Patent · US Active

Anomaly detection based on processes executed within a network

US11423143B1 · kind B1 · utility

Cited by: 12
References: 49
Claims: 20
Family size: 0

Assignee

Inventors

Key dates

Filing date: Dec 20, 2018
Grant date: Aug 23, 2022
Priority date
Expiry date: May 29, 2041

Classification

  • Technology area (CPC G): Physics
  • CPC primary: G06F2201/81
  • WIPO field: Computer technology
  • WIPO sector: Electrical engineering

Abstract

A cybersecurity system, method, and computer program is provided for detecting whether an entity's collection of processes during an interval is abnormal compared to the historical collection of processes observed for the entity during previous intervals of the same length. Logs from a training period are used to calculate global and local risk probabilities for each process based on the process's execution history during the training period. Risk probabilities may be computed using a Bayesian framework. For each entity in a network, an entity risk score is calculated by summing the applicable risk probabilities of the unique processes executed by the entity during an interval. An entity's historical risk scores form a score distribution. If an entity's current score is an outlier on the historical score distribution, an alert of potentially malicious behavior is generated with respect to the entity. Additional post-processing may be performed to reduce false positives.
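Worked illustration of the scoring pipeline the abstract describes (training-period risk probabilities, per-entity score from the unique processes in an interval, outlier test against the entity's own historical score distribution, post-processing gate). This is an added example, not the patent's own code or reference implementation, and it fills in details the abstract leaves open with stated assumptions: the "Bayesian" risk probability is the Laplace-smoothed probability that a process is absent from an observation unit (posterior mean under a Beta(1,1) prior); "applicable" risk means the entity's local probability when the entity ran the process during training and the global probability otherwise; the outlier test is a z-score against the entity's historical scores; and the false-positive post-processing step only lets an outlier alert through when at least one process in the interval was never seen for that entity. The training log, host names and process names are constructed sample data.

```python
"""Entity-level anomaly detection over process execution, modelled on the
patent abstract. Added illustration with assumed formulas; not the patent's
reference code."""
from collections import defaultdict
from statistics import mean, pstdev


def _baseline(entity, procs, n_intervals=4):
    # Same process set in every training interval for one entity.
    return [(entity, i, p) for i in range(n_intervals) for p in procs]


# Constructed training log: (entity, interval_index, process_name) tuples.
TRAINING_LOG = (
    _baseline("hostA", ["explorer.exe", "chrome.exe", "outlook.exe"])
    + _baseline("hostB", ["explorer.exe", "chrome.exe", "excel.exe"])
    + _baseline("hostC", ["explorer.exe", "code.exe"])
    + [("hostA", 2, "powershell.exe")]  # one-off process, seen in a single interval
)


class ProcessRiskModel:
    """Global and local per-process risk probabilities learned from a training log."""

    def __init__(self, log):
        units = defaultdict(set)  # (entity, interval) -> set of processes executed
        for entity, interval, proc in log:
            units[(entity, interval)].add(proc)
        self.n_units = len(units)
        self.global_counts = defaultdict(int)                    # proc -> #units containing it
        self.local_counts = defaultdict(lambda: defaultdict(int))  # entity -> proc -> #intervals
        self.history = defaultdict(dict)                         # entity -> interval -> procs
        for (entity, interval), procs in units.items():
            self.history[entity][interval] = procs
            for p in procs:
                self.global_counts[p] += 1
                self.local_counts[entity][p] += 1

    @staticmethod
    def _smoothed_risk(count, total):
        # Assumption: risk = P(process absent from a unit), Laplace-smoothed
        # (posterior mean of a Beta(1,1) prior). Rare processes score near 1.
        return 1.0 - (count + 1) / (total + 2)

    def global_risk(self, proc):
        return self._smoothed_risk(self.global_counts.get(proc, 0), self.n_units)

    def local_risk(self, entity, proc):
        n_intervals = len(self.history[entity])
        return self._smoothed_risk(self.local_counts[entity].get(proc, 0), n_intervals)

    def applicable_risk(self, entity, proc):
        # Assumption: local probability if the entity ran the process in training,
        # otherwise fall back to the network-wide (global) probability.
        if self.local_counts[entity].get(proc, 0) > 0:
            return self.local_risk(entity, proc)
        return self.global_risk(proc)

    def entity_score(self, entity, procs):
        # Sum of applicable risks over the *unique* processes in the interval.
        return sum(self.applicable_risk(entity, p) for p in set(procs))

    def historical_scores(self, entity):
        # Score each training interval the same way to build the score distribution.
        return [self.entity_score(entity, procs)
                for _, procs in sorted(self.history[entity].items())]

    def evaluate(self, entity, procs, z_threshold=3.0):
        """Score one current interval and decide whether to alert on the entity."""
        procs = set(procs)
        hist = self.historical_scores(entity)
        if not hist:
            raise ValueError(f"no training history for entity {entity!r}")
        mu = mean(hist)
        sigma = max(pstdev(hist), 1e-6)  # floor avoids division by zero on flat histories
        score = self.entity_score(entity, procs)
        z = (score - mu) / sigma
        outlier = z > z_threshold  # assumption: one-sided z-score outlier test
        # Post-processing gate (assumption): suppress the alert unless the
        # interval contains a process this entity never executed in training.
        never_seen = sorted(p for p in procs if self.local_counts[entity].get(p, 0) == 0)
        return {"score": score, "z": z, "outlier": outlier,
                "alert": outlier and bool(never_seen), "never_seen": never_seen}


if __name__ == "__main__":
    model = ProcessRiskModel(TRAINING_LOG)
    current = ["explorer.exe", "chrome.exe", "outlook.exe", "powershell.exe", "unseen_binary.exe"]
    print(model.evaluate("hostA", current))
```

With the constructed log, hostA's four training intervals score 0.5, 0.5, 7/6 and 0.5; the current interval above adds a never-seen process at global risk 13/14 and scores 44/21, roughly 4.9 standard deviations above the entity's mean, so it alerts. hostB repeating its usual set scores exactly its historical mean and stays quiet, and lowering the threshold on a hostA interval made only of previously seen processes shows the gate discarding an outlier that carries nothing new.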

Source: USPTO / EPO open patent data. Objective bibliographic and citation counts.