Behavioral detection of suspicious host activities in an enterprise
    Type: invention patent (granted)
    Status: in force

    Publication (announcement) number: US09516039B1

    Publication date: 2016-12-06

    Application number: US14139047

    Filing date: 2013-12-23

    CPC classification number: H04L63/14 H04L63/0245 H04L63/1425

    Abstract: Methods, apparatus and articles of manufacture for behavioral detection of suspicious host activities in an enterprise are provided herein. A method includes processing log data derived from one or more data sources associated with an enterprise network over a given period of time, wherein the enterprise network comprises multiple host devices; extracting one or more features from said log data on a per host device basis, wherein said extracting comprises: determining a pattern of behavior associated with the multiple host devices based on said processing; and identifying said features representative of host device behavior based on the determined pattern of behavior; clustering the multiple host devices into one or more groups based on said one or more features; and identifying a behavioral anomaly associated with one of the multiple host devices by comparing said host device to the one or more groups across the multiple host devices.
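    The abstract describes a pipeline of four steps: process a period of log data, extract per-host features, cluster the hosts, and flag a host that sits far from the groups its peers form. The following is an added worked example of that pipeline, written for this page; it is not code from the patent or its assignee, and the patent does not specify the feature set, the clustering algorithm or the anomaly threshold used here. The log format ("timestamp host user event result destination"), the four features (event count, failed logons, distinct destinations, off-hours events), the 08:00 to 17:59 business-hours window, k-means with k=2 and farthest-first seeding, and the "mean plus three standard deviations of the peer group's own spread" threshold are all assumptions chosen for the illustration. The sample log is constructed: ws-01 to ws-05 behave like ordinary workstations, while ws-06 is built to fail logons against a domain controller at 02:00 and then connect to several servers.

```python
import math
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample log, one event per line: "<timestamp> <host> <user> <event> <result> <dest>".
# ws-01..ws-05 are ordinary workstations; ws-06 is built to look like lateral movement at night.
LOG_LINES = """\
2013-12-02T09:14:05 ws-01 alice logon success fs-01
2013-12-02T09:20:31 ws-01 alice file_access success fs-01
2013-12-02T11:02:10 ws-01 alice http success proxy-01
2013-12-02T08:45:12 ws-02 bob logon failure fs-01
2013-12-02T08:46:03 ws-02 bob logon success fs-01
2013-12-02T14:10:44 ws-02 bob file_access success share-02
2013-12-02T10:05:00 ws-03 carol logon success fs-01
2013-12-02T12:30:19 ws-03 carol http success proxy-01
2013-12-02T13:15:27 ws-03 carol file_access success share-02
2013-12-02T19:05:52 ws-03 carol http success proxy-01
2013-12-02T09:00:08 ws-04 dave logon success fs-01
2013-12-02T16:40:33 ws-04 dave file_access success fs-01
2013-12-02T09:30:15 ws-05 erin logon failure fs-01
2013-12-02T09:31:02 ws-05 erin logon success fs-01
2013-12-02T10:00:40 ws-05 erin http success proxy-01
2013-12-03T02:10:11 ws-06 svc_backup logon failure dc-01
2013-12-03T02:11:09 ws-06 svc_backup logon failure dc-01
2013-12-03T02:15:47 ws-06 svc_backup logon success dc-01
2013-12-03T02:20:02 ws-06 svc_backup smb success srv-01
2013-12-03T02:21:18 ws-06 svc_backup smb success srv-02
2013-12-03T02:22:35 ws-06 svc_backup smb success srv-03
""".splitlines()

BUSINESS_HOURS = range(8, 18)  # assumption: 08:00-17:59 is on-hours for this enterprise


def extract_features(lines):
    """Per-host features: [events, failed logons, distinct destinations, off-hours events]."""
    events, failed, off_hours, dests = defaultdict(int), defaultdict(int), defaultdict(int), defaultdict(set)
    for line in lines:
        ts, host, _user, _event, result, dest = line.split()
        events[host] += 1
        failed[host] += result == "failure"          # bool adds as 0/1
        dests[host].add(dest)
        off_hours[host] += int(ts[11:13]) not in BUSINESS_HOURS
    return {h: [events[h], failed[h], len(dests[h]), off_hours[h]] for h in sorted(events)}


def standardize(features):
    """Z-score every feature across hosts so Euclidean distance weighs them equally."""
    cols = list(zip(*features.values()))
    mu, sd = [mean(c) for c in cols], [pstdev(c) or 1.0 for c in cols]  # constant feature -> 0
    return {h: [(v - m) / s for v, m, s in zip(vec, mu, sd)] for h, vec in features.items()}


def dist(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def kmeans(vectors, k, iters=100):
    """Deterministic k-means: farthest-first seeding, then Lloyd iterations."""
    hosts = list(vectors)
    origin = [0.0] * len(vectors[hosts[0]])
    centroids = [list(vectors[max(hosts, key=lambda h: dist(vectors[h], origin))])]
    while len(centroids) < k:
        far = max(hosts, key=lambda h: min(dist(vectors[h], c) for c in centroids))
        centroids.append(list(vectors[far]))
    assign = {}
    for _ in range(iters):
        new = {h: min(range(k), key=lambda i: dist(vectors[h], centroids[i])) for h in hosts}
        if new == assign:
            break
        assign = new
        for i in range(k):
            members = [vectors[h] for h in hosts if assign[h] == i]
            if members:                      # an emptied cluster keeps its old centroid
                centroids[i] = [mean(col) for col in zip(*members)]
    return assign, centroids


def detect_anomalies(lines, k=2, sigma=3.0):
    """Flag hosts whose distance to the nearest peer group exceeds that group's own spread
    (mean member distance + sigma standard deviations). A singleton cluster is the host
    itself, not a peer group, so it is measured against the nearest real group."""
    vectors = standardize(extract_features(lines))
    assign, centroids = kmeans(vectors, k)
    sizes = {i: sum(a == i for a in assign.values()) for i in range(k)}
    groups = [i for i in sizes if sizes[i] >= 2] or [i for i in sizes if sizes[i] == 1]
    spread = {}
    for i in groups:
        d = [dist(vectors[h], centroids[i]) for h in vectors if assign[h] == i]
        spread[i] = mean(d) + sigma * pstdev(d)
    flagged = {}
    for h, v in vectors.items():
        nearest = min(groups, key=lambda g: dist(v, centroids[g]))
        score = dist(v, centroids[nearest])
        if score > spread[nearest]:
            flagged[h] = (round(score, 2), round(spread[nearest], 2))
    return flagged
```

    Calling detect_anomalies(LOG_LINES) on the constructed sample flags only ws-06, returning its distance to the workstation group together with the threshold that group's own spread produced. Two design points matter in practice: features are standardized before clustering so that a single wide-ranging count (here, off-hours events) does not dominate the distance, and the threshold is derived from the peer group's members rather than from all hosts, so the outlier cannot inflate the spread it is being judged against. In a real deployment the feature set would be far richer (per-protocol byte counts, new-destination rates, process or authentication types), the period would be a sliding window, and k would be chosen from the data rather than fixed.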
