System, method, and computer program product for detecting and assessing security risks in a network

US 10,095,871 B2
Filed: 09/19/2017
Issued: 10/09/2018
Est. Priority Date: 10/06/2014
Status: Active Grant

First Claim

Patent Images

1. A method, performed by one or more computer devices, for detecting and assessing security risks in an enterprise'"'"'s computer network, the method comprising:

building a behavior model for a user based on the user'"'"'s interactions with the network, wherein the behavior model indicates client device(s), server(s), application(s), and data used by the user;

comparing a plurality of user events in the network to the user'"'"'s behavior model, including comparing a client device used, server(s) accessed, any application(s) accessed, and any data accessed in the user events to the user'"'"'s behavior model, wherein building the behavior model and comparing the user events include tracking user movement across devices in the network including tracking whether the user has switched to a different identity in moving from one device to another;

determining, based at least in part on a comparison between the user events and the user'"'"'s behavior model, whether the user events satisfy one or more of a plurality of rules that define types of anomalies that increase a risk assessment, wherein each rule is associated with points for a risk assessment score;

calculating the risk assessment score for the plurality of user events; and

determining whether the plurality of user events satisfies criteria for an alert, wherein the criteria includes a risk assessment score that exceeds a threshold, wherein;

in response to the plurality of user events satisfying the criteria for an alert, displaying a timeline for the plurality of user events in an administrative interface, wherein the timeline illustrates when user events that satisfied one or more of the rules occurred and, for each of said events, a summary of the rule(s) satisfied by the event, andin response to the plurality of user events not satisfying the criteria for an alert, updating the user'"'"'s behavior model with data related to the plurality of user events including at least data related to user logon events, server access events, application access events, and data access events.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present disclosure is directed to a system, method, and computer program for detecting and assessing security risks in an enterprise'"'"'s computer network. A behavior model is built for a user in the network based on the user'"'"'s interactions with the network, wherein a behavior model for a user indicates client device(s), server(s), and resources used by the user. The user'"'"'s behavior during a period of time is compared to the user'"'"'s behavior model. A risk assessment is calculated for the period of time based at least in part on the comparison between the user'"'"'s behavior and the user'"'"'s behavior model, wherein any one of certain anomalies between the user'"'"'s behavior and the user'"'"'s behavior model increase the risk assessment.

29 Citations

View as Search Results

25 Claims

1. A method, performed by one or more computer devices, for detecting and assessing security risks in an enterprise'"'"'s computer network, the method comprising:
- building a behavior model for a user based on the user'"'"'s interactions with the network, wherein the behavior model indicates client device(s), server(s), application(s), and data used by the user;
  
  comparing a plurality of user events in the network to the user'"'"'s behavior model, including comparing a client device used, server(s) accessed, any application(s) accessed, and any data accessed in the user events to the user'"'"'s behavior model, wherein building the behavior model and comparing the user events include tracking user movement across devices in the network including tracking whether the user has switched to a different identity in moving from one device to another;
  
  determining, based at least in part on a comparison between the user events and the user'"'"'s behavior model, whether the user events satisfy one or more of a plurality of rules that define types of anomalies that increase a risk assessment, wherein each rule is associated with points for a risk assessment score;
  
  calculating the risk assessment score for the plurality of user events; and
  
  determining whether the plurality of user events satisfies criteria for an alert, wherein the criteria includes a risk assessment score that exceeds a threshold, wherein;
  
  in response to the plurality of user events satisfying the criteria for an alert, displaying a timeline for the plurality of user events in an administrative interface, wherein the timeline illustrates when user events that satisfied one or more of the rules occurred and, for each of said events, a summary of the rule(s) satisfied by the event, andin response to the plurality of user events not satisfying the criteria for an alert, updating the user'"'"'s behavior model with data related to the plurality of user events including at least data related to user logon events, server access events, application access events, and data access events.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, wherein the plurality of user events is during a user logon session, wherein a user logon session begins at the user'"'"'s logon to the network and ends at the user'"'"'s subsequent logout of the network or a specified period of inactivity by the user.
  - 3. The method of claim 2, wherein the user events are identified from raw data logs, wherein enhanced events logs are created from the raw data logs by adding additional context information related to the user events, wherein the enhanced event logs are grouped by user logon session to track user actions during a user logon session, and wherein the enhanced event logs are used to build user behavior models.
  - 4. The method of claim 3, wherein the additional context information comprises one or more of the following:
    - additional user information, additional client device information, additional server information, and additional information about accessed data.
  - 5. The method of claim 2, wherein an alert is displayed if the user logon session meets at least one of the following criteria:
    - (i) the user logon session is a current session and the risk assessment score exceeds a threshold for a specified duration and (ii) the user logon session has ended and the final risk assessment score is above a threshold.
  - 6. The method of claim 1, wherein the user'"'"'s behavior model includes the user'"'"'s time logon patterns and comparing the plurality of user events to the user'"'"'s behavior model also includes determining whether the user events are occurring or occurred at a time consistent with the time patterns in the user'"'"'s behavior model.
  - 7. The method of claim 1, wherein the user'"'"'s behavior model include the user'"'"'s geo-location logon patterns and comparing the plurality of user events to the user'"'"'s behavior model also includes determining whether a geo-location from which the user logged in is consistent with the geo-location patterns in the user'"'"'s behavior model.
  - 8. The method of claim 1, wherein calculating the risk assessment score comprises associating a sub-total risk score with each of certain anomalies in the user events and aggregating all sub-total risk scores to calculate the risk assessment score for the plurality of user events.
  - 9. The method of claim 8, wherein the system stores rules that define types of anomalies associated with a positive risk score.
  - 10. The method of claim 9, wherein the system also stores one or more rules that define types of behavior associated with a negative risk score.
  - 11. The method of claim 1, wherein one or more of the following are factored into the risk assessment:
    - the user'"'"'s access authorization level in the system, a value of the data accessed, and threat intelligence.

12. A non-transitory computer-readable medium comprising a computer program that, when executed by a computer system, enables the computer system to perform the following method for detecting and assessing security risks in an enterprise'"'"'s computer network, the method comprising:
- building a behavior model for a user based on the user'"'"'s interactions with the network, wherein the behavior model indicates client device(s), server(s), application(s), and data used by the user;
  
  comparing a plurality of user events in the network to the user'"'"'s behavior model, including comparing a client device used, server(s) accessed, any application(s) accessed, and any data accessed in the user events to the user'"'"'s behavior model, wherein building the behavior model and comparing the user events include tracking user movement across devices in the network including tracking whether the user has switched to a different identity in moving from one device to another;
  
  determining, based at least in part on a comparison between the user events and the user'"'"'s behavior model, whether the user events satisfy one or more of a plurality of rules that define types of anomalies that increase a risk assessment, wherein each rule is associated with points for a risk assessment score;
  
  calculating the risk assessment score for the plurality of user events; and
  
  determining whether the plurality of user events satisfies criteria for an alert, wherein the criteria includes a risk assessment score that exceeds a threshold, wherein;
  
  in response to the plurality of user events satisfying the criteria for an alert, displaying a timeline for the plurality of user events in an administrative interface, wherein the timeline illustrates when user events that satisfied one or more of the rules occurred and, for each of said events, a summary of the rule(s) satisfied by the event, andin response to the plurality of user events not satisfying the criteria for an alert, updating the user'"'"'s behavior model with data related to the plurality of user events including at least data related to user logon events, server access events, application access events, and data access events.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20, 21, 22)
- - 13. The non-transitory computer-readable medium of claim 12, wherein the plurality of user events is during a user logon session, wherein a user logon session begins at the user'"'"'s logon to the network and ends at the user'"'"'s subsequent logout of the network or a specified period of inactivity by the user.
  - 14. The non-transitory computer-readable medium of claim 13, wherein the user events are identified from raw data logs, wherein enhanced events logs are created from the raw data logs by adding additional context information related to the user events, wherein the enhanced event logs are grouped by user logon session to track user actions during a user logon session, and wherein the enhanced event logs are used to build user behavior models.
  - 15. The non-transitory computer-readable medium of claim 14, wherein the additional context information comprises one or more of the following:
    - additional user information, additional client device information, additional server information, and additional information about accessed data.
  - 16. The non-transitory computer-readable medium of claim 13, wherein an alert is displayed if the user logon session meets at least one of the following criteria:
    - (i) the user logon session is a current session and the risk assessment score exceeds a threshold for a specified duration and (ii) the user logon session has ended and the final risk assessment score is above a threshold.
  - 17. The non-transitory computer-readable medium of claim 12, wherein the user'"'"'s behavior model includes the user'"'"'s time logon patterns and comparing the plurality of user events to the user'"'"'s behavior model also includes determining whether the user events are occurring or occurred at a time consistent with the time patterns in the user'"'"'s behavior model.
  - 18. The non-transitory computer-readable medium of claim 12, wherein the user'"'"'s behavior model include the user'"'"'s geo-location logon patterns and comparing the plurality of user events to the user'"'"'s behavior model also includes determining whether a geo-location from which the user logged in is consistent with the geo-location patterns in the user'"'"'s behavior model.
  - 19. The non-transitory computer-readable medium of claim 12, wherein calculating the risk assessment score comprises associating a sub-total risk score with each of certain anomalies in the user events and aggregating all sub-total risk scores to calculate the risk assessment score for the plurality of user events.
  - 20. The non-transitory computer-readable medium of claim 19, wherein the system stores rules that define types of anomalies associated with a positive risk score.
  - 21. The non-transitory computer-readable medium of claim 20, wherein the system also stores one or more rules that define types of behavior associated with a negative risk score.
  - 22. The non-transitory computer-readable medium of claim 12, wherein one or more of the following are factored into the risk assessment:
    - the user'"'"'s access authorization level in the system, a value of the data accessed, and threat intelligence.

23. A computer system for detecting and assessing security risks in an enterprise'"'"'s computer network, the system comprising:
- one or more processors;
  
  one or more memory units coupled to the one or more processors, wherein the one or more memory units store instructions that, when executed by the one or more processors, cause the system to perform the operations of;
  
  building a behavior model for a user based on the user'"'"'s interactions with the network, wherein the behavior model indicates client device(s), server(s), application(s), and data used by the user;
  
  comparing a plurality of user events in the network to the user'"'"'s behavior model, including comparing a client device used, server(s) accessed, any application(s) accessed, and any data accessed in the user events to the user'"'"'s behavior model, wherein building the behavior model and comparing the user events include tracking user movement across devices in the network including tracking whether the user has switched to a different identity in moving from one device to another;
  
  determining, based at least in part on a comparison between the user events and the user'"'"'s behavior model, whether the user events satisfy one or more of a plurality of rules that define types of anomalies that increase a risk assessment, wherein each rule is associated with points for a risk assessment score;
  
  calculating the risk assessment score for the plurality of user events; and
  
  determining whether the plurality of user events satisfies criteria for an alert, wherein the criteria includes a risk assessment score that exceeds a threshold, wherein;
  
  in response to the plurality of user events satisfying the criteria for an alert, displaying a timeline for the plurality of user events in an administrative interface, wherein the timeline illustrates when user events that satisfied one or more of the rules occurred and, for each of said events, a summary of the rule(s) satisfied by the event, andin response to the plurality of user events not satisfying the criteria for an alert, updating the user'"'"'s behavior model with data related to the plurality of user events including at least data related to user logon events, server access events, application access events, and data access events.
- View Dependent Claims (24, 25)
- - 24. The computer system of claim 23, wherein the plurality of user events is during a user logon session, wherein a user logon session begins at the user'"'"'s logon to the network and ends at the user'"'"'s subsequent logout of the network or a specified period of inactivity by the user.
  - 25. The computer system of claim 24, wherein an alert is displayed if the user logon session meets at least one of the following criteria:
    - (i) the user logon session is a current session and the risk assessment score exceeds a threshold for a specified duration and (ii) the user logon session has ended and the final risk assessment score is above a threshold.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Exabeam, Inc.
Original Assignee
Exabeam, Inc.
Inventors
Gil, Sylvain, Mihovilovic, Domingo, Polak, Nir, Stensmo, Magnus, Yip, Sing
Primary Examiner(s)
Shaifer Harriman, Dant B

Application Number

US15/709,113
Publication Number

US 20180004961A1
Time in Patent Office

385 Days
Field of Search

726 22
US Class Current
CPC Class Codes

G06F 21/577   Assessing vulnerabilities a...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1433   Vulnerability analysis

System, method, and computer program product for detecting and assessing security risks in a network

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

29 Citations

25 Claims

Specification

Use Cases

Quick Links

Others

System, method, and computer program product for detecting and assessing security risks in a network

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

29 Citations

25 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others