US 11,916,944 B2
Network anomaly detection and profiling
Daniel Bardenstein, San Francisco, CA (US)
Assigned to Palantir Technologies Inc., Denver, CO (US)
Filed by Palantir Technologies Inc., Denver, CO (US)
Filed on Nov. 22, 2021, as Appl. No. 17/456,101.
Application 17/456,101 is a continuation of application No. 16/366,274, filed on Mar. 27, 2019, granted, now 11,218,499.
Application 16/366,274 is a continuation of application No. 15/201,856, filed on Jul. 5, 2016, granted, now 10,291,637, issued on May 14, 2019.
Prior Publication US 2022/0150266 A1, May 12, 2022
This patent is subject to a terminal disclaimer.
Int. Cl. H04L 29/06 (2006.01); H04L 9/40 (2022.01); G06F 21/55 (2013.01)
CPC H04L 63/1425 (2013.01) [G06F 21/552 (2013.01); H04L 63/1408 (2013.01); H04L 63/1416 (2013.01); H04L 63/20 (2013.01)]
18 Claims
1. A computer system for anomaly detection and profiling, the computer system comprising:
one or more computer readable storage devices configured to store computer executable instructions; and
one or more computer processors in communication with the one or more computer readable storage devices and configured to execute the computer executable instructions to cause the computer system to:
access information indicating network activity associated with an actor;
access a data store containing a plurality of profiles, wherein at least some of the plurality of profiles are representative of groups to which previous anomalous network activity has been attributed;
identify one or more features of the network activity that are anomalous;
identify one or more attributes associated with a first profile of the plurality of profiles, the first profile associated with a first group;
compare the one or more features of the network activity to the one or more attributes associated with the first profile to generate a similarity score, wherein the similarity score is indicative of a likelihood that the network activity is associated with the first group;
based at least in part on the similarity score satisfying a threshold, associate the actor with the first profile associated with the first group;
receive one or more filter criteria usable to identify at least the first group and at least a first attribute; and
responsive to receiving the one or more filter criteria, cause display of a user interface including at least a visualization of a trend in at least values of the first attribute associated with the first group over time, wherein the values of the first attribute are based at least in part on the network activity.
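The steps recited in claim 1, sketched as an added example that is not taken from the patent or from any Palantir code. The Jaccard metric, the 0.5 threshold, the best-match selection across profiles, and all group, actor and attribute names are assumptions, and the event data is constructed.

```python
from collections import defaultdict

# Constructed sample data: group names, attribute strings and the threshold
# are assumptions for illustration, not values from the patent.
PROFILES = {
    "group-A": {"tool:custom-rat", "port:8443", "hours:02-05-utc", "tld:.example"},
    "group-B": {"tool:commodity-loader", "port:443", "hours:13-17-utc"},
}
THRESHOLD = 0.5
EVENTS = {
    "actor-1": [
        {"day": "2024-01-01", "feature": "port:8443", "anomalous": True},
        {"day": "2024-01-01", "feature": "tool:custom-rat", "anomalous": True},
        {"day": "2024-01-02", "feature": "port:8443", "anomalous": True},
        {"day": "2024-01-02", "feature": "hours:02-05-utc", "anomalous": True},
        {"day": "2024-01-02", "feature": "port:80", "anomalous": False},
    ],
    "actor-2": [{"day": "2024-01-01", "feature": "port:22", "anomalous": True}],
}

def similarity(features, attributes):
    """Jaccard overlap (an assumed metric) of anomalous features and profile attributes."""
    union = features | attributes
    return len(features & attributes) / len(union) if union else 0.0

def attribute_actor(events, profiles=PROFILES, threshold=THRESHOLD):
    """Return (group, score) for the best-scoring profile, or (None, score) below threshold."""
    anomalous = {e["feature"] for e in events if e["anomalous"]}
    scores = {g: similarity(anomalous, attrs) for g, attrs in profiles.items()}
    group = max(scores, key=scores.get)
    return (group if scores[group] >= threshold else None, scores[group])

def trend(associations, events_by_actor, group, attribute):
    """Filter by group and attribute name; count each attribute value per day."""
    series = defaultdict(lambda: defaultdict(int))
    for actor, assigned in associations.items():
        if assigned != group:
            continue
        for e in events_by_actor[actor]:
            name, _, value = e["feature"].partition(":")
            if name == attribute:
                series[e["day"]][value] += 1
    return {day: dict(vals) for day, vals in sorted(series.items())}

# Actor -> associated group (None when no profile meets the threshold).
ASSOCIATIONS = {actor: attribute_actor(ev)[0] for actor, ev in EVENTS.items()}
```

The per-day dictionary returned by `trend` is the data a time-series visualization for the filtered group and attribute would plot.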