| 发明名称 |
Anomaly detection using adaptive behavioral profiles |
| 摘要 |
Anomalous activities in a computer network are detected using adaptive behavioral profiles that are created by measuring at a plurality of points and over a period of time observables corresponding to behavioral indicators related to an activity. Normal kernel distributions are created about each point, and the behavioral profiles are created automatically by combining the distributions using the measured values and a Gaussian kernel density estimation process that estimates values between measurement points. Behavioral profiles are adapted periodically using data aging to de-emphasize older data in favor of current data. The process creates behavioral profiles without regard to the data distribution. An anomaly probability profile is created as a normalized inverse of the behavioral profile, and is used to determine the probability that a behavior indicator is indicative of a threat. The anomaly detection process has a low false positive rate. |
| 申请公布号 |
US9544321(B2) |
申请公布日期 |
2017.01.10 |
| 申请号 |
US201514811732 |
申请日期 |
2015.07.28 |
| 申请人 |
Securonix, Inc. |
发明人 |
Baikalov Igor A.;Gulati Tanuj;Nayyar Sachin;Shenoy Anjaneya;Patwardhan Ganpatrao H. |
| 分类号 |
H04L29/06;G06N7/00 |
主分类号 |
H04L29/06 |
| 代理机构 |
|
代理人 |
Young Barry N. |
| 主权项 |
1. A method of automated detection of anomalous activities in a computer network of an organization comprising:
measuring, at a plurality of points, values of observables corresponding to behavioral indicators related to an activity over a predetermined period of time; forming distributions of estimated values about said plurality of points based upon said measured values of observables at said points; creating a behavioral profile for each of said behavioral indicators over a range of points by combining said distributions and said measured values using a kernel density estimation process, wherein said creating a behavioral profile using the kernel density estimation process comprises selecting a kernel bandwidth based upon the type of data being measured; forming an anomaly probability based upon a normalized inverse of said behavioral profile; determining a probability that a behavioral indicator that deviates from said behavioral profile for said behavioral indicator by more than a predetermined amount is an anomaly by comparing said behavioral indicator to said anomaly probability; and identifying that said activity is an anomaly when said determined probability exceeds a predetermined threshold. |
| 地址 |
Los Angeles CA US |
