Network security apparatus and method of detecting malicious behavior in computer networks via cost-sensitive and connectivity constrained classification

Assignee

• International Business Machines Corporation · US

Inventors

• Jing Gao · Urbana, US
• Deepak S. Turaga · Elmsford, US
• Long H. Vu · White Plains, US
• Houping Xiao · Buffalo, US

Key dates

Classification

• Technology area (CPC H)Electricity
• CPC primaryH04L63/1433
• WIPO fieldDigital communication
• WIPO sectorElectrical engineering

Abstract

A network security apparatus includes a packet detector detecting transmission of data packets between a plurality of hosts and a plurality of domains and defining a plurality of links therefrom. A model builder circuit receives the plurality of links from the packet detector, receives ground truth information labeling one or more of the plurality of hosts or one or more of the plurality of domains as benign or malicious, generates predictive models from the received links and ground truth information, and stores generated predictive models in a predictive model database. An anomaly detector circuit retrieves the generated predictive models from the predictive model database and uses the predictive models to label each of the plurality of hosts and plurality of domains, that have not previously been labeled by the ground truth information, as benign or malicious.