US 12,432,238 B1
System and method for identifying anomalous network threat events that occur in a private computer network
Yordanos Beyene, Roseville, CA (US); Chin-En Yang, Austin, TX (US); and Catherine S. Curtis, Roseville, CA (US)
Assigned to Trend Micro Incorporated, Tokyo (JP)
Filed by Trend Micro Incorporated, Tokyo (JP)
Filed on Jun. 15, 2023, as Appl. No. 18/335,639.
Int. Cl. H04L 9/40 (2022.01)
CPC H04L 63/1425 (2013.01) [H04L 63/1416 (2013.01); H04L 63/20 (2013.01)] 20 Claims
OG exemplary drawing
 
1. A method of identifying anomalous network threat events that occur in a private computer network, the method comprising:
monitoring network traffic of a plurality of hosts of the private computer network;
receiving a stream of notifications of network threat events, wherein a network threat event occurs when network traffic data indicative of a network threat are detected in the network traffic;
identifying a first plurality of common hosts from among the plurality of hosts of the private computer network, each of the first plurality of common hosts having a same hostname and Internet Protocol (IP) address for at least a minimum frequency in network threat events that have occurred within a sampling period;
for each common host of the first plurality of common hosts, generating a baseline of network behavior of the common host in network threat events that have occurred within a sliding time window that is shorter in duration than the sampling period;
receiving notification of a first network threat event involving a first common host of the first plurality of common hosts and that has occurred after the sliding time window;
comparing a first network behavior of the first common host in the first network threat event to a baseline of network behavior of the first common host; and
issuing an alert in response to detecting that the first network behavior of the first common host in the first network threat event deviates from the baseline of network behavior of the first common host and the first network threat event has a risk level that exceeds a risk threshold.
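The claim above describes a two-tier baseline: hosts that show up often enough in threat events over a long sampling period are treated as "common", each gets a behavioral baseline from the most recent (shorter) sliding window, and a later event alerts only when it both deviates from that baseline and carries a high enough risk level. The following is an added worked example of that logic in Python; it is not Trend Micro's code and the patent does not specify it. It assumes that a host's "network behavior" is summarised by the destination IPs, destination ports and detection names in its events, that a deviation is any of those attributes unseen in the baseline, that risk levels are integers on a 0..100 scale, and that the threshold and period lengths are parameters. All hostnames, addresses, detection names and timestamps are constructed sample data.

```python
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Set, Tuple

HostKey = Tuple[str, str]  # (hostname, IP address): both must match, per the claim


@dataclass(frozen=True)
class ThreatEvent:
    ts: int        # event time, seconds since epoch
    hostname: str
    ip: str
    dst_ip: str
    dst_port: int
    threat: str    # detection / signature name that fired (assumed attribute)
    risk: int      # risk level assigned by the detector (assumed 0..100 scale)


@dataclass
class Baseline:
    dst_ips: Set[str] = field(default_factory=set)
    dst_ports: Set[int] = field(default_factory=set)
    threats: Set[str] = field(default_factory=set)


def identify_common_hosts(history: Iterable[ThreatEvent], now: int,
                          sampling_period: int, min_frequency: int) -> Set[HostKey]:
    """Hosts whose (hostname, IP) pair appears at least min_frequency times
    in threat events within the sampling period ending at `now`."""
    counts = Counter((e.hostname, e.ip) for e in history
                     if now - sampling_period <= e.ts <= now)
    return {key for key, n in counts.items() if n >= min_frequency}


def build_baselines(history: Iterable[ThreatEvent], common_hosts: Set[HostKey],
                    now: int, window: int, sampling_period: int) -> Dict[HostKey, Baseline]:
    """Per-common-host baseline from events in the sliding window ending at `now`.
    The window must be shorter than the sampling period, as the claim requires."""
    if window >= sampling_period:
        raise ValueError("sliding window must be shorter than the sampling period")
    baselines = {h: Baseline() for h in common_hosts}
    for e in history:
        key = (e.hostname, e.ip)
        if key in baselines and now - window <= e.ts <= now:
            b = baselines[key]
            b.dst_ips.add(e.dst_ip)
            b.dst_ports.add(e.dst_port)
            b.threats.add(e.threat)
    return baselines


def deviations(event: ThreatEvent, baseline: Baseline) -> List[str]:
    """Attributes of the new event not present in the host's baseline (assumed definition)."""
    found = []
    if event.threat not in baseline.threats:
        found.append(f"new threat type {event.threat}")
    if event.dst_ip not in baseline.dst_ips:
        found.append(f"new destination {event.dst_ip}")
    if event.dst_port not in baseline.dst_ports:
        found.append(f"new destination port {event.dst_port}")
    return found


def evaluate(event: ThreatEvent, baselines: Dict[HostKey, Baseline],
             window_end: int, risk_threshold: int) -> Optional[dict]:
    """Alert only for a post-window event of a common host that deviates from
    its baseline AND has a risk level above the threshold; otherwise None."""
    key = (event.hostname, event.ip)
    if key not in baselines or event.ts <= window_end:
        return None  # not a common host, or not after the sliding window
    found = deviations(event, baselines[key])
    if found and event.risk > risk_threshold:
        return {"host": key, "ts": event.ts, "threat": event.threat,
                "risk": event.risk, "deviations": found}
    return None


# Constructed sample data. NOW ends both the 7-day sampling period and the 1-day window.
NOW, SAMPLING_PERIOD, WINDOW, MIN_FREQUENCY, RISK_THRESHOLD = 1_000_000, 7 * 86_400, 86_400, 3, 70

HISTORY = [
    # web01 is noisy all week: repeated scans and one brute-force attempt on LAN hosts
    ThreatEvent(400_000, "web01", "10.0.0.5", "10.0.0.20", 445, "port-scan", 30),
    ThreatEvent(500_000, "web01", "10.0.0.5", "10.0.0.21", 445, "port-scan", 30),
    ThreatEvent(920_000, "web01", "10.0.0.5", "10.0.0.20", 445, "port-scan", 30),
    ThreatEvent(950_000, "web01", "10.0.0.5", "10.0.0.20", 22, "brute-force", 40),
    ThreatEvent(990_000, "web01", "10.0.0.5", "10.0.0.22", 445, "port-scan", 30),
    # db01 appears once: below the minimum frequency, so it gets no baseline
    ThreatEvent(930_000, "db01", "10.0.0.9", "10.0.0.20", 445, "port-scan", 30),
]

NEW_EVENTS = [
    ThreatEvent(1_000_100, "web01", "10.0.0.5", "10.0.0.20", 445, "port-scan", 30),    # matches baseline
    ThreatEvent(1_000_200, "web01", "10.0.0.5", "203.0.113.7", 443, "c2-beacon", 85),  # deviates, high risk
    ThreatEvent(1_000_300, "web01", "10.0.0.5", "10.0.0.53", 53, "dns-tunnel", 20),    # deviates, low risk
    ThreatEvent(1_000_400, "db01", "10.0.0.9", "203.0.113.7", 443, "c2-beacon", 90),   # not a common host
]


def run_demo() -> List[dict]:
    common = identify_common_hosts(HISTORY, NOW, SAMPLING_PERIOD, MIN_FREQUENCY)
    baselines = build_baselines(HISTORY, common, NOW, WINDOW, SAMPLING_PERIOD)
    results = (evaluate(e, baselines, NOW, RISK_THRESHOLD) for e in NEW_EVENTS)
    return [a for a in results if a is not None]


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

Of the four new events only the web01 beacon to 203.0.113.7 alerts: the repeat scan matches the baseline, the dns-tunnel event deviates but sits under the risk threshold, and db01 never qualified as a common host. Two points a practitioner would watch in a real deployment: the baseline is built only from events already flagged as threats, so a host that is constantly noisy will normalise its own noise, and the hostname-plus-IP key means a DHCP lease change splits one machine into two "hosts" and resets its baseline.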