Patent · US Active

Analyzing user behavior patterns to detect compromised nodes in an enterprise network

US11700269B2 · kind B2 · utility

Cited by: 0
References: 2
Claims: 21
Family size: 0

Key dates

Filing date: Dec 18, 2018
Grant date: Jul 11, 2023
Expiry date: Sep 10, 2041

Classification

  • Technology area (CPC H): Electricity
  • CPC primary: H04L43/16
  • WIPO field: Digital communication
  • WIPO sector: Electrical engineering

Abstract

Systems and methods for analyzing user behavior patterns to detect compromised computing devices in an enterprise network are provided. According to one embodiment, an enforcement engine running on a network security device identifies the top users of a network exhibiting suspicious behavior relating to login failures by determining a first set of users whose number of login failure events during a given time duration exceeds a threshold. From the first set of computers associated with those top users, the enforcement engine identifies a second set of computers exhibiting suspicious behavior relating to new connections, namely computers whose number of new connections exceeds a threshold. The enforcement engine then classifies a third set of computers, a subset of the second set exhibiting suspicious behavior relating to consecutive new connections, as compromised source computers when the sequence of their respective new connections yields a Shannon entropy measure exceeding a threshold.
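The three-stage filter described in the abstract (login-failure threshold per user, new-connection threshold per associated host, Shannon entropy over the ordered sequence of new-connection destinations) can be illustrated on a small constructed event log. The following is an added example written for this page, not code from the patent or its assignee; the event records, the threshold values, and the choice to select "top users" by a simple count threshold rather than a ranking are all assumptions made here. The entropy stage is what separates a host fanning out to many distinct new destinations (high entropy, typical of scanning or lateral movement) from a host that repeatedly reconnects to one new server after a credential reset (low entropy, usually benign).

```python
import math
from collections import Counter, defaultdict

# Constructed sample telemetry for this example (not from the patent).
# Each record: (minute offset within the analysis window, user,
# source host, event type, destination host or None).
EVENTS = [
    # alice: burst of login failures from ws-01, then fan-out to many new hosts
    *[(m, "alice", "ws-01", "login_failure", None) for m in range(0, 6)],
    *[(10 + i, "alice", "ws-01", "new_connection", f"srv-{i:02d}") for i in range(8)],
    # carol: login failures too, but every new connection goes to one server
    *[(m, "carol", "ws-03", "login_failure", None) for m in range(0, 5)],
    *[(10 + i, "carol", "ws-03", "new_connection", "srv-99") for i in range(6)],
    # bob: normal activity, a single failure and a couple of new connections
    (3, "bob", "ws-02", "login_failure", None),
    (12, "bob", "ws-02", "new_connection", "srv-01"),
    (15, "bob", "ws-02", "new_connection", "srv-02"),
]

# Assumed thresholds; a deployment would tune these to its own baseline.
LOGIN_FAILURE_THRESHOLD = 3   # failures per user within the window
NEW_CONNECTION_THRESHOLD = 4  # new connections per host within the window
ENTROPY_THRESHOLD = 2.0       # bits, over the destination sequence


def shannon_entropy(sequence):
    """Shannon entropy in bits of the empirical distribution of `sequence`."""
    if not sequence:
        return 0.0
    counts = Counter(sequence)
    n = len(sequence)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def top_users_by_login_failures(events, threshold=LOGIN_FAILURE_THRESHOLD):
    """Stage 1: users whose login-failure count in the window exceeds the threshold."""
    failures = Counter(e[1] for e in events if e[3] == "login_failure")
    return {user for user, c in failures.items() if c > threshold}


def hosts_for_users(events, users):
    """Source hosts associated with the given users (the 'first set of computers')."""
    return {e[2] for e in events if e[1] in users}


def hosts_with_excess_new_connections(events, hosts, threshold=NEW_CONNECTION_THRESHOLD):
    """Stage 2: among `hosts`, those whose new-connection count exceeds the threshold."""
    counts = Counter(e[2] for e in events
                     if e[3] == "new_connection" and e[2] in hosts)
    return {host for host, c in counts.items() if c > threshold}


def destination_sequences(events, hosts):
    """Ordered destination sequence of new connections, per host."""
    seqs = defaultdict(list)
    for e in sorted(events, key=lambda rec: rec[0]):
        if e[3] == "new_connection" and e[2] in hosts:
            seqs[e[2]].append(e[4])
    return seqs


def compromised_hosts(events, hosts, threshold=ENTROPY_THRESHOLD):
    """Stage 3: hosts whose consecutive new-connection sequence has entropy above the threshold."""
    seqs = destination_sequences(events, hosts)
    return {host for host, seq in seqs.items() if shannon_entropy(seq) > threshold}


def detect(events=EVENTS):
    """Run the three stages and return every intermediate set for inspection."""
    users = top_users_by_login_failures(events)
    candidate_hosts = hosts_for_users(events, users)
    noisy_hosts = hosts_with_excess_new_connections(events, candidate_hosts)
    flagged = compromised_hosts(events, noisy_hosts)
    return {
        "top_users": users,
        "candidate_hosts": candidate_hosts,
        "noisy_hosts": noisy_hosts,
        "compromised": flagged,
    }


if __name__ == "__main__":
    for stage, members in detect().items():
        print(f"{stage}: {sorted(members)}")
```

On the constructed data both alice and carol pass stage 1 and both of their hosts pass stage 2, but only ws-01 is flagged: its eight new connections go to eight distinct servers (entropy 3.0 bits), while ws-03's six connections all go to srv-99 (entropy 0.0). Keeping the intermediate sets in the result makes it straightforward to surface why a host was or was not flagged in an alert.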

Source: USPTO / EPO open patent data. Objective bibliographic and citation counts.