Patent Issued for Detection Of Anomalous Computer Behavior (USPTO 10,652,257) - Insurance News | InsuranceNewsNet

May 26, 2020 Newswires
Patent Issued for Detection Of Anomalous Computer Behavior (USPTO 10,652,257)

Insurance Daily News

2020 MAY 26 (NewsRx) -- By a News Reporter-Staff News Editor at Insurance Daily News -- State Farm Mutual Automobile Insurance Company (Bloomington, Illinois, United States) has been issued patent number 10,652,257, according to news reporting originating out of Alexandria, Virginia, by NewsRx editors.

The patent’s inventors are Shah, Rajiv (Bloomington, IL); Morrison, Shannon (Gilbert, AZ); Cunningham, Jeremy (Bloomington, IL); Smith, Taylor (Addison, TX); Sundararaman, Sripriya (Plano, TX); Wan, Jing (Allen, TX); Hevrin, Jeffrey (Bloomington, IL); Duehr, Ronald (Normal, IL); Sliz, Brad (Normal, IL); Allen, Lucas (East Peoria, IL).

This patent was filed on July 7, 2017 and was published online on May 25, 2020.

From the background information supplied by the inventors, news correspondents obtained the following quote: “Corporations, government offices, universities, colleges, and other organizations may have a large number of computers and file servers that are networked together. Typically, these computers have access to websites on the Internet via proxy servers and firewall servers. Occasionally, one or more computers attempts to access a website which is unexpected, not approved, or nonexistent. This anomalous behavior may be the result of activity of the computer user, malware, viruses, or bots (Internet or web robots) on the machine, computer hardware, firmware, or software misconfiguration, or other circumstances. Scanning a computer’s hard drive and memory for malware, viruses, and bots may detect some malicious programs, but a scanner can only detect programs of which it is aware, so new malware or viruses may not be detected. And, scanning a computer’s hard drive and memory for malware and viruses typically does not detect hardware, firmware, or software misconfigurations. Thus, some anomalous behavior, particularly resulting from misconfigurations, may go undetected.”

Supplementing the background information on this patent, NewsRx reporters also obtained the inventors’ summary information for this patent: “Embodiments of the present technology relate to computer-implemented methods, computing devices, and computer-readable media for detecting anomalous behavior of one or more computers in a large group of computers. In a first aspect, a computer-implemented method for detecting anomalous behavior of one or more computers in a large group of computers may be provided. The method may include, via one or more processors and/or transceivers: (1) receiving log files including a plurality of entries of data regarding connections between a plurality of computers belonging to an organization and a plurality of websites outside the organization, each entry being associated with the actions of one computer and including a plurality of features; (2) executing a first plurality of algorithms to determine a portion of the features which contribute to anomalous computer behavior; and/or (3) executing a second plurality of algorithms utilizing the portion of features to determine the computers which are behaving anomalously. The method may include additional, fewer, or alternative actions, including those discussed elsewhere herein.

“In another aspect, a computer-readable medium for detecting anomalous behavior of one or more computers in a large group of computers may be provided. The computer-readable medium may include an executable program stored thereon, wherein the program instructs a processing element of a computing device to perform the following actions: (1) receiving log files including a plurality of entries of data regarding connections between a plurality of computers belonging to an organization and a plurality of websites outside the organization, each entry being associated with the actions of one computer and including a plurality of features; (2) executing a first plurality of algorithms to determine a portion of the features which contribute to anomalous computer behavior; and/or (3) executing a second plurality of algorithms utilizing the portion of features to determine the computers which are behaving anomalously. The program stored on the computer-readable medium may instruct the processing element to perform additional, fewer, or alternative actions, including those discussed elsewhere herein.

“In yet another aspect, a computing device for detecting anomalous behavior of one or more computers in a large group of computers may be provided. The computing device may include a communication element, a memory element, and a processing element. The communication element may receive and transmit communications to and from a plurality of servers and computers within an organization. The memory element may be electronically coupled to the communication element and may store executable instructions. The processing element may be electronically coupled to the communication element and the memory element. The processing element may be configured to receive log files including a plurality of entries of data regarding connections between a plurality of computers belonging to an organization and a plurality of websites outside the organization, each entry being associated with the actions of one computer and including a plurality of features; execute a first plurality of algorithms to determine a portion of the features which contribute to anomalous computer behavior; and/or execute a second plurality of algorithms utilizing the portion of features to determine the computers which are behaving anomalously. The computing device may include additional, fewer, or alternate components and/or functionality, including that discussed elsewhere herein.

“Advantages of these and other embodiments will become more apparent to those skilled in the art from the following description of the exemplary embodiments which have been shown and described by way of illustration. As will be realized, the present embodiments described herein may be capable of other and different embodiments, and their details are capable of modification in various respects. Accordingly, the drawings and description are to be regarded as illustrative in nature and not as restrictive.”

The claims supplied by the inventors are:

“We claim:

“1. A computer-implemented method for detecting anomalous behavior of one or more computers in a large group of computers, the computer-implemented method comprising, via one or more processors and/or transceivers: receiving log files including a plurality of entries of anomalous and non-anomalous data regarding connections between a plurality of computers belonging to an organization and a plurality of websites outside the organization, each entry being associated with one event of one of the plurality of computers and including a plurality of fields of data; determining a plurality of features, each feature including one field of data of the plurality of fields of data or a derivation from one or more fields of data of the plurality of fields of data; executing a first set of algorithms generating lists of features, each algorithm generating a list of features of the lists of features which include data indicative of anomalous computer behavior, with a first portion of the first set of algorithms receiving as input first data that occurred over a period of time for the plurality of features and a second portion of the first set of algorithms receiving as input second data regarding traffic between the plurality of computers and the plurality of websites, wherein the first portion is different from the second portion of the first set of algorithms and the first data is different from the second data; and executing a second set of algorithms, each algorithm generating a list of computers which are behaving anomalously, with a first portion of the second set of algorithms receiving as input third data from one of the lists of features and a second portion of the second set of algorithms receiving as input fourth data regarding traffic between the plurality of computers and the plurality of websites, wherein the first portion is different from the second portion of the second set of algorithms and the third data is different from the fourth data.

“2. The computer-implemented method of claim 1, wherein the first set of algorithms includes a seasonal hybrid extreme studentized deviates algorithm and a breakout detection algorithm to determine features which include date recorded over a period of time and is indicative of anomalous computer behavior.

“3. The computer-implemented method of claim 1, wherein the first set of algorithms includes creation of a plurality of traffic dispersion graphs to determine features which are derived from the graphs and include data that is indicative of anomalous computer behavior.

“4. The computer-implemented method of claim 1, wherein the first set of algorithms includes a first autoencoder to determine a plurality of entries that include anomalous data and a random forest regressor to determine a ranking of the features from each entry.

“5. The computer-implemented method of claim 1, wherein the second set of algorithms includes K-means clustering to determine a first group of computers exhibiting potentially anomalous behavior and a density-based spatial clustering of applications with noise algorithm to determine a second group of computers from within the first group of computers, the second group exhibiting anomalous behavior.

“6. The computer-implemented method of claim 1, wherein the second set of algorithms includes creation of a plurality of egonet graphs followed by creation of a heavy vicinity plot and a dominant edge plot for each egonet graph to determine the computers which are behaving anomalously.

“7. The computer-implemented method of claim 1, wherein the second set of algorithms includes a second autoencoder to encode and decode the entries, each entry including only the portion of features, and to determine an error level between each entry before encoding and after decoding, the entries with error levels greater than a first threshold indicating the computers which are behaving anomalously.

“8. A non-transitory computer-readable medium with an executable program stored thereon for detecting anomalous behavior of one or more computers in a large group of computers, wherein the program instructs a processing element of a computing device to perform the following: receiving log files including a plurality of entries of anomalous and non-anomalous data regarding connections between a plurality of computers belonging to an organization and a plurality of websites outside the organization, each entry being associated with one event of one of the plurality of computers and including a plurality of fields of data; determining a plurality of features, each feature including one field of data of the plurality of fields of data or a derivation from one or more fields of data of the plurality of fields of data; executing a first set of algorithms generating lists of features, each algorithm generating a list of features of the lists of features which include data indicative of anomalous computer behavior, with a first portion of the first set of algorithms receiving as input first data that occurred over a period of time for the plurality of features and a second portion of the first set of algorithms receiving as input second data regarding traffic between the plurality of computers and the plurality of websites, wherein the first portion is different from the second portion of the first set of algorithms and the first data is different from the second data; and executing a second set of algorithms, each algorithm generating a list of computers which are behaving anomalously, with a first portion of the second set of algorithms receiving as input third data from one of the lists of features and a second portion of the second set of algorithms receiving as input fourth data regarding traffic between the plurality of computers and the plurality of websites, wherein the first portion is different from the second portion of the second set of algorithms and the third data is different from the fourth data.

“9. The non-transitory computer-readable medium of claim 8, wherein the first set of algorithms includes a seasonal hybrid extreme studentized deviates algorithm and a breakout detection algorithm to determine features which include data recorded over a period of time and is indicative of anomalous computer behavior.

“10. The non-transitory computer-readable medium of claim 8, wherein the first set of algorithms includes creation of a plurality of traffic dispersion graphs to determine features which are derived from the graphs and include data that is indicative of anomalous computer behavior.

“11. The non-transitory computer-readable medium of claim 8, wherein the first set of algorithms includes a first autoencoder to determine a plurality of entries that include anomalous data and a random forest regressor to determine a ranking of the features from each entry.

“12. The non-transitory computer-readable medium of claim 8, wherein the second set of algorithms includes K-means clustering to determine a first group of computers exhibiting potentially anomalous behavior and a density-based spatial clustering of applications with noise algorithm to determine a second group of computers from within the first group of computers, the second group exhibiting anomalous behavior.

“13. The non-transitory computer-readable medium of claim 8, wherein the second set of algorithms includes creation of a plurality of egonet graphs followed by creation of a heavy vicinity plot and a dominant edge plot for each egonet graph to determine the computers which are behaving anomalously and include a second autoencoder to encode and decode the entries, each entry including only the portion of features, and to determine an error level between each entry before encoding and after decoding, the entries with error levels greater than a first threshold indicating the computers which are behaving anomalously.

“14. A computing device for detecting anomalous behavior of one or more computers in a large group of computers, the device comprising: a communication element configured to receive and transmit communications to and from a plurality of servers and computers within an organization; a memory element electronically coupled to the communication element, the memory element configured to store executable instructions; and a processing element electronically coupled to the communication element and the memory element, the processing element configured to: receive log files including a plurality of entries of anomalous and non-anomalous data regarding connections between a plurality of computers belonging to an organization and a plurality of websites outside the organization, each entry being associated with one event of one of the plurality of computers and including a plurality of fields of data; execute a first set of algorithms generating lists of features, each algorithm generating a list of features of the lists of features which include data indicative of anomalous computer behavior, with a first portion of the first set of algorithms receiving as input first data that occurred over a period of time for the plurality of features and a second portion of the first set of algorithms receiving as input second data regarding traffic between the plurality of computers and the plurality of websites, wherein the first portion is different from the second portion of the first set of algorithms and the first data is different from the second data; and execute a second set of algorithms, each algorithm generating a list of computers which are behaving anomalously, with a first portion of the second set of algorithms receiving as input third data from one of the lists of features and a second portion of the second set of algorithms receiving as input fourth data regarding traffic between plurality of computers and the plurality of websites, wherein the first portion is different from the second portion of the second set of algorithms and the third data is different from the fourth data.

“15. The computing device of claim 14, wherein the first set of algorithms includes a seasonal hybrid extreme studentized deviates algorithm and a breakout detection algorithm to determine features which include data recorded over a period of time and is indicative of anomalous computer behavior.

“16. The computing device of claim 14, wherein the first set of algorithms includes creation of a plurality of traffic dispersion graphs to determine features which are derived from the graphs and include data that is indicative of anomalous computer behavior.

“17. The computing device of claim 14, wherein the first set of algorithms includes a first autoencoder to determine a plurality of entries that include anomalous data and a random forest regressor to determine a ranking of the features from each entry.

“18. The computing device of claim 14, wherein the second set of algorithms includes K-means clustering to determine a first group of computers exhibiting potentially anomalous behavior and a density-based spatial clustering of applications with noise algorithm to determine a second group of computers from within the first group of computers, the second group exhibiting anomalous behavior.

“19. The computing device of claim 14, wherein the second set of algorithms includes creation of a plurality of egonet graphs followed by creation of a heavy vicinity plot and a dominant edge plot for each egonet graph to determine the computers which are behaving anomalously.

“20. The computing device of claim 14, wherein the second set of algorithms includes a second autoencoder to encode and decode the entries, each entry including only the portion of features, and to determine an error level between each entry before encoding and after decoding, the entries with error levels greater than a first threshold indicating the computers which are behaving anomalously.”
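The two-stage clustering named in claims 5, 12 and 18 (K-means to find a first group of potentially anomalous computers, then DBSCAN inside that group to find a second group) can be sketched as follows. This is an added illustration, not code from the patent or its inventors. The log layout, the two per-host features, the deterministic seeding, treating the smaller K-means cluster as the first group, treating DBSCAN noise points as the second group, and the `eps`/`min_pts` values are all assumptions.

```python
import math
from collections import defaultdict

def constructed_log():
    """Constructed proxy-log entries (host, domain, http_status); not real data."""
    rows = []
    def emit(host, n_domains, n_fail, total=20):
        for i in range(total):
            rows.append((host, f"d{i % n_domains}.example", 502 if i < n_fail else 200))
    for h in range(8):                       # typical workstations
        emit(f"ws{h:02d}", 4 + h % 2, 1)
    for h in range(4):                       # hosts that legitimately reach many sites
        emit(f"build{h}", 15 + h % 2, 9 + h % 2)
    emit("kiosk7", 16, 19)                   # nearly every request fails
    return rows

def host_features(rows):
    """Per host: (distinct domains, failed-request ratio), min-max scaled to [0, 1]."""
    domains, fails, total = defaultdict(set), defaultdict(int), defaultdict(int)
    for host, domain, status in rows:
        domains[host].add(domain)
        total[host] += 1
        fails[host] += status >= 400
    hosts = sorted(total)
    raw = [(len(domains[h]), fails[h] / total[h]) for h in hosts]
    cols = list(zip(*raw))
    lo = [min(c) for c in cols]
    span = [(max(c) - min(c)) or 1 for c in cols]   # avoid dividing by zero
    return hosts, [tuple((v - l) / s for v, l, s in zip(r, lo, span)) for r in raw]

def kmeans2(points):
    """2-means, seeded with the lowest and highest coordinate-sum points (assumption)."""
    cents = [min(points, key=sum), max(points, key=sum)]
    while True:
        labels = [min((0, 1), key=lambda c: math.dist(p, cents[c])) for p in points]
        new = []
        for c in (0, 1):
            members = [p for p, l in zip(points, labels) if l == c]
            new.append(tuple(sum(v) / len(members) for v in zip(*members))
                       if members else cents[c])
        if new == cents:
            return labels
        cents = new

def flag_hosts(rows, eps=0.25, min_pts=3):
    """Return (first group from K-means, second group from DBSCAN within it)."""
    hosts, pts = host_features(rows)
    labels = kmeans2(pts)
    minority = min((0, 1), key=labels.count)        # smaller cluster = first group
    first = [i for i, l in enumerate(labels) if l == minority]
    def neigh(i):
        return [j for j in first if math.dist(pts[i], pts[j]) <= eps]
    core = {i for i in first if len(neigh(i)) >= min_pts}
    # DBSCAN noise: neither a core point nor within eps of one.
    second = [i for i in first if i not in core and not core.intersection(neigh(i))]
    return sorted(hosts[i] for i in first), sorted(hosts[i] for i in second)

if __name__ == "__main__":
    print(flag_hosts(constructed_log()))
```

On the constructed data the four `build` hosts fall into the first group together with `kiosk7`, but only `kiosk7` is left isolated by the density step, which shows why the second stage narrows the first rather than repeating it.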

For the URL and additional information on this patent, see: Shah, Rajiv; Morrison, Shannon; Cunningham, Jeremy; Smith, Taylor; Sundararaman, Sripriya; Wan, Jing; Hevrin, Jeffrey; Duehr, Ronald; Sliz, Brad; Allen, Lucas. Detection Of Anomalous Computer Behavior. U.S. Patent Number 10,652,257, filed July 7, 2017, and published online on May 25, 2020. Patent URL: http://patft.uspto.gov/netacgi/nph-Parser?Sect1=PTO1&Sect2=HITOFF&d=PALL&p=1&u=%2Fnetahtml%2FPTO%2Fsrchnum.htm&r=1&f=G&l=50&s1=10,652,257.PN.&OS=PN/10,652,257RS=PN/10,652,257

(Our reports deliver fact-based news of research and discoveries from around the world.)
