Detecting and managing abnormal data behavior
First Claim
1. A method performed by one or more processors, the method comprising:
identifying one or more data movements performed by a particular computing device over a network;
determining a normal data movement profile for the particular computing device based on one or more identified data transfers during a particular time period, the normal data movement profile including one or more normal data movement destinations associated with the particular computing device, wherein the normal data movement destinations represent one or more features of other computing devices to which the data is being moved;
identifying a data movement rule associated with the particular computing device, the data movement rule including a deviation amount representing a difference between an attribute of a detected data movement by the particular computing device and a corresponding normal data movement attribute included in the normal data movement profile for the particular computing device that indicates a violation of the data movement rule, and the data movement rule including one or more actions to be performed in response to a violation;
after determining the normal data movement profile and identifying the data movement rule;
monitoring data movements performed by the particular computing device;
identifying data movement destinations of the monitored data movements, wherein the identified data movement destinations represent the one or more features of other computing devices to which the data is being moved;
determining that at least one of the identified data movement destinations differs from a corresponding normal data movement destination for the particular computing device by at least the deviation amount for the data movement rule; and
performing the one or more actions associated with the data movement rule upon determining that the identified data movement destinations differ from a corresponding normal data movement attribute.
7 Assignments
0 Petitions
Abstract
Methods and systems for providing destination-specific network management are described. One example method includes determining a normal data movement profile for a computing device based on observed normal data transfer behavior by the computing device; identifying a data movement rule associated with the computing device, the data movement rule including a deviation amount, and one or more actions to take when the computing device deviates from the normal data movement profile by more than the deviation amount; detecting a data movement associated with the computing device; determining that the detected data movement exceeds the deviation amount included in the data movement rule relative to the normal data movement profile for the computing device; and performing the one or more actions associated with the data movement rule upon determining that the data movement violates the data movement rule.
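The abstract and independent claim 1 describe one procedure: learn a per-device profile of normal data movement destinations from transfers seen in a training window, attach a rule carrying a deviation amount and a list of actions, then monitor later transfers and run the actions when a destination differs from every known-normal destination by at least that amount. The following Python is an added illustration of that procedure from the detection side, not code from the patent or its assignee. The destination "features" (address prefix, service port, volume bucket), the mismatch-count definition of deviation, the device names and the transfer log are all constructed assumptions.

```python
"""Baseline-and-deviate detector for outbound data movements (added example).

Assumed feature set for a destination: /24 prefix of the peer address, service
port, and the decimal order of magnitude of bytes moved. A transfer record is
(device, dst_ip, dst_port, bytes_out, timestamp); all sample data is constructed.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

Transfer = Tuple[str, str, int, int, int]


@dataclass
class DestinationFeatures:
    prefix: str        # first three octets of the destination address
    port: int
    size_bucket: int   # number of digits in bytes_out minus one (~ log10)


def features_of(dst_ip: str, port: int, nbytes: int) -> DestinationFeatures:
    prefix = ".".join(dst_ip.split(".")[:3])
    return DestinationFeatures(prefix, port, len(str(max(nbytes, 1))) - 1)


def deviation(a: DestinationFeatures, b: DestinationFeatures) -> int:
    """Deviation amount between two destinations: count of differing features (0..3).
    This mismatch count is an assumption standing in for the claim's attribute difference."""
    return int(a.prefix != b.prefix) + int(a.port != b.port) + int(a.size_bucket != b.size_bucket)


@dataclass
class NormalProfile:
    device: str
    destinations: List[DestinationFeatures] = field(default_factory=list)


@dataclass
class DataMovementRule:
    deviation_amount: int                                  # violation when deviation >= this
    actions: List[Callable[[str, Transfer, int], None]]    # run in order on violation


def build_profiles(transfers: List[Transfer], window: Tuple[int, int]) -> Dict[str, NormalProfile]:
    """Normal data movement profile per device from transfers inside the training window."""
    start, end = window
    profiles: Dict[str, NormalProfile] = {}
    for dev, ip, port, nbytes, ts in transfers:
        if not start <= ts <= end:
            continue
        prof = profiles.setdefault(dev, NormalProfile(dev))
        feat = features_of(ip, port, nbytes)
        if feat not in prof.destinations:
            prof.destinations.append(feat)
    return profiles


def monitor(transfers: List[Transfer], profiles: Dict[str, NormalProfile],
            rules: Dict[str, DataMovementRule], window: Tuple[int, int]) -> List[Tuple[Transfer, int]]:
    """Evaluate transfers after the training window; return (transfer, deviation) for each violation."""
    _, end = window
    violations: List[Tuple[Transfer, int]] = []
    for t in transfers:
        dev, ip, port, nbytes, ts = t
        if ts <= end:
            continue
        prof, rule = profiles.get(dev), rules.get(dev)
        if prof is None or rule is None:
            continue  # no baseline or no rule for this device: nothing to compare against
        feat = features_of(ip, port, nbytes)
        amount = min(deviation(feat, n) for n in prof.destinations)  # distance to nearest normal destination
        if amount >= rule.deviation_amount:
            violations.append((t, amount))
            for action in rule.actions:
                action(dev, t, amount)
    return violations


class Responder:
    """Collects the actions a rule triggers (alert and quarantine are assumed action types)."""
    def __init__(self) -> None:
        self.alerts: List[str] = []
        self.quarantined: set = set()

    def alert(self, dev: str, t: Transfer, amount: int) -> None:
        self.alerts.append(f"{dev} -> {t[1]}:{t[2]} ({t[3]} bytes) deviates by {amount}")

    def quarantine(self, dev: str, t: Transfer, amount: int) -> None:
        self.quarantined.add(dev)


def run_demo() -> Tuple[List[Tuple[Transfer, int]], Responder]:
    # Constructed log: ts 0..100 is the training window, later records are monitored.
    log: List[Transfer] = [
        ("ws-17", "10.1.5.20", 445, 20000, 10),        # file server, normal
        ("ws-17", "10.1.5.21", 445, 50000, 20),        # same prefix/port/volume bucket
        ("ws-17", "172.16.8.9", 443, 3000, 30),        # internal web app
        ("ws-17", "10.1.5.22", 445, 30000, 150),       # matches profile exactly
        ("ws-17", "172.16.8.9", 443, 8000, 160),       # matches profile exactly
        ("ws-17", "203.0.113.77", 443, 900000000, 170),  # new network AND 5 orders more volume
        ("ws-17", "172.16.8.40", 443, 2500, 180),      # new host in a known prefix: still normal
        ("ws-17", "203.0.113.77", 443, 5000, 190),     # new network alone: deviation 1, below threshold
        ("srv-02", "198.51.100.5", 22, 400, 200),      # device with no profile: skipped
    ]
    window = (0, 100)
    responder = Responder()
    rules = {"ws-17": DataMovementRule(deviation_amount=2, actions=[responder.alert, responder.quarantine])}
    profiles = build_profiles(log, window)
    return monitor(log, profiles, rules, window), responder


if __name__ == "__main__":
    found, resp = run_demo()
    for line in resp.alerts:
        print(line)
    print("quarantined:", sorted(resp.quarantined))
```

With a deviation amount of 2 the rule fires once, on the large transfer to an unfamiliar network, while a small transfer to the same unfamiliar address scores only 1 and passes; tuning that threshold is the knob the claim's "deviation amount" exposes, and the feature set decides what the profile can and cannot distinguish.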
52 Citations
20 Claims
1. A method performed by one or more processors, the method comprising:
identifying one or more data movements performed by a particular computing device over a network; determining a normal data movement profile for the particular computing device based on one or more identified data transfers during a particular time period, the normal data movement profile including one or more normal data movement destinations associated with the particular computing device, wherein the normal data movement destinations represent one or more features of other computing devices to which the data is being moved; identifying a data movement rule associated with the particular computing device, the data movement rule including a deviation amount representing a difference between an attribute of a detected data movement by the particular computing device and a corresponding normal data movement attribute included in the normal data movement profile for the particular computing device that indicates a violation of the data movement rule, and the data movement rule including one or more actions to be performed in response to a violation; after determining the normal data movement profile and identifying the data movement rule; monitoring data movements performed by the particular computing device; identifying data movement destinations of the monitored data movements, wherein the identified data movement destinations represent the one or more features of other computing devices to which the data is being moved; determining that at least one of the identified data movement destinations differs from a corresponding normal data movement destination for the particular computing device by at least the deviation amount for the data movement rule; and performing the one or more actions associated with the data movement rule upon determining that the identified data movement destinations differ from a corresponding normal data movement attribute. (Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 19.)

11. A non-transitory, computer-readable medium storing instructions operable when executed to cause at least one processor to perform operations comprising:
identifying one or more data movements performed by a particular computing device over a network; determining a normal data movement profile for the particular computing device based on one or more identified data transfers during a particular time period, the normal data movement profile including one or more normal data movement destinations associated with the particular computing device, wherein the normal data movement destinations represent one or more features of other computing devices to which the data is being moved; identifying a data movement rule associated with the particular computing device, the data movement rule including a deviation amount representing a difference between an attribute of a detected data movement by the particular computing device and a corresponding normal data movement attribute included in the normal data movement profile for the particular computing device that indicates a violation of the data movement rule, and the data movement rule including one or more actions to be performed in response to a violation; after determining the normal data movement profile and identifying the data movement rule; monitoring data movements performed by the particular computing device; identifying data movement destinations of the monitored data movements, wherein the identified data movement destinations represent the one or more features of other computing devices to which the data is being moved; determining that at least one of the identified data movement destinations differs from a corresponding normal data movement destination for the particular computing device by at least the deviation amount for the data movement rule; and performing the one or more actions associated with the data movement rule upon determining that the identified data movement destinations differ from a corresponding normal data movement attribute. (Dependent claims: 12, 13, 14, 15, 16, 17, 20.)

18. A system comprising:
memory for storing data; and one or more processors operable to perform operations comprising: identifying one or more data movements performed by a particular computing device over a network; determining a normal data movement profile for the particular computing device based on one or more identified data transfers during a particular time period, the normal data movement profile including one or more normal data movement destinations associated with the particular computing device, wherein the normal data movement destinations represent one or more features of other computing devices to which the data is being moved; identifying a data movement rule associated with the particular computing device, the data movement rule including a deviation amount representing a difference between an attribute of a detected data movement by the particular computing device and a corresponding normal data movement attribute included in the normal data movement profile for the particular computing device that indicates a violation of the data movement rule, and the data movement rule including one or more actions to be performed in response to a violation; after determining the normal data movement profile and identifying the data movement rule; monitoring data movements performed by the particular computing device; identifying data movement destinations of the monitored data movements, wherein the identified data movement destinations represent the one or more features of other computing devices to which the data is being moved; determining that at least one of the identified data movement destinations differs from a corresponding normal data movement destination for the particular computing device by at least the deviation amount for the data movement rule; and performing the one or more actions associated with the data movement rule upon determining that the identified data movement destinations differ from a corresponding normal data movement attribute.

Specification