Insider threat prediction

US9589245B2 · US · B2

Patent metadata
Publication number: US-9589245-B2
Application number: US-201414246816-A
Country: US
Kind code: B2
Filing date: Apr 7, 2014
Priority date: Apr 7, 2014
Publication date: Mar 7, 2017
Grant date: Mar 7, 2017

How to read this patent

A practical reading order for non-experts. Skip the full description unless you need deep technical detail.

  1. Title

    What the patent document calls the invention.

  2. Abstract

    A short plain-language summary of the technical disclosure.

  3. Assignees and inventors

    Who owns or filed the patent and who is credited as inventor.

  4. Key dates

    Filing, priority, publication, and grant dates set the timeline.

  5. First independent claim

    The legal scope of protection — read this for what is actually claimed.

  6. CPC / IPC classifications

    Technology tags used to group this patent with similar filings.

  7. Citations and related patents

    Prior art links and similar publications in this corpus.

Abstract

Official abstract text for this publication.

A method for predicting insider threat includes mining electronic data of an organization corresponding to activity of an entity, determining features of the electronic data corresponding to the activity of the entity, classifying the features corresponding to the activity of the entity, determining sequences of classified features matching one or more patterns of insider threat, scoring the entity according to matches of the classified features to the one or more patterns of insider threat, and predicting an insider threat corresponding to the entity according to the score.

First claim

Opening claim text (preview).

What is claimed is:

1. A method comprising: deploying a plurality of detectors within an infrastructure of an organization; storing electronic data in a database, the electronic data corresponding to computer activity of an entity detected by the plurality of detectors within the infrastructure of an organization; determining, using the plurality of detectors, features of the electronic data corresponding to the computer activity of the entity, wherein different ones of the plurality of detectors are configured to detect different features; classifying the features corresponding to the computer activity of the entity to determine classified features, each of the classified features having a score; determining a plurality of sequences of the classified features, wherein each of the sequences of the classified features matches a different pattern of insider threat from among a plurality of models of insider threat activity, wherein the models of insider threat activity each include one or more of the patterns of insider threat; determining a plurality of scores for the entity, each of the scores determined using an aggregation of the scores of the classified features in a corresponding one of the sequences of the classified features matching the patterns of insider threat; and predicting an insider threat corresponding to the entity and at least one of the patterns of insider threat using the scores, wherein the prediction of the insider threat causes a security procedure to be enacted within the infrastructure of the organization.

2. The method of claim 1, wherein determining features of the electronic data is performed over time.

3. The method of claim 1, wherein classifying the features corresponding to the computer activity of the entity further comprises determining a confidence of each classification.

4. The method of claim 1, wherein classifying the features corresponding to the computer activity of the entity further comprises comparing the features corresponding to the computer activity of the entity to a plurality of historic features corresponding to historic computer activity of the entity.

5. The method of claim 1, wherein classifying the features corresponding to the computer activity of the entity further comprises comparing the features corresponding to the computer activity of the entity to a plurality of features of another entity.

6. The method of claim 1, wherein classifying the features corresponding to the computer activity of the entity further comprises comparing the features corresponding to the computer activity of the entity to a plurality of features of a plurality of entities in the organization.

7. The method of claim 1, wherein determining the plurality of scores for the entity comprises: determining a first probability that a first one of the sequences of the classified features matches a first one of the patterns of insider threat; determining a second probability that a second one of the sequences of the classified features matches a second one of the patterns of insider threat; and combining the first and second probabilities to determine a score of insider threat corresponding to the entity.

8. A computer program product for predicting insider threat, the computer program product comprising a computer readable storage medium having program instructions embodied therewith, the program instructions executable by a processor to cause the processor to perform a method comprising: deploying a plurality of detectors within an infrastructure of an organization; storing electronic data in a database, the electronic data corresponding to computer activity of an entity detected by the plurality of detectors within the infrastructure of an organization; determining, using the plurality of detectors, features of the electronic data corresponding to the computer activity of the entity, wherein different ones of the plurality of detectors are configured to detect different features; classifying the features corresponding to the computer activity of the entity to determine classified features, the classified features corresponding to nodes of one or more models of insider threat activity, wherein the nodes represent the detected computer activity of the entity; determining a plurality of sequences of the classified features, wherein each of the sequences of the classified features matches a different pattern of insider threat from among the models of insider threat activity, wherein the models of insider threat activity each include one or more of the patterns of insider threat; scoring the entity according to the matches of the sequences of the classified features to the patterns of insider threat; and predicting an insider threat corresponding to the entity and at least one of the plurality of sequences using the scoring, wherein the prediction of the insider threat causes a security procedure to be enacted within the infrastructure of the organization.

9. The computer program product of claim 8, wherein classifying the features corresponding to the computer activity of the entity further comprises determining a confidence of each classification.

10. The computer program product of claim 8, wherein classifying the features corresponding to the computer activity of the entity further comprises comparing the features corresponding to the computer activity of the entity to a plurality of historic features corresponding to historic computer activity of the entity.

11. The computer program product of claim 8, wherein classifying the features corresponding to the computer activity of the entity further comprises comparing the features corresponding to the computer activity of the entity to a plurality of features of another entity.

12. The computer program product of claim 8, wherein scoring the entity comprises: determining a first probability that a first one of the sequences of the classified features matches a first one of the patterns of insider threat; determining a second probability that a second one of the sequences of the classified features matches a second one of the patterns of insider threat; and combining the first and second probabilities to determine a score of insider threat corresponding to the entity.
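The abstract and claims 1, 3 to 7 describe a pipeline: detectors extract features from activity data, each feature is classified with a confidence score (compared against the entity's own history and against peers), ordered sequences of classified features are matched to patterns drawn from models of insider-threat activity, each matched sequence gets an aggregated score, the per-pattern probabilities are combined, and a prediction above threshold enacts a security procedure. The following is an added example written for this page, not IBM's code or anything from the patent's description: the events, baselines, patterns, detector thresholds, the mean as the aggregation, noisy-OR as the combination rule, and the "open_investigation" action are all constructed assumptions.

```python
"""Toy of the claimed pipeline (added example, not IBM's code).
Detectors -> classified features with scores -> ordered-sequence matching
against insider-threat patterns -> one aggregated score per matched pattern
-> combined probability -> prediction that enacts a simulated procedure."""
from collections import defaultdict
from statistics import mean

# Constructed "electronic data": (timestamp, entity, event type, details).
EVENTS = [
    ("2024-03-01T02:10:00", "alice", "login", {"hour": 2}),
    ("2024-03-01T02:15:00", "alice", "file_access", {"count": 450}),
    ("2024-03-01T02:40:00", "alice", "usb_write", {"bytes": 2_000_000_000}),
    ("2024-03-01T09:05:00", "bob", "login", {"hour": 9}),
    ("2024-03-01T09:30:00", "bob", "file_access", {"count": 12}),
    ("2024-03-02T18:20:00", "alice", "email_external", {"attachments": 7}),
]
# Constructed baselines: the entity's own history (claim 4) and the
# organisation-wide norm (claim 6); classification compares against both.
HISTORY = {"alice": {"file_access": 20.0}, "bob": {"file_access": 15.0}}
ORG_BASELINE = {"file_access": 18.0}
# Constructed model of insider-threat activity: each pattern is an ordered
# sequence of classified-feature labels (claim 1).
MODELS = {"data_theft": {
    "removable_media": ["after_hours_login", "bulk_file_access", "mass_usb_write"],
    "external_email": ["bulk_file_access", "bulk_external_email"],
}}

# Detectors: each detects a different feature and returns (label, score),
# the score being the classification confidence (claim 3).
def detect_after_hours(ev, user):
    if ev[2] == "login" and (ev[3]["hour"] < 6 or ev[3]["hour"] > 20):
        return ("after_hours_login", 1.0)
    return None

def detect_bulk_access(ev, user):
    if ev[2] != "file_access":
        return None
    baseline = max(HISTORY[user]["file_access"], ORG_BASELINE["file_access"])
    ratio = ev[3]["count"] / baseline  # deviation from own and org baselines
    return ("bulk_file_access", min(ratio / 30, 1.0)) if ratio >= 5 else None

def detect_exfil_channel(ev, user):
    if ev[2] == "usb_write" and ev[3]["bytes"] > 500_000_000:
        return ("mass_usb_write", 0.9)
    if ev[2] == "email_external" and ev[3]["attachments"] >= 5:
        return ("bulk_external_email", 0.7)
    return None

DETECTORS = (detect_after_hours, detect_bulk_access, detect_exfil_channel)

def classify(events):
    """Chronological list of classified features (label, score) per entity."""
    per_entity = defaultdict(list)
    for ev in sorted(events, key=lambda e: e[0]):  # ISO timestamps sort as text
        user = ev[1]
        per_entity.setdefault(user, [])  # entities with no hits are still scored
        for det in DETECTORS:
            hit = det(ev, user)
            if hit:
                per_entity[user].append(hit)
    return dict(per_entity)

def match_pattern(features, pattern):
    """Ordered subsequence match; returns the matched features' scores or None."""
    scores, i = [], 0
    for label, score in features:
        if i < len(pattern) and label == pattern[i]:
            scores.append(score)
            i += 1
    return scores if i == len(pattern) else None

def score_entity(features):
    """One score per matched pattern: the mean of the feature scores in the
    matching sequence (the aggregation step of claim 1)."""
    out = {}
    for model in MODELS.values():
        for name, pattern in model.items():
            matched = match_pattern(features, pattern)
            if matched:
                out[name] = mean(matched)
    return out

def combine(per_pattern):
    """Noisy-OR over per-pattern probabilities (claim 7): P(at least one
    pattern is real), assuming the patterns are independent."""
    p_none = 1.0
    for p in per_pattern.values():
        p_none *= 1.0 - p
    return 1.0 - p_none

def predict(events, threshold=0.6):
    """Per-entity prediction; crossing the threshold names the security
    procedure to enact (simulated here as an action label)."""
    results = {}
    for user, feats in classify(events).items():
        per_pattern = score_entity(feats)
        risk = combine(per_pattern)
        results[user] = {"patterns": per_pattern, "risk": risk,
                         "action": "open_investigation" if risk >= threshold else None}
    return results

if __name__ == "__main__":
    for user, r in predict(EVENTS).items():
        print(user, round(r["risk"], 3), sorted(r["patterns"]), r["action"])
```

Two design points matter in practice. The match is an ordered subsequence, so a bulk download that happens after the external e-mail does not complete the "external_email" pattern; order is what separates a staged theft from unrelated noisy behaviour. Noisy-OR assumes the patterns are independent, which they are not when they share a feature (both patterns above consume the same bulk_file_access), so a deployed system would calibrate the combination rule on labelled history rather than trust this closed form.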

Assignees

IBM
Inventors

Classifications

  • Traffic logging, e.g. anomaly detection · CPC title

  • involving event detection and direct action · CPC title

  • Risk analysis of enterprise or organisation activities · CPC title (primary classification, G06Q10/0635)

  • involving long-term monitoring or reporting · CPC title

Patent family

Related publications grouped by family.

External sources

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US9589245B2 cover?
A method for predicting insider threat includes mining electronic data of an organization corresponding to activity of an entity, determining features of the electronic data corresponding to the activity of the entity, classifying the features corresponding to the activity of the entity, determining sequences of classified features matching one or more patterns of insider threat, scoring the en…
Who is the assignee on this patent?
IBM
What technology area does this patent fall under?
Primary CPC classification G06Q10/0635. Mapped technology areas include Physics.
When was this patent published?
Publication date Mar 7, 2017 (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 8 related publications on this page (citations in our corpus or others sharing the same primary CPC).