US 12,452,268 B2
Methods, systems, and media for detecting anomalous network activity
Sherin M. Mathews, Santa Clara, CA (US); Vaisakh Shaj, Kollam (IN); Sriranga Seetharamaiah, Bangalore (IN); Carl D. Woodward, Santa Clara, CA (US); and Kantheti V V S M B Kumar, Bangalore (IN)
Assigned to McAfee, LLC, San Jose, CA (US)
Filed by McAfee, LLC, San Jose, CA (US)
Filed on Apr. 6, 2021, as Appl. No. 17/223,912.
Application 17/223,912 is a continuation of application No. 16/138,553, filed on Sep. 21, 2018, granted, now 11,005,868.
Prior Publication US 2021/0226975 A1, Jul. 22, 2021
This patent is subject to a terminal disclaimer.
Int. Cl. H04L 9/40 (2022.01); G06N 3/02 (2006.01); G06N 20/00 (2019.01); H04L 41/14 (2022.01); H04L 41/142 (2022.01); H04L 43/045 (2022.01); G06F 16/901 (2019.01); H04L 101/668 (2022.01)
CPC H04L 63/1425 (2013.01) [G06N 3/02 (2013.01); G06N 20/00 (2019.01); H04L 41/142 (2013.01); H04L 41/145 (2013.01); H04L 43/045 (2013.01); H04L 63/1441 (2013.01); G06F 16/9024 (2019.01); H04L 2101/668 (2022.05)] 15 Claims
OG exemplary drawing
 
1. A method for detecting anomalous network activity, comprising:
generating, using a hardware processor, a weighted directed graph representing network activity, wherein the weighted directed graph has a plurality of nodes and has an edge between two of the plurality of nodes, wherein each node of the graph indicates an IP address of a device participating in the network activity, and wherein the edge has at least one weight, wherein the at least one weight includes at least one of: a number of connections between the two of the plurality of nodes, an average number of bytes per packet sent between the two of the plurality of nodes, and a number of ports scanned;
generating a representation of the graph representing the network activity, wherein the representation of the graph representing the network activity reduces a dimensionality of information indicated in the graph representing the network activity, wherein the representation includes a plurality of adjacency matrices, wherein:
a first of the plurality of adjacency matrices represents one of: a number of connections between a source IP address and a destination IP address; an average number of bytes per packet sent between a source IP address and a destination IP address; and a number of ports scanned; and
a second of the plurality of adjacency matrices represents another of: the number of connections between a source IP address and a destination IP address; the average number of bytes per packet sent between a source IP address and a destination IP address; and the number of ports scanned;
identifying a plurality of clusters of network activity from the representation of the graph including the plurality of adjacency matrices;
determining that at least one cluster of the plurality of clusters corresponds to anomalous network activity; and
in response to determining that the at least one cluster of the plurality of clusters corresponds to anomalous network activity, causing a network connection of at least one device included in the at least one cluster to be blocked.
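The pipeline that claim 1 recites (weighted directed graph of IP-to-IP activity, one adjacency matrix per edge weight, clustering of the resulting representation, selection of an anomalous cluster, and blocking of its members) as an added worked example in Python. This is not the patent's or McAfee's own code. The flow records are constructed, and several choices the claim leaves open are assumptions of this example: each node's rows of the three matrices are collapsed into a single scaled 3-vector, clustering is a deterministic 2-means, and the cluster whose centroid has the largest ports-scanned component is treated as the anomalous one. "Blocking" is modelled as returning the list of IPs a firewall would be told to drop.

```python
"""Added example (not the patent's code): weighted directed graph -> adjacency
matrices -> clustering -> anomalous cluster -> IPs to block."""
from collections import defaultdict
from typing import Dict, List, Tuple

Flow = Tuple[str, str, int, int, int]  # (src_ip, dst_ip, dst_port, bytes, packets)

# Constructed sample flows (not from the patent). Hosts .5/.6/.7 talk to the two
# servers on 80/443 with normal-sized packets; 10.0.0.99 probes many ports with
# one tiny packet per port, which is the behaviour the example should isolate.
FLOWS: List[Flow] = [
    ("10.0.0.5", "10.0.0.20", 443, 52000, 40),
    ("10.0.0.5", "10.0.0.20", 443, 48000, 38),
    ("10.0.0.6", "10.0.0.20", 443, 61000, 45),
    ("10.0.0.6", "10.0.0.21", 80, 30000, 25),
    ("10.0.0.7", "10.0.0.21", 80, 35000, 30),
    ("10.0.0.7", "10.0.0.20", 443, 50000, 41),
]
FLOWS += [("10.0.0.99", "10.0.0.20", p, 60, 1) for p in range(20, 50)]
FLOWS += [("10.0.0.99", "10.0.0.21", p, 60, 1) for p in range(20, 40)]

# The three edge weights named in the claim.
WEIGHTS = ("connections", "avg_bytes_per_packet", "ports_scanned")


def build_graph(flows: List[Flow]):
    """Weighted directed graph: nodes are IPs, edge (src, dst) carries the three weights."""
    raw = defaultdict(lambda: {"connections": 0, "bytes": 0, "packets": 0, "ports": set()})
    nodes = set()
    for src, dst, port, nbytes, npackets in flows:
        nodes.update((src, dst))
        e = raw[(src, dst)]
        e["connections"] += 1
        e["bytes"] += nbytes
        e["packets"] += npackets
        e["ports"].add(port)
    edges: Dict[Tuple[str, str], Dict[str, float]] = {
        key: {
            "connections": e["connections"],
            "avg_bytes_per_packet": e["bytes"] / e["packets"],
            "ports_scanned": len(e["ports"]),
        }
        for key, e in raw.items()
    }
    return sorted(nodes), edges


def adjacency_matrices(nodes, edges):
    """One |V| x |V| matrix per weight; row = source IP, column = destination IP."""
    idx = {ip: i for i, ip in enumerate(nodes)}
    n = len(nodes)
    mats = {w: [[0.0] * n for _ in range(n)] for w in WEIGHTS}
    for (src, dst), weights in edges.items():
        for w in WEIGHTS:
            mats[w][idx[src]][idx[dst]] = float(weights[w])
    return mats


def node_features(nodes, mats):
    """Assumption: collapse each node's rows into one 3-vector, scaled to [0, 1] per feature."""
    feats = []
    for i in range(len(nodes)):
        conn = sum(mats["connections"][i])
        bpp_vals = [v for v in mats["avg_bytes_per_packet"][i] if v > 0]
        bpp = sum(bpp_vals) / len(bpp_vals) if bpp_vals else 0.0
        ports = sum(mats["ports_scanned"][i])
        feats.append([conn, bpp, ports])
    for j in range(3):
        m = max(f[j] for f in feats) or 1.0
        for f in feats:
            f[j] /= m
    return feats


def kmeans2(points, iters=20):
    """Deterministic 2-means: seeds are the lowest- and highest-magnitude points."""
    order = sorted(range(len(points)), key=lambda i: sum(points[i]))
    cents = [list(points[order[0]]), list(points[order[-1]])]
    labels = [0] * len(points)
    for _ in range(iters):
        labels = [
            min((0, 1), key=lambda c: sum((a - b) ** 2 for a, b in zip(p, cents[c])))
            for p in points
        ]
        for c in (0, 1):
            members = [points[i] for i, lab in enumerate(labels) if lab == c]
            if members:
                cents[c] = [sum(col) / len(members) for col in zip(*members)]
    return labels, cents


def detect_and_block(flows: List[Flow]) -> List[str]:
    """Run the claim's pipeline; return the IPs whose connections would be blocked."""
    nodes, edges = build_graph(flows)
    mats = adjacency_matrices(nodes, edges)
    feats = node_features(nodes, mats)
    labels, cents = kmeans2(feats)
    # Assumption: the cluster whose centroid has the larger ports-scanned
    # component is the anomalous one (the claim does not fix this criterion).
    anomalous = max((0, 1), key=lambda c: cents[c][2])
    return sorted(ip for ip, lab in zip(nodes, labels) if lab == anomalous)


if __name__ == "__main__":
    print("block:", detect_and_block(FLOWS))
```

The interesting property for a defender is that the scanner separates cleanly even though it sends far fewer bytes than any legitimate host: it is the combination of the three matrices (many connections, tiny packets, many distinct ports) that places it in its own cluster, so a single-weight threshold on bytes alone would have missed it.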