System, method, and computer program product for detecting and assessing security risks in a network
Abstract
The present disclosure is directed to a system, method, and computer program for detecting and assessing security risks in an enterprise's computer network. A behavior model is built for a user in the network based on the user's interactions with the network, wherein a behavior model for a user indicates client device(s), server(s), and resources used by the user. The user's behavior during a period of time is compared to the user's behavior model. A risk assessment is calculated for the period of time based at least in part on the comparison between the user's behavior and the user's behavior model, wherein any one of certain anomalies between the user's behavior and the user's behavior model increases the risk assessment.
29 Citations
25 Claims
1. A method, performed by one or more computer devices, for detecting and assessing security risks in an enterprise's computer network, the method comprising:
- building a behavior model for a user based on the user's interactions with the network, wherein the behavior model indicates client device(s), server(s), application(s), and data used by the user;
- comparing a plurality of user events in the network to the user's behavior model, including comparing a client device used, server(s) accessed, any application(s) accessed, and any data accessed in the user events to the user's behavior model, wherein building the behavior model and comparing the user events include tracking user movement across devices in the network including tracking whether the user has switched to a different identity in moving from one device to another;
- determining, based at least in part on a comparison between the user events and the user's behavior model, whether the user events satisfy one or more of a plurality of rules that define types of anomalies that increase a risk assessment, wherein each rule is associated with points for a risk assessment score;
- calculating the risk assessment score for the plurality of user events; and
- determining whether the plurality of user events satisfies criteria for an alert, wherein the criteria includes a risk assessment score that exceeds a threshold, wherein;
- in response to the plurality of user events satisfying the criteria for an alert, displaying a timeline for the plurality of user events in an administrative interface, wherein the timeline illustrates when user events that satisfied one or more of the rules occurred and, for each of said events, a summary of the rule(s) satisfied by the event, and
- in response to the plurality of user events not satisfying the criteria for an alert, updating the user's behavior model with data related to the plurality of user events including at least data related to user logon events, server access events, application access events, and data access events.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11.

12. A non-transitory computer-readable medium comprising a computer program that, when executed by a computer system, enables the computer system to perform the following method for detecting and assessing security risks in an enterprise's computer network, the method comprising:
- building a behavior model for a user based on the user's interactions with the network, wherein the behavior model indicates client device(s), server(s), application(s), and data used by the user;
- comparing a plurality of user events in the network to the user's behavior model, including comparing a client device used, server(s) accessed, any application(s) accessed, and any data accessed in the user events to the user's behavior model, wherein building the behavior model and comparing the user events include tracking user movement across devices in the network including tracking whether the user has switched to a different identity in moving from one device to another;
- determining, based at least in part on a comparison between the user events and the user's behavior model, whether the user events satisfy one or more of a plurality of rules that define types of anomalies that increase a risk assessment, wherein each rule is associated with points for a risk assessment score;
- calculating the risk assessment score for the plurality of user events; and
- determining whether the plurality of user events satisfies criteria for an alert, wherein the criteria includes a risk assessment score that exceeds a threshold, wherein;
- in response to the plurality of user events satisfying the criteria for an alert, displaying a timeline for the plurality of user events in an administrative interface, wherein the timeline illustrates when user events that satisfied one or more of the rules occurred and, for each of said events, a summary of the rule(s) satisfied by the event, and
- in response to the plurality of user events not satisfying the criteria for an alert, updating the user's behavior model with data related to the plurality of user events including at least data related to user logon events, server access events, application access events, and data access events.
Dependent claims: 13, 14, 15, 16, 17, 18, 19, 20, 21, 22.

23. A computer system for detecting and assessing security risks in an enterprise's computer network, the system comprising:
- one or more processors;
- one or more memory units coupled to the one or more processors, wherein the one or more memory units store instructions that, when executed by the one or more processors, cause the system to perform the operations of;
- building a behavior model for a user based on the user's interactions with the network, wherein the behavior model indicates client device(s), server(s), application(s), and data used by the user;
- comparing a plurality of user events in the network to the user's behavior model, including comparing a client device used, server(s) accessed, any application(s) accessed, and any data accessed in the user events to the user's behavior model, wherein building the behavior model and comparing the user events include tracking user movement across devices in the network including tracking whether the user has switched to a different identity in moving from one device to another;
- determining, based at least in part on a comparison between the user events and the user's behavior model, whether the user events satisfy one or more of a plurality of rules that define types of anomalies that increase a risk assessment, wherein each rule is associated with points for a risk assessment score;
- calculating the risk assessment score for the plurality of user events; and
- determining whether the plurality of user events satisfies criteria for an alert, wherein the criteria includes a risk assessment score that exceeds a threshold, wherein;
- in response to the plurality of user events satisfying the criteria for an alert, displaying a timeline for the plurality of user events in an administrative interface, wherein the timeline illustrates when user events that satisfied one or more of the rules occurred and, for each of said events, a summary of the rule(s) satisfied by the event, and
- in response to the plurality of user events not satisfying the criteria for an alert, updating the user's behavior model with data related to the plurality of user events including at least data related to user logon events, server access events, application access events, and data access events.
Dependent claims: 24, 25.
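The scoring loop that claims 1, 12 and 23 describe (compare events to the per-user model, add points per satisfied rule, alert over a threshold with a timeline, otherwise fold the events into the model), as an added illustration that is not code from the patent; the rule names, point values, threshold and event fields are assumptions chosen for the example.

```python
from dataclasses import dataclass, field

@dataclass
class BehaviorModel:
    """Per-user baseline: devices, servers, applications and data the user normally uses."""
    devices: set = field(default_factory=set)
    servers: set = field(default_factory=set)
    apps: set = field(default_factory=set)
    data: set = field(default_factory=set)

def _unseen(key, attr, event_type=None):
    # Rule predicate: the event touches a <key> value absent from the model's <attr> set.
    return lambda e, m, p: ((event_type is None or e["type"] == event_type)
                            and key in e and e[key] not in getattr(m, attr))

def _identity_switch(e, m, p):
    # Rule predicate: user moved to another device AND appears there under another identity.
    return p is not None and e["device"] != p["device"] and e["identity"] != p["identity"]

# (rule name, points, predicate(event, model, previous event)); assumed rule set and points.
RULES = [
    ("new_device", 20, _unseen("device", "devices", event_type="logon")),
    ("new_server", 15, _unseen("server", "servers")),
    ("new_app", 10, _unseen("app", "apps")),
    ("new_data", 25, _unseen("data", "data")),
    ("identity_switch", 30, _identity_switch),
]
ALERT_THRESHOLD = 50  # assumed value; an alert fires when the score exceeds it
UPDATE_KEYS = (("device", "devices"), ("server", "servers"), ("app", "apps"), ("data", "data"))

def assess(model, events):
    """Score a batch of events against the model; alert, or fold them into the baseline."""
    score, timeline, prev = 0, [], None
    for e in events:
        hits = [(name, pts) for name, pts, pred in RULES if pred(e, model, prev)]
        score += sum(pts for _, pts in hits)
        if hits:  # timeline entry: when the event occurred and which rules it satisfied
            timeline.append((e["ts"], [name for name, _ in hits]))
        prev = e
    if score > ALERT_THRESHOLD:
        return {"alert": True, "score": score, "timeline": timeline}
    for e in events:  # no alert: the events become part of the user's normal behavior
        for key, attr in UPDATE_KEYS:
            if key in e:
                getattr(model, attr).add(e[key])
    return {"alert": False, "score": score, "timeline": timeline}

if __name__ == "__main__":  # constructed sample: a user appearing on a new device as another identity
    m = BehaviorModel({"ws-alice"}, {"fileserver1"}, {"mail"}, {"hr-share"})
    batch = [{"ts": "11:00", "type": "logon", "device": "ws-alice", "identity": "alice"},
             {"ts": "11:20", "type": "logon", "device": "ws-bob", "identity": "bob"},
             {"ts": "11:25", "type": "data_access", "device": "ws-bob", "identity": "bob", "data": "finance-share"}]
    print(assess(m, batch))
```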
Specification