Title: Anomaly detection in groups of network addresses
Abstract: A method for identifying anomalies in a group of network addresses includes building a model of the group of network addresses and identifying a network address as anomalous based on the deviation of the network address from the model. The model is built from a group of network addresses. The network addresses are input and parsed into one or more address trees. A ripeness score is maintained for each node in the address trees, based at least in part on the number of occurrences of the network address portion represented by the node. Nodes whose ripeness scores fall within a specified range are classified as ripe nodes and may be indicative of normal behavior; nodes whose ripeness scores fall outside the specified range are classified as unripe and may be indicative of anomalous behavior.
Publication number: US9497206 (B2)    Publication date: 2016.11.15
Application number: US201414253945    Filing date: 2014.04.16
Applicant: Cyber-Ark Software Ltd.    Inventors: Bernstein Ruth; Dulkin Andrey; Weiss Assaf; Shmueli Aviram
Classification: H04L29/06    Main classification: H04L29/06
Agency / Agent: none listed
Independent claim 1. A method for identifying anomalies in a group of network addresses, comprising:
inputting, with a data processor, a plurality of network addresses;
parsing said plurality of network addresses, with said data processor, into at least one tree data structure, each tree data structure comprising a plurality of nodes wherein successive nodes in said tree data structure represent successive portions of said network addresses;
during said parsing, assigning a respective ripeness score to each of said nodes, said respective ripeness score indicating a number of occurrences of each of said nodes in said plurality of network addresses;
building a model of normal behavior from tree data structure nodes assigned respective ripeness scores within a specified range of ripeness scores and excluding from said tree data structure nodes with assigned respective ripeness scores outside said specified range; and
for an input network address: traversing said model of network behavior along said input network address; identifying whether said input network address is anomalous based on a deviation of said network address from said traversed model, said deviation being zero when said traversing said model of network behavior along said input network address leads to a leaf node; when an anomalous network address is identified, calculating an abnormality score indicating said deviation of said anomalous network address from said model and reclassifying said anomalous network address as normal when said abnormality score is below a specified level; and when said tree data structure comprises fewer than a specified number of leaves and at least some of said leaves have respective ripeness scores greater than a specified ripeness score, recalculating said abnormality score for said identified anomalous network address.
Address: Petach-Tikva, IL
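The abstract and claim 1 describe the core mechanism in words only; the following Python is an added illustration written for this page, not code from the patent or from Cyber-Ark. It assumes dotted IPv4 strings (one octet per tree level), takes the ripeness score to be the plain occurrence count of a prefix, defines the abnormality score as the number of unmatched address portions divided by the total number of portions, and uses constructed threshold values (`min_ripeness=2`, `normal_threshold=0.3`) and a constructed address sample. The claim's final clause (recalculating the score for small trees with well-ripened leaves) is not implemented here, because the page gives no formula for it.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Node:
    """One portion of an address (here an IPv4 octet) in the address tree."""
    count: int = 0                                      # ripeness score
    children: Dict[str, "Node"] = field(default_factory=dict)


class AddressTree:
    def __init__(self) -> None:
        self.root = Node()

    @staticmethod
    def portions(address: str) -> List[str]:
        # Assumption: dotted IPv4; each octet is one successive tree level.
        return address.strip().split(".")

    def add(self, address: str) -> None:
        """Parse one address into the tree; every node on its path ripens by one."""
        node = self.root
        node.count += 1
        for part in self.portions(address):
            node = node.children.setdefault(part, Node())
            node.count += 1

    def ripe_model(self, min_ripeness: int, max_ripeness: Optional[int] = None) -> "AddressTree":
        """Build the model of normal behaviour: keep only nodes whose score lies in range."""
        def is_ripe(n: Node) -> bool:
            return n.count >= min_ripeness and (max_ripeness is None or n.count <= max_ripeness)

        def copy_ripe(n: Node) -> Node:
            out = Node(count=n.count)
            for part, child in n.children.items():
                if is_ripe(child):                      # unripe subtrees are excluded
                    out.children[part] = copy_ripe(child)
            return out

        model = AddressTree()
        model.root = copy_ripe(self.root)
        return model

    def leaf_count(self) -> int:
        def leaves(n: Node) -> int:
            return 1 if not n.children else sum(leaves(c) for c in n.children.values())
        return 0 if not self.root.children else leaves(self.root)

    def deviation(self, address: str) -> int:
        """Traverse the model along the address; deviation = portions left unmatched."""
        node = self.root
        parts = self.portions(address)
        for i, part in enumerate(parts):
            nxt = node.children.get(part)
            if nxt is None:
                return len(parts) - i
            node = nxt
        return 0                                        # reached a leaf: fully matched


def build_model(addresses: List[str], min_ripeness: int, max_ripeness: Optional[int] = None) -> AddressTree:
    tree = AddressTree()
    for addr in addresses:
        tree.add(addr)
    return tree.ripe_model(min_ripeness, max_ripeness)


def classify(model: AddressTree, address: str, normal_threshold: float = 0.3) -> dict:
    """Flag an address as anomalous, then reclassify as normal if its score is low."""
    dev = model.deviation(address)
    score = dev / len(model.portions(address))          # assumed abnormality score
    anomalous = dev > 0 and score >= normal_threshold   # below threshold -> normal
    return {"address": address, "deviation": dev, "abnormality": score, "anomalous": anomalous}


# Constructed sample: a few well-established internal addresses plus one seen only once.
SAMPLE_ADDRESSES = ["10.0.1.5"] * 6 + ["10.0.1.7"] * 5 + ["10.0.2.9"] * 4 + ["10.0.1.8"]


def demo() -> List[dict]:
    model = build_model(SAMPLE_ADDRESSES, min_ripeness=2)
    return [classify(model, a) for a in ("10.0.1.5", "10.0.1.8", "10.0.3.1", "192.168.1.1")]


if __name__ == "__main__":
    for result in demo():
        print(result)
```

With these values the once-seen 10.0.1.8 is excluded from the model as unripe, so traversing it stops one octet short (deviation 1, score 0.25); because that score is below the 0.3 threshold it is reclassified as normal, which is the reclassification step of the claim. An address outside any ripe prefix, such as 192.168.1.1, matches nothing and scores 1.0.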