Cyber-semantic account management system

US 10,205,740 B2
Filed: 05/16/2017
Issued: 02/12/2019
Est. Priority Date: 11/20/2012
Status: Active Grant

First Claim

Patent Images

1. A system comprising:

at least one hardware processor; and

memory encoding computer executable instructions that, when executed by the at least one hardware processor, perform a method comprising;

receiving network data corresponding to a set of transactions for a plurality of users in a network;

comparing the network data to expected global network behavior data, wherein the expected global network behavior data comprises previously received network data comprising at least two of;

an access time, location data, page requests made, PKI status, page referrer URL, common access card information, login name, encryption information, and weather data;

based on the comparison, determining if the network data deviates from the expected global network behavior data for a specific transaction; and

when the network data is determined to deviate from the expected global network behavior data, performing one or more actions.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems, methods, and apparatus for identifying anomalous behavior are provided. For example, a method may include receiving raw data, generating a behavior profile for the entity based on the raw data, receiving comparison data, determining whether the comparison data deviates from a pattern of behavior defined in the behavior profile, and identifying the comparison data as anomalous behavior when the comparison data deviates from the pattern of behavior. In one embodiment, the raw data includes recorded activity for the entity. In one embodiment, the behavior profile defines a pattern of behavior for the entity. In one embodiment, a countermeasure is performed upon identifying anomalous behavior. The countermeasure may include at least one of revoking the entity'"'"'s credentials, denying the entity access to a resource, shutting down access to a port, and denying access to the entity. The method may further include providing a report of the anomalous behavior.

10 Citations

19 Claims

1. A system comprising:
- at least one hardware processor; and
  
  memory encoding computer executable instructions that, when executed by the at least one hardware processor, perform a method comprising;
  
  receiving network data corresponding to a set of transactions for a plurality of users in a network;
  
  comparing the network data to expected global network behavior data, wherein the expected global network behavior data comprises previously received network data comprising at least two of;
  
  an access time, location data, page requests made, PKI status, page referrer URL, common access card information, login name, encryption information, and weather data;
  
  based on the comparison, determining if the network data deviates from the expected global network behavior data for a specific transaction; and
  
  when the network data is determined to deviate from the expected global network behavior data, performing one or more actions.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The system of claim 1, wherein the method further comprises:
    - analyzing the network data to identify observed user activity; and
      
      using the observed user activity to generate a global network behavior profile.
  - 3. The system of claim 2, wherein the global network behavior profile is indexed based on one or more attributes of the observed user activity.
  - 4. The system of claim 1, wherein comparing the network data to the expected global network behavior data comprises determining whether at least a portion of the network data exists in the expected global network behavior data.
  - 5. The system of claim 1, wherein comparing the network data to the expected global network behavior data comprises analyzing attributes of the network behavior and comparing the analyzed attributes to corresponding attributes of the expected global network behavior data.
  - 6. The system of claim 5, wherein the analyzed attributes comprise at least two of:
    - an access time, location data, page requests made, PKI status, page referrer URL, common access card information, login name, encryption information, and weather data.
  - 7. The system of claim 1, wherein comparing the network data to the expected global network behavior data comprises applying a statistical analysis to calculate one or more bandwidth thresholds for a set of behavior attributes.
  - 8. The system of claim 7, wherein network data exceeding the one or more bandwidth thresholds is determined to be anomalous.
  - 9. The system of claim 1, wherein determining if the network data deviates from the expected global network behavior data comprises evaluating the network data against one or more watch lists.
  - 10. The system of claim 9, wherein the one or more watch lists correspond to at least one of:
    - a list of acceptable network behavior, a list of unacceptable network behavior, and a list of potentially suspicious behavior.
  - 11. The system of claim 1, wherein the one or more actions includes at least one of:
    - revoking the credentials of one or more users, denying access to a resource, denying access to a port, prompting for approval to execute an activity associated with the network data, and generating a behavior report.
  - 12. The system of claim 1, wherein the expected global network behavior data represents activity authorized on the network.

13. A computer implemented method, using at least one hardware processor, the method comprising:
- detecting, by using at least the hardware processor, network data corresponding to a set of transactions for a plurality of users in a network;
  
  comparing the network data to expected global network behavior data, wherein the expected global network behavior data comprises previously received network data comprising at least two of;
  
  an access time, location data, page requests made, PKI status, page referrer URL, common access card information, login name, encryption information, and weather data;
  
  based on the comparison, determining if the network data deviates from the expected global network behavior data; and
  
  when the network data is determined to deviate from the expected global network behavior data, performing one or more actions.
- View Dependent Claims (14, 15, 16, 17, 18)
- - 14. The method of claim 13, wherein determining if the network data deviates from the expected global network behavior data comprises identifying activity in the network data this is absent from the expected global network behavior data.
  - 15. The method of claim 13, wherein determining if the network data deviates from the expected global network behavior data comprises generating one or more standard deviation values for user activity associated with the network data, and evaluating the network data against the one or more standard deviation values.
  - 16. The method of claim 15, wherein the network data that is outside the one or more standard deviation values is identified as anomalous behavior.
  - 17. The method of claim 13, wherein the previously received network data is used to generate network behavior profile, wherein the network behavior profile is normalized.
  - 18. The method of claim 13, wherein the one or more actions comprise identifying whether the network data is at least one of:
    - beneficial, detrimental, and suspicious.

19. A system comprising:
- at least one hardware processor; and
  
  memory encoding computer executable instructions that, when executed by at least one processor, perform a method comprising;
  
  receiving network data corresponding to activity for a plurality of users on a network;
  
  dynamically generating a network behavior profile for the network based on the network data, wherein the network behavior profile defines a pattern of behavior for the network for one or more transactions;
  
  receiving comparison data;
  
  comparing the comparison data to the network behavior profile for a specific transaction, wherein the network behavior profile comprises previously received network data comprising at least two of;
  
  an access time, location data, page requests made, PKI status, page referrer URL, common access card information, login name, encryption information, and weather data;
  
  based on the comparison, determining if the comparison data deviates from the network behavior profile; and
  
  when the comparison data is determined to deviate from the network behavior profile, performing one or more actions.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Tautuk Incorporated
Original Assignee
Securboration, Inc.
Inventors
Stirtzinger, Anthony, Shapiro, Keith, Warhover, Brian, McQueary, Bruce
Primary Examiner(s)
Lemma, Samson B

Application Number

US15/596,515
Publication Number

US 20170318051A1
Time in Patent Office

637 Days
Field of Search

726 23
US Class Current
CPC Class Codes

H04L 63/1408   by monitoring network traff...

H04L 63/1441   Countermeasures against mal...

H04W 12/12   Detection or prevention of ...

H04W 12/126   Anti-theft arrangements, e....

Cyber-semantic account management system

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

10 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Cyber-semantic account management system

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

10 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links