Dynamic detection of abnormal network activity
Assignee
Amazon Technologies, Inc.
Inventors
Catherine Watkins, Wayne Alan Fullen, Jared Sylvester, Patrick Collard, Evripidis Paraskevas, Jacob Nguyen, John Paul Schweitzer, Luke Kenneth Schubert, Michael Lowney, Parnavi Tamhankar, Stephen Goodman, William Kupersanin, Ravi Karnam, Sai Srinivas Vemula, Sameer Anil Murudkar
Abstract
Approaches presented herein relate to the monitoring of network traffic, and identification of potentially malicious behavior, in a networked resource environment. Values for key features of interest can be extracted from monitored network traffic. This data can be aggregated for one or more data dimensions, such as for a given region, and modeling can be performed to generate distributions for those values in that region. A threshold can be applied to this distribution to identify anomalous activity, where the same threshold can be applied to distributions for different regions and the values that meet or exceed that threshold will differ across regions based at least in part upon different levels of activity or different behavior. Such an approach scales with changes in the amount or type of traffic to be monitored, and can handle very large numbers of resources and volumes of traffic. If potentially malicious behavior is identified, one or more remedial or mitigation actions may be taken.
CPC Classifications
Filing Date
2022-12-16
Application No.
18083293
Claims
20
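The abstract's idea of applying one shared threshold to per-region distributions, as an added example that is not taken from the patent or from the assignee's code. It assumes the threshold is a percentile of each region's empirical distribution (nearest-rank); the region names, hosts and feature values are constructed.

```python
from collections import defaultdict

SHARED_PERCENTILE = 95  # assumption: the common threshold is a percentile

def region_cutoffs(baseline, pct=SHARED_PERCENTILE, min_samples=10):
    """Aggregate (region, value) records by region and return, per region,
    the value found at percentile `pct` of that region's own distribution."""
    by_region = defaultdict(list)
    for region, value in baseline:
        by_region[region].append(value)
    cutoffs = {}
    for region, values in by_region.items():
        if len(values) < min_samples:
            continue  # too little history to model this region
        values.sort()
        rank = max(1, -(-pct * len(values) // 100))  # nearest-rank, integer ceil
        cutoffs[region] = values[rank - 1]
    return cutoffs

def flag_anomalies(observations, cutoffs):
    """Return observations whose value meets or exceeds their region's cutoff.
    Regions without a modeled distribution are skipped, not flagged."""
    flagged = []
    for region, source, value in observations:
        cutoff = cutoffs.get(region)
        if cutoff is not None and value >= cutoff:
            flagged.append((region, source, value))
    return flagged

# Constructed baseline: a busy region and a quiet one (feature: connections/min).
BASELINE = [("region-a", 1000 + 10 * i) for i in range(20)] + \
           [("region-b", 50 + i) for i in range(20)]

# Constructed new observations: (region, source, connections/min).
OBSERVATIONS = [
    ("region-a", "host-1", 900),   # normal for the busy region
    ("region-b", "host-2", 900),   # same value, anomalous for the quiet region
    ("region-a", "host-3", 1185),
    ("region-b", "host-4", 60),
    ("region-c", "host-5", 5000),  # no baseline for this region yet
]

if __name__ == "__main__":
    cutoffs = region_cutoffs(BASELINE)
    print(cutoffs)
    print(flag_anomalies(OBSERVATIONS, cutoffs))
```

The same percentile yields different cutoffs per region, so a rate of 900 is flagged in the quiet region and not in the busy one.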