System, method, and computer program for automatically classifying user accounts in a computer network based on account behavior

US 10,178,108 B1
Filed: 05/31/2016
Issued: 01/08/2019
Est. Priority Date: 05/31/2016
Status: Active Grant

First Claim

Patent Images

1. A method, performed by a computer system, for identifying and classifying service accounts in a network based on account behavior, the method comprising:

classifying an account during setup as a service account or a non-service account;

tracking networks events associated with the account;

for each of a plurality of service account behaviors, calculating an indicator of the extent to which the account displays the service account behavior (a “

behavior indicator”

), wherein there is a different behavior indicator for each of the service account behaviors, wherein each behavior indicator is calculated based on the network events associated with the account, and wherein one service account behavior is generating many network events (“

many events behavior”

);

for each of the service account behaviors, determining whether the applicable behavior indicator satisfies a threshold specific to the service account behavior, wherein the threshold for the many events behavior is dynamically determined each time the behavior of the accounts in the network is classified, and wherein the threshold is determined by ranking accounts by the average number of events per active day and then identifying an acceleration point in the average number of events per active day;

in response to the account having one or more behavior indicators satisfy the applicable threshold, determining that the account triggered for service account behavior, wherein determining whether an account triggers for many events behavior further comprises;

for each account in the system, calculating the average number of events of any type per active day,ranking accounts in ascending order of average number of events per active day,dividing ranked accounts into fixed-size windows each having a sequence number,computing the sum of each window (S_i), wherein i is the sequence number,starting with the first fixed-size window, identifying the first value for i in which S_i+2/(S_i+S_i+2) is greater than a minimum acceleration rate, wherein the minimum acceleration rate is a threshold with a predetermined value,setting the dynamic threshold for the many events account behavior to the average number of events per active day in the first account in the (i+1)th window for the above-identified value of i, andfor each account with an average number of events per active day above the dynamic threshold, concluding that the account triggered for the many events behavior;

calculating a ratio of (1) the number of times the account triggered for service account behavior during a period of time to (2) the number of times during the period of time that the account was evaluated for service account behavior (the “

service account attempt ratio”

);

calculating a ratio of (1) the number of times the account did not trigger for service account behavior during the period of time to (2) the number of times during the period of time that the account was evaluated for service account behavior (the “

non-service account attempt ratio”

);

in response to the service account attempt ratio exceeding a consistency threshold, classifying the account behavior as that of a service account;

in response to the non-service account attempt ratio exceeding the consistency threshold, classifying the account behavior as that of a non-service account;

in response to neither the service account attempt ratio and the non-service account attempt ratio exceeding the threshold, taking no action with respect to classifying the account behavior; and

in response to the account during setup being classified as a non-service account but the account behavior being classified as that of a service account, issuing a security alert that a non-service account is behaving like a service account.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present disclosure describes a system, method, and computer program for identifying and classifying service accounts in a network based on account behavior. For each evaluated account in the network, a plurality of behavior indicators are calculated. The behavior indicators correspond to service account behaviors and, for each account, are calculated based on network events associated with the account. Each behavior indicator is compared to a threshold specific to the corresponding behavior. If one or more behavior indicators for an account satisfies the applicable threshold, the account is deemed to display service account behavior. Consistency in which an account displays service account behavior is factored into classifying accounts as service accounts.

Citations

30 Claims

1. A method, performed by a computer system, for identifying and classifying service accounts in a network based on account behavior, the method comprising:
- classifying an account during setup as a service account or a non-service account;
  
  tracking networks events associated with the account;
  
  for each of a plurality of service account behaviors, calculating an indicator of the extent to which the account displays the service account behavior (a “
  
  behavior indicator”
  
  ), wherein there is a different behavior indicator for each of the service account behaviors, wherein each behavior indicator is calculated based on the network events associated with the account, and wherein one service account behavior is generating many network events (“
  
  many events behavior”
  
  );
  
  for each of the service account behaviors, determining whether the applicable behavior indicator satisfies a threshold specific to the service account behavior, wherein the threshold for the many events behavior is dynamically determined each time the behavior of the accounts in the network is classified, and wherein the threshold is determined by ranking accounts by the average number of events per active day and then identifying an acceleration point in the average number of events per active day;
  
  in response to the account having one or more behavior indicators satisfy the applicable threshold, determining that the account triggered for service account behavior, wherein determining whether an account triggers for many events behavior further comprises;
  
  for each account in the system, calculating the average number of events of any type per active day,ranking accounts in ascending order of average number of events per active day,dividing ranked accounts into fixed-size windows each having a sequence number,computing the sum of each window (S_i), wherein i is the sequence number,starting with the first fixed-size window, identifying the first value for i in which S_i+2/(S_i+S_i+2) is greater than a minimum acceleration rate, wherein the minimum acceleration rate is a threshold with a predetermined value,setting the dynamic threshold for the many events account behavior to the average number of events per active day in the first account in the (i+1)th window for the above-identified value of i, andfor each account with an average number of events per active day above the dynamic threshold, concluding that the account triggered for the many events behavior;
  
  calculating a ratio of (1) the number of times the account triggered for service account behavior during a period of time to (2) the number of times during the period of time that the account was evaluated for service account behavior (the “
  
  service account attempt ratio”
  
  );
  
  calculating a ratio of (1) the number of times the account did not trigger for service account behavior during the period of time to (2) the number of times during the period of time that the account was evaluated for service account behavior (the “
  
  non-service account attempt ratio”
  
  );
  
  in response to the service account attempt ratio exceeding a consistency threshold, classifying the account behavior as that of a service account;
  
  in response to the non-service account attempt ratio exceeding the consistency threshold, classifying the account behavior as that of a non-service account;
  
  in response to neither the service account attempt ratio and the non-service account attempt ratio exceeding the threshold, taking no action with respect to classifying the account behavior; and
  
  in response to the account during setup being classified as a non-service account but the account behavior being classified as that of a service account, issuing a security alert that a non-service account is behaving like a service account.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein the service account behaviors further include:
    - connecting to many hosts (“
      
      many hosts behavior”
      
      ) and having periodic activities (“
      
      periodic activity behavior”
      
      ), and wherein whether an account is deemed to have any of these service account behaviors is determined relative to the threshold for the service account behavior.
  - 3. The method of claim 2, wherein threshold for the many hosts behavior is calculated relative to a total number of hosts in the network.
  - 4. The method of claim 2, wherein the threshold for the periodic behavior is a fixed value.
  - 5. The method of claim 2, wherein determining whether an account triggers for the connected hosts behavior comprises:
    - calculating an average number of connected hosts per active day for the account;
      
      determining whether the average number of connected hosts per active day exceeds a fixed threshold based on the number of hosts in the network; and
      
      in response to determining that the average number of connected hosts per active day exceeds the fixed threshold, concluding that the account triggers for the connected host behavior.
  - 6. The method of claim 2, wherein determining whether an account triggers for the periodic behavior comprises:
    - dividing each day in a period of time into a plurality of fixed-length windows;
      
      counting the number of events for the account in each fixed-length window to create an event-window sequence for each day during the period of time;
      
      quantifying distances between the window sequences in sequential active days during the relevant period;
      
      calculating an average inverse distance during the relevant period;
      
      determining whether the average inverse distance exceeds a fixed threshold;
      
      in response to determining that the average inverse distance exceeds a fixed threshold, concluding that the account triggered for the always online behavior.
  - 7. The method of claim 2, wherein the service account behaviors also include being online all the time (“
    - always online behavior”
      
      ).
  - 8. The method of claim 7, wherein the threshold for the always online behavior is dynamically determined each time the behavior of the accounts in the network is classified, and wherein the threshold is determined by ranking accounts by a function of an average number of active fixed-length windows and identifying an acceleration point in the function values.
  - 9. The method of claim 8, wherein determining whether an account triggers for always online behavior further comprises:
    - dividing days in a period of time into fixed-length windows;
      
      for each account, tracking the number of active windows in the period of time;
      
      for each account, calculating an average number of active fixed-length windows;
      
      for each account, calculating a function of the average number of active fixed-length windows, wherein the function is the behavior indicator for always online behavior;
      
      ranking accounts in ascending order of function values;
      
      dividing ranked accounts into fixed-size windows each having a sequence number;
      
      computing the sum of the function values of each window (S_i), wherein i is the sequence number;
      
      starting with the first fixed-size window, identifying the first value for i in which S_i+2/(S_i+S_i+2) is greater than a minimum acceleration rate, wherein the minimum accelerate rate is a threshold with a predetermined value;
      
      setting the dynamic threshold for the always online behavior to the function value of the first account in the (i+1)th window for the above-identified value of i;
      
      for each account with a function value about the dynamic threshold, concluding that the account triggered for the always online behavior.
  - 10. The method of claim 1, wherein:
    - accounts in the network are evaluated for service account behavior on a daily basis;
      
      calculating the service account attempt ratio comprises calculating the number of days, over a period of x days, that an account triggered for service account behavior and dividing the number by x; and
      
      calculating the non-service account attempt ratio comprises calculating the number of days, over a period of x days, that an account did not trigger for service account behavior and dividing the number by x, wherein x is a number greater than 1.

11. A non-transitory computer-readable medium comprising a computer program that, when executed by a computer system, enables the computer system to perform the following method for identifying and classifying service accounts in a network based on account behavior, the method comprising:
- classifying an account during setup as a service account or a non-service account;
  
  tracking networks events associated with the account;
  
  for each of a plurality of service account behaviors, calculating an indicator of the extent to which the account displays the service account behavior (a “
  
  behavior indicator”
  
  ), wherein there is a different behavior indicator for each of the service account behaviors, wherein each behavior indicator is calculated based on the network events associated with the account, and wherein one service account behavior is generating many network events (“
  
  many events behavior”
  
  );
  
  for each of the service account behaviors, determining whether the applicable behavior indicator satisfies a threshold specific to the service account behavior, wherein the threshold for the many events behavior is dynamically determined each time the behavior of the accounts in the network is classified, and wherein the threshold is determined by ranking accounts by the average number of events per active day and then identifying an acceleration point in the average number of events per active day;
  
  in response to the account having one or more behavior indicators satisfying the applicable threshold, determining that the account triggered for service account behavior, wherein determining whether an account triggers for many events behavior further comprises;
  
  for each account in the system, calculating the average number of events of any type per active day,ranking accounts in ascending order of average number of events per active day,dividing ranked accounts into fixed-size windows each having a sequence number,computing the sum of each window (S_i), wherein i is the sequence number,starting with the first fixed-size window, identifying the first value for i in which S_i+2/(S_i+S_i+2) is greater than a minimum acceleration rate, wherein the minimum acceleration rate is a threshold with a predetermined value,setting the dynamic threshold for the many events account behavior to the average number of events per active day in the first account in the (i+1)th window for the above-identified value of i, andfor each account with an average number of events per active day above the dynamic threshold, concluding that the account triggered for the many events behavior;
  
  calculating a ratio of (1) the number of times the account triggered for service account behavior during a period of time to (2) the number of times during the period of time that the account was evaluated for service account behavior (the “
  
  service account attempt ratio”
  
  );
  
  calculating a ratio of (1) the number of times the account did not trigger for service account behavior during the period of time to (2) the number of times during the period of time that the account was evaluated for service account behavior (the “
  
  non-service account attempt ratio”
  
  );
  
  in response to the service account attempt ratio exceeding a consistency threshold, classifying the account behavior as that of a service account;
  
  in response to the non-service account attempt ratio exceeding the consistency threshold, classifying the account behavior as that of a non-service account;
  
  in response to neither the service account attempt ratio and the non-service account attempt ratio exceeding the threshold, taking no action with respect to classifying the account behavior; and
  
  in response to the account during setup being classified as a non-service account but the account behavior being classified as that of a service account, issuing a security alert that a non-service account is behaving like a service account.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The non-transitory computer-readable medium of claim 11, wherein the service account behaviors further include:
    - connecting to many hosts (“
      
      many hosts behavior”
      
      ) and having periodic activities (“
      
      periodic activity behavior”
      
      ), and wherein whether an account is deemed to have any of these service account behaviors is determined relative to the threshold for the service account behavior.
  - 13. The computer-readable medium of claim 12, wherein threshold for the many hosts behavior is calculated relative to a total number of hosts in the network.
  - 14. The computer-readable medium of claim 12, wherein the threshold for the periodic behavior is a fixed value.
  - 15. The computer-readable medium of claim 12, wherein determining whether an account triggers for the connected hosts behavior comprises:
    - calculating an average number of connected hosts per active day for the account;
      
      determining whether the average number of connected hosts per active day exceeds a fixed threshold based on the number of hosts in the network; and
      
      in response to determining that the average number of connected hosts per active day exceeds the fixed threshold, concluding that the account triggers for the connected host behavior.
  - 16. The computer-readable medium of claim 12, wherein determining whether an account triggers for the periodic behavior comprises:
    - dividing each day in a period of time into a plurality of fixed-length windows;
      
      counting the number of events for the account in each fixed-length window to create an event-window sequence for each day during the period of time;
      
      quantifying distances between the window sequences in sequential active days during the relevant period;
      
      calculating an average inverse distance during the relevant period;
      
      determining whether the average inverse distance exceeds a fixed threshold;
      
      in response to determining that the average inverse distance exceeds a fixed threshold, concluding that the account triggered for the always online behavior.
  - 17. The computer-readable medium of claim 12, wherein the service account behaviors also include being online all the time (“
    - always online behavior”
      
      ).
  - 18. The computer-readable medium of claim 17, wherein the threshold for the always online behavior is dynamically determined each time the behavior of the accounts in the network is classified, and wherein the threshold is determined by ranking accounts by a function of an average number of active fixed-length windows and identifying an acceleration point in the function values.
  - 19. The computer-readable medium of claim 18, wherein determining whether an account triggers for always online behavior further comprises:
    - dividing days in a period of time into fixed-length windows;
      
      for each account, tracking the number of active windows in the period of time;
      
      for each account, calculating an average number of active fixed-length windows;
      
      for each account, calculating a function of the average number of active fixed-length windows, wherein the function is the behavior indicator for always online behavior;
      
      ranking accounts in ascending order of function values;
      
      dividing ranked accounts into fixed-size windows each having a sequence number;
      
      computing the sum of the function values of each window (S_i), wherein i is the sequence number;
      
      starting with the first fixed-size window, identifying the first value for i in which S_i+2/(S_i+S_i+2) is greater than a minimum acceleration rate, wherein the minimum accelerate rate is a threshold with a predetermined value;
      
      setting the dynamic threshold for the always online behavior to the function value of the first account in the (i+1)th window for the above-identified value of i;
      
      for each account with a function value about the dynamic threshold, concluding that the account triggered for the always online behavior.
  - 20. The computer-readable medium of claim 11, wherein:
    - accounts in the network are evaluated for service account behavior on a daily basis;
      
      calculating the service account attempt ratio comprises calculating the number of days, over a period of x days, that an account triggered for service account behavior and dividing the number by x; and
      
      calculating the non-service account attempt ratio comprises calculating the number of days, over a period of x days, that an account did not trigger for service account behavior and dividing the number by x, wherein x is a number greater than 1.

21. A computer system for identifying and classifying service accounts in a network based on account behavior, the system comprising:
- one or more processors; and
  
  one or more memory units coupled to one or more processors, wherein the one or more memory units store instructions that, when executed by the one or more processors, cause the system to perform the operation of;
  
  classifying an account during setup as a service account or a non-service account;
  
  tracking networks events associated with the account;
  
  for each of a plurality of service account behaviors, calculating an indicator of the extent to which the account displays the service account behavior (a “
  
  behavior indicator”
  
  ), wherein there is a different behavior indicator for each of the service account behaviors, wherein each behavior indicator is calculated based on the network events associated with the account, and wherein one service account behavior is generating many network events (“
  
  many events behavior”
  
  );
  
  for each of the service account behaviors, determining whether the applicable behavior indicator satisfies a threshold specific to the service account behavior, wherein the threshold for the many events behavior is dynamically determined each time accounts in the network are classified, and wherein the threshold is determined by ranking accounts by the average number of events per active day and then identifying an acceleration point in the average number of events per active day;
  
  in response to the account having one or more behavior indicators satisfy the applicable threshold, determining that the account triggered for service account behavior, wherein determining whether an account triggers for many events behavior further comprises;
  
  for each account in the system, calculating the average number of events of any type per active day,ranking accounts in ascending order of average number of events per active day,dividing ranked accounts into fixed-size windows each having a sequence number,computing the sum of each window (S_i), wherein i is the sequence number,starting with the first fixed-size window, identifying the first value for i in which S_i+2/(S_i+S_i+2) is greater than a minimum acceleration rate, wherein the minimum acceleration rate is a threshold with a predetermined value,setting the dynamic threshold for the many events account behavior to the average number of events per active day in the first account in the (i+1)th window for the above-identified value of i, andfor each account with an average number of events per active day above the dynamic threshold, concluding that the account triggered for the many events behavior;
  
  calculating a ratio of (1) the number of times the account triggered for service account behavior during a period of time to (2) the number of times during the period of time that the account was evaluated for service account behavior (the “
  
  service account attempt ratio”
  
  );
  
  calculating a ratio of (1) the number of times the account did not trigger for service account behavior during the period of time to (2) the number of times during the period of time that the account was evaluated for service account behavior (the “
  
  non-service account attempt ratio”
  
  );
  
  in response to the service account attempt ratio exceeding a consistency threshold, classifying the account behavior as that of a service account;
  
  in response to the non-service account attempt ratio exceeding the consistency threshold, classifying the account behavior as that of a non-service account;
  
  in response to neither the service account attempt ratio and the non-service account attempt ratio exceeding the threshold, taking no action with respect to classifying the account behavior; and
  
  in response to the account during setup being classified as a non-service account but the account behavior being classified as that of a service account, issuing a security alert that a non-service account is behaving like a service account.
- View Dependent Claims (22, 23, 24, 25, 26, 27, 28, 29, 30)
- - 22. The system of claim 21, wherein the service account behaviors further include:
    - connecting to many hosts (“
      
      many hosts behavior”
      
      ) and having periodic activities (“
      
      periodic activity behavior”
      
      ), and wherein whether an account is deemed to have any of these service account behaviors is determined relative to the threshold for the service account behavior.
  - 23. The system of claim 22, wherein threshold for the many hosts behavior is calculated relative to a total number of hosts in the network.
  - 24. The system of claim 22, wherein the threshold for the periodic behavior is a fixed value.
  - 25. The system of claim 22, wherein determining whether an account triggers for the connected hosts behavior comprises:
    - calculating an average number of connected hosts per active day for the account;
      
      determining whether the average number of connected hosts per active day exceeds a fixed threshold based on the number of hosts in the network; and
      
      in response to determining that the average number of connected hosts per active day exceeds the fixed threshold, concluding that the account triggers for the connected host behavior.
  - 26. The system of claim 22, wherein determining whether an account triggers for the periodic behavior comprises:
    - dividing each day in a period of time into a plurality of fixed-length windows;
      
      counting the number of events for the account in each fixed-length window to create an event-window sequence for each day during the period of time;
      
      quantifying distances between the window sequences in sequential active days during the relevant period;
      
      calculating an average inverse distance during the relevant period;
      
      determining whether the average inverse distance exceeds a fixed threshold;
      
      in response to determining that the average inverse distance exceeds a fixed threshold, concluding that the account triggered for the always online behavior.
  - 27. The system of claim 22, wherein the service account behaviors also include being online all the time (“
    - always online behavior”
      
      ).
  - 28. The system of claim 27, wherein the threshold for the always online behavior is dynamically determined each time the behavior of the accounts in the network is classified, and wherein the threshold is determined by ranking accounts by a function of an average number of active fixed-length windows and identifying an acceleration point in the function values.
  - 29. The system of claim 28, wherein determining whether an account triggers for always online behavior further comprises:
    - dividing days in a period of time into fixed-length windows;
      
      for each account, tracking the number of active windows in the period of time;
      
      for each account, calculating an average number of active fixed-length windows;
      
      for each account, calculating a function of the average number of active fixed-length windows, wherein the function is the behavior indicator for always online behavior;
      
      ranking accounts in ascending order of function values;
      
      dividing ranked accounts into fixed-size windows each having a sequence number;
      
      computing the sum of the function values of each window (S_—
      
      i), wherein i is the sequence number;
      
      starting with the first fixed-size window, identifying the first value for i in which (S_i+2/S_i+S_i+2) is greater than a minimum acceleration rate, wherein the minimum accelerate rate is a threshold with a predetermined value;
      
      setting the dynamic threshold for the always online behavior to the function value of the first account in the (i+1)th window for the above-identified value of i;
      
      for each account with a function value about the dynamic threshold, concluding that the account triggered for the always online behavior.
  - 30. The system of claim 21, wherein:
    - accounts in the network are evaluated for service account behavior on a daily basis;
      
      calculating the service account attempt ratio comprises calculating the number of days, over a period of x days, that an account triggered for service account behavior and dividing the number by x; and
      
      calculating the non-service account attempt ratio comprises calculating the number of days, over a period of x days, that an account did not trigger for service account behavior and dividing the number by x, wherein x is a number greater than 1.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Exabeam, Inc.
Original Assignee
Exabeam, Inc.
Inventors
Lin, Derek, Steiman, Barry, Mihovilovic, Domingo, Gil, Sylvain
Primary Examiner(s)
Kim, Tae K

Application Number

US15/169,284
Time in Patent Office

952 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/50   Monitoring users, programs ...

G06F 21/552   involving long-term monitor...

G06F 21/566   Dynamic detection, i.e. det...

H04L 63/1425   Traffic logging, e.g. anoma...

System, method, and computer program for automatically classifying user accounts in a computer network based on account behavior

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

System, method, and computer program for automatically classifying user accounts in a computer network based on account behavior

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links