US 12,238,127 B1
Anomalous data transfer detection
Vasudha Shivamoggi, Cambridge, MA (US); and Roy Hodgman, Cambridge, MA (US)
Assigned to Rapid7, Inc., Boston, MA (US)
Filed by Rapid7, Inc., Boston, MA (US)
Filed on Jan. 18, 2022, as Appl. No. 17/577,449.
Int. Cl. H04L 9/40 (2022.01); G06F 7/08 (2006.01)
CPC H04L 63/1425 (2013.01) [G06F 7/08 (2013.01)] 20 Claims
OG exemplary drawing
 
8. A method comprising:
implementing, using one or more hardware processors, anomalous data transfer detection,
wherein the implementing comprises:
determining hotspots for a particular asset of an organization, wherein the hotspots correspond to one or more periods of time in which outbound data from the particular asset satisfies a hotspot threshold determined to be indicative of high outbound data traffic activity for the particular asset;
identifying, based on the outbound data, a first set of days of the week as one or more quiet days of the week based on a number of hotspots in the first set of days of the week;
identifying, based on the outbound data, a second set of days of the week as one or more active days of the week based on a number of hotspots in the second set of days of the week;
identifying, based on the outbound data, one or more quiet hours of the day associated with the one or more active days of the week based on a number of hotspots in the one or more quiet hours of the day;
identifying the one or more quiet days of the week and the one or more quiet hours of the day as a warmspot dataset associated with one or more warmspots;
utilizing the warmspot dataset to detect anomalous data transfer activity associated with the particular asset, wherein, to detect the anomalous data transfer activity, the one or more hardware processors are configured to compute one or more statistics on the warmspot dataset; and
responsive to detecting the anomalous data transfer activity, generating an alert associated with the particular asset.
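The steps of claim 8 carried through on constructed data, as an added worked example that is not Rapid7's implementation. The patent does not specify the hotspot threshold, the rule separating quiet from active days and hours, or the statistic computed on the warmspot dataset, so the percentile threshold, the below-average split rule, the z-score test with its `k` parameter, the sample traffic history and the `host-01` asset name are all assumptions made here for illustration.

```python
"""Warmspot-based detection of anomalous outbound transfers (claim 8 steps).

Illustrative code, not Rapid7's implementation. The hotspot percentile,
the below-average quiet/active split, and the mean/stdev z-score test
are assumptions; the patent leaves these choices open.
"""
from collections import Counter
from datetime import datetime, timedelta
import random
import statistics


def build_sample_history(weeks=4, seed=7):
    """Constructed hourly outbound byte counts for one asset: heavy during
    weekday business hours, light at night and on weekends."""
    rng = random.Random(seed)
    start = datetime(2022, 1, 3)  # a Monday
    history = []
    for h in range(weeks * 7 * 24):
        ts = start + timedelta(hours=h)
        busy = ts.weekday() < 5 and 9 <= ts.hour < 18
        base = 50_000_000 if busy else 2_000_000
        history.append((ts, int(rng.gauss(base, base * 0.1))))
    return history


def find_hotspots(history, percentile=75):
    """Hotspots: hours whose outbound volume meets the hotspot threshold.
    Assumption: the threshold is a high percentile of the asset's own history."""
    volumes = sorted(v for _, v in history)
    threshold = volumes[int(len(volumes) * percentile / 100)]
    return [(ts, v) for ts, v in history if v >= threshold]


def split_days(hotspots):
    """Quiet vs. active days of the week by hotspot count per weekday.
    Assumption: a day with fewer hotspots than the weekly average is quiet."""
    counts = Counter(ts.weekday() for ts, _ in hotspots)
    mean = len(hotspots) / 7
    quiet = {d for d in range(7) if counts.get(d, 0) < mean}
    return quiet, set(range(7)) - quiet


def quiet_hours(hotspots, active_days):
    """Quiet hours of the day on the active days, by hotspot count per hour.
    Assumption: an hour with fewer hotspots than the daily average is quiet."""
    active = [ts for ts, _ in hotspots if ts.weekday() in active_days]
    counts = Counter(ts.hour for ts in active)
    mean = len(active) / 24
    return {h for h in range(24) if counts.get(h, 0) < mean}


def in_warmspot(ts, quiet_days, quiet_hrs):
    """A warmspot is any hour of a quiet day, or a quiet hour of an active day."""
    return ts.weekday() in quiet_days or ts.hour in quiet_hrs


def fit(history):
    """Run the profiling steps and return the asset's warmspot model."""
    hotspots = find_hotspots(history)
    quiet_days, active_days = split_days(hotspots)
    quiet_hrs = quiet_hours(hotspots, active_days)
    warm = [v for ts, v in history if in_warmspot(ts, quiet_days, quiet_hrs)]
    # Statistics on the warmspot dataset (assumption: mean and population stdev).
    return {"quiet_days": quiet_days, "quiet_hours": quiet_hrs,
            "mean": statistics.mean(warm), "stdev": statistics.pstdev(warm),
            "samples": len(warm)}


def detect(asset, ts, outbound_bytes, model, k=4.0):
    """Return an alert dict when a warmspot-period transfer lies more than k
    standard deviations above the warmspot mean (k is an assumed tuning knob);
    return None for normal volume or for hours outside the warmspot dataset.
    `ts` may be a datetime or an ISO-8601 string as found in flow logs."""
    if isinstance(ts, str):
        ts = datetime.fromisoformat(ts)
    if not in_warmspot(ts, model["quiet_days"], model["quiet_hours"]):
        return None
    z = (outbound_bytes - model["mean"]) / max(model["stdev"], 1.0)
    if z <= k:
        return None
    return {"asset": asset, "time": ts.isoformat(), "bytes": outbound_bytes,
            "warmspot_mean": round(model["mean"]), "z": round(z, 1)}


if __name__ == "__main__":
    model = fit(build_sample_history())
    print("quiet days:", sorted(model["quiet_days"]),
          "quiet hours:", sorted(model["quiet_hours"]))
    print(detect("host-01", "2022-02-06T03:00", 40_000_000, model))  # Sunday 03:00: alert
    print(detect("host-01", "2022-02-06T03:00", 2_100_000, model))   # Sunday 03:00: None
    print(detect("host-01", "2022-02-08T10:00", 40_000_000, model))  # Tuesday 10:00: None
```

On the constructed history the quiet days come out as Saturday and Sunday, the quiet hours as 00:00-08:59 and 18:00-23:59 on weekdays, and the warmspot dataset covers 492 hourly samples. A 40 MB transfer early on a Sunday is far above the warmspot mean and produces an alert, the same volume on a Tuesday morning is outside the warmspot dataset and is not scored by this model, and a typical 2.1 MB off-hours transfer stays below the threshold.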