Detecting anomalous behavior via user authentication graphs
First Claim
1. A computer-implemented method, comprising:
- determining, by a computing system, a set of reachable vertices and a respective distance to each of the reachable vertices from a starting vertex within a graph, wherein the set of reachable vertices represent other computers that a computer, represented by the starting vertex, has authenticated to during a period of time on behalf of its user;
- outputting the set of reachable vertices and the respective distance to each of the vertices, by the computing system, as a Person's Authentication Subgraph (PAS) for the starting vertex of the graph;
- comparing, by the computing system, a plurality of PASs for a computer over a series of sliding time windows; and
- determining, by the computing system, based on a statistical comparison of the PASs, whether a deviation between an estimated statistical model and observed PAS attributes at a given time window exceeds an expected deviation for a user, wherein a level of deviation indicating potential compromise takes into account variability of a history of behavioral observations in order to report statistically significant deviations above normal variation by an externally provided threshold to allow users to receive alerts at a prescribed average reporting rate.
Abstract
Significant and aggregate user authentication activity may be analyzed across a population of users and computers in one or more networks to differentiate between authorized users and intruders in a network, and/or to detect inappropriate behavior by otherwise authorized users. Dynamic graphs and graph models over user and computer authentication activity, including time-constrained models, may be used for the purposes of profiling and analyzing user behavior in computer networks. More specifically, an edge-based breadth first search of graphs may be used that enforces time-constraints while maintaining traditional breadth first search computational complexity equivalence.
13 Claims
9. A computer-implemented method, comprising:
- determining, by a computing system, that a computer or its user is potentially malicious by computing statistical measures to compare one or more attributes of a Person's Authentication Subgraph (PAS) based on user authentication events for the computer with one or more attributes indicative of normal user behavior;
- estimating, by the computing system, a statistical model for baseline behavior of the attributes;
- evaluating probabilities of observed attributes, by the computing system, under the baseline models;
- outputting the PAS, by the computing system, for review by a security analyst to determine whether the PAS represents a compromised computer or malicious user when the PAS exceeds a statistical threshold;
- comparing, by the computing system, a plurality of PASs for a computer over a series of sliding time windows; and
- determining, by the computing system, based on a statistical comparison of the PASs, whether a deviation between an estimated statistical model and observed PAS attributes at a given time window exceeds an expected deviation for a user, wherein a level of deviation indicating potential compromise takes into account variability of a history of behavioral observations in order to report statistically significant deviations above normal variation by an externally provided threshold to allow users to receive alerts at a prescribed average reporting rate.
12. A computer-implemented method, comprising:
- comparing, by a computing system, a plurality of Person's Authentication Subgraphs (PASs) for a computer over a series of sliding time windows;
- determining, by the computing system, based on a statistical comparison of the PASs, whether a deviation between an estimated statistical model and observed PAS attributes at a given time window exceeds an expected deviation for a user; and
- when the expected deviation for the user has been exceeded, outputting an identification of the computer, by the computing system, for review by a security analyst to determine whether the computer has been compromised or a malicious user is using the computer,
wherein a level of deviation indicating potential compromise takes into account variability of a history of behavioral observations in order to report statistically significant deviations above normal variation by an externally provided threshold to allow users to receive alerts at a prescribed average reporting rate, and each PAS comprises a set of reachable vertices and a respective distance to each of the reachable vertices from a starting vertex within a graph, the set of reachable vertices representative of other computers that a computer, represented by the starting vertex, has authenticated to during a period of time.
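As an added illustration of the pipeline the abstract and claims describe (this is not the patent's text and not the patentee's implementation), the Python sketch below builds a Person's Authentication Subgraph for one starting host over a time window using a time-respecting breadth-first search, tracks the PAS size across consecutive windows, and scores each window against the host's own history with a z-score and an externally supplied threshold. The authentication events, host names, window length and the `min_history` and `std_floor` parameters are constructed assumptions; the search is a simple level-by-level variant that keeps the earliest arrival time per vertex, not the patent's edge-based algorithm.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample data (not from the patent): authentication events as
# (timestamp, source host, destination host). Windows are 10 time units long.
# Windows 0-4 show the routine pattern of "ws-alice" with a little natural
# variability; window 5 adds a burst of authentications to never-seen hosts.
EVENTS = []
for k in range(6):
    base = 10 * k
    EVENTS += [
        (base + 1, "mail", "printer"),   # happens BEFORE ws-alice reaches mail
        (base + 2, "ws-alice", "file1"),
        (base + 3, "ws-alice", "mail"),
        (base + 5, "file1", "db1"),
    ]
EVENTS += [(14, "ws-alice", "hr-portal"), (34, "ws-alice", "hr-portal")]
EVENTS += [
    (54, "ws-alice", "srv-a"), (56, "ws-alice", "srv-b"),
    (57, "ws-alice", "srv-c"), (58, "srv-a", "db2"),
]
WINDOW = 10  # assumed window length


def authentication_subgraph(events, start, t0, t1):
    """Time-respecting BFS from `start` over events with t0 <= t < t1.

    Returns {host: hop distance} for every host reachable by a chain of
    authentications whose timestamps never go backwards. Each level keeps the
    earliest known arrival time per host; a host first seen at level d keeps
    distance d even if a later level finds an earlier arrival for it.
    """
    out_edges = defaultdict(list)
    for t, src, dst in events:
        if t0 <= t < t1:
            out_edges[src].append((t, dst))
    distance = {}
    arrival = {start: t0}      # earliest arrival time per host
    frontier = {start}         # hosts whose arrival improved in the last level
    level = 0
    while frontier:
        level += 1
        improved = set()
        for u in frontier:
            for t, v in out_edges[u]:
                if t < arrival[u] or v == start:
                    continue   # edge used before u could have been reached
                if v not in arrival:
                    distance[v] = level
                if v not in arrival or t < arrival[v]:
                    arrival[v] = t
                    improved.add(v)
        frontier = improved
    return distance


def pas_sizes(events, host, window, n_windows):
    """PAS size (number of reachable hosts) for each consecutive window."""
    return [len(authentication_subgraph(events, host, k * window, (k + 1) * window))
            for k in range(n_windows)]


def score_windows(sizes, threshold, min_history=2, std_floor=0.25):
    """z-score each window against the windows before it; alert above threshold.

    The baseline is the mean and standard deviation of the host's own history,
    so a host with naturally noisy behaviour needs a bigger jump to alert.
    `std_floor` (assumed) stops a perfectly regular history from dividing by zero.
    Returns (scores, alert window indexes); scores are None until enough history.
    """
    scores, alerts = [], []
    for k, x in enumerate(sizes):
        history = sizes[:k]
        if len(history) < min_history:
            scores.append(None)
            continue
        sigma = max(pstdev(history), std_floor)
        z = (x - mean(history)) / sigma
        scores.append(z)
        if abs(z) > threshold:
            alerts.append(k)
    return scores, alerts


if __name__ == "__main__":
    sizes = pas_sizes(EVENTS, "ws-alice", WINDOW, 6)
    scores, alerts = score_windows(sizes, threshold=3.0)
    print("PAS sizes per window:", sizes)
    print("alert windows:", alerts)
    for k in alerts:
        print(f"window {k}: z={scores[k]:.2f}",
              authentication_subgraph(EVENTS, "ws-alice", k * WINDOW, (k + 1) * WINDOW))
```

The `mail -> printer` event shows why the time constraint matters: a plain BFS would list `printer` in every PAS, but that authentication precedes the one that reaches `mail`, so it cannot be part of a session that started at `ws-alice`. The threshold is the externally supplied knob from the claims; raising it lowers the average alert rate at the cost of missing smaller deviations.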