Behavior-based traffic profiling based on access control information
First Claim
1. A method comprising:
determining, by a device, a plurality of traffic behavior patterns, the plurality of traffic behavior patterns being associated with a respective plurality of user roles associated with a user;
monitoring, by the device, a traffic flow on a network, the monitoring of the traffic flow including:
determining a user role, of the plurality of user roles, associated with the traffic flow,
identifying, based on the determined user role, a traffic behavior pattern of the plurality of traffic behavior patterns, and
identifying a traffic behavior associated with the traffic flow;
comparing, by the device, the traffic behavior, associated with the traffic flow, and the traffic behavior pattern to form comparison results;
determining, by the device and based on the comparison results, whether an anomaly is associated with the traffic flow, determining whether the anomaly is associated with the traffic flow including:
determining that the anomaly is associated with the traffic flow when the traffic flow is associated with a first network protocol that differs from a second network protocol associated with the traffic behavior pattern;
performing, by the device and when the anomaly is associated with the traffic flow, a security response; and
updating, when the anomaly is not associated with the traffic flow, the traffic behavior pattern based on monitoring the traffic flow, the traffic behavior pattern not being updated based on monitoring the traffic flow when the anomaly is associated with the traffic flow.
Abstract
A method includes receiving one or more of user information, role information, or authorization information associated with a user accessing a network, selecting a traffic flow to monitor that is associated with the one or more of user information, role information, or authorization information, monitoring the traffic flow, determining whether an anomaly exists with respect to the traffic flow based on a traffic behavior pattern associated with the one or more of user information, role information, or authorization information, and performing a security response when it is determined that the anomaly exists.
39 Citations
16 Claims
1. A method comprising: (independent claim; its full text is reproduced above under First Claim.)
Dependent claims: 2, 3, 4, 5, 6, 7.
8. A network device, comprising:
a processor to:
determine a plurality of traffic behavior patterns, the plurality of traffic behavior patterns being associated with a respective plurality of user roles associated with a user;
determine, from the plurality of user roles, a user role associated with a traffic flow;
identify, based on the determined user role, a traffic behavior pattern, of the plurality of traffic behavior patterns, associated with the traffic flow;
compare traffic flow information, associated with the traffic flow, to the identified traffic behavior pattern;
detect an anomaly of traffic behavior associated with the traffic flow based on comparing the traffic flow information to the identified traffic behavior pattern, the processor, when detecting the anomaly, being further to:
detect the anomaly of traffic behavior associated with the traffic flow based on determining that the traffic flow is associated with a first network protocol that differs from a second network protocol associated with the traffic behavior pattern;
perform, when the anomaly is detected, a security response; and
update, when the anomaly is not associated with the traffic flow, the traffic behavior pattern based on monitoring the traffic flow, the processor not updating the traffic behavior pattern, based on monitoring the traffic flow, when the anomaly is associated with the traffic flow.
Dependent claims: 9, 10, 11, 12, 13, 14.
15. A non-transitory computer-readable medium storing instructions, the instructions comprising:
one or more instructions which, when executed by a processor, cause the processor to acquire data associated with activities of a user on a network;
one or more instructions which, when executed by the processor, cause the processor to determine, based on the acquired data, a plurality of traffic behavior patterns associated with the user, the plurality of traffic behavior patterns being associated with a respective plurality of user roles of the user;
one or more instructions which, when executed by the processor, cause the processor to monitor a traffic flow to produce monitoring results;
one or more instructions which, when executed by the processor, cause the processor to determine a user role, of the plurality of user roles, associated with the traffic flow;
one or more instructions which, when executed by the processor, cause the processor to identify, based on the determined user role, a traffic behavior pattern, of the plurality of traffic behavior patterns, associated with the traffic flow;
one or more instructions which, when executed by the processor, cause the processor to compare the monitoring results with the traffic behavior pattern to form comparison results;
one or more instructions which, when executed by the processor, cause the processor to determine, based on the comparison results, whether the traffic flow is associated with an anomaly of traffic behavior, the one or more instructions to determine whether the traffic flow is associated with the anomaly of traffic behavior further including:
one or more instructions to determine that the traffic flow is associated with the anomaly of traffic behavior when the traffic flow is associated with a first network protocol that differs from a second network protocol associated with the traffic behavior pattern;
one or more instructions which, when executed by the processor, cause the processor to perform a security response when the traffic flow is associated with the anomaly; and
one or more instructions to update, when the traffic flow is not associated with the anomaly, the traffic behavior pattern based on information associated with the traffic flow, the traffic behavior pattern not being updated based on the information associated with the traffic flow when the traffic flow is associated with the anomaly.
Dependent claim: 16.
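The three independent claims (1, 8 and 15) and the abstract describe one loop: keep a separate traffic behavior pattern for each role a user holds, attribute each flow to a role, flag the flow when its protocol is not one the role's pattern has seen, respond, and feed only non-anomalous flows back into the pattern so that an attack never becomes part of the baseline. The following is an added example that illustrates that loop; it is not the patent's implementation and no such code appears on this page. Everything in it is an assumption for illustration: the flow records are constructed, the role on each record is taken as already supplied by the access-control layer (the lookup itself is not shown), the warm-up of three samples before enforcement, the extra destination-port check (the claim's criterion is protocol mismatch only), and the quarantine alert standing in for the claim's security response.

```python
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Flow:
    """One observed flow, already attributed to a user and to the role under
    which that user was admitted. Assumption: the role comes from the
    access-control layer (e.g. 802.1X/RADIUS accounting); that lookup is not shown."""
    user: str
    role: str
    protocol: str   # transport protocol, e.g. "tcp", "udp"
    dst_port: int


@dataclass
class Pattern:
    """Learned traffic behavior pattern for one (user, role) pair."""
    protocols: Set[str] = field(default_factory=set)
    dst_ports: Set[int] = field(default_factory=set)
    samples: int = 0


class RoleProfiler:
    def __init__(self, training_samples: int = 3) -> None:
        # One pattern per (user, role): the same user can hold several roles,
        # each with its own baseline, as the claims require.
        self.patterns: Dict[Tuple[str, str], Pattern] = defaultdict(Pattern)
        # Assumption: enforce only after this many benign samples per pattern.
        self.training_samples = training_samples
        self.alerts: List[dict] = []

    def detect(self, flow: Flow) -> Optional[str]:
        """Compare the flow's behavior with its role's pattern; return the
        reason for an anomaly, or None when the flow matches the pattern."""
        pat = self.patterns[(flow.user, flow.role)]
        # The claimed criterion: the flow's protocol differs from the pattern's.
        if flow.protocol not in pat.protocols:
            return f"protocol {flow.protocol} not in pattern {sorted(pat.protocols)}"
        # Added heuristic (assumption, not in the claim): unseen destination port.
        if flow.dst_port not in pat.dst_ports:
            return f"port {flow.dst_port} not in pattern {sorted(pat.dst_ports)}"
        return None

    def security_response(self, flow: Flow, reason: str) -> dict:
        """Stand-in for the claim's security response: record a quarantine alert."""
        alert = {"action": "quarantine", "user": flow.user,
                 "role": flow.role, "reason": reason}
        self.alerts.append(alert)
        return alert

    def monitor(self, flow: Flow) -> Optional[str]:
        """Monitor one flow. Returns the anomaly reason, or None if benign."""
        pat = self.patterns[(flow.user, flow.role)]
        if pat.samples < self.training_samples:
            self._update(pat, flow)          # still learning this role's baseline
            return None
        reason = self.detect(flow)
        if reason is not None:
            self.security_response(flow, reason)
            return reason                    # anomalous flow must NOT train the pattern
        self._update(pat, flow)              # benign flow refines the pattern
        return None

    @staticmethod
    def _update(pat: Pattern, flow: Flow) -> None:
        pat.protocols.add(flow.protocol)
        pat.dst_ports.add(flow.dst_port)
        pat.samples += 1


def run_demo() -> Tuple[List[Optional[str]], RoleProfiler]:
    """Constructed flows for one user holding two roles; returns per-flow results."""
    profiler = RoleProfiler(training_samples=3)
    flows = [
        Flow("alice", "finance", "tcp", 443),   # finance baseline: HTTPS only
        Flow("alice", "finance", "tcp", 443),
        Flow("alice", "finance", "tcp", 8443),
        Flow("alice", "admin", "tcp", 22),      # admin baseline: SSH and SNMP
        Flow("alice", "admin", "tcp", 22),
        Flow("alice", "admin", "udp", 161),
        Flow("alice", "finance", "udp", 53),    # UDP under the finance role: anomaly
        Flow("alice", "admin", "udp", 161),     # UDP under the admin role: expected
        Flow("alice", "finance", "tcp", 443),   # benign, refines the finance pattern
    ]
    return [profiler.monitor(f) for f in flows], profiler


if __name__ == "__main__":
    results, prof = run_demo()
    for r in results:
        print(r)
    print({k: sorted(v.protocols) for k, v in prof.patterns.items()})
```

The same UDP flow is an anomaly when alice is acting in the finance role and normal when she is acting as admin, which is the point of keying patterns by role rather than by user. After the run the finance pattern still contains only TCP: the quarantined flow was not learned, whereas the later benign HTTPS flow was, so a single malicious flow cannot widen the baseline to cover its own follow-up traffic.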
Specification