Network anomaly detection and profiling

US10291637B1 · US · B1

Patent metadata
Publication number: US-10291637-B1
Application number: US-201615201856-A
Country: US
Kind code: B1
Filing date: Jul 5, 2016
Priority date: Jul 5, 2016
Publication date: May 14, 2019
Grant date: May 14, 2019


Abstract

Official abstract text for this publication.

A security system detects and attributes anomalous activity in a network. The system logs user network activity, which can include ports used, IP addresses, commands typed, etc., and may detect anomalous activity by comparing users to find similar users, sorting similar users into cohorts, and comparing new user activity to logged behavior of the cohort. The comparison can include a divergence calculation. Origins of user activity can also be used to determine anomalous network activity. The hostname, username, IP address, and timestamp can be used to calculate aggregate scores and convoluted scores. The system extracts features from the logged anomalous network activity, and determines whether the activity is attributable to an actor profile by comparing the extracted features and attributes associated with the actor profile based upon previous activity attributed to the actor.

Claims

Full claim text for this publication.

What is claimed is:

1. A computer system for anomaly detection and profiling, the computer system comprising: one or more computer readable storage devices configured to store one or more software modules including computer executable instructions; and one or more computer processors in communication with the one or more computer readable storage devices and configured to execute the one or more software modules to cause the computer system to: receive one or more logs indicating network activity by an actor; determine that the logged network activity is anomalous; in response to the determination that the logged network activity is anomalous: identify one or more features of the logged network activity that was determined to be anomalous; access a data store containing a plurality of profiles, each profile of the plurality of profiles corresponding to a respective person or group to which anomalous network activity has been attributed; determine, based at least in part on the identified one or more features, respective scores for each respective profile of the plurality of profiles, the respective scores indicating likelihoods that the logged network activity is attributable to each respective profile of the plurality of profiles; select, based on the respective scores, a subset of the plurality of profiles for presentation; and transmit data to present, to a user, the subset of the plurality of profiles; and receive, from the user, an input indicating that the logged network activity is attributable to at least one of: a particular profile of the subset of the plurality of profiles, or a new profile.

2. The computer system of claim 1, wherein the identified one or more features includes a time of activity.

3. The computer system of claim 1, wherein the identified one or more features includes one or more commands used to perform the logged network activity.

4. The computer system of claim 1, wherein the identified one or more features includes one or more filenames associated with the logged network activity.

5. The computer system of claim 1, wherein the respective scores are determined using a model trained to compare the identified one or more features to features of each respective profile of the plurality of profiles.

6. The computer system of claim 1, wherein the respective scores are determined based at least in part upon the identified one or more features and one or more features associated with each respective profile.

7. The computer system of claim 1, wherein the one or more computer processors are further configured to cause the computer system to: determine that the logged network activity that was determined to be anomalous is attributable to the particular profile or the new profile.

8. The computer system of claim 1, wherein at least some profiles of the plurality of profiles are associated with a group profile.

9. The computer system of claim 8, wherein the one or more computer processors are further configured to determine whether a profile is associated with the group profile by: identifying one or more attributes associated with the profile; comparing the one or more attributes associated with the profile to one or more attributes associated with the group profile to generate a similarity score; and associating the profile with the group profile in response, based at least in part upon the similarity score.

10. The computer system of claim 9, wherein the one or more attributes associated with the group profile are determined based upon a second plurality of profiles associated with the group profile.

11. The computer system of claim 1, wherein the one or more computer processors are further configured to cause the computer system to: use a trained model to analyze the identified one or more features to select the subset of the plurality of profiles; and update the trained model based on the input received from the user.

12. A computer-implemented method for anomaly detection and profiling, comprising: receiving one or more logs indicating network activity by an actor; determining that the logged network activity is anomalous; in response to the determination that the logged network activity is anomalous: identifying one or more features of the logged network activity that was determined to be anomalous; accessing a data store containing a plurality of profiles, each profile of the plurality of profiles corresponding to a respective person or group to which anomalous network activity has been attributed; determining, based at least in part on the identified one or more features, respective scores for each respective profile of the plurality of profiles, the respective scores indicating likelihoods that the logged network activity that was determined to be anomalous is attributable to each respective profile of the plurality of profiles; selecting, based on the respective scores, a subset of the plurality of profiles for presentation; and transmitting data to present, to a user, the subset of the plurality of profiles; and receiving, from the user, an input indicating that the logged network activity is attributable to at least one of: a particular profile of the subset of the plurality of profiles, or a new profile.

13. The computer-implemented method of claim 12, wherein the identified one or more features includes a time of activity.

14. The computer-implemented method of claim 12, wherein the identified one or more features includes one or more commands used to perform the logged network activity.

15. The computer-implemented method of claim 12, wherein the identified one or more features includes one or more filenames associated with the logged network activity.

16. The computer-implemented method of claim 12, wherein determining the scores comprises using a model trained to compare the identified one or more features to features of each respective profile of the plurality of profiles.

17. The computer-implemented method of claim 12, wherein the respective scores are determined based at least in part upon the identified one or more features and one or more features associated with each respective profile.

18. The computer-implemented method of claim 12, wherein at least some profiles of the plurality of profiles are associated with a group profile.

19. The computer-implemented method of claim 18, further comprising determining whether a profile is associated with the group profile by: identifying one or more attributes associated with the profile; comparing the one or more attributes associated with the profile to one or more attributes associated with the group profile to generate a similarity score; and associating the profile with the group profile in response, based at least in part upon the similarity score.

20. The computer-implemented method of claim 19, wherein the one or more attributes associated with the group profile are determined based upon a second plurality of profiles associated with the group profile.
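As an added illustration of the pipeline the abstract and claims describe (grouping similar users into a cohort, measuring how far new activity diverges from the cohort's logged behaviour, then scoring candidate actor profiles by feature overlap), the following example code is not part of the patent or of any Palantir product; the log events, profile names, Jaccard cohort threshold and KL divergence threshold are constructed assumptions.

```python
import math
from collections import Counter

# Constructed sample log of (user, command) events; not data from the patent.
LOGS = [
    ("alice", "ls"), ("alice", "cat"), ("alice", "grep"), ("alice", "ls"),
    ("bob", "ls"), ("bob", "grep"), ("bob", "cat"), ("bob", "vim"),
    ("carol", "ls"), ("carol", "cat"), ("carol", "ls"), ("carol", "grep"),
]

def distributions(logs):
    """Per-user probability distribution over the commands typed."""
    counts = {}
    for user, cmd in logs:
        counts.setdefault(user, Counter())[cmd] += 1
    return {u: {c: n / sum(cnt.values()) for c, n in cnt.items()}
            for u, cnt in counts.items()}

def jaccard(a, b):
    return len(a & b) / len(a | b) if a | b else 0.0

def find_cohort(dists, user, min_sim=0.5):
    """Users whose command set overlaps the given user's (Jaccard >= min_sim); includes the user."""
    mine = set(dists[user])
    return sorted(u for u, d in dists.items() if jaccard(mine, set(d)) >= min_sim)

def cohort_baseline(dists, members):
    """Average the members' distributions into one cohort baseline."""
    agg = Counter()
    for u in members:
        for c, pr in dists[u].items():
            agg[c] += pr / len(members)
    return dict(agg)

def kl_divergence(p, q, eps=1e-3):
    """KL(P || Q); additive smoothing keeps commands unseen in Q from giving infinity."""
    keys = set(p) | set(q)
    qs = {k: q.get(k, 0.0) + eps for k in keys}
    z = sum(qs.values())
    return sum(p[k] * math.log(p[k] / (qs[k] / z)) for k in keys if p.get(k, 0.0) > 0)

def is_anomalous(new_cmds, baseline, threshold=1.0):
    """Flag new activity whose divergence from the cohort baseline exceeds the threshold."""
    cnt = Counter(new_cmds)
    p = {c: n / len(new_cmds) for c, n in cnt.items()}
    d = kl_divergence(p, baseline)
    return d > threshold, d

def score_profiles(features, profiles):
    """Likelihood-style score per actor profile: overlap of anomalous features with its attributes."""
    return {name: jaccard(features, attrs) for name, attrs in profiles.items()}
```

The top-scoring profiles would be the subset presented to the analyst, whose confirmation (existing profile or new profile) is what the claims feed back into the model.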

Assignees

Palantir Technologies Inc

Classifications

  • involving long-term monitoring or reporting

  • Traffic logging, e.g. anomaly detection

  • for managing network security; network security policies in general (filtering policies H04L63/0227)

  • Event detection, e.g. attack signature detection

  • by monitoring network traffic (monitoring network traffic per se H04L43/00)


Frequently asked questions

Answers are generated from the same data shown on this page.

Who is the assignee on this patent?
Palantir Technologies Inc
What technology area does this patent fall under?
Primary CPC classification H04L63/1425. Mapped technology areas include Electricity.
When was this patent published?
Publication date May 14, 2019 (B1). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 12 related publications on this page (citations in our corpus or others sharing the same primary CPC).