US 11,973,778 B2
Detecting anomalies in computer networks
Giulio Giaconi, London (GB); and Yipeng Cheng, London (GB)
Assigned to British Telecommunications Public Limited Company, (GB)
Appl. No. 17/309,528
Filed by BRITISH TELECOMMUNICATIONS PUBLIC LIMITED COMPANY, London (GB)
PCT Filed Dec. 1, 2019, PCT No. PCT/EP2019/083205
§ 371(c)(1), (2) Date Jun. 3, 2021,
PCT Pub. No. WO2020/114922, PCT Pub. Date Jun. 11, 2020.
Claims priority of application No. 18209889 (EP), filed on Dec. 3, 2018.
Prior Publication US 2022/0060492 A1, Feb. 24, 2022
Int. Cl. H04L 9/40 (2022.01); G06N 3/08 (2023.01)
CPC H04L 63/1425 (2013.01) [G06N 3/08 (2013.01); H04L 63/0245 (2013.01)]
13 Claims
 
1. A computer implemented method of detecting anomalous behavior within a computer network, the method comprising:
accessing data records each corresponding to an occurrence of communication occurring via the computer network and including a plurality of attributes of the communication;
generating, for each of at least a subset of the data records, a training data item for a neural network, the training data item being derived from at least a portion of the attributes of the data record and the neural network having input units and output units corresponding to items in a corpus of attribute values for communications occurring via the computer network;
augmenting the training data by replicating each of one or more training data items responsive to one or more attributes of the data record corresponding to the training data item;
training the neural network using the augmented training data so as to define a vector representation for each attribute value in the corpus based on weights in the neural network for an input unit corresponding to the attribute value;
repeating the accessing, the generating, the augmenting and the training to generate multiple generations of vector representations for each attribute value in the corpus, each generation corresponding to data records received during a different time period; and
for at least a subset of attribute values in the corpus, comparing the multiple generations of vector representations to identify a change in one or more vector representation as an indication of an anomalous change of behavior in the computer network.
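
The steps of claim 1 can be followed end to end in the Python sketch below, which is an added example and not code from the patent. The skip-gram style network with a full softmax, the replication rule (1 + bytes // 1000), the neighbour-similarity drift score, and all host addresses, ports and byte counts are constructed assumptions.

```python
import math
import random

HOSTS = [f"10.0.0.{i}" for i in range(1, 6)]  # constructed sample hosts
PERIODS = [[443, 443, 443, 22, 22],   # period 1: destination port used by each host
           [22, 443, 443, 22, 22]]    # period 2: 10.0.0.1 moves from 443 to 22
BYTES = [2500, 800, 1500, 900, 3100]  # constructed byte count of each host's record

def training_items(records):
    # Both orderings of a record's values, replicated 1 + bytes // 1000 times (assumed rule).
    items = []
    for src, port, nbytes in records:
        a, b = f"src={src}", f"port={port}"
        items.extend([(a, b), (b, a)] * (1 + nbytes // 1000))
    return items

def train(items, vocab, dim=8, epochs=200, lr=0.1, seed=7):
    # Skip-gram style network with a full softmax; returns input-side weights.
    rng = random.Random(seed)
    w_in = [[rng.uniform(-0.5, 0.5) / dim for _ in range(dim)] for _ in vocab]
    w_out = [[0.0] * dim for _ in vocab]
    for _ in range(epochs):
        for inp, tgt in items:
            h = w_in[vocab.index(inp)]
            logits = [sum(a * b for a, b in zip(row, h)) for row in w_out]
            exps = [math.exp(z - max(logits)) for z in logits]
            grad_h = [0.0] * dim
            for j, row in enumerate(w_out):
                err = exps[j] / sum(exps) - (vocab[j] == tgt)
                for k in range(dim):
                    grad_h[k] += err * row[k]   # uses the pre-update output weight
                    row[k] -= lr * err * h[k]
            h[:] = [x - lr * g for x, g in zip(h, grad_h)]
    return dict(zip(vocab, w_in))

def cosine(u, v):
    return sum(a * b for a, b in zip(u, v)) / (math.hypot(*u) * math.hypot(*v))

def drift(gen_a, gen_b, keys):
    # Mean change in each value's cosine similarity to the other values.
    return {v: sum(abs(cosine(gen_a[v], gen_a[w]) - cosine(gen_b[v], gen_b[w]))
                   for w in keys if w != v) / (len(keys) - 1) for v in keys}

def demo():
    vocab = [f"src={h}" for h in HOSTS] + ["port=443", "port=22"]
    gens = [train(training_items(zip(HOSTS, p, BYTES)), vocab) for p in PERIODS]
    return drift(gens[0], gens[1], vocab[:len(HOSTS)])

if __name__ == "__main__":
    print(demo())
```

The drift score compares each value's similarity to its neighbours within a generation rather than comparing raw vectors across generations, because separately trained embedding spaces are not guaranteed to share an orientation.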