| CPC H04L 41/06 (2013.01) [H04L 41/12 (2013.01); H04L 43/08 (2013.01); H04L 43/16 (2013.01)] | 19 Claims |

1. A method of identifying anomalous network activity, the method comprising:
identifying, based on network data representative of aggregated network activity within a network over a period of time, at least one instance of a sequence of events that occurred within the network;
storing the at least one instance of the sequence of events that occurred within the network in a database;
obtaining a probability of the at least one instance of the sequence of events occurring during non-anomalous network activity using a trained statistical model representative of a transition matrix based on transition probabilities between a particular event in the at least one instance of the sequence of events occurring immediately prior to a different particular event in the at least one instance of the sequence of events;
determining a frequency characteristic representative of a frequency at which the at least one instance of the sequence of events is identified to have occurred within the network based on a number of times the at least one instance of the sequence of events is stored in the database over the period of time;
determining, based on calculating a function of the probability and the frequency characteristic, a likelihood of the at least one instance of the sequence of events occurring within the network at the frequency;
comparing the likelihood to a first threshold and a second threshold;
identifying, based on the likelihood being less than the first threshold or greater than the second threshold, that at least a portion of the network data is anomalous; and
sending an alert to a client device after identifying that at least the portion of the network data is anomalous.
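
The steps of claim 1 can be sketched as follows. This is an added example, not code from the patent. The claim does not say which function combines the probability and the frequency, so the example assumes a Poisson CDF of the observed count given the expected count, add-one smoothing, and thresholds of 0.01 and 0.99; all function names and the sample events are constructed for illustration.

```python
import math
from collections import Counter, defaultdict

def train_transitions(baseline, alpha=1.0):
    """Transition matrix P(next | prev) from non-anomalous sequences (add-alpha smoothing, assumed)."""
    events = sorted({e for seq in baseline for e in seq})
    counts = defaultdict(Counter)
    for seq in baseline:
        for prev, nxt in zip(seq, seq[1:]):
            counts[prev][nxt] += 1
    return {p: {n: (counts[p][n] + alpha) / (sum(counts[p].values()) + alpha * len(events))
                for n in events} for p in events}

def sequence_probability(matrix, seq):
    """Product of transition probabilities between immediately consecutive events."""
    prob = 1.0
    for prev, nxt in zip(seq, seq[1:]):
        prob *= matrix.get(prev, {}).get(nxt, 0.0)  # event never seen in training: 0
    return prob

def poisson_cdf(k, lam):
    """P(K <= k) for K ~ Poisson(lam)."""
    term = total = math.exp(-lam)
    for i in range(1, k + 1):
        term *= lam / i
        total += term
    return min(total, 1.0)

def score(matrix, database, seq, low=0.01, high=0.99):
    """Return (likelihood, is_anomalous) for one stored sequence over the window."""
    observed = sum(1 for s in database if s == seq)          # frequency characteristic
    same_start = sum(1 for s in database if s[0] == seq[0])  # trials sharing the first event
    expected = sequence_probability(matrix, seq) * same_start
    likelihood = poisson_cdf(observed, expected)              # assumed combining function
    return likelihood, likelihood < low or likelihood > high  # caller sends the alert

# Constructed sample data: baseline traffic, then two observation windows.
L, R, W, X, O = "login", "read", "write", "export", "logout"
BASELINE = [(L, R, O)] * 40 + [(L, W, O)] * 10 + [(L, X, O)]
MATRIX = train_transitions(BASELINE)
BURST_WINDOW = [(L, R, O)] * 30 + [(L, W, O)] * 8 + [(L, X, O)] * 12
QUIET_WINDOW = [(L, R, O)] * 5 + [(L, W, O)] * 45

if __name__ == "__main__":
    for window in (BURST_WINDOW, QUIET_WINDOW):
        for seq in sorted(set(window)):
            print(seq, score(MATRIX, window, seq))
```

With this choice of function, a likelihood near 1 means the sequence occurs far more often than the baseline predicts, and a likelihood near 0 means a normally common sequence has almost disappeared, which is why both thresholds are checked.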