1035 results about "Network behavior" patented technology

A method, a device and computer program products for protecting privacy of users from web-trackers

The method comprising:

• • capturing and removing a public unique identifier set by a Website (300) in a computing device (100D) of a user (100);
  • monitoring, during a first time-period, web-requests the user (100) makes to obtain a web-behavioral profile of the user (300), and storing the obtained web-behavioral profile as a first vector;
  • tracking, during a second time-period, the web-requests to examine the effect each web-request has on assisting the de-anonymization of the user (100), obtaining a second vector;
  • classifying, the obtained second vector taking into account a computed similarity score parameter;
  • creating and mapping, a corresponding private unique identifier for said captured public identifier; and
  • executing, based on said mapping between the private and the public unique identifiers, an intervention algorithm for said web-tracker, that considers a configured intervention policy.

A baseline can be defined using specific attributes of the network traffic. Using the established baseline, deviation can then be measured to detect anomaly on the network. The accuracy of the baseline is the most important criterion of any effective network anomaly detection technique. In a local area network (LAN) environment, the attributes change very frequently by many change agents; for example, new entities, such as users, application, and network-enabled devices, added to and removed from the LAN environment. The invention provides an improved method of establishing a baseline for network anomaly detection based on user's behaviour profiling. A user behaviour profiling is a distinct network usage pattern pertaining to a specific individual user operating on the LAN environment. No two users profiling would be the same. A group of users that have similar network usage attributes can be extrapolated using data mining technique to establish a group profiling baseline to detect network usage anomaly. By combining user and group profiling, a network anomaly detection system can measure subtle shift in network usage and as a result separate good user's network usage behaviour from the bad one. Using the said technique, a lower rate of false positives of network anomaly can be created that is suitable to operate in a highly dynamic LAN environment.

A system for identifying chronic performance problems on data networks includes network monitoring devices that provide measurements of performance metrics such as latency, jitter, and throughput, and a processing system for analyzing measurement data to identify the onset of chronic performance problems. Network behavior is analyzed to develop a baseline performance level (e.g., computing a mean and variance of a baseline sample of performance metric measurements). An operating performance level is measured during operation of the network (e.g., computing a mean and variance of an operating sample of performance metric measurements). A chronic performance problem is identified if the operating performance level exceeds a performance threshold and a difference between the baseline performance level and the operating performance level is determined to be statistically significant. A t-test based on the baseline mean and variance and the operating mean and variance can be used to determine if this difference is significant.

A first capture system that captures network communication events related to an application, and a second capture system that captures internal processing events related to the application. A visualization system analyzes the data captured by each of the capture systems, synchronizes and correlates the data, and presents an integrated display of these communication and processing events. In a preferred embodiment, the communicated messages include an identifier of the application, and the processing components also associate an identifier of the application to each recorded processing event. To facilitate the integrated display of the events, the visualization system synchronizes the recorded communication and processing events to a common time base.

An intrusion detection system and method for a computer network includes a processor and one or more programs that run on the processor for application inspection of data packets traversing the computer network. The one or more programs also obtaining attribute information from the packets specific to a particular application and comparing the attribute information against a knowledge database that provides a baseline of normal network behavior. The processor raises an alarm whenever the attribute information exceeds a predetermined range of deviation from the baseline of normal network behavior. It is emphasized that this abstract is provided to comply with the rules requiring an abstract that will allow a searcher or other reader to quickly ascertain the subject matter of the technical disclosure. It is submitted with the understanding that it will not be used to interpret or limit the scope or meaning of the claims.

A method, system and computer program product are disclosed for evaluating a customer network value of a set of customers for a given marketing campaign, said method comprising the steps of storing for each customer static information, collecting for each customer, historical and time cumulative network behavior data, building a customer network map from network behavior data said map describing network relation between nodes, one node representing one customer, computing the social network parameters for the nodes of the network map, selecting the most relevant social network parameters according to the objectives of the given marketing campaign, and, computing for each customer a Customer Network Value Index (NVI) by combining the most relevant social network parameters and static information. When a static information profile is defined for an extended customer population, applying data mining techniques on this population allows estimating a probabilistic NVI for each customer in the extended customer population for which no NVI has been computed.

The invention discloses a high-interaction honeypot based network security system and an implementation method thereof. The system comprises a honeypot monitoring module, a website correlation analysis module, a summarizing analysis/display module, wherein the honeypot monitoring module is used for carrying out classified acquisition on the attack incidents network behavior logs and host behavior logs; the website correlation analysis module is used for carrying out summarization and automatic correlation analysis on the attack incidents network behavior logs and the host behavior logs, and filtering invalid network alarms, capturing known attack incidents, automatically finding out unknown attack incidents, and extracting concealed Internet malicious resource information according to the automatic correlation analysis results; and the summarizing analysis/display module is used for summarizing and accounting known attack incidents and/or unknown attack incidents captured on all honeypot websites, displaying and reducing selected attack incidents for users, and carrying out automatic detection on concealed Internet malicious resources according to the concealed Internet malicious resource information.

A system and method supporting access to multimedia information based upon user-defined quality of service criteria is disclosed. A broadband access gateway may coordinate network behavior during the transition of an access device among communication pathways having different available capacities. Adjustments in bit rates and levels of compression may be made based upon the user-defined quality of service criteria. The user may be notified when network conditions disallow support for the desired quality of service, and may choose to override selected criteria. The user-defined quality of service criteria may be stored within the gateway and associated with a user, or may be located in the access device and accessible to the gateway.

The invention discloses a method and a system for detecting a network security threat based on trusted business flow. The method comprises the following steps of establishing a blacklist and a white list of network flow and constructing a baseline model, wherein the white list is the trusted business flow and is a feature contour library of normal network behavior and host behavior; comparing real-time monitoring flow data and the baseline model; when the real-time data is matched with the blacklist, outputting an abnormal flow alarm; when the real-time data is matched with the white list and a deviation exceeds a preset threshold, outputting a threat flow alarm; and when the real-time data is mismatched with the blacklist and the white list, treating as a gray list and outputting an unknown flow alarm. According to the method and the system, the network security threat can be comprehensively and effectively detected at a low false alarm rate and high anti-virus efficiency, and the method and the system can adapt to a more granular network attack and defense confrontation environment.

The input characteristics of a real-time IDS change continuously with time therefore setting a rigid (time and behavior invariant) classification threshold limits the accuracy that the IDS can potentially achieve. A generic threshold tuning method and system is proposed which can adaptively tune the detection threshold of a real-time IDS in accordance with varying host and network behavior. The method and system perform statistical and information-theoretic analyses of network and host-based IDSs' anomaly based intrusions to reveal a consistent time correlation structure between benign activity periods which is used to predict future anomaly scores and to adapt an IDS' detection threshold accordingly.

The invention discloses a network attack abnormality detection method, and relates to the technical field of information security. The technical point of the network attack abnormality detection method disclosed by the invention is as follows: a step 1, deploying a traffic data collection device at a network traffic aggregation node; a step 2, extracting a network behavior feature value from the collected traffic data; a step 3, carrying out dimensionality reduction and standardization on the network behavior feature value; a step 4, determining normal network behavior feature values, and establishing a normal behavior model based on a set of the normal network behavior feature values; and a step 5, detecting other network behavior feature values based on the normal behavior model, and judging whether abnormal network behaviors occur; and when detecting abnormal network behaviors, updating the normal behavior model according to a new normal network behavior feature value.

The invention relates to a device for detecting network access abnormality based on data stream behavior analysis, comprising a flow information collection module, an abnormal behavior detection module and an abnormal flow processing module, wherein the flow information collection module is respectively connected with the abnormal behavior detection module and the abnormal flow processing module;and the abnormal behavior detection module is connected with the abnormal flow processing module. The invention also relates to a method for using the device. In the method, obvious abnormal flow data is filtered out firstly, then a network behavior model is used to detect the filtered flow data, and the network behavior model is automatically updated; and finally, the flow is blocked according to detection results. The device and method provided by the invention is utilized to establish a normal network behavior model. The model is compared with real-time data so as to detect whether real-time flow is abnormal; and the network behavior model is dynamically modified, abnormal flow sources are analyzed, and the abnormal flow is blocked, thus identifying the abnormal flow quickly and effectively and improving the accuracy of the detection.

Provided are systems, methods, and computer-program products for a network device, configured to use data science techniques to manage the deployment of deception mechanisms in a network, where the deception mechanisms can attract and detect threats to the network. In various implementations, the network device can receive network data. The network data can include data produced by an interaction with a deception mechanism. The deception mechanism can be part of the security of the network. An interaction can include a potential threat to the network. The network device can further be configured to analyze the network data using a data science engine, including identifying a pattern of network behavior. The network device can further generate an attack pattern that includes the behavior of the potential threat. The network device can further use the attack pattern to modify deception mechanisms on the network.

A method for detecting a malicious node in a network. The method includes obtaining a plurality of failed domain name service (DNS) queries from the network, wherein each of the plurality of failed DNS queries is initiated from a client node of the network and comprises an effective second-level domain (eSLD) name, generating, by a computer processor and using a pre-determined clustering algorithm, a cluster from a plurality of eSLD names comprising the eSLD name of each of the plurality of failed DNS queries, wherein the cluster comprises a portion of the plurality of eSLD names that is selected based on the pre-determined clustering algorithm, determining, by the computer processor and using a pre-determined formula, a score representing statistical characteristics of the cluster, and assigning, in response to the score meeting a pre-determined criterion, a malicious status to the client node.

Allocation of buffers for a TCP proxy session between a client and a server by a service gateway includes: monitoring dynamic network behaviors for server and client side sessions of the TCP proxy session; and allocating capacity for a server side buffer and capacity for a client side buffer in a memory buffer based on the dynamic server side network behaviors, the dynamic client side network behaviors, and a weighted average of a capacity of the memory buffer. In one approach to the allocation, the gateway determines whether an available capacity of the server or client side buffer is sufficient to store a data packet. If not sufficient, the allocated capacity of the server or client side buffer is increased based on measurements of the dynamic network behaviors and the weighted average, and the available capacity of the server or client side buffer is adjusted accordingly.