Anomalous network monitoring, user behavior detection and database system
Abstract
Methods, systems, and apparatus, including computer programs encoded on computer storage media, for network monitoring, user account compromise determination, and user behavior database system. The system monitors network actions of user accounts including user account access across multitudes of network accessible systems, determines user account transitions, and determines different types of high-risk user behavior indicative of compromise. Network actions can be obtained from generated information by the network accessible systems, and correlated across additional data sets including contextual ones. User interfaces are generated describing network actions of user accounts, and are configured for user interaction, which cause generation of updated user interfaces and access to electronic data sources to determine information relevant to the user interaction.
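A sketch of the account-transition determination, as an added example that is not taken from the patent or from any product of the assignee: it reads access-log lines, tracks the last account seen from each source IP address, and flags a switch to an account owned by a different user with a higher privilege level. The log layout, the account table, the numeric privilege levels and the 30-minute window are all assumptions made for the illustration.

```python
from datetime import datetime, timedelta

# Constructed account inventory: account -> (owning user, privilege level).
ACCOUNTS = {
    "jsmith": ("John Smith", 1),
    "jsmith-adm": ("John Smith", 3),
    "svc-backup": ("Backup Service", 2),
    "mlee-adm": ("Mary Lee", 3),
}

# Constructed log lines: timestamp, source IP, destination system, account.
LOG = """\
2024-03-01T09:00:05 10.0.4.17 vpn-gw jsmith
2024-03-01T09:02:11 10.0.4.17 file01 jsmith
2024-03-01T09:03:40 10.0.4.17 db02 svc-backup
2024-03-01T09:05:02 10.0.4.17 dc01 mlee-adm
2024-03-01T09:06:00 10.0.9.30 dc01 mlee-adm
2024-03-01T09:10:00 10.0.4.17 file01 jsmith-adm
2024-03-01T13:00:00 10.0.9.30 file01 jsmith
"""

def parse(text):
    """Yield (timestamp, ip, system, account) tuples from the log text."""
    for line in text.splitlines():
        ts, ip, system, account = line.split()
        yield datetime.fromisoformat(ts), ip, system, account

def find_transitions(text, window_minutes=30):
    """Return same-IP switches to another user's higher-privilege account."""
    window = timedelta(minutes=window_minutes)
    last = {}       # source IP -> (timestamp, account) of the previous event
    findings = []
    for ts, ip, system, account in sorted(parse(text)):
        prev = last.get(ip)
        last[ip] = (ts, account)
        if prev is None or prev[1] == account or ts - prev[0] > window:
            continue
        if prev[1] not in ACCOUNTS or account not in ACCOUNTS:
            continue  # unknown accounts need separate handling
        (p_user, p_priv), (user, priv) = ACCOUNTS[prev[1]], ACCOUNTS[account]
        # Different owner AND higher privilege: the transition of interest.
        if user != p_user and priv > p_priv:
            findings.append((ip, prev[1], account, system, ts.isoformat()))
    return findings

if __name__ == "__main__":
    for finding in find_transitions(LOG):
        print(finding)
```

On the constructed log, the switch from mlee-adm to jsmith-adm is not flagged because the privilege level does not rise, and the 13:00 event falls outside the window.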
20 Claims
1. A computerized method performed by one or more computer systems, the method comprising:
accessing network access logs associated with a plurality of network accessible systems, the network access logs being generated in response to network actions associated with a plurality of user accounts, the user accounts each associated with, in the network access logs, one or more IP addresses of corresponding user devices;
determining, based at least on the network access logs, information indicative of user accounts exhibiting high-risk behavior, the information including, for each of one or more user accounts, a transition from the user account to a subsequent user account associated with a different user, the transition being associated with escalated user privileges, wherein the user account transitions are determined based, at least in part, on monitoring IP addresses indicated in the network access logs; and
providing, for presentation in an interactive user interface, information describing a set of user accounts and corresponding determined information, wherein the interactive user interface is configured to receive user actions associated with preventing an attack on one or more networks, wherein the user actions comprise one or more of selecting specific user accounts for more detailed information or generating information to be presented to specific user accounts.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9
10. A system comprising one or more computer systems and one or more computer storage media storing instructions that when executed by the one or more computer systems cause the one or more computer systems to perform operations comprising:
accessing network access logs associated with a plurality of network accessible systems, the network access logs indicating network actions associated with a plurality of user accounts, the user accounts each associated with, in the network access logs, one or more IP addresses of corresponding user devices;
determining, based at least on the network access logs, information indicative of user accounts exhibiting high-risk behavior, the information including, for each of one or more user accounts, a transition from the user account to a subsequent user account associated with a different user, the transition being associated with escalated user privileges, wherein the user account transitions are determined based, at least in part, on monitoring IP addresses indicated in the network access logs; and
providing, for presentation in an interactive user interface, information describing a set of user accounts and corresponding determined information, wherein the interactive user interface is configured to receive user actions associated with preventing an attack on one or more networks, wherein the user actions comprise one or more of selecting specific user accounts for more detailed information or generating information to be presented to specific user accounts.
Dependent claims: 11, 12, 13, 14, 15, 16
17. Non-transitory computer storage media storing instructions that when executed one or more computer systems cause the one or more computer systems to perform operations comprising:
accessing network access logs associated with a plurality of network accessible systems, the network access logs indicating network actions associated with a plurality of user accounts, the user accounts each associated with, in the network access logs, one or more IP addresses of corresponding user devices;
determining, based at least on the network access logs, information indicative of user accounts exhibiting high-risk behavior, the information including, for each of one or more user accounts, a transition from the user account to a subsequent user account associated with a different user, the transition being associated with escalated user privileges, wherein the user account transitions are determined based, at least in part, on monitoring IP addresses indicated in the network access logs; and
providing, for presentation in an interactive user interface, information describing a set of user accounts and corresponding determined information, wherein the interactive user interface is configured to receive user actions associated with preventing an attack on one or more networks, wherein the user actions comprise one or more of selecting specific user accounts for more detailed information or generating information to be presented to specific user accounts.
Dependent claims: 18, 19, 20
Specification