Title: Modeling and Outlier Detection in Threat Management System Data
Abstract: Methods, systems, and computer-readable media for identifying potential threats on a network based on anomalous behavior in communication between endpoints are provided. Traffic data for a network is accumulated over some period of time. The traffic data is grouped by one or more keys, such as source IP address, and sets of metric values are calculated for the keys. A mixture distribution, such as a negative binomial mixture distribution, is fitted to each set of metric values, and outlying metric values are determined based on the mixture distribution(s). A list of outliers is then generated comprising key values having outlying metric values in one or more of the sets of metric values.
Publication number: US2016182552(A1) Publication date: 2016.06.23
Application number: US201615056670 Filing date: 2016.02.29
Applicant: AT&T Intellectual Property I, L.P. Inventors: Wright Jeremy; Hogoboom John; Spielman Chaim
Classification: H04L29/06 Main classification: H04L29/06
Agency: Agent:
Independent claim: 1. A method of identifying potential threats on a network, the method comprising:
monitoring, by a processor of a system comprising the processor and a memory, communications between endpoints on the network;
aggregating, by the processor of the system, the communications between the endpoints into traffic data, wherein the traffic data comprises a plurality of log entries, and wherein each of the plurality of log entries comprises information identifying a corresponding transport protocol used for each of the communications between the endpoints;
storing, by the processor of the system, the traffic data;
grouping, by the processor of the system, the traffic data between the endpoints on the network based on a key value;
calculating, by the processor of the system, a first set of metric values for the traffic data grouped according to the key value and calculating, by the processor of the system, a second set of metric values for the traffic data grouped according to the key value;
fitting, by the processor of the system, a first mixture distribution to the first set of metric values and a second mixture distribution to the second set of metric values;
identifying, by the processor of the system, an endpoint from the endpoints as an outlier, wherein the endpoint identified as the outlier is associated with a metric value from the first set of metric values that does not fit the first mixture distribution and is associated with a metric value from the second set of metric values that does not fit the second mixture distribution; and
providing, by the processor of the system, the endpoint identified as the outlier to a threat management system to provide an alarm associated with identification of the endpoint as the outlier.
Address: Atlanta GA US
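As an added example (not code from the patent or from AT&T), the pipeline of the abstract and claim 1 on constructed flow logs: group entries by source IP, compute two per-key metrics (connection count and distinct destinations), fit a mixture distribution to each metric set, and report only keys that are outliers under both fits. A two-component Poisson mixture fitted by EM stands in for the negative binomial mixture named in the abstract; the log sample, the IP addresses and the 1% upper-tail threshold are assumptions.

```python
import math
from collections import defaultdict

# Constructed flow-log sample, not data from the patent: (src_ip, dst_ip, proto).
# 79 ordinary hosts open a few connections each to 1-4 destinations; host
# 10.0.1.250 sweeps 180 destinations and should stand out in both metrics.
def build_logs():
    logs = []
    for i in range(79):
        src, n_dst, n_conn = f"10.0.1.{i + 1}", 1 + (i * 5) % 4, 2 + (i * 7) % 9
        logs += [(src, f"10.0.2.{c % n_dst + 1}", "tcp") for c in range(n_conn)]
    logs += [("10.0.1.250", f"10.0.3.{d + 1}", "tcp") for d in range(180)]
    return logs + [("10.0.1.250", f"10.0.3.{d + 1}", "udp") for d in range(60)]

def metrics_by_key(logs):
    """Group entries by source IP: (connection count, distinct destination count)."""
    conns, dsts = defaultdict(int), defaultdict(set)
    for src, dst, _proto in logs:
        conns[src] += 1
        dsts[src].add(dst)
    return {k: (conns[k], len(dsts[k])) for k in conns}
def pois_logpmf(x, lam):
    return x * math.log(lam) - lam - math.lgamma(x + 1)
def fit_poisson_mixture(xs, k=2, iters=200):
    """EM for a k-component Poisson mixture (stand-in for a negative binomial mixture)."""
    s, chunk = sorted(xs), len(xs) // k
    parts = [s[j * chunk:(j + 1) * chunk if j < k - 1 else None] for j in range(k)]
    w, lam = [1.0 / k] * k, [sum(p) / len(p) for p in parts]   # init from sorted halves
    for _ in range(iters):
        resp = []                                   # E-step: responsibilities
        for x in xs:
            lp = [math.log(w[j]) + pois_logpmf(x, lam[j]) for j in range(k)]
            p = [math.exp(v - max(lp)) for v in lp]
            resp.append([v / sum(p) for v in p])
        for j in range(k):                          # M-step: re-estimate w, lam
            nj = max(sum(r[j] for r in resp), 1e-12)
            w[j] = max(nj / len(xs), 1e-300)
            lam[j] = max(sum(r[j] * x for r, x in zip(resp, xs)) / nj, 1e-6)
    return w, lam
def mixture_tail(x, w, lam):
    """Outlier score: upper-tail probability P(X >= x) under the fitted mixture."""
    cdf = [sum(math.exp(pois_logpmf(i, lj)) for i in range(x)) for lj in lam]
    return sum(wj * max(1.0 - c, 0.0) for wj, c in zip(w, cdf))

def find_outliers(metrics, alpha=0.01):
    """Keys in the alpha upper tail of every metric's mixture, as claim 1 requires."""
    keys = list(metrics)
    fits = [fit_poisson_mixture([metrics[k][m] for k in keys]) for m in range(2)]
    return sorted(k for k in keys
                  if all(mixture_tail(metrics[k][m], *fits[m]) < alpha for m in range(2)))
```

The returned list is what the claim hands to the threat management system for alarming; a host that is extreme on only one metric is not reported.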