DETECTING ANOMALOUS WEB PROXY ACTIVITY

US 20110093944A1
Filed: 12/14/2009
Published: 04/21/2011
Est. Priority Date: 12/13/2005
Status: Active Grant

First Claim

Patent Images

1. A method of detecting anomalous web proxy activity comprising:

filtering the plurality of records extracted from the proxy log by the detection module to exclude records that do not include identified information;

calculating a number of distinct destination addresses to which a source address is connecting;

comparing the number of distinct destination addresses to a threshold number established for the source IP address; and

determining, with the detection module, whether a first one of the records extracted from a web proxy log, and not excluded by the filtering, comprises suspicious web activity based on the comparing.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method, system and apparatus for detecting anomalous web proxy activity by end-users are disclosed. The techniques include analyzing records from a web proxy log and determining whether the records contain anomalous end-user activity by inspecting a uniform resource locator and a connect instruction included therein. The techniques also include generating an alert in response to the analysis.

Citations

20 Claims

1. A method of detecting anomalous web proxy activity comprising:
- filtering the plurality of records extracted from the proxy log by the detection module to exclude records that do not include identified information;
  
  calculating a number of distinct destination addresses to which a source address is connecting;
  
  comparing the number of distinct destination addresses to a threshold number established for the source IP address; and
  
  determining, with the detection module, whether a first one of the records extracted from a web proxy log, and not excluded by the filtering, comprises suspicious web activity based on the comparing.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein filtering the plurality of records comprises filtering the plurality of records to exclude records that do not include an Internet protocol (IP) address at a beginning of a uniform resource locator (URL) field.
  - 3. The method of claim 2, wherein filtering the plurality of records comprises filtering the plurality of records to exclude records that do not include a connect instruction.
  - 4. The method of claim 1, further comprising parsing the record by comparing a time entry of the record to a configurable time period.
  - 5. The method of claim 1, wherein the connect instruction is a Hyper Text Transfer Protocol connect method.
  - 6. The method of claim 1 comprising parsing the uniform resource locator field for the destination Internet Protocol address;
  - 7. The method of claim 1 comprising generating the alert based on the comparison.

8. An article comprising a machine-readable medium storing machine-readable instructions that, when applied to a machine, cause the machine to:
- filter the plurality of records extracted from the proxy log to exclude records that do not include identified information;
  
  calculate a number of distinct destination addresses to which a source address is connecting;
  
  compare the number of distinct destination addresses to a threshold number established for the source IP address; and
  
  determine whether a first one of the records extracted from a web proxy log, and not excluded by the filtering, comprises suspicious web activity based on the comparison.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The article of claim 8 including instructions that, when applied to the machine, cause the machine to compare a time entry of the record to a configurable time period.
  - 10. The article of claim 8 including instructions that, when applied to the machine, cause the machine to parse the numeric uniform resource locator field for the Internet Protocol address.
  - 11. The article of claim 10 including instructions that, when applied to the machine, cause the machine to filter the plurality of records to exclude records that do not include an Internet protocol (IP) address at a beginning of a uniform resource locator (URL) field.
  - 12. The article of claim 11 including instructions that, when applied to the machine, cause the machine to filter the plurality of records to exclude records that do not include a connect instruction.
  - 13. The article of claim 8 including instructions that, when applied to the machine, cause the machine to generate the alert based on the comparison.
  - 14. The article of claim 13 including instructions that, when applied to the machine, cause the machine to transmit the alert to a system administrator.

15. A system comprising a service delivery device coupled to a network, the service delivery device including a processor and memory storing instructions that, in response to receiving a request for access to a service, cause the processor to:
- filter the plurality of records extracted from the proxy log to exclude records that do not include identified information;
  
  calculate a number of distinct destination addresses to which a source address is connecting;
  
  compare the number of distinct destination addresses to a threshold number established for the source IP address; and
  
  determine whether a first one of the records extracted from a web proxy log, and not excluded by the filtering, comprises suspicious web activity based on the comparison.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The system of claim 15, wherein the memory stores instructions that, in response to receiving the request over the network, cause the processor to filter the plurality of records to exclude records that do not include an Internet protocol (IP) address at a beginning of a uniform resource locator (URL) field.
  - 17. The system of claim 16, wherein the memory stores instructions that, in response to receiving the request over the network, cause the processor to filter the plurality of records to exclude records that do not include a connect instruction.
  - 18. The system of claim 15, wherein the memory stores instructions that, in response to receiving the request over the network, cause the processor to compare a time entry of the record to a configurable time period.
  - 19. The system of claim 15, wherein the memory stores instructions that, in response to receiving the request over the network, cause the processor to parse the numeric uniform resource locator for the Internet Protocol address.
  - 20. The system of claim 15, wherein the memory stores instructions that, in response to receiving the request over the network, cause the processor to generate the alert based on the comparison.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
AT&T Corporation (AT&T, Inc.)
Original Assignee
AT&T Corporation (AT&T, Inc.)
Inventors
Spielman, Chaim

Granted Patent

US 8,117,655 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/12
CPC Class Codes

G06F 2221/2101   Auditing as a secondary aspect

H04L 43/00   Arrangements for monitoring...

H04L 63/0227   Filtering policies mail mes...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

DETECTING ANOMALOUS WEB PROXY ACTIVITY

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

DETECTING ANOMALOUS WEB PROXY ACTIVITY

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links