| CPC H04L 63/1425 (2013.01) [H04L 43/062 (2013.01); H04L 63/1416 (2013.01)] | 20 Claims |

|
1. A method for monitoring communication over a network between one or more computers, with one or more network monitoring computers (NMCs) that perform actions, comprising:
determining one or more metrics based on monitoring network traffic associated with a plurality of entities in the network;
determining one or more beaconing metrics associated with beaconing activity based on the one or more metrics;
generating a profile for each entity with one or more portions of the one or more beaconing metrics associated with update activity for each entity, wherein the update activity for an entity includes an aggregated characteristic associated with a type of the entity;
employing one or more observed cadences for validation of one or more licenses by one or more unknown applications associated with the one or more entities to infer one or more types of the one or more applications and infer one or more identities for the one or more entities;
characterizing the one or more entities based on its beaconing activity, wherein the beaconing activity includes one or more of communication with one or more endpoints associated with one or more third parties;
determining anomalous activity by the one or more entities or the one or more third parties based on one or more machine learning classifiers trained on captured network traffic to recognize the anomalous activity associated with its beaconing activity, its update activity and its license activity; and
generating one or more reports that include information associated with the one or more entities and its beaconing activity and the anomalous activity.
|