US 11,973,779 B2
Detecting data exfiltration and compromised user accounts in a computing network
Kenneth A. Kaye, Highlands Ranch, CO (US); Nikhil Sanil, Tega Cay, SC (US); Dipika Joshi, Waxhaw, NC (US); Colin Murphy, Charlotte, NC (US); and Satyanarayana R. Mandapati, Charlotte, NC (US)
Assigned to Bank of America Corporation, Charlotte, NC (US)
Filed by Bank of America Corporation, Charlotte, NC (US)
Filed on May 11, 2021, as Appl. No. 17/317,257.
Prior Publication US 2022/0368709 A1, Nov. 17, 2022
Int. Cl. H04L 29/06 (2006.01); H04L 9/40 (2022.01)
CPC H04L 63/1425 (2013.01) [H04L 63/1441 (2013.01)] 20 Claims
1. A system for detecting and blocking data exfiltration, from a user device, associated with a computing network, to an external network, the system comprising:
the user device configured to send data to one or more devices in the computing network and the external network;
the external network; and
a network monitoring platform communicatively coupled to the user device and the external network, the network monitoring platform comprising:
at least one processor;
a communication interface communicatively coupled to the at least one processor; and
memory storing computer-readable instructions that, when executed by the at least one processor, cause the network monitoring platform to:
monitor outgoing data from the user device to the external network;
predict, based on a seasonal autoregressive integrated moving average (SARIMA) model of data volumes, expected data volumes of outgoing data for a first set of time intervals;
measure data volumes of outgoing data for the first set of time intervals without inspecting content of the outgoing data for the first set of time intervals;
based on the expected data volumes for the first set of time intervals and the measured data volumes for the first set of time intervals, identify anomalies in the measured data volumes of outgoing data for the first set of time intervals; and
send, via the communication interface and based on the identification of anomalies, a notification to disconnect the user device, wherein disconnecting the user device comprises blocking outgoing data from the user device to the external network.
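As an added illustration that is not part of the patent or of any Bank of America implementation, the Python block below sketches the detection loop claim 1 describes: fit a small SARIMA model to per-interval outbound byte counts, forecast expected volumes for a set of upcoming intervals, compare them with measured volumes without inspecting any payload, and emit a disconnect notification when an interval's volume exceeds the forecast by a margin. The patent does not specify the SARIMA order, the anomaly threshold, or the notification format; the SARIMA(1,0,0)(0,1,0)_24 order, the four-standard-deviation rule, the `VolumeForecaster`/`find_anomalies`/`disconnect_notification` names, the device id and the hourly sample volumes are all assumptions made for this example.

```python
"""Added example (not from the patent): volume-only outbound anomaly detection.

Model: SARIMA(1,0,0)(0,1,0)_s fitted by ordinary least squares, i.e. one seasonal
difference followed by an AR(1) term, a small member of the SARIMA family named in
claim 1. Only byte counts per interval are used; packet content is never inspected.
Sample volumes, the device id and the 4-sigma rule are constructed for this example.
"""
import math
from typing import Dict, List, Optional


class VolumeForecaster:
    """SARIMA(1,0,0)(0,1,0)_s:  y_t = y_{t-s} + phi * (y_{t-1} - y_{t-1-s}) + e_t."""

    def __init__(self, season: int) -> None:
        self.season = season       # intervals per seasonal cycle, e.g. 24 for hourly data
        self.phi = 0.0             # AR(1) coefficient on the seasonally differenced series
        self.sigma = 0.0           # one-step forecast error standard deviation
        self.history: List[float] = []

    def fit(self, series: List[float]) -> "VolumeForecaster":
        s = self.season
        if len(series) < 2 * s + 2:
            raise ValueError("need at least two full seasons of history")
        # Seasonal differencing removes the repeating daily shape of normal traffic.
        w = [series[t] - series[t - s] for t in range(s, len(series))]
        # Closed-form OLS estimate of phi in w_t = phi * w_{t-1} + e_t.
        num = sum(w[t] * w[t - 1] for t in range(1, len(w)))
        den = sum(w[t - 1] ** 2 for t in range(1, len(w)))
        self.phi = num / den if den else 0.0
        resid = [w[t] - self.phi * w[t - 1] for t in range(1, len(w))]
        self.sigma = math.sqrt(sum(r * r for r in resid) / max(len(resid) - 1, 1))
        self.history = list(series)
        return self

    def forecast(self, horizon: int) -> List[float]:
        """Expected volumes for the next `horizon` intervals, made before any are measured."""
        y, s, phi = self.history, self.season, self.phi
        w_last = y[-1] - y[-1 - s]
        preds: List[float] = []
        for h in range(1, horizon + 1):
            # One season back from step h: an observation if it exists, else an earlier forecast.
            seasonal = y[h - 1 - s] if h <= s else preds[h - 1 - s]
            preds.append(seasonal + phi ** h * w_last)
        return preds

    def forecast_std(self, h: int) -> float:
        """Standard deviation of the h-step-ahead forecast error (AR(1) error accumulation)."""
        return self.sigma * math.sqrt(sum(self.phi ** (2 * j) for j in range(h)))


def find_anomalies(model: VolumeForecaster, measured: List[float], z: float = 4.0) -> List[Dict]:
    """Compare measured volumes with the forecast; flag only excess outbound volume."""
    expected = model.forecast(len(measured))
    findings = []
    for h, (exp, obs) in enumerate(zip(expected, measured), start=1):
        limit = exp + z * model.forecast_std(h)   # wider band for farther-ahead intervals
        findings.append({"interval": h - 1, "expected": round(exp, 2),
                         "measured": obs, "anomalous": obs > limit})
    return findings


def disconnect_notification(device_id: str, findings: List[Dict]) -> Optional[Dict]:
    """Build the notification the monitoring platform would send to block the device."""
    hits = [f["interval"] for f in findings if f["anomalous"]]
    if not hits:
        return None
    return {"action": "disconnect", "device": device_id, "intervals": hits}


def constructed_hourly_volumes(days: int) -> List[float]:
    """Constructed outbound MB per hour: ~25 MB in office hours, ~5 MB otherwise, plus jitter."""
    out = []
    for t in range(days * 24):
        base = 25.0 if 9 <= t % 24 < 18 else 5.0
        jitter = ((t * 7) % 5 - 2) * 0.3   # small deterministic wobble so the fit is reproducible
        out.append(base + jitter)
    return out


def run_demo():
    history = constructed_hourly_volumes(7)                 # one week of baseline traffic
    model = VolumeForecaster(season=24).fit(history)
    today = constructed_hourly_volumes(8)[7 * 24:]          # next 24 hours, normal shape
    today[3] = 80.0                                         # constructed 03:00 outbound burst
    findings = find_anomalies(model, today)
    return disconnect_notification("user-device-42", findings), findings


if __name__ == "__main__":
    notice, report = run_demo()
    for f in report:
        print(f)
    print("notification:", notice)
```

Two design points matter in practice. The comparison is one-sided (only volume above the forecast is flagged), because the risk being addressed is data leaving the network, and the tolerance band widens with the forecast horizon, which is what keeps a set of intervals forecast in one pass from generating alerts on ordinary drift late in the window. Volume-only detection of this kind still produces false positives on legitimate bursts such as backups or large file uploads, so the threshold `z` and the length of the baseline are the tuning points, and a disconnect decision is normally paired with a review path rather than taken on a single interval.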