Behavioral detection of suspicious host activities in an enterprise

US 9,516,039 B1
Filed: 12/23/2013
Issued: 12/06/2016
Est. Priority Date: 11/12/2013
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

processing log data derived from data sources associated with an enterprise network over a given period of time, wherein the enterprise network comprises multiple host devices, and wherein the data sources comprise at least a domain controller, a virtual private network server, a web proxy, and a dynamic host configuration protocol server;

creating a whitelist that is customized to the enterprise network, wherein said whitelist comprises multiple external destinations determined to have been contacted by a given number of the multiple host devices over a temporal training period, wherein the given number of the host devices is in excess of a predetermined threshold number of host devices;

filtering the identified external destinations of the whitelist from the processed log data;

extracting one or more network traffic features from said filtered log data on a per host device basis, wherein said extracting comprises;

determining a network traffic pattern associated with the multiple host devices based on said processing; and

identifying said one or more network traffic features representative of a host device based on the determined network traffic pattern;

clustering the multiple host devices into one or more groups based on said one or more network traffic features; and

identifying an anomaly associated with one of the multiple host devices by comparing said host device to the one or more groups across the multiple host devices of the enterprise network;

wherein said processing, said creating, said filtering, said extracting, said clustering, and said identifying are carried out by at least one computing device.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods, apparatus and articles of manufacture for behavioral detection of suspicious host activities in an enterprise are provided herein. A method includes processing log data derived from one or more data sources associated with an enterprise network over a given period of time, wherein the enterprise network comprises multiple host devices; extracting one or more features from said log data on a per host device basis, wherein said extracting comprises: determining a pattern of behavior associated with the multiple host devices based on said processing; and identifying said features representative of host device behavior based on the determined pattern of behavior; clustering the multiple host devices into one or more groups based on said one or more features; and identifying a behavioral anomaly associated with one of the multiple host devices by comparing said host device to the one or more groups across the multiple host devices.

109 Citations

View as Search Results

20 Claims

1. A method comprising:
- processing log data derived from data sources associated with an enterprise network over a given period of time, wherein the enterprise network comprises multiple host devices, and wherein the data sources comprise at least a domain controller, a virtual private network server, a web proxy, and a dynamic host configuration protocol server;
  
  creating a whitelist that is customized to the enterprise network, wherein said whitelist comprises multiple external destinations determined to have been contacted by a given number of the multiple host devices over a temporal training period, wherein the given number of the host devices is in excess of a predetermined threshold number of host devices;
  
  filtering the identified external destinations of the whitelist from the processed log data;
  
  extracting one or more network traffic features from said filtered log data on a per host device basis, wherein said extracting comprises;
  
  determining a network traffic pattern associated with the multiple host devices based on said processing; and
  
  identifying said one or more network traffic features representative of a host device based on the determined network traffic pattern;
  
  clustering the multiple host devices into one or more groups based on said one or more network traffic features; and
  
  identifying an anomaly associated with one of the multiple host devices by comparing said host device to the one or more groups across the multiple host devices of the enterprise network;
  
  wherein said processing, said creating, said filtering, said extracting, said clustering, and said identifying are carried out by at least one computing device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1, wherein said extracting comprises extracting said one or more network traffic features from said filtered log data based on network traffic of said multiple host devices within the enterprise network.
  - 3. The method of claim 1, wherein said processing comprises normalizing said log data.
  - 4. The method of claim 3, wherein said normalizing comprises normalizing a timestamp associated with each item of said log data into a common time zone.
  - 5. The method of claim 3, wherein said normalizing comprises establishing a mapping between each internet protocol (IP) address associated with said log data and a unique identifier for each of said multiple host devices.
  - 6. The method of claim 1, wherein said one or more network traffic features comprise a feature based on one or more external destinations contacted by a given host device.
  - 7. The method of claim 1, wherein said one or more network traffic features comprise a feature based on software configuration of a given host device.
  - 8. The method of claim 1, wherein said one or more network traffic features comprise a feature related to volume of traffic generated by a given host device.
  - 9. The method of claim 1, wherein said one or more network traffic features comprise a feature related to one or more filtering policies imposed by a given web proxy associated with the enterprise network.
  - 10. The method of claim 1, wherein said extracting one or more network traffic features from said filtered log data further comprises specifying a value for each of said one or more network traffic features.
  - 11. The method of claim 1, further comprising:
    - determining a value for each of said one or more network traffic features among said filtered log data in the one or more groups.
  - 12. An article of manufacture comprising a non-transitory processor-readable storage medium having processor-readable instructions tangibly embodied thereon which, when implemented, cause a processor to carry out the steps of the method of claim 1.

13. An apparatus comprising:
- a memory; and
  
  at least one processor coupled to the memory and configured to;
  
  process log data derived from data sources associated with an enterprise network over a given period of time, wherein the enterprise network comprises multiple host devices, and wherein the data sources comprise at least a domain controller, a virtual private network server, a web proxy, and a dynamic host configuration protocol server;
  
  create a whitelist that is customized to the enterprise network, wherein said whitelist comprises multiple external destinations determined to have been contacted by a given number of the multiple host devices over a temporal training period, wherein the given number of the host devices is in excess of a predetermined threshold number of host devices;
  
  filter the identified external destinations of the whitelist from the processed log data;
  
  extract one or more network traffic features from said filtered log data on a per host device basis, wherein said extracting comprises;
  
  determining a network traffic pattern associated with the multiple host devices based on said processing; and
  
  identifying said one or more network traffic features representative of a host device based on the determined network traffic pattern;
  
  cluster the multiple host devices into one or more groups based on said one or more network traffic features; and
  
  identify an anomaly associated with one of the multiple host devices by comparing said host device to the one or more groups across the multiple host devices of the enterprise network.
- View Dependent Claims (19, 20)
- - 19. The apparatus of claim 13, wherein said processing comprises normalizing said log data.
  - 20. The apparatus of claim 19, wherein said normalizing comprises normalizing a timestamp associated with each item of said log data into a common time zone.

14. A method comprising:
- normalizing multiple items of log data (i) associated with multiple user devices within an enterprise network and (ii) derived from data sources associated with the enterprise network, wherein the data sources comprise at least a domain controller, a virtual private network server, a web proxy, and a dynamic host configuration protocol server;
  
  creating a whitelist that is customized to the enterprise network, wherein said whitelist comprises multiple external destinations determined to have been contacted by a given number of the multiple host devices over a temporal training period, wherein the given number of the host devices is in excess of a predetermined threshold number of host devices;
  
  filtering the identified external destinations of the whitelist from the processed log data;
  
  extracting one or more network traffic features from said filtered log data;
  
  clustering said filtered log data into one or more groups, wherein said one or more groups are based on categories associated with each of the multiple devices;
  
  identifying outlying network traffic associated with one or more of the multiple devices based a comparison of device network traffic within each of the one or more groups to said one or more network traffic features;
  
  generating an alert based on said identified outlying network traffic; and
  
  outputting the alert.
- View Dependent Claims (15, 16, 17, 18)
- - 15. The method of claim 14, wherein said normalizing comprises normalizing a timestamp associated with each item of said log data into a common time zone.
  - 16. The method of claim 14, wherein said normalizing comprises establishing a mapping between each internet protocol (IP) address associated with said log data and a unique identifier for each of said multiple host devices.
  - 17. The method of claim 14, wherein said one or more network traffic features comprise a feature based on one or more external destinations contacted by a given host device.
  - 18. The method of claim 14, further comprising:
    - determining a value for each of said one or more network traffic features among said filtered log data in the one or more groups.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
EMC Corporation (Dell Technologies Inc.)
Original Assignee
Emc IP Holding Company LLC (Dell Technologies Inc.)
Inventors
Robertson, William, Kirda, Engin, Yen, Ting-Fang, Oprea, Alina, Onarlioglu, Kaan, Leetham, Todd, Juels, Ari
Primary Examiner(s)
Pwu, Jeffrey
Assistant Examiner(s)
Corum, Jr., William

Application Number

US14/139,047
Time in Patent Office

1,079 Days
Field of Search

726/23
US Class Current

1/1
CPC Class Codes

H04L 63/0245   Filtering by information in...

H04L 63/14   for detecting or protecting...

H04L 63/1425   Traffic logging, e.g. anoma...

Behavioral detection of suspicious host activities in an enterprise

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

109 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Behavioral detection of suspicious host activities in an enterprise

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

109 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links