Title of invention: Method and apparatus for examining network traffic and automatically detecting anomalous activity to secure a computer
Abstract: A method and apparatus for examining network traffic and automatically detecting anomalous activity to secure a computer is described. In one embodiment, the method includes examining network traffic that is directed to at least one endpoint computer, accessing profile information associated with the at least one endpoint computer to determine confidence indicia associated with each portion of the network traffic, comparing the confidence indicia with heuristic information to identify anomalous activity for the at least one endpoint computer, and communicating indicia of detection as to the anomalous activity to the at least one endpoint computer.
Publication number: US8789174(B1)  Publication date: 2014.07.22
Application number: US201012798854  Filing date: 2010.04.13
Applicant: Symantec Corporation  Inventor: Gupta Prashant
Classification: G06F11/30  Main classification: G06F11/30
Agent (firm): Wilmer Cutler Pickering Hale and Dorr LLP  Agent: Wilmer Cutler Pickering Hale and Dorr LLP
Main claim: 1. A method for using one or more processors automatically detecting anomalous activity in memory to secure a computer, comprising: examining at least one data segment of network traffic that is directed to at least one endpoint computer, wherein examining network traffic comprises generating profile information for each of the at least one endpoint computer, and wherein generating profile information comprises: extracting features from the at least one data segment of network traffic; defining file groupings based on the extracted features; classifying the at least one data segment of network traffic into the file groupings using the extracted features; and assigning confidence values to the file groupings; accessing the profile information associated with the at least one endpoint computer, wherein the profile information indicates characteristics of non-anomalous network traffic; computing confidence indicia for the at least one data segment of network traffic, wherein the confidence indicia are computed based on the accessed profile information and at least a portion of the at least one data segment of network traffic; comparing the confidence indicia with heuristic information to identify anomalous network activity for the at least one endpoint computer; and communicating indicia of detection as to the anomalous activity to the at least one endpoint computer.
Address: Mountain View CA US
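The main claim above describes a pipeline (extract features from a traffic segment, define and assign file groupings, attach confidence values to the groupings, compute confidence indicia for a new segment against the endpoint's profile, compare them with a heuristic threshold, and report the result to the endpoint). The following Python is an added illustration of that pipeline written for this record; it is not Symantec's code and does not reproduce any embodiment from the patent. The feature set (byte entropy, destination port, a leading-bytes content class), the grouping rule, the 0.05 threshold and all traffic samples are constructed assumptions chosen so the example runs offline.

```python
"""Illustrative profile-and-heuristic anomaly detector (constructed example, not patent code)."""
import math
import random
from collections import defaultdict
from statistics import mean, pstdev

# A segment is (endpoint, dst_port, payload bytes); this shape is an assumption of the example.


# --- Step 1: extract features from a data segment ---------------------------------
def shannon_entropy(data: bytes) -> float:
    """Bits per byte; near 8 for encrypted/compressed bodies, near 0 for padding."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def content_class(payload: bytes) -> str:
    """Coarse content type from leading bytes (constructed rule set, not a file-type library)."""
    if payload.startswith(b"\x16\x03"):
        return "tls"
    if payload[:5] in (b"GET /", b"POST ", b"HTTP/"):
        return "http"
    if payload.startswith(b"MZ"):
        return "pe"
    return "other"


def extract_features(segment):
    endpoint, dst_port, payload = segment
    return {"endpoint": endpoint, "port": dst_port, "class": content_class(payload),
            "entropy": shannon_entropy(payload), "length": len(payload)}


# --- Steps 2 and 3: define file groupings and classify segments into them ---------
def grouping_key(features):
    # A grouping is "content class seen on this destination port" (assumed grouping rule).
    return (features["class"], features["port"])


# --- Step 4: per-endpoint profile with a confidence value per grouping ------------
def build_profile(baseline_segments):
    per_endpoint = defaultdict(lambda: defaultdict(list))
    for seg in baseline_segments:
        f = extract_features(seg)
        per_endpoint[f["endpoint"]][grouping_key(f)].append(f["entropy"])
    profile = {}
    for endpoint, groups in per_endpoint.items():
        total = sum(len(v) for v in groups.values())
        profile[endpoint] = {
            key: {"confidence": len(ents) / total,          # share of known-good traffic
                  "entropy_mean": mean(ents),
                  "entropy_std": max(pstdev(ents), 0.25)}   # floor avoids over-fitting tiny baselines
            for key, ents in groups.items()}
    return profile


# --- Steps 5 and 6: confidence indicia compared with a heuristic threshold --------
HEURISTIC_THRESHOLD = 0.05  # constructed value: indicia below this are reported as anomalous


def confidence_indicia(profile, features):
    groups = profile.get(features["endpoint"], {})
    g = groups.get(grouping_key(features))
    if g is None:
        return 0.0  # grouping never observed for this endpoint
    z = (features["entropy"] - g["entropy_mean"]) / g["entropy_std"]
    return g["confidence"] * math.exp(-0.5 * z * z)  # discount for feature drift within the grouping


def detect(profile, segment):
    """Returns the indicia-of-detection record that would be communicated to the endpoint."""
    f = extract_features(segment)
    indicia = confidence_indicia(profile, f)
    return {"endpoint": f["endpoint"], "grouping": grouping_key(f),
            "indicia": round(indicia, 4), "anomalous": indicia < HEURISTIC_THRESHOLD}


# --- Constructed traffic: a known-good baseline and three candidate segments ------
_rng = random.Random(1)


def _tls_like(n=200):
    return b"\x16\x03\x03" + bytes(_rng.randrange(256) for _ in range(n))


BASELINE = [("host-a", 443, _tls_like()) for _ in range(8)] + [
    ("host-a", 80, b"GET /index.html HTTP/1.1\r\nHost: intranet.example\r\n\r\n"),
    ("host-a", 80, b"POST /api/login HTTP/1.1\r\nHost: intranet.example\r\n\r\nuser=a&pw=b"),
]
CANDIDATES = {
    "normal_tls": ("host-a", 443, _tls_like()),                    # matches the profile
    "pe_on_443": ("host-a", 443, b"MZ\x90\x00" + bytes(200)),       # grouping never seen
    "padded_tls": ("host-a", 443, b"\x16\x03\x03" + b"A" * 200),    # known grouping, wrong entropy
}
PROFILE = build_profile(BASELINE)


def run():
    return {name: detect(PROFILE, seg) for name, seg in CANDIDATES.items()}


if __name__ == "__main__":
    for name, result in run().items():
        print(name, result)
```

Two of the three candidates are flagged for different reasons: the executable on port 443 falls into a grouping the endpoint's profile has never assigned confidence to, while the padded TLS-looking segment lands in a trusted grouping but its entropy is far from that grouping's baseline, so the discount drives the indicia under the threshold. A deployment would derive the threshold and the feature set from the endpoint population rather than from the constants used here.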