Network management using entropy-based signatures
US-10623429-B1 · Apr 14, 2020 · US
US11288111B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-11288111-B2 |
| Application number | US-202016750863-A |
| Country | US |
| Kind code | B2 |
| Filing date | Jan 23, 2020 |
| Priority date | Apr 18, 2019 |
| Publication date | Mar 29, 2022 |
| Grant date | Mar 29, 2022 |
Abstract
A method of distinguishing between human and computer actions in a cloud environment includes receiving one or more actions from a monitored cloud environment; identifying a text string associated with the one or more actions; calculating an entropy value for the text string; determining whether the text string is bot-generated based at least in part on the entropy value; and determining whether to generate an alert based at least in part on a result of determining whether the text string is bot-generated.
Claims
What is claimed is:

1. A method of distinguishing between human and computer actions in cloud environments, the method comprising: receiving a list of one or more actions from a cloud environment, wherein the list of one or more actions are recorded by the cloud environment and sent to a server that monitors security for a plurality of different cloud environments; identifying a text string in the list of one or more actions, wherein the text string is received by the cloud environment as part of a request from a client device; calculating an entropy value for the text string; comparing the entropy value to a predetermined threshold; determining whether the text string is bot-generated if the entropy value exceeds the predetermined threshold; and determining whether to generate an alert based at least in part on a result of determining whether the text string is bot-generated.
2. The method of claim 1, wherein the entropy value of the text string is calculated by calculating a probability of occurrence for each token in the text string.
3. The method of claim 2, wherein the entropy value of the text string is further calculated by calculating the base-2 logarithm of the probability of occurrence for each token in the text string.
4. The method of claim 3, wherein the entropy value of the text string is further calculated by multiplying a result of the base-2 logarithm by the probability of occurrence for each token in the text string.
5. The method of claim 4, wherein the entropy value of the text string is further calculated by aggregating results of multiplying the base-2 logarithm by the probability of occurrence to generate an overall entropy measure for the text string.
6. The method of claim 1, wherein identifying the text string in the list of one or more actions comprises extracting a substring from a request in at least one of the one or more actions.
7. The method of claim 1, wherein identifying the text string in the list of one or more actions comprises removing text from a white list of common text from the text string before calculating the entropy value.
8. The method of claim 1, wherein identifying the text string in the list of one or more actions comprises combining text strings from each of the list of one or more actions together to form the text string.
9. A non-transitory computer-readable medium comprising instructions that, when executed by one or more processors, cause the one or more processors to perform operations comprising: receiving a list of one or more actions from a cloud environment, wherein the list of one or more actions are recorded by the cloud environment and sent to a server that monitors security for a plurality of different cloud environments; identifying a text string in the list of one or more actions, wherein the text string is received by the cloud environment as part of a request from a client device; calculating an entropy value for the text string; comparing the entropy value to a predetermined threshold; determining whether the text string is bot-generated if the entropy value exceeds the predetermined threshold; and determining whether to generate an alert based at least in part on a result of determining whether the text string is bot-generated.
10. The non-transitory computer-readable medium of claim 9, wherein the predetermined threshold is determined based on a type of the one or more actions.
11. The non-transitory computer-readable medium of claim 9, wherein the predetermined threshold is determined based on a rate at which the one or more actions occur.
12. The non-transitory computer-readable medium of claim 9, wherein the predetermined threshold is determined based on a type of resource on which the one or more actions are performed.
13. The non-transitory computer-readable medium of claim 9, wherein determining whether the text string is bot-generated based at least in part on the entropy value comprises: providing the list of one or more actions and the entropy value to a neural network; and receiving an output of the neural network indicating whether the text string is bot-generated.
14. The non-transitory computer-readable medium of claim 9, wherein the operations further comprise altering a baseline threshold used to detect threats in the cloud environment based on the entropy value.
15. The non-transitory computer-readable medium of claim 14, wherein the operations further comprise altering an upper threshold used to detect threats in the cloud environment based on the entropy value.
16. A system comprising: one or more processors; and one or more memory devices comprising instructions that, when executed by the one or more processors, cause the one or more processors to perform operations comprising: receiving a list of one or more actions from a cloud environment, wherein the list of one or more actions are recorded by the cloud environment and sent to a server that monitors security for a plurality of different cloud environments; identifying a text string in the list of one or more actions, wherein the text string is received by the cloud environment as part of a request from a client device; calculating an entropy value for the text string; comparing the entropy value to a predetermined threshold; determining whether the text string is bot-generated if the entropy value exceeds the predetermined threshold; and determining whether to generate an alert based at least in part on a result of determining whether the text string is bot-generated.
17. The system of claim 16, wherein the operations further comprise determining that the one or more actions are executed against a same resource.
18. The system of claim 16, wherein the operations further comprise determining that the one or more actions are executed by a same user.
19. The system of claim 16, wherein determining whether to generate the alert comprises: determining that the system had determined not to generate the alert based on a similarity score being compared to a baseline threshold and an upper threshold; and causing the system to generate the alert based on the entropy value.
20. The non-transitory computer-readable medium of claim 9, wherein the text string comprises a random text string generated by a bot.
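As an added illustration of claims 1 to 8 and 10 (this is not code from the patent or its assignee), the following Python computes the entropy measure the way the claims lay it out: per-token probability, base-2 logarithm, product, and sum, after whitelist stripping and concatenation across actions, then compares it to a per-action-type threshold. Tokens are assumed to be single characters, and the whitelist, threshold values and sample requests are constructed assumptions.

```python
import math
from collections import Counter

# Constructed per-action-type thresholds (claim 10); the values are assumptions.
THRESHOLDS = {"CreateBucket": 3.5, "default": 3.0}

# Constructed white list of common text removed before scoring (claim 7).
WHITELIST = ("prod-", "dev-", "backup", "test")


def shannon_entropy(text: str) -> float:
    """Claims 2-5: p(token), log2 p, p * log2 p, summed (negated) over tokens.
    Tokens are assumed to be single characters; the claims do not fix this."""
    if not text:
        return 0.0
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in Counter(text).values())


def strip_whitelist(text: str, whitelist=WHITELIST) -> str:
    """Claim 7: remove white-listed common substrings before calculating entropy."""
    for common in whitelist:
        text = text.replace(common, "")
    return text


def extract_text(actions) -> str:
    """Claims 6 and 8: take the request substring of each action and combine them."""
    return "".join(strip_whitelist(action["request"]) for action in actions)


def is_bot_generated(actions) -> tuple[bool, float]:
    """Claim 1: the combined string is flagged as bot-generated when its entropy
    exceeds the predetermined threshold for the action type (claim 10)."""
    text = extract_text(actions)
    entropy = shannon_entropy(text)
    action_type = actions[0]["type"] if actions else "default"
    threshold = THRESHOLDS.get(action_type, THRESHOLDS["default"])
    return entropy > threshold, entropy


if __name__ == "__main__":
    # Constructed sample actions: a human-style name and a random bot-style name.
    human = [{"type": "PutObject", "request": "prod-web-server-backup"}]
    bot = [{"type": "CreateBucket", "request": "x7Qz9pLm2vKw4Rt8"}]
    for label, acts in (("human", human), ("bot", bot)):
        flagged, h = is_bot_generated(acts)
        print(f"{label}: entropy={h:.3f} bot_generated={flagged}")
```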
Traffic logging, e.g. anomaly detection · CPC title
in a distributed system consisting of a plurality of standalone computer nodes, e.g. clusters, client-server systems · CPC title
by exceeding a count or rate limit, e.g. word- or bit count limit · CPC title
for evaluating statistical data {, e.g. average values, frequency distributions, probability functions, regression analysis (forecasting specially adapted for a specific administrative, business or logistic context G06Q10/04)} · CPC title
Means for error signaling, e.g. using interrupts, exception flags, dedicated error registers · CPC title