DETECTING AND MANAGING ABNORMAL DATA BEHAVIOR
First Claim
1. A method performed by one or more processors, the method comprising:
- identifying one or more data movements performed by a particular computing device over a network;
- determining a normal data movement profile for the particular computing device based on one or more identified data transfers during a particular time period, the normal data movement profile including one or more normal data movement attributes associated with the particular computing device;
- identifying a data movement rule associated with the particular computing device, the data movement rule including a deviation amount representing a difference between an attribute of a detected data movement by the particular computing device and a corresponding normal data movement attribute included in the normal data movement profile for the particular computing device that indicates a violation of the data movement rule, and the data movement rule including one or more actions to be performed in response to a violation;
- detecting a data movement associated with the particular computing device;
- determining that the detected data movement represents a violation of the data movement rule; and
- performing the one or more actions associated with the data movement rule upon determining that the detected data movement represents a violation of the data movement rule.
Abstract
Methods and systems for providing destination-specific network management are described. One example method includes determining a normal data movement profile for a computing device based on observed normal data transfer behavior by the computing device; identifying a data movement rule associated with the computing device, the data movement rule including a deviation amount, and one or more actions to take when the computing device deviates from the normal data movement profile by more than the deviation amount; detecting a data movement associated with the computing device; determining that the detected data movement exceeds the deviation amount included in the data movement rule relative to the normal data movement profile for the computing device; and performing the one or more actions associated with the data movement rule upon determining that the data movement violates the data movement rule.
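The flow in the abstract (baseline, rule with a deviation amount, detection, action) can be sketched as follows. This is an added example, not code from the patent: the record layout, the attribute names `bytes` and `destinations`, the action names, and the reading of "deviation amount" as a relative difference from the median are all assumptions.

```python
from dataclasses import dataclass
from statistics import median

# Constructed sample history: (device, destination, bytes_sent).
HISTORY = [
    ("laptop-17", "fileserver.corp.example", 40_000_000),
    ("laptop-17", "fileserver.corp.example", 55_000_000),
    ("laptop-17", "backup.corp.example", 60_000_000),
    ("laptop-17", "fileserver.corp.example", 45_000_000),
    ("kiosk-02", "updates.corp.example", 2_000_000),
]

@dataclass
class Rule:
    attribute: str    # profile attribute the rule compares against (assumed names)
    deviation: float  # allowed relative excess over normal; 2.0 means 200% above
    actions: tuple    # action names to perform on violation (assumed names)

def build_profile(history, device):
    """Normal data movement profile for one device over the observed period."""
    rows = [r for r in history if r[0] == device]
    if not rows:
        raise ValueError(f"no baseline data for {device}")
    return {"bytes": median(r[2] for r in rows),
            "destinations": {r[1] for r in rows}}

def evaluate(profile, rules, movement):
    """Return the actions triggered by one detected movement (dest, bytes)."""
    dest, size = movement
    triggered = []
    for rule in rules:
        if rule.attribute == "bytes":
            normal = max(profile["bytes"], 1)  # avoid dividing by a zero baseline
            violated = (size - normal) / normal > rule.deviation
        elif rule.attribute == "destinations":
            violated = dest not in profile["destinations"]
        else:
            continue  # unknown attribute: nothing to compare against
        if violated:
            triggered.extend(a for a in rule.actions if a not in triggered)
    return triggered

# Constructed rules for laptop-17.
RULES = [Rule("bytes", 2.0, ("alert",)),
         Rule("destinations", 0.0, ("alert", "block"))]

if __name__ == "__main__":
    profile = build_profile(HISTORY, "laptop-17")
    print(evaluate(profile, RULES, ("paste.example.net", 200_000_000)))
```

Keeping the profile per device matters here: the same 60 MB transfer is normal for `laptop-17` and would be 29 times above baseline for `kiosk-02`.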
20 Claims
1. A method performed by one or more processors, the method comprising:
- identifying one or more data movements performed by a particular computing device over a network;
- determining a normal data movement profile for the particular computing device based on one or more identified data transfers during a particular time period, the normal data movement profile including one or more normal data movement attributes associated with the particular computing device;
- identifying a data movement rule associated with the particular computing device, the data movement rule including a deviation amount representing a difference between an attribute of a detected data movement by the particular computing device and a corresponding normal data movement attribute included in the normal data movement profile for the particular computing device that indicates a violation of the data movement rule, and the data movement rule including one or more actions to be performed in response to a violation;
- detecting a data movement associated with the particular computing device;
- determining that the detected data movement represents a violation of the data movement rule; and
- performing the one or more actions associated with the data movement rule upon determining that the detected data movement represents a violation of the data movement rule.

Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11
12. A non-transitory, computer-readable medium storing instructions operable when executed to cause at least one processor to perform operations comprising:
- identifying one or more data movements performed by a particular computing device over a network;
- determining a normal data movement profile for the particular computing device based on one or more identified data transfers during a particular time period, the normal data movement profile including one or more normal data movement attributes associated with the particular computing device;
- identifying a data movement rule associated with the particular computing device, the data movement rule including a deviation amount representing a difference between an attribute of a detected data movement by the particular computing device and a corresponding normal data movement attribute included in the normal data movement profile for the particular computing device that indicates a violation of the data movement rule, and the data movement rule including one or more actions to be performed in response to a violation;
- detecting a data movement associated with the particular computing device;
- determining that the detected data movement represents a violation of the data movement rule; and
- performing the one or more actions associated with the data movement rule upon determining that the detected data movement represents a violation of the data movement rule.

Dependent claims: 13, 14, 15, 16, 17, 18, 19
20. A system comprising:
- memory for storing data; and
- one or more processors operable to perform operations comprising:
  - identifying one or more data movements performed by a particular computing device over a network;
  - determining a normal data movement profile for the particular computing device based on one or more identified data transfers during a particular time period, the normal data movement profile including one or more normal data movement attributes associated with the particular computing device;
  - identifying a data movement rule associated with the particular computing device, the data movement rule including a deviation amount representing a difference between an attribute of a detected data movement by the particular computing device and a corresponding normal data movement attribute included in the normal data movement profile for the particular computing device that indicates a violation of the data movement rule, and the data movement rule including one or more actions to be performed in response to a violation;
  - detecting a data movement associated with the particular computing device;
  - determining that the detected data movement represents a violation of the data movement rule; and
  - performing the one or more actions associated with the data movement rule upon determining that the detected data movement represents a violation of the data movement rule.
Specification