Patent · US Active

Methods and apparatus for detecting suspicious network activity

US10425432B1 · kind B1 · utility

3Cited by

1References

20Claims

0Family size

Assignee

EMC IP Holding Company LLC · US

Inventors

Kineret Raviv · Herzliya, IL
Uri Fleyder · Givat Shmuel, IL
Eyal Kolman · Nes Ziona, IL
Ofri Mann · Nes Ziona, IL

Key dates

Filing date	Jun 24, 2016
Grant date	Sep 24, 2019
Priority date	—
Expiry date	Nov 12, 2036

Classification

Technology area (CPC H)Electricity
CPC primaryH04L63/1441
WIPO fieldDigital communication
WIPO sectorElectrical engineering

Abstract

Methods and apparatus are provided for detecting suspicious network activity, such as in an enterprise network. An exemplary method comprises obtaining network event data for a plurality of user-server communications for a given user, determining a number of distinct servers the user communicated with during a predefined time window; determining a number of distinct servers the user failed in authenticating to during the predefined time window; and assigning a risk score to the user based on the number of distinct servers the user communicated with and the number of distinct servers the user failed in authenticating to during the predefined time window. Generally, the risk score provides a measure of an anomalousness of the user communicating with the number of servers during the predefined time window. An absolute score is optionally assigned based on an evaluation of the number of distinct servers the user communicated with during the predefined time window relative to a predefined threshold number.

Source: USPTO / EPO open patent data. Objective bibliographic and citation counts.