US 11,777,988 B1
Probabilistically identifying anomalous honeypot activity
Wah-Kwan Lin, Melrose, MA (US); and Curtis Barnard, Portland, OR (US)
Assigned to Rapid7, Inc., Boston, MA (US)
Filed by Rapid7, Inc., Boston, MA (US)
Filed on Mar. 9, 2021, as Appl. No. 17/196,633.
Int. Cl. H04L 9/40 (2022.01)
CPC H04L 63/1491 (2013.01) [H04L 63/1416 (2013.01); H04L 63/1425 (2013.01); H04L 63/1433 (2013.01)]
20 Claims
1. A computer-implemented method, comprising:
receiving a honeypot dataset associated with a honeypot network, wherein the honeypot dataset comprises one or more connections to at least one or more ports or one or more applications of one or more honeypots in the honeypot network over a period of time;
determining a representative usage value from the honeypot dataset, wherein the representative usage value comprises a number of connections to a port of the one or more ports or to an application of the one or more applications over the period of time;
identifying the number of connections as being associated with anomalous behavior, wherein the identification is based on a probability of a deviation of the number of connections from a historical average of the number of connections according to an expected probability distribution; and
initiating a remediation operation in the honeypot network in response to the identification of the number of connections as being associated with the anomalous behavior.
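
The steps of claim 1 can be sketched as follows. This is an added example, not code from the patent or from Rapid7. It assumes a Poisson model for the "expected probability distribution" (the claim does not name one), an assumed threshold `ALPHA`, a hypothetical `remediate` callback, and constructed sample data.

```python
import math
from collections import Counter

ALPHA = 0.001  # assumed threshold; the claim does not specify one

def poisson_pmf(k, lam):
    # Computed in log space so large counts do not overflow.
    return math.exp(-lam + k * math.log(lam) - math.lgamma(k + 1))

def tail_probability(count, lam):
    """Probability of a count at least this far from lam, on the same side."""
    if lam <= 0:
        return 1.0 if count == 0 else 0.0
    if count < lam:  # lower tail: P(X <= count)
        return min(1.0, sum(poisson_pmf(i, lam) for i in range(count + 1)))
    total, term, i = 0.0, poisson_pmf(count, lam), count
    while term > 1e-300:  # upper tail: P(X >= count); terms shrink past lam
        total += term
        i += 1
        term *= lam / i
    return min(1.0, total)

def find_anomalies(connections, history, alpha=ALPHA, remediate=None):
    """connections: (src_ip, dst_port) pairs for the current period.
    history: {port: [non-empty list of counts from earlier periods]}."""
    counts = Counter(port for _, port in connections)
    findings = {}
    for port, past in history.items():
        lam = sum(past) / len(past)   # historical average
        n = counts.get(port, 0)       # representative usage value
        p = tail_probability(n, lam)
        findings[port] = {"count": n, "mean": lam, "p": p, "anomalous": p < alpha}
        if p < alpha and remediate:
            remediate(port, n, p)     # hypothetical remediation hook
    return findings

# Constructed sample data (documentation-range addresses).
HISTORY = {23: [98, 105, 110, 95, 102, 100, 90], 445: [10, 14, 11, 13, 12, 9, 15]}
CONNECTIONS = [("198.51.100.7", 23)] * 160 + [("203.0.113.9", 445)] * 12

if __name__ == "__main__":
    for port, finding in find_anomalies(CONNECTIONS, HISTORY).items():
        print(port, finding)
```

Both tails are checked, so a port that goes unexpectedly quiet is flagged as well as one that spikes.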