access to the network was malicious, wherein the host score is based, at least in part, on the number of the plurality of unique machines that the user has used to access the network.
Dependent claims: 2, 3, 4, 5, 6, 7.
8. A computer system comprising:
one or more computer readable storage devices configured to store one or more software modules including computer executable instructions; and
one or more hardware computer processors in communication with the one or more computer readable storage devices and configured to execute the computer executable instructions in order to cause the computer system to:
track a number of a plurality of unique machines that a user has used to access a network, wherein the number of the plurality of unique machines is incremented when the user accesses the network from a machine that has not been previously used by the user to access the network;
generate a user interface including:
a list of authorized users including the user; and
respective anomaly scores associated with respective authorized users, the respective anomaly scores including an anomaly score for the user;
wherein the anomaly score is determined based at least in part on a host score associated with an access by the user to the network from a new unique machine that has not been previously used by the user to access the network; and
wherein the host score indicates a likelihood of malicious activity based, at least in part, on a number of the plurality of unique machines previously used by the user to access the network.
Dependent claims: 9, 10, 11, 12, 13, 14.
15. A method comprising:
tracking a number of a plurality of unique machines that a user has used to access a network, wherein the number of the plurality of unique machines is incremented when the user accesses the network from a machine that has not been previously used by the user to access the network;
receiving information indicative of an access to a network by a user from a new unique machine that the user has not previously used to access the network, wherein the information comprises at least an identifier of the new unique machine; and
determining, in response to receiving the information, a host score indicative of a first likelihood that the access to the network was malicious, wherein the host score is based, at least in part, on the number of the plurality of unique machines that the user has used to access the network.
Dependent claims: 16, 17, 18, 19, 20.
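Independent claims 1, 8 and 15 share one mechanism: keep a per-user count of unique machines, increment it when the user first appears from a machine not seen before, and, on such an access, compute a host score from that count; claim 8 additionally surfaces a per-user anomaly score in a list of authorized users. The following is an added worked example of that mechanism, not code from the patent or its assignee. The claims fix neither the scoring function nor how the anomaly score is aggregated, so the rule used here (the first machine sets the baseline and scores 0; afterwards the score is 1 divided by the number of machines already used), the choice of "most recent new-machine host score" as the anomaly score, and the sample access events are all assumptions made for illustration.

```python
"""Unique-machine tracking and host score (added illustration, not the patent's code).

The claims fix only that a per-user count of unique machines is incremented on a
first-seen machine and that the host score depends on that count. The scoring
rule, the handling of a user's very first machine, and the anomaly score shown
in the user list are assumptions made here.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed access events carrying hostname, username, IP and timestamp
# (the fields the abstract names); not real logs.
SAMPLE_EVENTS = [
    {"ts": "2024-03-01T08:02:11Z", "user": "alice", "host": "ws-alice",   "ip": "10.1.4.20"},
    {"ts": "2024-03-01T09:15:40Z", "user": "bob",   "host": "laptop-bob", "ip": "10.1.4.31"},
    {"ts": "2024-03-02T08:00:05Z", "user": "alice", "host": "ws-alice",   "ip": "10.1.4.20"},
    {"ts": "2024-03-02T10:22:13Z", "user": "bob",   "host": "ws-bob",     "ip": "10.1.4.32"},
    {"ts": "2024-03-03T11:45:00Z", "user": "bob",   "host": "jump01",     "ip": "10.9.0.5"},
    {"ts": "2024-03-03T12:01:52Z", "user": "carol", "host": "ws-carol",   "ip": "10.1.4.40"},
    {"ts": "2024-03-04T14:30:27Z", "user": "bob",   "host": "build03",    "ip": "10.9.0.17"},
    {"ts": "2024-03-05T02:13:09Z", "user": "alice", "host": "srv-db01",   "ip": "10.9.0.40"},
    {"ts": "2024-03-05T03:40:51Z", "user": "bob",   "host": "srv-db01",   "ip": "10.9.0.40"},
]


@dataclass
class UserState:
    machines: set = field(default_factory=set)               # unique machines seen so far
    new_machine_events: list = field(default_factory=list)   # (ts, host, ip, host_score)


def host_score(prior_machine_count: int) -> float:
    """Assumed scoring rule: likelihood in [0, 1] that an access from a
    never-before-seen machine is malicious. The first machine establishes the
    baseline and scores 0; after that, the more distinct machines the user has
    already used, the less surprising one more is."""
    if prior_machine_count == 0:
        return 0.0
    return 1.0 / prior_machine_count


class HostTracker:
    def __init__(self):
        self.users = defaultdict(UserState)

    def observe(self, event):
        """Ingest one access. If the machine is new for the user, increment the
        unique-machine count and return the host score; otherwise return None."""
        state = self.users[event["user"]]
        if event["host"] in state.machines:
            return None
        score = host_score(len(state.machines))
        state.machines.add(event["host"])
        state.new_machine_events.append((event["ts"], event["host"], event["ip"], score))
        return score

    def machine_count(self, user):
        return len(self.users[user].machines)

    def anomaly_scores(self):
        """Rows for the user list of claim 8: (user, anomaly score, unique machine
        count), highest risk first. Assumed: the anomaly score is the host score
        of the user's most recent new-machine access."""
        rows = []
        for user, state in self.users.items():
            latest = state.new_machine_events[-1][3] if state.new_machine_events else 0.0
            rows.append((user, latest, len(state.machines)))
        return sorted(rows, key=lambda r: r[1], reverse=True)


def run(events):
    """Replay a list of access events through a fresh tracker."""
    tracker = HostTracker()
    for ev in events:
        tracker.observe(ev)
    return tracker


if __name__ == "__main__":
    tracker = run(SAMPLE_EVENTS)
    for user, score, count in tracker.anomaly_scores():
        print(f"{user:6} anomaly={score:.2f} unique_machines={count}")
```

On the constructed events both alice and bob reach srv-db01 on the same night; alice, who has only ever used her workstation, gets a host score of 1.0 for it, while bob, who already roams across four machines, gets 0.25. That asymmetry is the point of basing the score on the per-user machine count rather than on the target host alone. The identifier used to recognise a "unique machine" (hostname here) is the weak spot in practice: if an attacker can reuse a hostname the user already appears from, no new-machine event fires, so a deployment would pair the hostname with a more stable identifier than this example does.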
Specification