Connection-based network behavioral anomaly detection system and method

Abstract

Various embodiments of the present disclosure provide a system and method for detecting network connections having a plurality of interconnected network nodes; a connection-based behavioral anomaly detection device ('CBAD') connected to one of the plurality of network nodes such that the CBAD may observe data traffic flowing through at least one node of the plurality of network nodes; an application loaded onto a first node of the plurality of network nodes, the application initializing a connection from the first node to a second node of the plurality of network nodes; and a computer-readable storage device communicatively connected to the CBAD; wherein the application transmits a plurality of data packets from the first node to the second node of the plurality of network nodes; the CBAD observes at least one of the plurality of data packets exchanged between the first node and the second node; the CBAD extrapolates packet information from at least one of the plurality of data packets observed; and the extrapolated packet information is stored on the storage device. The present disclosure also provides a method and system for detecting connections within a network including observing a plurality of data packets transferred from an application loaded onto a first node to a second node of the plurality of interconnected network nodes; extrapolating packet information; and comparing the extrapolated data packets against historical data; wherein the CBAD is connected to at least one of the nodes; and the application initialized a connection with the second node.