AI-driven defensive penetration test analysis and recommendation system
US-2022201042-A1 · Jun 23, 2022 · US
US2024346158A1 · US · A1
| Field | Value |
|---|---|
| Publication number | US-2024346158-A1 |
| Application number | US-202318236464-A |
| Country | US |
| Kind code | A1 |
| Filing date | Aug 22, 2023 |
| Priority date | Apr 14, 2023 |
| Publication date | Oct 17, 2024 |
| Grant date | — |
Official abstract text for this publication.
To reduce a risk of detecting an access within a range of temporarily elevated access authority as an unauthorized access, an unauthorized access detection device stores elevated access management data related to an elevated access operation (an operation within a range of temporarily elevated access authority) performed on a system. An operation log source that is a source of an operation log is configured to accumulate operation logs of operations as the elevated access operation on the system, as well as operation logs of operations other than the elevated access operation. The unauthorized access detection device acquires an operation history (one or more operation logs) from the operation log source, and performs determination on whether a response is required that is a determination on whether an operation identified from the operation history is an operation as an unauthorized access not matching an operation identified from the elevated access management data.
Opening claim text (preview).
1. An unauthorized access detection device comprising: an interface device communicably connected to an operation log source; a storage device; and a processor connected to the interface device and the storage device, wherein the operation log source is a source of an operation log for an operation performed by a user on an operation target system, the processor is configured to store, in the storage device, elevated access management data that is data related to an elevated access operation performed on the operation target system, the elevated access operation is an operation within a range of temporarily elevated access authority, the operation log source is configured to accumulate operation logs of operations as the elevated access operation on the operation target system, as well as operation logs of operations other than the elevated access operation, the processor acquires an operation history that is one or more operation logs from the operation log source, and stores the operation history in the storage device, acquires the elevated access management data from the storage device, performs determination on whether a response is required that is a determination on whether an operation identified from the operation history is an operation as an unauthorized access not matching an operation identified from the elevated access management data, and provides a result of the determination on whether a response is required.

2. The unauthorized access detection device according to claim 1, wherein the elevated access management data includes data indicating at least one of a range of time at which the elevated access operation is performed, an account ID of a user that has performed the elevated access operation, an access source and an access destination as targets of the elevated access operation in the operation target system, and an event type corresponding to an operation as the elevated access operation, each of the one or more operation logs in the operation history includes data indicating at least one of a time point at which an operation is performed, an account ID of a user that has performed the operation, an access destination as an operation target in the operation target system, and an event type corresponding to the operation, the determination on whether a response is required includes at least one of comparison between a time indicated by the operation history and a time range indicated by the elevated access management data, comparison between an access source indicated by the operation history and an access source indicated by the elevated access management data, comparison between an access destination indicated by the operation history and an access destination indicated by the elevated access management data, comparison between an account ID indicated by the operation history and an account ID indicated by the elevated access management data, and comparison between an event type indicated by the operation history and an event type indicated by the elevated access management data, and the result of the determination on whether a response is required is a result indicating an unauthorized access in at least one case of: the time indicated by the operation history being time outside the time range, the account IDs not matching, no matching access destinations, and no matching event types.

3. The unauthorized access detection device according to claim 1, wherein the interface device is communicably connected to an event management system that detects a security event in real time, the processor receives event data that is data indicating the security event detected by the event management system through the interface device, and stores the event data in the storage device, acquires, as the operation history, one or more operation logs including an operation log of an operation corresponding to the security event indicated by the event data, from the operation log source, and associates the result of the determination on whether a response is required with the event data in the storage device.

4. The unauthorized access detection device according to claim 1, wherein the processor acquires an operation history from the operation log source periodically, or when a predetermined amount of operation logs or more is accumulated in the operation log source after an operation history has been acquired for previous determination on whether a response is required, and associates the result of the determination on whether a response is required with the operation log in the storage device.

5. The unauthorized access detection device according to claim 1, wherein a range of temporarily elevated access authority includes a role assigned and one or a plurality of actions that are associated with the role and each correspond to an event type, the elevated access management data includes data indicating an event type corresponding to an operation as the elevated access operation, an operation log includes data indicating an event type corresponding to an operation, the processor counts number of elevated access operations for each event type from the elevated access management data on one or a plurality of elevated access operations including a same role, and performs comparison between or provision of number of elevated access operations counted for each event type and an action within a range of the temporarily elevated access authority.

6. The unauthorized access detection device according to claim 1, wherein the result of the determination on whether a response is required is provided by providing a screen, and the screen is a screen that displays information indicating the result of the determination on whether a response is required, information indicating the operation history, and information indicated by the elevated access management data.

7. The unauthorized access detection device according to claim 1, wherein the storage device stores a plurality of workflows executed by the processor, the plurality of workflows include an elevated access workflow that is a workflow related to an elevated access operation and a determination workflow that is a workflow associated with the determination on whether a response is required, the processor is configured to store the elevated access management data in the storage device when executing the elevated access workflow, and the processor is configured to acquire and store the operation history, acquire the elevated access management data, perform the determination on whether a response is required, and provide the result of the determination on whether a response is required, when executing the determination workflow.

8. The unauthorized access detection device according to claim 1, wherein the operation target system is a system in a cloud environment, and is a system including one or a plurality of cloud computing services.

9. An unauthorized access detection method comprising: by a computer, storing, in a storage device, elevated access management data that is data related to an elevated access operation performed on an operation target system by a user, the elevated access operation being an operation within a range of temporarily elevated access authority, an operation log source that is a source of an operation log for an operation performed by the user on the operation target system being configured to accumulate operation logs of operations as the elevated access operation on the operation target system, as well as operation logs of operations other than the elevated access operation; by a computer, acquiring an operation history that is one or more operation logs from the operation log source, and st
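The "determination on whether a response is required" of claims 1 and 2, as an added example that is not code from the patent: each operation log is compared against the stored elevated access management records on account ID, time range, access source, access destination and event type, and a log that matches no record is flagged with the comparisons that failed. The record and log field names, the rule of reporting the failures against the closest record, and all sample data are assumptions of this example.

```python
from dataclasses import dataclass
from datetime import datetime
@dataclass
class ElevatedAccess:  # one elevated access management record (claim 2); field names assumed
    account_id: str
    start: datetime
    end: datetime
    sources: frozenset
    destinations: frozenset
    event_types: frozenset
@dataclass
class OperationLog:  # one operation log entry from the operation log source; field names assumed
    time: datetime
    account_id: str
    source: str
    destination: str
    event_type: str
def mismatches(log, grant):
    """Claim-2 comparisons of one log against one record; returns the ones that fail."""
    reasons = []
    if log.account_id != grant.account_id:
        reasons.append("account ID")
    if not grant.start <= log.time <= grant.end:
        reasons.append("time outside range")
    if log.source not in grant.sources:
        reasons.append("access source")
    if log.destination not in grant.destinations:
        reasons.append("access destination")
    if log.event_type not in grant.event_types:
        reasons.append("event type")
    return reasons

def response_required(history, grants):
    """Per log, (log, reasons): empty reasons = matches some record, no response needed;
    otherwise the failed comparisons against the closest record (or a placeholder if none)."""
    results = []
    for log in history:
        per_record = [mismatches(log, g) for g in grants] or [["no elevated access record"]]
        results.append((log, min(per_record, key=len)))
    return results

# Constructed sample data: one temporary grant for "alice" and four operation logs.
T = datetime.fromisoformat
GRANTS = [ElevatedAccess("alice", T("2024-01-10T09:00"), T("2024-01-10T11:00"),
                         frozenset({"bastion-1"}), frozenset({"db-prod"}), frozenset({"db.modify"}))]
HISTORY = [OperationLog(T("2024-01-10T09:30"), "alice", "bastion-1", "db-prod", "db.modify"),
           OperationLog(T("2024-01-10T12:15"), "alice", "bastion-1", "db-prod", "db.modify"),
           OperationLog(T("2024-01-10T09:45"), "alice", "bastion-1", "s3-backups", "object.delete"),
           OperationLog(T("2024-01-10T10:00"), "mallory", "laptop-7", "db-prod", "db.modify")]
```

Only the first log falls entirely inside the grant; the other three return non-empty reason lists and would be the ones shown on the claim-6 screen alongside the log and the record they were compared with.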
CPC classification titles:
- involving long-term monitoring or reporting
- Auditing as a secondary aspect
- Multi-level security, e.g. mandatory access control
- Time limited access, e.g. to a computer or data
- Tools and structures for managing or administering access control systems