Detecting and managing abnormal data behavior

US 9,794,291 B2
Filed: 11/17/2015
Issued: 10/17/2017
Est. Priority Date: 02/26/2014
Status: Active Grant

First Claim

Patent Images

1. A method performed by one or more processors, the method comprising:

identifying one or more data movements performed by a particular computing device over a network;

determining a normal data movement profile for the particular computing device based on one or more identified data transfers during a particular time period, the normal data movement profile including one or more normal data movement destinations associated with the particular computing device, wherein the normal data movement destinations represent one or more features of other computing devices to which the data is being moved;

identifying a data movement rule associated with the particular computing device, the data movement rule including a deviation amount representing a difference between an attribute of a detected data movement by the particular computing device and a corresponding normal data movement attribute included in the normal data movement profile for the particular computing device that indicates a violation of the data movement rule, and the data movement rule including one or more actions to be performed in response to a violation;

after determining the normal data movement profile and identifying the data movement rule;

monitoring data movements performed by the particular computing device;

identifying data movement destinations of the monitored data movements, wherein the identified data movement destinations represent the one or more features of other computing devices to which the data is being moved;

determining that at least one of the identified data movement destinations differs from a corresponding normal data movement destination for the particular computing device by at least the deviation amount for the data movement rule; and

performing the one or more actions associated with the data movement rule upon determining that the identified data movement destinations differ from a corresponding normal data movement attribute.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and systems for providing destination-specific network management are described. One example method includes determining a normal data movement profile for a computing device based on observed normal data transfer behavior by the computing device; identifying a data movement rule associated with the computing device, the data movement rule including a deviation amount, and one or more actions to take when the computing device deviates from the normal data movement profile by more than the deviation amount; detecting a data movement associated with the computing device; determining that the detected data movement exceeds the deviation amount included in the data movement rule relative to the normal data movement profile for the computing device; and performing the one or more actions associated with the data movement rule upon determining that the data movement violates the data movement rule.

52 Citations

View as Search Results

20 Claims

1. A method performed by one or more processors, the method comprising:
- identifying one or more data movements performed by a particular computing device over a network;
  
  determining a normal data movement profile for the particular computing device based on one or more identified data transfers during a particular time period, the normal data movement profile including one or more normal data movement destinations associated with the particular computing device, wherein the normal data movement destinations represent one or more features of other computing devices to which the data is being moved;
  
  identifying a data movement rule associated with the particular computing device, the data movement rule including a deviation amount representing a difference between an attribute of a detected data movement by the particular computing device and a corresponding normal data movement attribute included in the normal data movement profile for the particular computing device that indicates a violation of the data movement rule, and the data movement rule including one or more actions to be performed in response to a violation;
  
  after determining the normal data movement profile and identifying the data movement rule;
  
  monitoring data movements performed by the particular computing device;
  
  identifying data movement destinations of the monitored data movements, wherein the identified data movement destinations represent the one or more features of other computing devices to which the data is being moved;
  
  determining that at least one of the identified data movement destinations differs from a corresponding normal data movement destination for the particular computing device by at least the deviation amount for the data movement rule; and
  
  performing the one or more actions associated with the data movement rule upon determining that the identified data movement destinations differ from a corresponding normal data movement attribute.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 19)
- - 2. The method of claim 1, wherein:
    - the normal data movement profile includes an amount of data transferred during the particular time period,the deviation amount specifies a percentage deviation from the amount of data transferred that will trigger the data movement rule, anddetermining that the data movement violates the data movement rule comprises determining that an amount of data associated with the data movement is greater than the amount of data transferred by more than the deviation amount.
  - 3. The method of claim 1, wherein:
    - the normal data movement profile includes a data transfer type distribution for the particular time period,the deviation amount specifies a percentage deviation from the data transfer type distribution that will trigger the data movement rule, anddetermining that the data movement violates the data movement rule comprises determining that an observed data transfer type distribution associated with the data movement differs from the data transfer type distribution by more than the deviation amount.
  - 4. The method of claim 3, wherein the data transfer type distribution includes a ratio of Universal Datagram Protocol (UDP) transfers to Transmission Control Protocol (TCP) transfers.
  - 5. The method of claim 1, wherein:
    - the normal data movement profile includes a number of simultaneous data destinations for the particular time period,the deviation amount specifies a percentage deviation from the number of simultaneous data destinations transferred that will trigger the data movement rule, anddetermining that the data movement violates the data movement rule comprises determining that a number of simultaneous data destinations for the particular computing device is greater than the number of simultaneous data destinations by more than the deviation amount.
  - 6. The method of claim 1, wherein:
    - the normal data movement profile includes a data rate for the particular time period,the deviation amount specifies a percentage deviation from the data rate that will trigger the data movement rule, anddetermining that the data movement violates the data movement rule comprises determining that a data rate for the particular computing device is greater than the data rate by more than the deviation amount.
  - 7. The method of claim 1, wherein the one or more features of other computing devices that receive data transfers from the particular computing device comprise a geo-location result of an IP address to which the data is being moved.
  - 8. The method of claim 1, wherein the data movement occurs from a private network to a public network.
  - 9. The method of claim 1, wherein the data movement occurs from a first private network to a second private network.
  - 10. The method of claim 1, wherein the data movement includes at least one of data being transferred from the particular computing device or data being transferred to the particular computing device.
  - 19. The method of claim 1, wherein the one or more features of other computing devices that receive data transfers from the particular computing device comprise a range of IP addresses.

11. A non-transitory, computer-readable medium storing instructions operable when executed to cause at least one processor to perform operations comprising:
- identifying one or more data movements performed by a particular computing device over a network;
  
  determining a normal data movement profile for the particular computing device based on one or more identified data transfers during a particular time period, the normal data movement profile including one or more normal data movement destinations associated with the particular computing device, wherein the normal data movement destinations represent one or more features of other computing devices to which the data is being moved;
  
  identifying a data movement rule associated with the particular computing device, the data movement rule including a deviation amount representing a difference between an attribute of a detected data movement by the particular computing device and a corresponding normal data movement attribute included in the normal data movement profile for the particular computing device that indicates a violation of the data movement rule, and the data movement rule including one or more actions to be performed in response to a violation;
  
  after determining the normal data movement profile and identifying the data movement rule;
  
  monitoring data movements performed by the particular computing device;
  
  identifying data movement destinations of the monitored data movements, wherein the identified data movement destinations represent the one or more features of other computing devices to which the data is being moved;
  
  determining that at least one of the identified data movement destinations differs from a corresponding normal data movement destination for the particular computing device by at least the deviation amount for the data movement rule; and
  
  performing the one or more actions associated with the data movement rule upon determining that the identified data movement destinations differ from a corresponding normal data movement attribute.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 20)
- - 12. The computer-readable medium of claim 11, wherein:
    - the normal data movement profile includes an amount of data transferred during the particular time period,the deviation amount specifies a percentage deviation from the amount of data transferred that will trigger the data movement rule, anddetermining that the data movement violates the data movement rule comprises determining that an amount of data associated with the data movement is greater than the amount of data transferred by more than the deviation amount.
  - 13. The computer-readable medium of claim 11, wherein:
    - the normal data movement profile includes a data transfer type distribution for the particular time period,the deviation amount specifies a percentage deviation from the data transfer type distribution that will trigger the data movement rule, anddetermining that the data movement violates the data movement rule comprises determining that an observed data transfer type distribution associated with the data movement differs from the data transfer type distribution by more than the deviation amount.
  - 14. The computer-readable medium of claim 13, wherein the data transfer type distribution includes a ratio of Universal Datagram Protocol (UDP) transfers to Transmission Control Protocol (TCP) transfers.
  - 15. The computer-readable medium of claim 11, wherein:
    - the normal data movement profile includes a number of simultaneous data destinations for the particular time period,the deviation amount specifies a percentage deviation from the number of simultaneous data destinations transferred that will trigger the data movement rule, anddetermining that the data movement violates the data movement rule comprises determining that a number of simultaneous data destinations for the particular computing device is greater than the number of simultaneous data destinations by more than the deviation amount.
  - 16. The computer-readable medium of claim 11, wherein:
    - the normal data movement profile includes a data rate for the particular time period,the deviation amount specifies a percentage deviation from the data rate that will trigger the data movement rule, anddetermining that the data movement violates the data movement rule comprises determining that a data rate for the particular computing device is greater than the data rate by more than the deviation amount.
  - 17. The computer-readable medium of claim 11, wherein the one or more features of other computing devices that receive data transfers from the particular computing device comprise a geo-location result of an IP address to which the data is being moved.
  - 20. The computer-readable medium of claim 11, wherein the one or more features of other computing devices that receive data transfers from the particular computing device comprise a range of IP addresses.

18. A system comprising:
- memory for storing data; and
  
  one or more processors operable to perform operations comprising;
  
  identifying one or more data movements performed by a particular computing device over a network;
  
  determining a normal data movement profile for the particular computing device based on one or more identified data transfers during a particular time period, the normal data movement profile including one or more normal data movement destinations associated with the particular computing device, wherein the normal data movement destinations represent one or more features of other computing devices to which the data is being moved;
  
  identifying a data movement rule associated with the particular computing device, the data movement rule including a deviation amount representing a difference between an attribute of a detected data movement by the particular computing device and a corresponding normal data movement attribute included in the normal data movement profile for the particular computing device that indicates a violation of the data movement rule, and the data movement rule including one or more actions to be performed in response to a violation;
  
  after determining the normal data movement profile and identifying the data movement rule;
  
  monitoring data movements performed by the particular computing device;
  
  identifying data movement destinations of the monitored data movements, wherein the identified data movement destinations represent the one or more features of other computing devices to which the data is being moved;
  
  determining that at least one of the identified data movement destinations differs from a corresponding normal data movement destination for the particular computing device by at least the deviation amount for the data movement rule; and
  
  performing the one or more actions associated with the data movement rule upon determining that the identified data movement destinations differ from a corresponding normal data movement attribute.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
iBoss
Original Assignee
iBoss
Inventors
Martini, Paul Michael, Martini, Peter Anthony
Primary Examiner(s)
SYED, FARHAN M

Application Number

US14/944,057
Publication Number

US 20160072848A1
Time in Patent Office

700 Days
Field of Search
US Class Current
CPC Class Codes

G06F 16/122   using management policies b...

H04L 63/0263   Rule management

H04L 63/105   Multiple levels of security

H04L 63/1441   Countermeasures against mal...

H04L 63/20   for managing network securi...

H04L 67/303   Terminal profiles

H04W 12/12   Detection or prevention of ...

H04W 12/63   Location-dependent; Proximi...

H04W 4/029   Location-based management o...

Detecting and managing abnormal data behavior

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

52 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

Detecting and managing abnormal data behavior

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

52 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others