Level of network suspicion detection
US-11190534-B1 · Nov 30, 2021 · US
US2022131890A1 · US · A1
| Field | Value |
|---|---|
| Publication number | US-2022131890-A1 |
| Application number | US-202117452186-A |
| Country | US |
| Kind code | A1 |
| Filing date | Oct 25, 2021 |
| Priority date | Oct 26, 2020 |
| Publication date | Apr 28, 2022 |
| Grant date | — |
Official abstract text for this publication.
This disclosure relates generally to a system and method for assessing insider influence on enterprise assets. Existing work focuses on the detection of insider threats and does not consider the influence of an insider on their peers and subordinates. The present disclosure aggregates and preprocesses enterprise data specific to individuals received from various sources, and then creates an enterprise graph between entities. A weight is calculated for every edge connecting two entities in the enterprise graph. Communities of individuals are detected, relevant insider(s) are identified, and the susceptibility of individuals to probable influence by the relevant insider(s) is calculated on the basis of the analysis scenario(s). The paths taken by the relevant insider(s) are calculated to estimate the probability of data loss. The present disclosure identifies the assets under possible threat from the relevant insider(s), obtains the cumulative risk associated with the enterprise, and generates an analysis report accordingly.
Opening claim text (preview).
What is claimed is:

1. A processor-implemented method, comprising: receiving, via one or more hardware processors, an enterprise data specific to one or more individuals associated with an enterprise from a plurality of sources, wherein the one or more individuals comprises of at least one of one or more vendors, one or more employees and one or more contractors associated with the enterprise; pre-processing, via the one or more hardware processors, the received enterprise data to obtain an intermediate common input representation; creating, via the one or more hardware processors, an enterprise graph between one or more entities from the obtained intermediate common input representation, wherein the one or more entities includes the one or more individuals and one or more assets associated with the enterprise, and wherein the enterprise graph includes a plurality of vertices consisting of the one or more entities associated with the enterprise in a present time period and a past time period, and a plurality of edges between the one or more entities and a plurality of attributes associated with the plurality of vertices and the plurality of edges; calculating, via the one or more hardware processors, a weight for each of the plurality of edges between any two connected entities based on a plurality of enterprise graph features and the plurality of attributes; detecting, via the one or more hardware processors, one or more communities of the one or more individuals by using a plurality of graph-based techniques based on the calculated weights of the plurality of edges; calculating, via the one or more hardware processors, a threshold behavior for the one or more individuals and the one or more detected communities within an observation window by applying a plurality of statistical methods based on the plurality of enterprise graph features and the plurality of attributes; performing, via the one or more hardware processors, a comparison of the threshold behavior of the one or more individuals calculated within the observation window with a current behavior of the one or more individuals to identify one or more potential insiders; performing, via the one or more hardware processors, a comparison of the current behavior of the one or more potential insiders and the current behavior of a plurality of individuals of the one or more detected communities to identify the one or more potential insiders as one or more relevant insiders; calculating, via the one or more hardware processors, a susceptibility of the plurality of individuals for probable influence by the one or more relevant insiders based on an analysis of a plurality of scenarios, wherein the plurality of scenarios includes hierarchy exploitation, relationship exploitation and mixed mode; calculating, via the one or more hardware processors, a plurality of paths taken by the one or more relevant insiders based on the calculated susceptibility of the plurality of individuals; and performing, via the one or more hardware processors, an analysis of the calculated paths to obtain a probability score indicative of a probable data loss.

2. The processor implemented method of claim 1, wherein the plurality of attributes comprises attributes specific to (i) the one or more assets and (ii) the one or more individuals associated with the enterprise.

3. The processor implemented method of claim 1, further comprising identifying at least a subset of one or more impacting assets from the one or more assets based on the probable data loss.

4. The processor implemented method of claim 3, further comprising estimating risk associated with the one or more impacting assets and obtaining cumulative risk associated with the enterprise based on the probable data loss.

5. The processor implemented method of claim 1, generating an analysis report comprising at least one of: the information of the one or more relevant insiders, the plurality of individuals affected by the one or more relevant insiders, the paths taken by the one or more relevant insiders to influence the plurality of individuals, the susceptibility of the plurality of individuals for probable influence by the one or more relevant insiders, the probability of data loss, the impacting one or more assets and the estimated risk.

6. A system, comprising: a memory storing instructions; one or more communication interfaces; and one or more hardware processors coupled to the memory via the one or more communication interfaces, wherein the one or more hardware processors are configured by the instructions to: receive an enterprise data specific to one or more individuals associated with an enterprise from a plurality of sources, wherein the one or more individuals comprises of at least one of one or more vendors, one or more employees and one or more contractors associated with the enterprise; pre-process the received enterprise data to obtain an intermediate common input representation; create an enterprise graph between one or more entities from the obtained intermediate common input representation, wherein the one or more entities includes the one or more individuals and one or more assets associated with the enterprise, and wherein the enterprise graph includes a plurality of vertices consisting of the one or more entities associated with the enterprise in a present time period and a past time period, and a plurality of edges between the one or more entities and a plurality of attributes associated with the plurality of vertices and the plurality of edges; calculate a weight for each of the plurality of edges between any two connected entities based on a plurality of enterprise graph features and the plurality of attributes; detect one or more communities of the one or more individuals by using a plurality of graph-based techniques based on the calculated weights of the plurality of edges; calculate a threshold behavior for the one or more individuals and the one or more detected communities within an observation window by applying a plurality of statistical methods based on the plurality of enterprise graph features and the plurality of attributes; perform a comparison of the threshold behavior of the one or more individuals calculated within the observation window with a current behavior of the one or more individuals to identify one or more potential insiders; perform a comparison of the current behavior of the one or more potential insiders and the current behavior of a plurality of individuals of the one or more detected communities to identify the one or more potential insiders as one or more relevant insiders; calculate a susceptibility of the plurality of individuals for probable influence by the one or more relevant insiders based on an analysis of a plurality of scenarios, wherein the plurality of scenarios includes hierarchy exploitation, relationship exploitation and mixed mode; calculate a plurality of paths taken by the one or more relevant insiders based on the calculated susceptibility of the plurality of individuals; and perform an analysis of the calculated paths to obtain a probability score indicative of a probable data loss.

7. The system of claim 6, wherein the plurality of attributes comprises attributes specific to (i) the one or more assets and (ii) the one or more individuals associated with the enterprise.

8. The system of claim 6, wherein the one or more hardware processors are further configured to identify at least a subset of one or more impacting assets from the one or more assets based on the probable data loss.

9. The system of claim 8, wherein the one or more hardware processors are further configured to estimate risk associated with the one or more impacting
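The abstract and claim 1 describe a pipeline (enterprise graph, edge weights, community detection, threshold behaviour within an observation window, relevant-insider selection against the community, scenario-based susceptibility, influence paths, data-loss probability and cumulative risk) but name no concrete formulas. The following Python is an added toy implementation of that pipeline, not code from the patent or its assignee. Every scoring rule in it (the 0.7/0.3 edge-weight mix, mean plus two standard deviations as the threshold behaviour, the 2x community median for relevance, the 0.9/0.5 hierarchy scores, the noisy-OR "mixed mode", single-hop influence paths) is an assumption chosen for illustration, and the six-person organisation, its interactions and asset accesses are constructed sample data.

```python
"""Toy end-to-end run of the insider-influence pipeline described in the claims.
All data is constructed; every scoring rule is an illustrative assumption, not the patent's."""
from collections import defaultdict
from statistics import mean, median, pstdev

# --- Constructed enterprise data (assumption: six people, three assets) ---
MANAGER = {"bob": "alice", "carol": "alice", "dave": "bob", "erin": "bob", "frank": "carol"}
ASSET_VALUE = {"hr_db": 5.0, "src_repo": 8.0, "wiki": 1.0}            # relative asset value
ACCESS_PAST = {                                   # daily asset-access counts over the observation window
    "alice": [2, 3, 2, 3, 2], "bob": [4, 3, 4, 5, 4], "carol": [1, 1, 2, 1, 1],
    "dave": [2, 2, 3, 2, 2], "erin": [1, 2, 1, 1, 2], "frank": [1, 1, 1, 1, 1]}
ACCESS_NOW = {"alice": 3, "bob": 12, "carol": 1, "dave": 2, "erin": 2, "frank": 1}  # current period
INTERACTIONS = [("alice", "bob", 8), ("alice", "carol", 6), ("bob", "dave", 9),
                ("bob", "erin", 7), ("dave", "erin", 5), ("carol", "frank", 8)]    # message counts
ASSET_ACCESS = {"bob": ["wiki"], "dave": ["src_repo"], "erin": ["hr_db"], "frank": ["hr_db", "wiki"]}
PEOPLE = sorted(ACCESS_PAST)

def build_graph():
    """Edge weight = 0.7 * normalised interaction count + 0.3 if one manages the other (assumed formula)."""
    top = max(c for _, _, c in INTERACTIONS)
    weights = {}
    for a, b, c in INTERACTIONS:
        hier = 0.3 if MANAGER.get(a) == b or MANAGER.get(b) == a else 0.0
        weights[frozenset((a, b))] = 0.7 * c / top + hier
    return weights

def detect_communities(weights, rounds=20):
    """Weighted label propagation: each node adopts the label with the largest summed edge weight."""
    label = {p: p for p in PEOPLE}
    for _ in range(rounds):
        changed = False
        for p in PEOPLE:
            score = defaultdict(float)
            for q in PEOPLE:
                wt = weights.get(frozenset((p, q)), 0.0)
                if wt:
                    score[label[q]] += wt
            if score:
                best = max(sorted(score), key=score.get)   # ties resolve to the smallest label
                changed |= best != label[p]
                label[p] = best
        if not changed:
            break
    groups = defaultdict(set)
    for p, lbl in label.items():
        groups[lbl].add(p)
    return sorted(groups.values(), key=sorted)

def potential_insiders(k=2.0):
    """Threshold behaviour = mean + k*stddev of past daily counts; exceeding it now flags the person."""
    return [p for p in PEOPLE if ACCESS_NOW[p] > mean(ACCESS_PAST[p]) + k * pstdev(ACCESS_PAST[p])]

def relevant_insiders(communities, factor=2.0):
    """Keep a potential insider only if it also stands out from its own community's current behaviour."""
    out = []
    for p in potential_insiders():
        peers = [q for c in communities if p in c for q in c if q != p]
        if peers and ACCESS_NOW[p] >= factor * median(ACCESS_NOW[q] for q in peers):
            out.append(p)
    return out

def chain(p):
    """Management chain above p, nearest manager first."""
    out = []
    while p in MANAGER:
        p = MANAGER[p]
        out.append(p)
    return out

def susceptibility(insider, target, weights, scenario="mixed"):
    """Hierarchy: insider manages target (0.9 direct, 0.5 indirect). Relationship: edge weight. Mixed: noisy-OR."""
    up = chain(target)
    h = 0.9 if up[:1] == [insider] else 0.5 if insider in up else 0.0
    r = weights.get(frozenset((insider, target)), 0.0)
    return {"hierarchy": h, "relationship": r, "mixed": 1 - (1 - h) * (1 - r)}[scenario]

def influence_paths(insider, weights, scenario="mixed", min_s=0.5):
    """Paths insider -> asset (direct) and insider -> influenced person -> asset, each with a probability."""
    paths = [((insider, a), 1.0) for a in ASSET_ACCESS.get(insider, [])]
    for t in PEOPLE:
        if t == insider:
            continue
        s = susceptibility(insider, t, weights, scenario)
        if s >= min_s:
            paths += [((insider, t, a), s) for a in ASSET_ACCESS.get(t, [])]
    return paths

def assess(scenario="mixed"):
    """Run the whole pipeline; returns per-asset loss probability and the enterprise's cumulative risk."""
    weights = build_graph()
    comms = detect_communities(weights)
    insiders = relevant_insiders(comms)
    no_loss = defaultdict(lambda: 1.0)                # P(no loss) per asset, combined across all paths
    for ins in insiders:
        for path, p in influence_paths(ins, weights, scenario):
            no_loss[path[-1]] *= 1 - p
    loss = {a: 1 - no_loss[a] for a in ASSET_VALUE}
    risk = sum(ASSET_VALUE[a] * loss[a] for a in loss)
    return {"communities": comms, "insiders": insiders, "loss": loss, "cumulative_risk": risk}

if __name__ == "__main__":
    print(assess())
```

On the sample data only "bob" exceeds his own threshold behaviour (12 accesses against a window mean of 4) and also sits far above his community's current median, so he is the one relevant insider; under the mixed scenario his direct reports "dave" and "erin" are highly susceptible, which exposes src_repo and hr_db in addition to the wiki he touches himself, while "frank" (a different community, no reporting line) contributes nothing. Switching the scenario to "hierarchy" or "relationship" changes the per-asset probabilities without changing the insider set, which is the separation of concerns the claims describe.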
Assessing vulnerabilities and evaluating computer system security · CPC title
Traffic logging, e.g. anomaly detection · CPC title
Vulnerability analysis · CPC title
involving long-term monitoring or reporting · CPC title
Entity profiles · CPC title