Title of invention: Path scanning for the detection of anomalous subgraphs and use of DNS requests and host agents for anomaly/change detection and network situational awareness
Abstract: A system, apparatus, computer-readable medium, and computer-implemented method are provided for detecting anomalous behavior in a network. Historical parameters of the network are determined in order to determine normal activity levels. A plurality of paths in the network are enumerated as part of a graph representing the network, where each computing system in the network may be a node in the graph and the sequence of connections between two computing systems may be a directed edge in the graph. A statistical model is applied to the plurality of paths in the graph on a sliding window basis to detect anomalous behavior. Data collected by a Unified Host Collection Agent (“UHCA”) may also be used to detect anomalous behavior.
Publication number: US9560065(B2) Publication date: 2017.01.31
Application number: US201314382992 Filing date: 2013.03.14
Applicant: Los Alamos National Security, LLC Inventors: Neil Joshua Charles;Fisk Michael Edward;Brugh Alexander William;Hash, Jr. Curtis Lee;Storlie Curtis Byron;Uphoff Benjamin;Kent Alexander
Classification: H04L29/00;H04L29/06;H04L1/00;G06N5/02;G06F21/57 Main classification: H04L29/00
Agency: LeonardPatel PC Agent: LeonardPatel PC
Independent claim: 1. A computer-implemented method, comprising: determining, by a computing system, historical parameters of a network to determine normal activity levels; enumerating, by the computing system, a plurality of k-paths in the network as part of a graph representing the network, wherein each computing system in the network comprises a node in the graph and a sequence of connections between two computing systems comprise a directed edge in the graph; applying, by the computing system, a Markov edge resolution model to the plurality of k-paths in the graph on a sliding window basis; and detecting, by the computing system, anomalous behavior based on the applied Markov edge resolution model.
Address: Los Alamos NM US