Computer networks are essential modern business and enterprise tools. Networked computers facilitate global commerce and allow people all over the world to collaborate on work, be entertained, and control important aspects of society's technical infrastructure. It is extremely important that computer networks be secure so as to prevent unauthorized use of computers and communications pathways (such as the public Internet and private communication links), which can result in malicious, harmful, or disruptive actions.
Some network security approaches are known in the art. For example, firewalls provide basic protection from unwanted outside access to a computer network. As other examples, U.S. Pat. Nos. 7,185,368, 7,290,283, 7,457,426, 7,512,980, 7,644,151, 7,886,358, and 7,895,326, all of which are owned by the assignee of the present invention(s), provide for various network security, monitoring, and control functions, including flow-based network intrusion detection and monitoring, network port profiling, packet-sampling flow-based detection of network intrusions, and network service zone locking Other examples of network security technologies include malware/malicious software detection, prevention, and removal; internal access control; routing limitations; bot detection and tracking; packet tracing; denial of service (DOS) detection and prevention; and others.
In addition to network security functions such as those described above, there is a need to monitor behaviors of computers, networks, and individuals using computers and networks (all of which are “resources”) for activity that might signify unauthorized attempts to access controlled resources, hijacking of a resource such as occurs with certain malware, or simply, bad behavior of a disgruntled employee who acts out of normal character. In order to detect so-called “bad” behavior, the person's (or resource's) normal behavior must be observed and cataloged so that unusual behavior, or “anomalies” in behavior, can he detected.
Given the mobility and geographic dispersal of the modem workforce as well as the proliferation of cloud services and on-demand computing, it is difficult to accurately detect anomalies based on the data from a single observation point. Therefore, there is a need for improved computer resource anomaly detection, reporting, and handling, to which aspects and embodiments of the present invention(s) are directed.