System for determining network anomalies

US10158658B1 · US · B1

Patent metadata
Publication number: US-10158658-B1
Application number: US-201514960013-A
Country: US
Kind code: B1
Filing date: Dec 4, 2015
Priority date: Dec 4, 2015
Publication date: Dec 18, 2018
Grant date: Dec 18, 2018

Abstract

Described are techniques for determining abnormalities in the transmission of data using one or more networks. Responsive to a request or other data, multiple anomaly detection services may determine anomaly values indicative of the likelihood that the request is anomalous. An aggregate value may also be determined based on at least a subset of the anomaly values. Based on correspondence between the aggregate value or any of the anomaly values and threshold data, the request may be determined to be anomalous or non-anomalous. The anomaly values may also be compared to security profile data indicative of sets of values determined based on previous requests. If the current anomaly values do not correspond to the security profile data, this determination may indicate that one or more of the anomaly detection services is compromised. Subsequent values from compromised anomaly detection services may be disregarded until remedied.

First claim

Opening claim text (preview).

What is claimed is:

1. A system comprising: one or more memories storing computer-executable instructions; and one or more hardware processors configured to execute the computer-executable instructions to: access security profile data including sets of previously generated anomaly values for a plurality of anomaly detection services configured to determine anomalous data associated with one or more levels of a network stack, the sets of previously generated anomaly values indicative of non-anomalous functioning of the plurality of anomaly detection services; receive a request at the plurality of anomaly detection services; generate, at the plurality of anomaly detection services, detected anomaly values associated with the request, the detected anomaly values indicative of confidence that the request is not anomalous; determine a difference between the detected anomaly values and the sets of previously generated anomaly values of the security profile data, the difference exceeding a threshold value; based on the difference, determine at least one detected anomaly value associated with the request that deviates from at least one of the sets of previously generated anomaly values of the security profile data; determine at least one anomaly detection service of the plurality of anomaly detection services associated with the at least one detected anomaly value deviating from the at least one of the sets of previously generated anomaly values of the security profile data; and execute a control action associated with the at least one anomaly detection service, the control action including reducing a weight associated with anomaly detection for one or more subsequent detected anomaly values received from the at least one anomaly detection service.

2. The system of claim 1, further comprising computer-executable instructions to: determine an aggregate anomaly value based on at least a subset of the detected anomaly values associated with the request; determine the aggregate anomaly value to exceed a threshold aggregate value; determine, based at least in part on the aggregate anomaly value exceeding the threshold aggregate value, an anomaly associated with the request; and execute a second control action associated with the request, the second control action including one or more of: rejecting the request, modifying an access credential associated with the request, modifying a processing rate associated with the request, providing identification data associated with the request to one or more receiving devices, modifying a route via which the request is provided, or modifying a format associated with the request.

3. The system of claim 1, wherein the security profile data further includes one or more of a request type or a request source, the system further comprising computer-executable instructions to: determine, based at least in part on the request, the one or more of the request type and the request source associated with the request; and determine correspondence between the security profile data and the one or more of the request type and the request source associated with the request.

4. The system of claim 1, wherein the computer-executable instructions to determine the detected anomaly values associated with the request that deviates from the at least one of the sets of previously generated anomaly values of the security profile data include computer-executable instructions to: determine the sets of previously generated anomaly values of the security profile data to be within a threshold tolerance of the detected anomaly values associated with the request; and determine a mismatch between the detected anomaly values associated with the request and one or more corresponding anomaly values of the sets of previously generated anomaly values of the security profile data.

5. A method comprising: determining detected anomaly values associated with a request received by a plurality of anomaly detection services, the detected anomaly values indicative of confidence that the request is not anomalous; determining correspondence between the detected anomaly values and security profile data indicative of sets of corresponding previously generated anomaly values for the plurality of anomaly detection services, wherein the sets of corresponding previously generated anomaly values are indicative of non-anomalous functioning of the plurality of anomaly detection services; determining, based at least in part on the correspondence between the detected anomaly values and the sets of corresponding previously generated anomaly values of the security profile data, at least one detected anomaly value that deviates from at least one of the sets of corresponding previously generated anomaly values of the security profile data by at least a threshold value; determining at least one anomaly detection service of the plurality of anomaly detection services associated with the at least one detected anomaly value deviating from the at least one of the sets of corresponding previously generated anomaly values of the security profile data; and performing a control action associated with the at least one anomaly detection service.

6. The method of claim 5, wherein the security profile data further includes one or more of a source or type associated with the sets of corresponding previously generated anomaly values of the securing profile data, the method further comprising: determining the one or more of the source or the type associated with the detected anomaly values; and determining correspondence between the security profile data and the one or more of the source or the type.

7. The method of claim 5, wherein determining the at least one detected anomaly value that deviates from the at least one of the sets of corresponding previously generated anomaly values of the security profile data includes: determining a particular set of anomaly values of the at least one of the sets of the corresponding previously generated anomaly values of the security profile data to be within a threshold tolerance of the detected anomaly values; and determining a difference between the at least one detected anomaly value and a corresponding anomaly value of the particular set of anomaly values of the at least one of the sets of the corresponding previously generated anomaly values of the security profile data.

8. The method of claim 5, wherein determining the at least one detected anomaly value that deviates from the at least one of the sets of corresponding previously generated anomaly values of the security profile data includes: determining a difference between the detected anomaly values and a corresponding anomaly value of a particular set of anomaly values of the at least one of the sets of the corresponding previously generated anomaly values of the security profile data; disregarding the at least one detected anomaly value of the detected anomaly values to form modified data; and determining correspondence between the modified data and the corresponding anomaly values of the particular set of anomaly values of the at least one of the sets of the corresponding previously generated anomaly values of the security profile data, the correspondence indicating that the difference is associated with the at least one detected anomaly value.

9. The method of claim 5, wherein determining the at least one detected anomaly value that deviates from the at least one of the sets of corresponding previously generated anomaly values of the security profile data includes: determining a plurality of the sets of the corresponding previously generated anomaly values of the security profile data that include an anomaly value associated with the at least one an
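The profile comparison of claims 1 and 5, the leave-one-out attribution of claim 8 and the aggregate check of claim 2 can be sketched as follows. This is an added example, not code from the patent or its assignee; the service names, score values, tolerance and threshold are constructed assumptions, and scores follow the abstract's reading in which a higher value means the request is more likely anomalous.

```python
# Added illustration: service names, scores, tolerance and threshold are constructed.
SERVICES = ("network", "transport", "application")

# Security profile data: sets of values the services produced together on
# previous requests while functioning normally (constructed sample values).
PROFILE = [
    {"network": 0.10, "transport": 0.12, "application": 0.08},
    {"network": 0.80, "transport": 0.75, "application": 0.85},
    {"network": 0.15, "transport": 0.60, "application": 0.70},
]
TOLERANCE = 0.10            # per-service tolerance when matching a profile set
AGGREGATE_THRESHOLD = 0.50  # an aggregate above this marks the request anomalous


def matches(detected, profile_set, skip=None):
    """True if every service except `skip` is within TOLERANCE of the set."""
    return all(abs(detected[s] - profile_set[s]) <= TOLERANCE
               for s in SERVICES if s != skip)


def suspect_services(detected):
    """Return services whose value alone explains a mismatch with the profile."""
    if any(matches(detected, p) for p in PROFILE):
        return []  # the values correspond to a previously seen set
    # Leave-one-out: disregard one value; if the rest now match a profile set,
    # the difference is associated with the disregarded service.
    return [s for s in SERVICES
            if any(matches(detected, p, skip=s) for p in PROFILE)]


def evaluate(detected, weights):
    """Down-weight suspect services (persisting in `weights`), then score."""
    suspects = suspect_services(detected)
    for s in suspects:
        weights[s] = 0.0  # control action: disregard this service until remedied
    total = sum(weights.values())
    # If every service has been down-weighted, fall back to the highest score
    # so that losing all detectors does not silently pass requests.
    aggregate = (sum(weights[s] * detected[s] for s in SERVICES) / total
                 if total else max(detected.values()))
    return {"suspects": suspects, "aggregate": round(aggregate, 3),
            "anomalous": aggregate > AGGREGATE_THRESHOLD}
```

With equal starting weights, a request scored 0.72 / 0.72 / 0.02 averages below the threshold; once the application service is identified as the outlier and down-weighted, the same request is flagged.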

Classifications

  • involving negotiation or determination of the one or more network security mechanisms to be used, e.g. by negotiation between the client and the server or between peers or by selection according to the capabilities of the entities involved (negotiation of communication capabilities H04L69/24)

  • Traffic logging, e.g. anomaly detection

  • Event detection, e.g. attack signature detection

Frequently asked questions

Who is the assignee on this patent?
Amazon Tech Inc
What technology area does this patent fall under?
Primary CPC classification H04L63/1425. Mapped technology areas include Electricity.
When was this patent published?
Publication date Dec 18, 2018 (B1). Legal status and post-grant events are not shown on this page.