Abstract: A computing device determines a peer group identifier and supplements netflow records with the peer group identifier. An authentication event block object is received that was sent to a first source window. The authentication event block object includes a user identifier, an IP address, and a peer group identifier. Members of the peer group are identified based on an expected network activity behavior. The user identifier and the peer group identifier are stored in association with the IP address in a cache. A netflow event block object sent to the first source window is received that includes a netflow packet IP address. Netflow data is parsed from the netflow event block object into a netflow record. When the stored IP address matches the netflow packet IP address, the netflow record is supplemented with the user identifier and the peer group identifier. The supplemented netflow record is output to summary data.

Abstract: A computing device determines a peer group identifier and supplements netflow records with the peer group identifier. An authentication event block object is received that was sent to a first source window. The authentication event block object includes a user identifier, an IP address, and a peer group identifier. Members of the peer group are identified based on an expected network activity behavior. The user identifier and the peer group identifier are stored in association with the IP address in a cache. A netflow event block object sent to the first source window is received that includes a netflow packet IP address. Netflow data is parsed from the netflow event block object into a netflow record. When the stored IP address matches the netflow packet IP address, the netflow record is supplemented with the user identifier and the peer group identifier. The supplemented netflow record is output to summary data.

Abstract: An authentication packet including a user identifier is received. The user identifier identifies a user of a second computing device being monitored by the first computing device. Authentication data is parsed from the authentication packet. A peer group identifier is determined that identifies a peer group to which the user is assigned. Members of the peer group are identified based on an expected network activity behavior. The authentication data and the peer group identifier are buffered into a first event block object and into a second event block object. The first event block object is sent to a first source window of an event stream processing engine (ESPE) that processes a netflow packet. The second event block object is sent to a second source window of the ESPE that processes the authentication packet. The first source window and the second source window are different source windows of the ESPE.

Abstract: An authentication packet including a user identifier is received. The user identifier identifies a user of a second computing device being monitored by the first computing device. Authentication data is parsed from the authentication packet. A peer group identifier is determined that identifies a peer group to which the user is assigned. Members of the peer group are identified based on an expected network activity behavior. The authentication data and the peer group identifier are buffered into a first event block object and into a second event block object. The first event block object is sent to a first source window of an event stream processing engine (ESPE) that processes a netflow packet. The second event block object is sent to a second source window of the ESPE that processes the authentication packet. The first source window and the second source window are different source windows of the ESPE.

Abstract: A computing device computes a risk score for a user using a device based on a peer group identifier. Network activity measures characterize use of the device by the user. For each unique peer group identifier included in netflow records, a mean value is computed of each network activity measure. For each unique IP address and user identifier combination included in the netflow records, the mean value of each network activity measure is selected for a peer group identifier of the user; a risk score is computed by comparing each network activity measure for the unique IP address and user identifier combination to the selected mean value for the respective network activity measure; and when the risk score exceeds a predefined alert threshold, a high risk alert indicator is set indicating that the device is being used in an anomalous manner relative to other devices monitored by the computing device.

Abstract: A computing device computes a risk score for a user using a device based on a peer group identifier. Network activity measures characterize use of the device by the user. For each unique peer group identifier included in netflow records, a mean value is computed of each network activity measure. For each unique IP address and user identifier combination included in the netflow records, the mean value of each network activity measure is selected for a peer group identifier of the user; a risk score is computed by comparing each network activity measure for the unique IP address and user identifier combination to the selected mean value for the respective network activity measure; and when the risk score exceeds a predefined alert threshold, a high risk alert indicator is set indicating that the device is being used in an anomalous manner relative to other devices monitored by the computing device.