Providing contextual forensic data for user activity-related security incidents

US11979424B2 · US · B2

Patent metadata
Publication number: US-11979424-B2
Application number: US-201916425098-A
Country: US
Kind code: B2
Filing date: May 29, 2019
Priority date: May 29, 2019
Publication date: May 7, 2024
Grant date: May 7, 2024

How to read this patent

A practical reading order for non-experts. Skip the full description unless you need deep technical detail.

  1. Title

    What the patent document calls the invention.

  2. Abstract

    A short plain-language summary of the technical disclosure.

  3. Assignees and inventors

    Who owns or filed the patent and who is credited as inventor.

  4. Key dates

    Filing, priority, publication, and grant dates set the timeline.

  5. First independent claim

    The legal scope of protection — read this for what is actually claimed.

  6. CPC / IPC classifications

    Technology tags used to group this patent with similar filings.

  7. Citations and related patents

    Prior art links and similar publications in this corpus.

Abstract

Official abstract text for this publication.

Techniques for providing contextual forensic data based on user activities. A first method includes identifying a user action in user activity data, wherein the user action is a discrete event initiated by a user, wherein the user action is performed with respect to a portion of a system; and correlating the identified user action with at least one system change, wherein the at least one system change is related to the portion of the system, wherein the at least one system change occurred after the user action. A second method includes taking a first snapshot before a user action occurs, wherein the user action is a discrete event initiated by a user, wherein the first snapshot is taken of at least a portion of a system; and taking a second snapshot after the user action occurs, wherein the second snapshot is taken of the at least a portion of the system.
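The abstract's first method (correlating a user action with later system changes, then attributing a vulnerability to it) as an added Python example. This is not Twistlock's code and not the patent's disclosed implementation; the event records, the 60-second threshold, the "portion" label and the correlation rule (a change is tied to the latest earlier action on the same portion if it falls within the threshold or before the next user action, mirroring the two alternatives in claim 4) are assumptions constructed for illustration.

```python
"""Correlating user actions with later system changes and attributing a detected
vulnerability to the causing action. Added illustration with constructed data,
not Twistlock's implementation."""
from dataclasses import dataclass


@dataclass(frozen=True)
class UserAction:
    t: float          # seconds since epoch (constructed sample timestamps)
    user: str
    portion: str      # the part of the system acted on, e.g. a container name
    action: str


@dataclass(frozen=True)
class SystemChange:
    t: float
    portion: str
    change: str


@dataclass(frozen=True)
class Vulnerability:
    detected_at: float
    portion: str
    name: str


def correlate(actions, changes, threshold):
    """Map each system change to the latest earlier user action on the same portion,
    provided the change came within `threshold` seconds of that action or before the
    next user action in the activity data. Changes with no qualifying action are left
    unattributed rather than guessed at."""
    actions = sorted(actions, key=lambda a: a.t)
    correlated = {}
    for ch in sorted(changes, key=lambda c: c.t):
        prior = [a for a in actions if a.t <= ch.t and a.portion == ch.portion]
        if not prior:
            continue
        act = prior[-1]
        later = [a for a in actions if a.t > act.t]
        before_next = not later or ch.t < later[0].t
        if ch.t - act.t <= threshold or before_next:
            correlated[ch] = act
    return correlated


def attribute(vuln, changes, correlated):
    """Pick the most recent correlated change to the vulnerable portion that precedes
    detection; return the causing action, the user, and the exposure window
    (time of the action to time of detection). None if nothing qualifies."""
    related = [c for c in sorted(changes, key=lambda c: c.t)
               if c.portion == vuln.portion and c.t <= vuln.detected_at and c in correlated]
    if not related:
        return None
    act = correlated[related[-1]]
    return {"cause": act.action, "user": act.user,
            "exposed_from": act.t, "exposed_until": vuln.detected_at}


# Constructed sample: two admins running commands in two containers, plus one change
# (a cron process) that followed no nearby user action and must stay unattributed.
ACTIONS = [
    UserAction(100.0, "alice", "web", "exec chmod 0777 /app/config.yaml"),
    UserAction(130.0, "bob", "db", "exec apt-get install curl"),
    UserAction(400.0, "alice", "web", "exec cat /var/log/app.log"),
]
CHANGES = [
    SystemChange(105.0, "web", "mode /app/config.yaml 0644 -> 0777"),
    SystemChange(131.0, "db", "package curl installed"),
    SystemChange(350.0, "web", "process cron started"),
]
VULN = Vulnerability(500.0, "web", "world-writable application config")

if __name__ == "__main__":
    corr = correlate(ACTIONS, CHANGES, threshold=60)
    print(attribute(VULN, CHANGES, corr))
```

With the sample data the cron change at t=350 is neither within the threshold of alice's action at t=100 nor before bob's action at t=130, so it is not attributed to anyone; the config mode change at t=105 is, which is what lets the vulnerability detected at t=500 be traced to alice with an exposure window of 100 to 500.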

First claim

Opening claim text (preview).

What is claimed is:

1. A method comprising: detecting a vulnerability of a system; identifying a change to a first portion of the system, wherein the first portion of the system is related to the vulnerability; obtaining user activity data comprising data of user actions corresponding to discrete events initiated by a user, wherein the user actions are performed by the user with respect to the system; analyzing correlations between the user activity data and system change data, wherein the system change data comprise data collected from the system that indicate changes to the system; based on analyzing the correlations, determining that a first user action identified in the user activity data is correlated with the change to the first portion of the system, wherein the change occurred after the first user action; and determining, based on the correlation between the first user action and the change to the first portion of the system, that the first user action caused the vulnerability.

2. The method of claim 1, further comprising: determining at least one of a user that caused the vulnerability based on the user performing the first user action and a time period during which the vulnerability affected the first portion of the system based on a time of the first user action and a time of detection of the vulnerability.

3. The method of claim 1 further comprising tracking sequences of processes of the system and identifying the first user action as beginning a first of the sequences of processes.

4. The method of claim 1, wherein determining that the first user action is correlated with the change to the first portion of the system comprises determining that the first user action is correlated with the change based on the change occurring within a threshold period of time relative to the first user action or the change occurring prior to a next user action identified in the user activity data.

5. A non-transitory computer readable medium having stored thereon instructions for causing a processing circuitry to: detect a vulnerability of a system; identify a change to a first portion of the system, wherein the first portion of the system is related to the vulnerability; obtain user activity data comprising data of user actions corresponding to discrete events initiated by a user, wherein the user actions are performed by the user with respect to the system; analyzing correlations between the user activity data and system change data, wherein the system change data comprise data collected from the system that indicate changes to the system; based on the analysis of the correlations, determine that a first user action identified in the user activity data is correlated with the change to the first portion of the system, wherein the change occurred after the first user action; and determine, based on the correlation between the first user action and the change to the first portion of the system, that the first user action caused the vulnerability.

6. The non-transitory computer readable medium of claim 5, further comprising instructions to determine at least one of a user that caused the vulnerability and based on the user performing the first user action and a time period during which the vulnerability affected the first portion of the system based on a time of the first user action and a time of detection of the vulnerability.

7. The non-transitory computer readable medium of claim 5, wherein the instructions to determine that the first user action is correlated with the change to the first portion of the system comprise instructions to determine that the first user action is correlated with the change based on the change occurring within a threshold period of time relative to the first user action or the change occurring prior to a next user action identified in the user activity data.

8. A first system, comprising: a processing circuitry; and a memory, the memory containing instructions that, when executed by the processing circuitry, cause the first system to: detect a vulnerability of a second system; identify a change to a first portion of the second system, wherein the first portion of the second system is related to the vulnerability; obtain user activity data comprising data of user actions corresponding to discrete events initiated by a user, wherein the user actions are performed by the user with respect to the second system; analyze correlations between the user activity data and system change data, wherein the system change data comprise data collected from the second system that indicate changes to the second system; determine, based on the analysis of the correlations, that a first user action identified in the user activity data is correlated with the change to the first portion of the second system, wherein the change occurred after the first user action; and determine, based on the correlation between first user action and the change to the first portion of the second system, that the first user action caused the vulnerability.

9. The first system of claim 8, further comprising instructions that, when executed by the processing circuitry, cause the first system to: determine at least one of a user that caused the vulnerability based on the user performing the first user action and a time period during which the vulnerability affected the first portion of the second system based on a time of the first user action and a time of detection of the vulnerability.

10. The first system of claim 8 further comprising instructions that, when executed by the processing circuitry, cause the first system to track sequences of processes of the second system and identify the first user action as beginning a first of the sequences of processes.

11. The first system of claim 8, wherein the instructions that, when executed by the processing circuitry, cause the first system to determine that the first user action is correlated with the change to the first portion of the second system comprise instructions that, when executed by the processing circuitry, cause the first system to determine that the first user action is correlated with the change based on the change occurring within a threshold period of time relative to the first user action or the change occurring prior to a next user action identified in the user activity data.

12. A method comprising: installing a hook to a system that delays occurrence of a predefined set of user actions until a snapshot has been taken, wherein actions in the predefined set of user actions comprise those that cause changes to the system; based on detecting an attempt by a user to perform a first user action in the predefined set of user actions that is caught by the hook, delay the first user action, wherein detection of the attempt to perform the first user action is based on the hook catching the first user action; taking a first snapshot of a portion of the system while the first user action is delayed; allowing the first user action to proceed after taking the first snapshot; and taking a second snapshot of the portion of the system after the first user action occurs.

13. The method of claim 12 further comprising, based on detecting an attempt by a user to perform a second user action that is not in the predefined set of user actions, allowing the second user action to occur without snapshotting.

14. The method of claim 12, wherein each user action indicated in the predefined set of user actions is a discrete user action that will cause a change to the system.

15. A non-transitory computer readable medium having stored thereon instructions for caus
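The hook-and-snapshot procedure of claims 12 to 14, as an added Python example rather than the patent's own code. It installs wrappers around a constructed predefined set of change-causing calls in Python's os module (chmod, remove and rename are assumptions standing in for whatever set a real deployment would choose), delays each call until a snapshot of a watched directory is taken, lets the call proceed, takes a second snapshot, and records the difference as forensic context. A read, which is not in the set, passes through without snapshotting, as claim 13 describes. The directory, file, user name and snapshot format (mode plus truncated SHA-256 per file) are all constructed for the demonstration.

```python
"""Hook a predefined set of change-causing calls, snapshot before and after each.
Added illustration, not the patent's implementation; paths and data are constructed."""
import functools
import hashlib
import os
import tempfile
from pathlib import Path

# Constructed predefined set (claim 12/14): os functions that change the watched portion.
HOOKED_CALLS = ("chmod", "remove", "rename")


def snapshot(root):
    """Snapshot of one portion of the system: {relative path: (mode, sha256 prefix)}."""
    snap = {}
    for p in sorted(Path(root).rglob("*")):
        if p.is_file():
            st = p.stat()
            digest = hashlib.sha256(p.read_bytes()).hexdigest()[:16]
            snap[str(p.relative_to(root))] = (oct(st.st_mode & 0o777), digest)
    return snap


def diff(before, after):
    """Entries that changed, appeared (before=None) or disappeared (after=None)."""
    return {k: (before.get(k), after.get(k))
            for k in set(before) | set(after) if before.get(k) != after.get(k)}


class SnapshotHook:
    """Wraps each hooked os call so the user action is delayed until the first
    snapshot is taken, then allowed, then followed by a second snapshot."""

    def __init__(self, root, user):
        self.root, self.user = root, user
        self.records = []        # one entry per hooked action: the forensic context
        self._orig = {}

    def install(self):
        for name in HOOKED_CALLS:
            orig = getattr(os, name)
            self._orig[name] = orig
            setattr(os, name, self._wrap(name, orig))

    def uninstall(self):
        for name, orig in self._orig.items():
            setattr(os, name, orig)
        self._orig.clear()

    def _wrap(self, name, orig):
        @functools.wraps(orig)
        def hooked(*args, **kwargs):
            before = snapshot(self.root)        # action is held until this completes
            result = orig(*args, **kwargs)      # then the action proceeds
            after = snapshot(self.root)
            self.records.append({"user": self.user, "action": f"{name}{args}",
                                 "diff": diff(before, after)})
            return result
        return hooked


def demo():
    """Constructed scenario: a read (not hooked), a chmod to 0777, then a delete."""
    with tempfile.TemporaryDirectory() as d:
        cfg = os.path.join(d, "config.yaml")
        with open(cfg, "w") as f:
            f.write("debug: false\n")
        os.chmod(cfg, 0o644)                 # before the hook exists: not recorded
        hook = SnapshotHook(d, "alice")
        hook.install()
        try:
            with open(cfg) as f:             # not in the predefined set: no snapshot
                f.read()
            os.chmod(cfg, 0o777)             # hooked: snapshot, chmod, snapshot
            os.remove(cfg)                   # hooked: snapshot, remove, snapshot
        finally:
            hook.uninstall()
        return hook.records


if __name__ == "__main__":
    for rec in demo():
        print(rec["user"], rec["action"], rec["diff"])
```

The interesting property is in the second record: because the snapshot is taken while the action is held, the pre-deletion mode and content hash of config.yaml survive even though the file itself does not, which is exactly the context an investigator lacks when only post-hoc state is available.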

Assignees

Twistlock Ltd

Inventors

Classifications

  • Vulnerability analysis · CPC title

  • Traffic logging, e.g. anomaly detection · CPC title

  • G06F21/552 (primary) · involving long-term monitoring or reporting · CPC title

  • involving event detection and direct action · CPC title

  • Assessing vulnerabilities and evaluating computer system security · CPC title

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US11979424B2 cover?
Techniques for providing contextual forensic data based on user activities. A first method includes identifying a user action in user activity data, wherein the user action is a discrete event initiated by a user, wherein the user action is performed with respect to a portion of a system; and correlating the identified user action with at least one system change, wherein the at least one system…
Who is the assignee on this patent?
Twistlock Ltd
What technology area does this patent fall under?
Primary CPC classification H04L63/1433. Mapped technology areas include Electricity.
When was this patent published?
Publication date May 7, 2024 (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 5 related publications on this page (citations in our corpus or others sharing the same primary CPC).