Anomaly detection based on communication between entities over a network
Abstract
A security platform employs a variety of techniques and mechanisms to detect security-related anomalies and threats in a computer network environment. The security platform is "big data" driven and employs machine learning to perform security analytics. The security platform performs user/entity behavioral analytics (UEBA) to detect the security-related anomalies and threats, regardless of whether such anomalies/threats were previously known. The security platform can include both real-time and batch paths/modes for detecting anomalies and threats. By visually presenting analytical results scored with risk ratings and supporting evidence, the security platform enables network security administrators to respond to a detected anomaly or threat, and to take action promptly.
98 Citations
29 Claims
1. A method comprising:
receiving, by a computer system, event data associated with a communication between an internal entity within a computer network and an external entity outside the computer network, the event data including an identifier associated with a particular entity, wherein the particular entity is the internal entity or the external entity;
analyzing, by the computer system, a plurality of characters in the identifier by processing the event data;
assigning, by the computer system, a feature score based on the analysis, wherein the feature score is indicative of a level of confidence that the identifier is machine generated and a level of randomness in a sequence of characters in the identifier;
determining, by the computer system, that the level of randomness satisfies a specified criterion; and
detecting, by the computer system, an anomaly based on the feature score, wherein the anomaly is detected in response to determining that the level of randomness satisfies the specified criterion.
Dependent claims 2 through 27 depend from claim 1.

28. A system comprising:
a processor; and
a memory unit having instructions stored thereon, which when executed by the processor cause the system to:
receive event data associated with a communication between an internal entity within a computer network and an external entity outside the computer network, the event data including an identifier associated with a particular entity, wherein the particular entity is the internal entity or the external entity;
analyze a plurality of characters in the identifier by processing the event data;
assign a feature score based on the analysis, wherein the feature score is indicative of a level of confidence that the identifier is machine generated and a level of randomness in a sequence of characters in the identifier;
determine that the level of randomness satisfies a specified criterion; and
detect an anomaly based on the feature score, wherein the anomaly is detected in response to determining that the level of randomness satisfies the specified criterion.

29. A non-transient computer readable medium containing instructions, execution of which by a computer system cause the computer system to:
receive event data associated with a communication between an internal entity within a computer network and an external entity outside the computer network, the event data including an identifier associated with a particular entity, wherein the particular entity is the internal entity or the external entity;
analyze a plurality of characters in the identifier by processing the event data;
assign a feature score based on the analysis, wherein the feature score is indicative of a level of confidence that the identifier is machine generated and a level of randomness in a sequence of characters in the identifier;
determine that the level of randomness satisfies a specified criterion; and
detect an anomaly based on the feature score, wherein the anomaly is detected in response to determining that the level of randomness satisfies the specified criterion.
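The claimed method walked through in code, as an added example that is not from the patent or its assignee: the event records, the label extraction and the three sub-features (normalised Shannon entropy, vowel-ratio shortfall, longest non-vowel run) are assumptions of this illustration, and the threshold stands in for the claim's "specified criterion".

```python
import math
from collections import Counter

# Constructed sample event data (not from the patent): internal host -> external hostname
EVENTS = [
    {"src": "10.0.0.12", "dst_name": "mail.example.com"},
    {"src": "10.0.0.12", "dst_name": "xk3q9vz7pw2ltm8r.net"},
    {"src": "10.0.0.45", "dst_name": "updates.vendor-portal.org"},
    {"src": "10.0.0.45", "dst_name": "qwrtzpsd.com"},
]
VOWELS = set("aeiou")
THRESHOLD = 0.6  # assumed "specified criterion" on the feature score

def registrable_label(name):
    """Second-level label of the identifier, e.g. 'example' for 'mail.example.com'."""
    parts = name.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def feature_score(label):
    """Score in [0, 1]; higher means the identifier looks machine generated.
    Average of three assumed sub-features: normalised Shannon entropy, how far the
    vowel ratio falls below what natural words have, and long non-vowel runs."""
    n = len(label)
    if n < 2:
        return 0.0
    entropy = -sum(c / n * math.log2(c / n) for c in Counter(label).values())
    norm_entropy = entropy / math.log2(n)          # 1.0 when every character is unique
    vowel_ratio = sum(ch in VOWELS for ch in label) / n
    vowel_penalty = max(0.0, 0.3 - vowel_ratio) / 0.3   # natural words sit near 0.3-0.4
    longest_run = run = 0
    for ch in label:
        run = 0 if ch in VOWELS else run + 1
        longest_run = max(longest_run, run)
    run_penalty = min(1.0, max(0, longest_run - 4) / 4)  # runs beyond 4 non-vowels
    return round((norm_entropy + vowel_penalty + run_penalty) / 3, 3)

def detect_anomalies(events, threshold=THRESHOLD):
    """Return (src, dst_name, score) for events whose identifier meets the criterion."""
    hits = []
    for ev in events:
        score = feature_score(registrable_label(ev["dst_name"]))
        if score >= threshold:
            hits.append((ev["src"], ev["dst_name"], score))
    return hits

if __name__ == "__main__":
    for src, name, score in detect_anomalies(EVENTS):
        print(f"anomaly: {src} -> {name} (score {score})")
```

A production scorer would replace the hand-picked sub-features with a model trained on known-good and known-generated labels, but the flow (identifier, feature score, criterion, anomaly) is the same.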
Specification