The present invention, in some embodiments thereof, relates to detecting anomalous network addresses in a group of network addresses, and, more specifically, but not exclusively, to detecting anomalous events in models represented by tree data structures.
Network behavior anomaly detection is an approach to network security threat detection. Anomaly detection is based on continuous monitoring of a network for unusual events or trends. Many security monitoring systems utilize a signature-based approach to detect threats. In contrast, anomaly detection monitors network characteristics, user activity and other parameters, and generates an alarm if a strange event or trend is detected that could indicate the presence of a threat. In order to effectively implement anomaly detection, a model of normal activity must first be learned. Once the model is learned, new activities which are not consistent with the model may be flagged as anomalous. For example, access to or from a given network address may be considered a new activity which is analyzed for anomaly with regard to previous accesses from/to the given network address.
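The learn-then-flag cycle described above can be illustrated with a small tree-based model. The following is an added example and is not code from the patent or any implementation it describes: it learns a binary prefix tree from a constructed baseline of observed IP addresses, then scores a new address by how many leading bits of it were seen during the learning phase and how many baseline addresses share that prefix. The threshold `min_prefix`, the `BASELINE` list, and all function names are assumptions chosen for the illustration.

```python
import ipaddress


class Node:
    """One node of a binary prefix tree; `count` is how many baseline addresses passed through it."""
    __slots__ = ("count", "children")

    def __init__(self):
        self.count = 0
        self.children = {}


def _bits(addr):
    """Return (ip_version, fixed-width bit string) for an IPv4 or IPv6 address."""
    ip = ipaddress.ip_address(addr)
    return ip.version, format(int(ip), "0{}b".format(ip.max_prefixlen))


def build_model(addresses):
    """Learning phase: build one prefix tree per IP version from the observed addresses."""
    roots = {}
    for addr in addresses:
        version, bits = _bits(addr)
        node = roots.setdefault(version, Node())
        node.count += 1
        for b in bits:
            node = node.children.setdefault(b, Node())
            node.count += 1
    return roots


def matched_prefix(roots, addr):
    """Length (in bits) of the longest prefix of `addr` seen in training, and how many
    baseline addresses share that prefix. (0, 0) means nothing of this version was learned."""
    version, bits = _bits(addr)
    node = roots.get(version)
    if node is None:
        return 0, 0
    depth = 0
    for b in bits:
        nxt = node.children.get(b)
        if nxt is None:
            break
        node = nxt
        depth += 1
    return depth, node.count


def is_anomalous(roots, addr, min_prefix=24):
    """Detection phase: flag an address whose longest known prefix is shorter than `min_prefix` bits.
    The threshold is an assumed tuning parameter, not a value from the source text."""
    depth, _ = matched_prefix(roots, addr)
    return depth < min_prefix


# Constructed baseline: addresses observed during the learning phase (not real traffic).
BASELINE = ["10.1.2.10", "10.1.2.11", "10.1.2.12", "192.168.5.20", "192.168.5.21"]
MODEL = build_model(BASELINE)

if __name__ == "__main__":
    for candidate in ["10.1.2.77", "10.1.9.5", "203.0.113.9"]:
        depth, support = matched_prefix(MODEL, candidate)
        print("%-12s prefix_bits=%2d support=%d anomalous=%s"
              % (candidate, depth, support, is_anomalous(MODEL, candidate)))
```

An address inside a learned /24 (`10.1.2.77`) matches 25 leading bits and is accepted, while one from a network never seen (`203.0.113.9`) shares only 4 bits with the baseline and is flagged. Keeping a count per node lets a deployment also weigh how much support a prefix has, so a prefix seen once is treated differently from one seen thousands of times.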