Systems and methods for identifying potentially risky data users within organizations

US9900330B1 · US · B1

Patent metadata
Publication number: US-9900330-B1
Application number: US-201514941527-A
Country: US
Kind code: B1
Filing date: Nov 13, 2015
Priority date: Nov 13, 2015
Publication date: Feb 20, 2018
Grant date: Feb 20, 2018


Abstract

Official abstract text for this publication.

The disclosed computer-implemented method for identifying potentially risky data users within organizations may include (1) monitoring computing activity of a member of an organization with respect to the member's access to data related to the organization, (2) generating, based at least in part on the member's computing activity, a baseline representation of the member's access to the data, (3) detecting at least one attempt by the member to access at least a portion of the data, (4) determining that the member's attempt to access the portion of data represents an anomaly that is suspiciously inconsistent with the baseline representation, and then in response to determining that the member's attempt to access the portion of data represents the anomaly, (5) classifying the member as a potential risk to the security of the data. Various other methods, systems, and computer-readable media are also disclosed.

First claim

Opening claim text (preview).

What is claimed is:

1. A computer-implemented method for identifying potentially risky data users within organizations, at least a portion of the method being performed by a computing device comprising at least one processor, the method comprising: monitoring computing activity of at least one member of an organization with respect to the member's access to data related to the organization; generating, based at least in part on the member's computing activity, a baseline representation of the member's access to the data related to the organization; detecting at least one attempt by the member to access at least a portion of the data related to the organization; determining that the member's attempt to access the portion of data represents an anomaly that is suspiciously inconsistent with the baseline representation by: identifying an amount of deviation between the member's attempt to access the portion of data and the baseline representation by: determining current computing activity of the member based at least in part on the member's attempt to access the portion of data; identifying one or more characteristics of the member's current computing activity; determining, by comparing the member's current computing activity with the baseline representation, the amount of deviation between at least one of the characteristics of the member's current computing activity and the baseline representation; calculating, based at least in part on the amount of deviation, a risk score for the member that represents a degree of risk posed by the member to the security of the data, wherein calculating the risk score comprises weighting, within a mathematical formula, a numerical value that represents the amount of deviation between the at least one of the characteristics of the member's current computing activity and the baseline representation; determining that the risk score for the member is above a riskiness threshold; in response to determining that the member's attempt to access the portion of data represents the anomaly, classifying the member as a potential risk to the security of the data related to the organization.

2. The method of claim 1, wherein monitoring the computing activity of the member of the organization comprises at least one of: tracking opcodes identified in connection with the member's access to the data related to the organization; tracking the number of unique files related to the organization that are accessed by the member per day; identifying the number of files related to the organization for which the member has read or write permissions; tracking the number of alerts triggered in connection with the member's access to the data related to the organization; tracking the number of policy violations committed by the member while accessing the data related to the organization; tracking the number of unique Internet Protocol (IP) addresses with which the member accesses the data related to the organization.

3. The method of claim 1, wherein determining that the member's attempt to access the portion of data represents the anomaly comprises: identifying at least one member group of the organization that includes the member; identifying the number of members from the member group that have accessed the portion of data; determining that the number of members from the member group that have accessed the portion of data is below a minority threshold.

4. The method of claim 1, wherein generating the baseline representation comprises: identifying past attempts by the member to access the data related to the organization over a certain period of time; generating, based at least in part on the past attempts by the member to access the data over the certain period of time, a baseline representation of the member's access to the data related to the organization.

5. The method of claim 4, wherein determining that the member's attempt to access the portion of data represents the anomaly comprises: identifying recent attempts by the member to access the data related to the organization over a recent period of time, the recent attempts including the member's attempt to access the portion of data; comparing the recent attempts by the member to access the data related to the organization with the baseline representation; identifying, based at least in part on the comparison, an amount of deviation between the recent attempts by the member to access the portion of data and the baseline representation; determining, based at least in part on the amount of deviation, that at least a portion of the recent attempts by the member to access the data are anomalous due at least in part to the portion of recent attempts being suspiciously inconsistent with the baseline representation.

6. The method of claim 5, wherein: identifying the recent attempts by the member to access the data related to the organization comprises identifying the number of policy violations committed by the member while accessing the data related to the organization over the recent period of time; determining that the member's attempt to access the portion of data represents the anomaly comprises determining, based at least in part on the number of policy violations, that at least a portion of the recent attempts by the member to access the data are anomalous.

7. The method of claim 1, wherein determining that the member's attempt to access the portion of data represents the anomaly comprises determining that the member's attempt to access the portion of data represents the anomaly based on at least one of: an opcode identified in connection with the member's attempt to access the portion of data; a file that the member is attempting to access; an alert triggered in connection with the member's attempt to access the portion of data; a policy violation committed in connection with the member's attempt to access the portion of data; an IP address with which the member accesses the data related to the organization.

8. A system for identifying potentially risky data users within organizations, the system comprising: a monitoring module, stored in memory, that monitors computing activity of at least one member of an organization with respect to the member's access to data related to the organization; a baseline module, stored in memory, that generates, based at least in part on the member's computing activity, a baseline representation of the member's access to the data related to the organization; a detection module, stored in memory, that detects at least one attempt by the member to access at least a portion of the data related to the organization; a determination module, stored in memory, that determines that the member's attempt to access the portion of data represents an anomaly that is suspiciously inconsistent with the baseline representation by: identifying an amount of deviation between the member's attempt to access the portion of data and the baseline representation by: determining current computing activity of the member based at least in part on the member's attempt to access the portion of data; identifying one or more characteristics of the member's current computing activity; determining, by comparing the member's current computing activity with the baseline representation, the amount of deviation between at least one of the characteristics of the member's current computing activity and the baseline representation; calculating, based at least in part on the amount of deviation, a risk score for the member that represents a degree of risk posed by the member to the security of the data, wherein calculating the risk score comprises weighting, within a mathematical formula, a numerical value that represents the amount of deviati
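Claims 1, 2 and 4 describe a per-member baseline, a per-characteristic deviation, a weighted risk score compared against a riskiness threshold, and claim 3 adds a group-minority check on who else has accessed a file. The Python below is an added illustration of that pipeline, not code from the patent or from Veritas; the characteristic set, the weights, the z-score deviation measure, the thresholds and the sample activity data are all assumptions.

```python
"""Added example: toy baseline/deviation/risk-score classifier modelled on the claims.

Assumptions (not from the patent): the four characteristics below, z-score deviation,
a weighted-sum risk formula, and all sample data, which is constructed.
"""
from statistics import mean, pstdev

# Characteristics from claim 2; the weights of the claim-1 "mathematical formula" are assumed.
WEIGHTS = {"unique_files": 1.0, "policy_violations": 2.0, "unique_ips": 1.5, "alerts": 1.5}


def build_baseline(history):
    """Claim 4: summarise past per-day activity as (mean, std dev) per characteristic."""
    return {name: (mean([d[name] for d in history]), pstdev([d[name] for d in history]))
            for name in WEIGHTS}


def deviation(baseline, current):
    """Amount of deviation per characteristic, in standard deviations above the baseline.
    Only increases count (a quiet day is not anomalous); if the baseline never varied,
    any increase is counted in raw units so it cannot divide by zero."""
    devs = {}
    for name, (mu, sigma) in baseline.items():
        delta = current[name] - mu
        devs[name] = max(0.0, delta / sigma if sigma > 0 else delta)
    return devs


def risk_score(baseline, current):
    """Claim 1: weight each deviation inside a formula (here a weighted sum)."""
    devs = deviation(baseline, current)
    return sum(WEIGHTS[name] * devs[name] for name in WEIGHTS)


def classify(baseline, current, riskiness_threshold):
    """Claim 1: the member is a potential risk when the score exceeds the threshold."""
    return risk_score(baseline, current) > riskiness_threshold


def minority_access(group_members, file_accessors, minority_threshold):
    """Claim 3: anomalous when fewer than minority_threshold members of the member's
    own group have ever accessed the file."""
    return len(set(group_members) & set(file_accessors)) < minority_threshold


# Constructed sample data: five ordinary days, then one day of bulk collection.
HISTORY = [
    {"unique_files": 20, "policy_violations": 0, "unique_ips": 1, "alerts": 0},
    {"unique_files": 24, "policy_violations": 0, "unique_ips": 1, "alerts": 0},
    {"unique_files": 18, "policy_violations": 1, "unique_ips": 2, "alerts": 0},
    {"unique_files": 22, "policy_violations": 0, "unique_ips": 1, "alerts": 1},
    {"unique_files": 16, "policy_violations": 0, "unique_ips": 1, "alerts": 0},
]
NORMAL_DAY = {"unique_files": 21, "policy_violations": 0, "unique_ips": 1, "alerts": 0}
SUSPICIOUS_DAY = {"unique_files": 300, "policy_violations": 4, "unique_ips": 5, "alerts": 3}
```

With the constructed history, a normal day scores well under 1 while the bulk-collection day scores above 100, so a riskiness threshold of 10 separates them cleanly.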

Assignees

Veritas Technologies LLC (also listed on this page as Veritas Tech)
Inventors

Classifications

  • Event detection, e.g. attack signature detection · CPC title

  • to a system of files or objects, e.g. local or distributed file system or database · CPC title

  • Traffic logging, e.g. anomaly detection · CPC title

  • by observing the pattern of computer usage, e.g. typical user behaviour · CPC title

  • for managing network security; network security policies in general (filtering policies H04L63/0227) · CPC title

Frequently asked questions

Answers are generated from the same data shown on this page.

Who is the assignee on this patent?
Veritas Tech, Veritas Technologies Llc
What technology area does this patent fall under?
Primary CPC classification H04L63/1425. Mapped technology areas include Electricity.
When was this patent published?
Publication date Feb 20, 2018 (B1). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 4 related publications on this page (citations in our corpus or others sharing the same primary CPC).