Title: Systems and methods for detection of anomalous network behavior
Abstract: There is provided a computer implemented method for detecting anomalous behavior in a network, comprising: receiving data representing at least one network activity, each network activity representing a certain data access event involving certain network entities; extracting from the data the certain network entities involved in the respective network activity; retrieving at least one relevant diversity value from a network behavior model based on the extracted certain network entities, wherein the network behavior model includes at least one diversity value, wherein each respective diversity value represents a certain relationship between at least one network entity and at least one network entity type; calculating an abnormality score for the received network activity based on the retrieved relevant diversity values; and classifying the network activity as anomalous or normal based on the calculated abnormality score.
Publication number: US9565203 (B2)    Publication date: 2017.02.07
Application number: US201414540289    Filing date: 2014.11.13
Applicant: Cyber-Ark Software Ltd.    Inventors: Bernstein Ruth; Dulkin Andrey
Classification: G06F21/56; H04L29/06    Main classification: G06F21/56
Main claim: 1. A computer implemented method for detecting anomalous behavior in a network, comprising:
  receiving, using at least one hardware processor, data representing at least one network activity, each network activity representing a certain data access event occurring between certain network entities;
  extracting from said data representing each respective network activity the certain network entities involved in the respective network activity;
  retrieving a plurality of relevant diversity values from a network behavior model based on said extracted certain network entities, wherein said network behavior model includes relevant diversity values, wherein each respective relevant diversity value represents a certain relationship between at least one network entity and at least one network entity type;
  calculating a first abnormality score using a first combination of relevant diversity values;
  calculating a second abnormality score using a second combination of relevant diversity values, wherein the first abnormality score and the second abnormality score are different;
  designating the lower of said first and said second abnormality scores as a minimum score, and designating the higher of said first and said second abnormality scores as a maximum score;
  classifying said at least one network activity, wherein the classifying comprises at least one member of the group consisting of: classifying said at least one received network activity as normal when said maximum score is below a predefined threshold, classifying said at least one received network activity as anomalous when said minimum score is above said predefined threshold, classifying said at least one received network activity as normal when the average of said minimum score and said maximum score is below said predefined threshold, and classifying said at least one received network activity as anomalous when the average of said minimum score and said maximum score is above said predefined threshold; and
  generating an alert when said at least one network activity is classified as anomalous.
Address: Petach-Tikva, IL