Method for the detection and visualization of anomalous behaviors in a computer network

US 20070118909A1
Filed: 11/17/2006
Published: 05/24/2007
Est. Priority Date: 11/18/2005
Status: Active Grant

First Claim

Patent Images

1. A method for the detection of anomalous behaviors in a computer network, comprising the steps of:

collecting data relating to connections initiated by components in the network, said components selected from any one or more of a group including users, nodes and applications, sending said data to an anomaly detection system (ADS) platform, computing from said data an anomaly level of each component or of each of a group of said components, and computing a multidimensional chart for visualizing the behavior of said components or groups of components in said network in which said anomaly level of said components or groups of components is represented on a dimension in said chart.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for the detection of anomalous behaviors in a computer network, comprising the steps of: collecting data relating to connections in a plurality of nodes in a network, sending the data from said nodes to an ADS platform, computing from said data at least one value representative of the anomaly level of the connections of each said node and/or of applications initiating said connections and/or of users, computing a multidimensional chart for visualizing the behavior of a plurality of nodes, applications and/or users in said network, wherein said value representative of the anomaly level is used as a dimension in said chart.

164 Citations

20 Claims

1. A method for the detection of anomalous behaviors in a computer network, comprising the steps of:
- collecting data relating to connections initiated by components in the network, said components selected from any one or more of a group including users, nodes and applications, sending said data to an anomaly detection system (ADS) platform, computing from said data an anomaly level of each component or of each of a group of said components, and computing a multidimensional chart for visualizing the behavior of said components or groups of components in said network in which said anomaly level of said components or groups of components is represented on a dimension in said chart.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1, wherein time is represented on another dimension in said chart.
  - 3. The method of claim 2, wherein the numbers of connections initiated by each component or group of components over time are represented on said chart.
  - 4. The method of claim 1, further comprising the step of computing a criticality level of said components or groups of components, and including said criticality level as another dimension in said chart.
  - 5. The method of claim 1, further comprising the step of computing a network activity level of said components or groups of components from the number of connections of each component, and including said network activity level as another dimension in said chart.
  - 6. The method of claim 1, comprising the step of forming groups of components by clustering nodes, applications and/or users with similar expected or determined behaviors.
  - 7. The method of claim 1, wherein said chart is displayed on a visualization platform distinct from said ADS platform.
  - 8. The method of claim 1, wherein said data are sent in real time to said ADS platform and comprise, for at least some of the connections, following parameters:
    - start time of the connection, end time of the connection and/or duration of the connection, identification of the node, identification of the user, identification of the application, port used by the connection.
  - 9. The method of claim 8, further comprising a step of manually selecting a specific connection on said chart for initiating the display of at least some of said parameters.
  - 10. The method of claim 1, further comprising a step of defining at least one set of conditions for connections, anomaly levels and/or components to be displayed, and a step of displaying on said chart only past connections, anomaly levels and/or components that fulfill said conditions.
  - 11. The method of claim 1, further comprising a step of defining at least one set of conditions for connections, anomaly levels and/or components, and a step of alerting said administrator as soon as said at least one set of conditions is fulfilled.
  - 12. The method of claim 1, wherein said data are collected in said nodes by drivers installed in said nodes for intercepting and/or detecting said connections.

13. A system for detecting anomalous behaviors in a computer network, comprising:
- an ADS platform for collecting data relating to connections initiated by components in the network, said components selected from any one or more of a group including users, nodes and applications and for computing from said data an anomaly level of each component or of each of a group of said components, and a visualization platform for displaying a multidimensional chart for visualizing the behavior of said components or groups of components in said network in which said anomaly level of said components or groups of components is represented on a dimension in said chart.

14. A method for the detection of anomalous behaviors in a computer network, comprising the steps of:
- collecting data relating to connections initiated by components in the network, said components selected from any one or more of a group including users, nodes and applications, said data including data identifying components, applications and destination ports, sending said data to an anomaly detection system (ADS) platform, computing from said data a multidimensional chart displaying said components, applications, and destination ports in the form of icons along separate and essentially parallel axes, where the related components, applications and destination ports are interlinked between adjacent axes with lines to visualize the connections.
- View Dependent Claims (15, 16, 17, 18, 19, 20)
- - 15. The method of claim 14, wherein the numbers of connections initiated by each component or group of components over time are computed and represented on said chart.
  - 16. The method of claim 15 wherein the lines have thicknesses proportional to the number of connections following the same path.
  - 17. The method of claim 14 wherein said components, applications, and destination ports are each represented by icons that can be grouped with others of the same type on the same axis, respectively ungrouped.
  - 18. The method of claim 14 wherein anomaly levels of connections are computed and represented on the chart.
  - 19. The method of claim 18 wherein said anomaly levels of the connections are represented by colors or hues of said icons and/or lines, dependant on the anomaly
  - 20. The method of claim 14 wherein the chart further includes destination nodes in the form of icons along a further separate and essentially parallel axis interlinked with lines to destination ports to visualize the connections.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Nexthink SA
Original Assignee
Nexthink SA
Inventors
Hertzog, Patrick, Aguilar, Pedro

Granted Patent

US 7,930,752 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/23
CPC Class Codes

G06F 21/552 involving long-term monitor...

H04L 63/1425 Traffic logging, e.g. anoma...

Method for the detection and visualization of anomalous behaviors in a computer network

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

164 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Method for the detection and visualization of anomalous behaviors in a computer network

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

164 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links