System and method for real-time detection of anomalies in database usage
First Claim
1. A computerized system for real-time detection of anomalies occurring in an enterprise computer network, comprising:
at least one processor; and
at least one memory including program code that, when executed by the at least one processor, causes the system to:
receive a plurality of heterogeneous data streams from sources in the network, the sources including two levels, first level sources and second level sources, wherein the first level sources include one or more selected from a group consisting of agents located at databases;
agents located at applications;
audit programs located at user workstations;
sensors located in the network; and
sensors located at access points to the network;
wherein the second level sources include one or more selected from a group consisting of data access, user behavior, computer activity and network activity; and
wherein the first level sources monitor event streams of the second level sources and generate data streams indicative of corresponding second level source activity in a uniform format;
process the heterogeneous data streams obtained by combining at least two of the first level sources to identify events therein, each event being identified by at least a unique ID, a timestamp, and an event type, wherein the processing of the heterogeneous data streams includes combining at least two of the first level sources into a single data stream;
correlate the processed heterogeneous data streams to form an integrated data stream comprising a plurality of identified events;
detect the existence and at least one characteristic of an anomaly in the computer network by application of a predetermined model of normalcy and one or more anomaly rules to the integrated data stream comprising the plurality of identified events; and
issue an alert based on the at least one characteristic of the anomaly.
Abstract
A system and method for real-time detection of anomalies in database or application usage is disclosed. Embodiments provide a mechanism to detect anomalies in database or application usage, such as data exfiltration attempts, first by identifying correlations (e.g., patterns of normalcy) in events across different heterogeneous data streams (such as those associated with ordinary, authorized and benign database usage, workstation usage, user behavior or application usage) and second by identifying deviations/anomalies from these patterns of normalcy across data streams in real-time as data is being accessed. An alert is issued upon detection of an anomaly, wherein a type of alert is determined based on a characteristic of the detected anomaly.
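The abstract describes a two-stage mechanism: learn patterns of normalcy across heterogeneous streams, then flag deviations in real time and choose the alert type from a characteristic of the detected anomaly. The following Python sketch is an added illustration of that shape and is not code from the patent or its assignee. The source record formats, the event-type names (`db.query`, `ws.usb_mount`), the per-user query-volume baseline used as the model of normalcy, the 10-minute correlation window, the alert-type names and all sample data are constructed assumptions; the patent's claims fix only the structure (uniform events carrying a unique ID, timestamp and type; a single merged stream; a predetermined model of normalcy plus anomaly rules; an alert typed by the anomaly's characteristic).

```python
"""Added illustration of the pipeline shape in the abstract and claim 1:
heterogeneous first-level sources -> uniform events (ID, timestamp, type)
-> one merged stream -> model of normalcy + anomaly rules -> typed alert.
All record formats, names and sample data are constructed, not the patent's."""
import heapq
import statistics
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterator, List, Optional


@dataclass
class Event:
    uid: str         # unique ID (claim 1)
    ts: datetime     # timestamp (claim 1)
    etype: str       # event type, e.g. "db.query" or "ws.usb_mount" (constructed names)
    user: str
    host: str
    attrs: dict


# --- first-level sources: each normalises its own native format into Event ---
def db_agent(records: List[dict]) -> Iterator[Event]:
    """Database agent; assumed to emit JSON-like rows (constructed format)."""
    for r in records:
        yield Event(r["id"], datetime.fromisoformat(r["time"]), "db.query",
                    r["login"], r["client"], {"rows": r["rows"], "table": r["table"]})


def workstation_audit(lines: List[str]) -> Iterator[Event]:
    """Workstation audit program; assumed to emit key=value lines (constructed format)."""
    for line in lines:
        kv = dict(tok.split("=", 1) for tok in line.split())
        yield Event(kv["id"], datetime.fromisoformat(kv["ts"]), "ws." + kv["action"],
                    kv["user"], kv["host"], {})


class Detector:
    """Model of normalcy (per-user baseline of rows returned, an assumed choice)
    plus anomaly rules applied to the merged stream."""
    WINDOW = timedelta(minutes=10)   # correlation window, assumed

    def __init__(self, baseline: Dict[str, List[int]]):
        # baseline: user -> rows returned per query during ordinary, authorised usage
        self.mean = {u: statistics.mean(v) for u, v in baseline.items()}
        self.std = {u: statistics.pstdev(v) for u, v in baseline.items()}
        self.recent: Dict[str, List[Event]] = {}   # per-user sliding window

    def _remember(self, ev: Event) -> None:
        cutoff = ev.ts - self.WINDOW
        win = [e for e in self.recent.get(ev.user, []) if e.ts >= cutoff]
        win.append(ev)
        self.recent[ev.user] = win

    def process(self, ev: Event) -> Optional[dict]:
        """Return an alert dict, or None when the event fits the model of normalcy."""
        self._remember(ev)
        if ev.etype != "db.query":
            return None                      # only query volume is modelled here
        if ev.user not in self.mean:
            return {"type": "UNKNOWN_PRINCIPAL", "event": ev.uid, "user": ev.user}
        rows = ev.attrs["rows"]
        threshold = self.mean[ev.user] + 3 * max(self.std[ev.user], 1.0)
        if rows <= threshold:
            return None
        # Volume anomaly. The alert *type* depends on a second characteristic:
        # whether a removable-media mount by the same user preceded it in the window.
        removable = any(e.etype == "ws.usb_mount" for e in self.recent[ev.user])
        atype = "EXFILTRATION_SUSPECTED" if removable else "EXCESSIVE_READ"
        return {"type": atype, "event": ev.uid, "user": ev.user,
                "rows": rows, "table": ev.attrs["table"]}


# --- constructed sample input ---
DB_RECORDS = [
    {"id": "db-1", "time": "2024-03-04T09:15:00+00:00", "login": "alice",
     "client": "ws-17", "rows": 120, "table": "orders"},
    {"id": "db-2", "time": "2024-03-04T09:40:00+00:00", "login": "alice",
     "client": "ws-17", "rows": 48000, "table": "customers"},
    {"id": "db-3", "time": "2024-03-04T10:05:00+00:00", "login": "bob",
     "client": "ws-22", "rows": 5000, "table": "customers"},
]
WS_LINES = [
    "id=ws-1 ts=2024-03-04T09:35:00+00:00 user=alice host=ws-17 action=usb_mount",
    "id=ws-2 ts=2024-03-04T10:00:00+00:00 user=bob host=ws-22 action=login",
]
BASELINE = {"alice": [100, 130, 90, 150, 110], "bob": [400, 600, 500, 450, 550]}


def run() -> List[dict]:
    """Merge the two sources by timestamp and run the detector over the single stream."""
    det = Detector(BASELINE)
    merged = heapq.merge(db_agent(DB_RECORDS), workstation_audit(WS_LINES),
                         key=lambda e: e.ts)
    return [alert for alert in (det.process(e) for e in merged) if alert]


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

With the constructed data, alice's 48,000-row read lands five minutes after a USB mount on her workstation, so it is typed `EXFILTRATION_SUSPECTED`; bob's 5,000-row read exceeds his baseline but has no correlated workstation event and is typed `EXCESSIVE_READ`. The point the claims make, and the example shows, is that the type of alert comes from combining streams, not from any single source.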
38 Claims
1. A computerized system for real-time detection of anomalies occurring in an enterprise computer network, comprising:
at least one processor; and
at least one memory including program code that, when executed by the at least one processor, causes the system to:
receive a plurality of heterogeneous data streams from sources in the network, the sources including two levels, first level sources and second level sources, wherein the first level sources include one or more selected from a group consisting of agents located at databases;
agents located at applications;
audit programs located at user workstations;
sensors located in the network; and
sensors located at access points to the network;
wherein the second level sources include one or more selected from a group consisting of data access, user behavior, computer activity and network activity; and
wherein the first level sources monitor event streams of the second level sources and generate data streams indicative of corresponding second level source activity in a uniform format;
process the heterogeneous data streams obtained by combining at least two of the first level sources to identify events therein, each event being identified by at least a unique ID, a timestamp, and an event type, wherein the processing of the heterogeneous data streams includes combining at least two of the first level sources into a single data stream;
correlate the processed heterogeneous data streams to form an integrated data stream comprising a plurality of identified events;
detect the existence and at least one characteristic of an anomaly in the computer network by application of a predetermined model of normalcy and one or more anomaly rules to the integrated data stream comprising the plurality of identified events; and
issue an alert based on the at least one characteristic of the anomaly.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16.
17. A computerized system for real-time detection of anomalies occurring in an enterprise computer network, comprising:
at least one processor; and
at least one memory including program code that, when executed by the at least one processor, causes the system to:
receive a plurality of heterogeneous data streams from sources in the network, the sources including two levels, first level sources and second level sources, wherein the first level sources include the following:
agents located at databases;
agents located at applications;
audit programs located at user workstations;
sensors located in the network; and
sensors located at access points to the network; and
wherein the second level sources include the following:
email exchanges;
instant messages;
voice mails;
documents;
database content; and
user interactions and database queries;
process the heterogeneous data streams obtained by combining at least one of the first level sources with at least one of the second level sources to identify events therein, each event being identified by at least a unique ID, a timestamp, and an event type;
correlate the processed heterogeneous data streams to form an integrated data stream comprising a plurality of identified events;
detect the existence and at least one characteristic of an anomaly in the computer network by application of a predetermined model of normalcy and one or more anomaly rules to the integrated data stream comprising the plurality of identified events; and
issue an alert based on the at least one characteristic of the anomaly, wherein the executed program code causes the system to correlate the processed data streams by:
estimating the number or frequency of one or more event types in the processed data stream without searching the entire processed data stream; and
determining one or more temporal, spatial, or generalized associations between a plurality of events in the processed data stream.
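Claim 17 (and claim 34) specify two correlation sub-steps: estimating how often each event type occurs without searching the entire processed stream, and finding temporal associations between events. The following Python block is an added illustration of both in a single pass; it is not code from the patent. The claim names no estimation method, so the Count-Min sketch used here is my choice of one common sublinear-memory estimator; the 600-second association window, the `(timestamp, type, user)` event shape and the sample stream are constructed.

```python
"""Added illustration of claim 17's correlation step (constructed data, not the
patent's code): estimate per-type frequencies without scanning the whole stream,
here with a Count-Min sketch (one common sublinear estimator; the claim names no
method), and count temporal associations (type A followed by type B for the same
user within a window) in the same single pass."""
import hashlib
from collections import deque
from typing import Deque, Dict, Iterable, List, Tuple

Event = Tuple[int, str, str]   # (timestamp in seconds, event type, user): simplified view


class CountMinSketch:
    """Fixed-size approximate counter: depth rows of width cells, each row with its
    own hash. Estimates never undercount; they may overcount by a bounded amount."""

    def __init__(self, width: int = 64, depth: int = 4):
        self.width, self.depth = width, depth
        self.table = [[0] * width for _ in range(depth)]

    def _cells(self, key: str):
        for row in range(self.depth):
            # one independent hash per row: blake2b salted with the row index
            h = hashlib.blake2b(key.encode(), digest_size=8, salt=bytes([row])).digest()
            yield row, int.from_bytes(h, "big") % self.width

    def add(self, key: str, n: int = 1) -> None:
        for row, col in self._cells(key):
            self.table[row][col] += n

    def estimate(self, key: str) -> int:
        return min(self.table[row][col] for row, col in self._cells(key))


def correlate(stream: Iterable[Event], window: int = 600
              ) -> Tuple[CountMinSketch, Dict[Tuple[str, str], int]]:
    """One pass over the processed stream: sketch the count of every event type and
    tally (earlier type, later type) pairs that occur for the same user within
    `window` seconds. Memory is bounded by the sketch plus the events currently
    inside the window, not by the length of the stream."""
    sketch = CountMinSketch()
    pairs: Dict[Tuple[str, str], int] = {}
    recent: Dict[str, Deque[Event]] = {}
    for ts, etype, user in stream:
        sketch.add(etype)
        win = recent.setdefault(user, deque())
        while win and ts - win[0][0] > window:      # expire events outside the window
            win.popleft()
        for _, prev_type, _ in win:
            pairs[(prev_type, etype)] = pairs.get((prev_type, etype), 0) + 1
        win.append((ts, etype, user))
    return sketch, pairs


# constructed sample stream, already in timestamp order as the merged stream would be
SAMPLE: List[Event] = [
    (0,    "db.login",     "alice"),
    (30,   "db.query",     "alice"),
    (40,   "db.query",     "alice"),
    (300,  "ws.usb_mount", "alice"),
    (320,  "db.query",     "alice"),
    (900,  "db.login",     "bob"),
    (950,  "db.query",     "bob"),
    (5000, "db.query",     "alice"),   # too late to associate with alice's earlier events
]


def analyze(stream: Iterable[Event] = SAMPLE) -> Tuple[int, Dict[Tuple[str, str], int]]:
    """Return the sketch's estimate for "db.query" and the association tallies."""
    sketch, pairs = correlate(stream)
    return sketch.estimate("db.query"), pairs


if __name__ == "__main__":
    est, pairs = analyze()
    print("estimated db.query count:", est)
    for (a, b), n in sorted(pairs.items(), key=lambda kv: -kv[1]):
        print(f"{a} -> {b} within 600 s: {n}")
```

The sketch answers "how many `db.query` events so far" from a 64x4 table rather than a scan, and by construction its estimate is never below the true count of 5. The pair tallies are the raw material for a temporal association such as "a query following a removable-media mount within the window", which the detection stage can then compare against the model of normalcy.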
18. A non-transitory, computer-readable medium comprising a set of instructions for real-time detection of anomalies occurring in an enterprise computer network, wherein execution of said instructions by a system comprising at least one processor cause the system to:
receive a plurality of heterogeneous data streams from sources in the network, the sources including two levels, first level sources and second level sources, wherein the first level sources include one or more selected from a group consisting of agents located at databases;
agents located at applications;
audit programs located at user workstations;
sensors located in the network; and
sensors located at access points to the network;
wherein the second level sources include one or more selected from a group consisting of data access, user behavior, computer activity and network activity; and
wherein the first level sources monitor event streams of the second level sources and generate data streams indicative of corresponding second level source activity in a uniform format;
process the heterogeneous data streams obtained by combining at least two of the first level sources to identify events therein, each event being identified by at least a unique ID, a timestamp, and an event type, wherein the processing of the heterogeneous data streams includes combining at least two of the first level sources into a single data stream;
correlate the processed heterogeneous data streams to form an integrated data stream comprising a plurality of identified events;
detect the existence and at least one characteristic of an anomaly in the computer network by application of a predetermined model of normalcy and one or more anomaly rules to the integrated data stream comprising the plurality of identified events; and
issue an alert based on the at least one characteristic of the anomaly.
Dependent claims: 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33.
34. A non-transitory, computer-readable medium comprising a set of instructions for real-time detection of anomalies occurring in an enterprise computer network, wherein execution of said instructions by a system comprising at least one processor cause the system to:
receive a plurality of heterogeneous data streams from sources in the network, the sources including two levels, first level sources and second level sources, wherein the first level sources include the following:
agents located at databases;
agents located at applications;
audit programs located at user workstations;
sensors located in the network; and
sensors located at access points to the network; and
wherein the second level sources include the following:
email exchanges;
instant messages;
voice mails;
documents;
database content; and
user interactions and database queries;
process the heterogeneous data streams obtained by combining at least one of the first level sources with at least one of the second level sources to identify events therein, each event being identified by at least a unique ID, a timestamp, and an event type;
correlate the processed heterogeneous data streams to form an integrated data stream comprising a plurality of identified events;
detect the existence and at least one characteristic of an anomaly in the computer network by application of a predetermined model of normalcy and one or more anomaly rules to the integrated data stream comprising the plurality of identified events; and
issue an alert based on the at least one characteristic of the anomaly, wherein the executed instructions cause the system to correlate the processed data streams by:
estimating the number or frequency of one or more event types in the processed data stream without searching the entire processed data stream; and
determining one or more temporal, spatial, or generalized associations between a plurality of events in the processed data stream.
35. A computerized system for real-time detection of anomalies occurring in an enterprise computer network, comprising:
at least one processor; and
at least one memory including program code that, when executed by the at least one processor, causes the system to:
receive a plurality of heterogeneous data streams from sources in the network, the sources including two levels, first level sources and second level sources, wherein the first level sources include one or more selected from a group consisting of agents located at databases;
agents located at applications;
audit programs located at user workstations;
sensors located in the network; and
sensors located at access points to the network;
wherein the second level sources include one or more selected from a group consisting of data access, user behavior, computer activity and network activity; and
wherein the first level sources monitor event streams of the second level sources and generate data streams indicative of corresponding second level source activity in a uniform format;
process the heterogeneous data streams obtained by combining at least two of the first level sources to identify events therein, each event being identified by at least a unique ID, a timestamp, and an event type, wherein the processing of the heterogeneous data streams includes:
combining at least two of the first level sources into a single data stream; and
operating on the single data stream using an algorithm that identifies spatiotemporal relationships;
correlate the processed heterogeneous data streams to form an integrated data stream comprising a plurality of identified events;
detect the existence and at least one characteristic of an anomaly in the computer network by application of a predetermined model of normalcy and one or more anomaly rules to the integrated data stream comprising the plurality of identified events; and
issue an alert based on the at least one characteristic of the anomaly.
36. A non-transitory, computer-readable medium comprising a set of instructions for real-time detection of anomalies occurring in an enterprise computer network, wherein execution of said instructions by a system comprising at least one processor cause the system to:
receive a plurality of heterogeneous data streams from sources in the network, the sources including two levels, first level sources and second level sources, wherein the first level sources include one or more selected from a group consisting of agents located at databases;
agents located at applications;
audit programs located at user workstations;
sensors located in the network; and
sensors located at access points to the network;
wherein the second level sources include one or more selected from a group consisting of data access, user behavior, computer activity and network activity; and
wherein the first level sources monitor event streams of the second level sources and generate data streams indicative of corresponding second level source activity in a uniform format;
process the heterogeneous data streams obtained by combining at least two of the first level sources to identify events therein, each event being identified by at least a unique ID, a timestamp, and an event type, wherein the processing of the heterogeneous data streams includes:
combining at least two of the first level sources into a single data stream; and
operating on the single data stream using an algorithm that identifies spatiotemporal relationships;
correlate the processed heterogeneous data streams to form an integrated data stream comprising a plurality of identified events;
detect the existence and at least one characteristic of an anomaly in the computer network by application of a predetermined model of normalcy and one or more anomaly rules to the integrated data stream comprising the plurality of identified events; and
issue an alert based on the at least one characteristic of the anomaly.
37. A system for real-time detection of anomalies occurring in a computer network, comprising:
at least one processor; and
at least one memory including program code that, when executed by the at least one processor, causes the system to:
receive a plurality of heterogeneous data streams from sources in the network, the sources including first level sources and second level sources, wherein the first level sources include one or more selected from a group consisting of agents located at databases, agents located at applications, audit programs located at user workstations, sensors located in the network, and sensors located at access points to the network; wherein the second level sources include event streams to be analyzed; wherein the first level sources monitor the event streams of the second level sources and generate data streams indicative of corresponding second level source activity in a uniform format; and wherein each of the heterogeneous data streams is obtained by combining at least two of the first level sources into a data stream;
process the heterogeneous data streams to identify events therein, each event being identified by at least a unique ID, a timestamp, and an event type;
correlate the processed heterogeneous data streams to form an integrated data stream comprising a plurality of identified events;
detect the existence and at least one characteristic of an anomaly in the computer network by application of a predetermined model of normalcy and one or more anomaly rules to the integrated data stream comprising the plurality of identified events; and
issue an alert based on the at least one characteristic of the anomaly.
Dependent claims: 38.