Independent claim
1. A method of detecting risky communication in a network, the method comprising:
generating, by processing circuitry, a network history baseline from prior network communications occurring in the network;
for a new network communication, assigning, by the processing circuitry, the new network communication a risk score based on a comparison of the new network communication to the network history baseline, the risk score being a numerical measure of behavioral normalcy relative to the prior network communications occurring in the network; and
providing, by the processing circuitry, an output signal having a first value when the risk score is above a predefined risk threshold to indicate that the risk score exceeds the predefined risk threshold, and a second value which is different than the first value when the risk score is below the predefined risk threshold to indicate that the risk score does not exceed the predefined risk threshold;
wherein the network history baseline includes normal behavior profiles and abnormal behavior profiles; and
wherein assigning the new network communication the risk score includes:
performing a set of anomaly detection operations to gauge difference between Hypertext Transfer Protocol (HTTP) attributes of the new network communication and the normal behavior profiles, and performing a set of pattern matching operations to gauge difference between the HTTP attributes of the new network communication and the abnormal behavior profiles, the risk score being based at least in part on (i) the gauged difference between the HTTP attributes of the new network communication and the normal behavior profiles and (ii) the gauged difference between the HTTP attributes of the new network communication and the abnormal behavior profiles.
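A simplified illustration of the scoring scheme the claim describes, added here as an example and not code from the patent or its assignee: a normal behavior profile is derived from constructed prior HTTP requests, abnormal behavior profiles are hypothetical known-bad patterns, and the risk score combines the anomaly distance (i) with the pattern-match count (ii) before being thresholded into a two-valued output signal. The attribute set, weights and threshold are assumptions chosen for illustration.

```python
import re
from statistics import mean, pstdev

# Constructed prior HTTP requests forming the network history baseline
# (method, path, header count, User-Agent); values are made up for illustration.
BASELINE = [
    ("GET", "/index.html", 7, "Mozilla/5.0"),
    ("GET", "/about", 7, "Mozilla/5.0"),
    ("POST", "/login", 8, "Mozilla/5.0"),
    ("GET", "/img/logo.png", 6, "Mozilla/5.0"),
    ("GET", "/css/site.css", 7, "Mozilla/5.0"),
]

# Abnormal behavior profiles: hypothetical known-bad HTTP patterns matched against
# a "METHOD path UA=user-agent" string built from the request attributes.
ABNORMAL_PROFILES = [re.compile(r"\.\./"), re.compile(r"UA=$")]

# Numeric HTTP attributes used for the anomaly detection side (assumed set).
NUMERIC = {"path_len": lambda r: len(r[1]), "header_count": lambda r: r[2]}

def build_normal_profile(requests):
    """Normal behavior profile: mean/stdev of each numeric attribute plus the seen methods."""
    profile = {}
    for attr, extract in NUMERIC.items():
        values = [extract(r) for r in requests]
        profile[attr] = (mean(values), pstdev(values) or 1.0)  # avoid division by zero
    profile["methods"] = {r[0] for r in requests}
    return profile

def anomaly_score(req, profile, cap=5.0):
    """Anomaly detection: summed, capped z-distances of the request from the normal profile."""
    score = sum(min(abs(extract(req) - profile[a][0]) / profile[a][1], cap)
                for a, extract in NUMERIC.items())
    if req[0] not in profile["methods"]:
        score += cap  # HTTP method never seen in the baseline
    return score

def pattern_score(req, abnormal_profiles):
    """Pattern matching: number of abnormal profiles the request's HTTP attributes match."""
    text = f"{req[0]} {req[1]} UA={req[3]}"
    return sum(1 for p in abnormal_profiles if p.search(text))

def risk_score(req, profile, abnormal_profiles, w_pattern=5.0):
    """Risk score from (i) distance to normal profiles and (ii) matches to abnormal profiles."""
    return anomaly_score(req, profile) + w_pattern * pattern_score(req, abnormal_profiles)

def output_signal(score, threshold=6.0):
    """Two-valued output signal: 1 when the score exceeds the threshold, 0 otherwise."""
    return 1 if score > threshold else 0

if __name__ == "__main__":
    prof = build_normal_profile(BASELINE)
    for req in [("GET", "/contact", 7, "Mozilla/5.0"), ("TRACE", "/", 7, "Mozilla/5.0"),
                ("GET", "/files/../../config", 2, "")]:
        s = risk_score(req, prof, ABNORMAL_PROFILES)
        print(f"{req[0]} {req[1]}: risk={s:.2f} signal={output_signal(s)}")
```

The second request trips the signal on the anomaly side alone (unseen method, short path), while the third is flagged by both sides; in a real deployment the baseline would be recomputed over a sliding window so that the profile tracks legitimate drift in traffic.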