Method and system for identifying security risks using graph analysis
First Claim
1. A computer-implemented method for identifying users of an information security system for determining risk of unauthorized access to secure data assets, the method executed by one or more processors programmed to perform the method, the method comprising:
identifying, by one or more processors, a plurality of users, wherein each user has a job function related to a role of the user within an organization and is associated with an organizational network which contains a plurality of secure data assets and a plurality of security groups, each security group having permission to access at least one secure data asset;
for each of the plurality of users:
causing, by the one or more processors, a node of a graph data structure representing the user to be displayed on a user interface of a computing device,
identifying, by the one or more processors, a connection between the node of the user and a node of another user of the plurality of users when the user and the other user both correspond to a same security group of the plurality of security groups; and
causing, by the one or more processors, the connection between the corresponding node for the user and the other user to be displayed as an edge of the graph data structure on the user interface; and
determining, by the one or more processors, a shortest path between each pair of nodes of the plurality of nodes based upon the connections between the nodes, wherein the shortest path between a pair of nodes is a least number of interconnected nodes in which a first node must pass through to reach a second node;
ranking, by the one or more processors, each of the plurality of users based upon a number of shortest paths which include the corresponding node for the respective user;
providing, by the one or more processors, the ranking of the plurality of users to the computing device; and
determining, by the one or more processors, that at least one of the plurality of users ranked above a threshold ranking belongs to at least two different security groups to determine users having a potential security risk.
Abstract
Methods, systems, apparatus, and non-transitory computer readable media are described for identifying users who are likely to have unauthorized access to secure data files in an organizational network. Various aspects may include presenting the identified users on a display for a system administrator and/or security analyst to resolve. For example, the display may include a graph data structure with users represented as nodes and connections between users represented as edges. Each connection may be a pair of users belonging to the same security group. Nodes of the graph data structure may be clustered to indicate that each of the users in the cluster belongs to the same security group. Moreover, the users who are connected to multiple clusters may be identified as a potential risk of having unauthorized access to secure data files. The unauthorized access may then be remedied or taken away.
18 Claims
1. (Independent method claim; text reproduced in full under First Claim above.)
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9
10. A system for identifying users of an information security system for determining risk of unauthorized access to secure data assets, the system comprising:
one or more processors; and
a non-transitory computer-readable memory coupled to the one or more processors and storing thereon instructions that, when executed by the one or more processors, cause the system to:
identify a plurality of users, wherein each user has a job function related to a role of the user within an organization and is associated with an organizational network which contains a plurality of secure data assets and a plurality of security groups, each security group having permission to access at least one secure data asset;
for each of the plurality of users:
cause a node of a graph data structure representing the user to be displayed on a user interface of a computing device,
identify a connection between the node of the user and a node of another user of the plurality of users when the user and the other user both correspond to a same security group of the plurality of security groups,
cause the connection between the corresponding node for the user and the other user to be displayed as an edge of the graph data structure on the user interface, and
determine a shortest path between each pair of nodes of the plurality of nodes based upon the connections between the nodes, wherein the shortest path between a pair of nodes is a least number of interconnected nodes in which a first node must pass through to reach a second node;
rank each of the plurality of users based upon a number of shortest paths which include the corresponding node for the respective user;
provide the ranking of the plurality of users to the computing device; and
determine that at least one of the plurality of users ranked above a threshold ranking belongs to at least two different security groups to determine users having a potential security risk.
Dependent claims: 11, 12, 13, 14, 15, 16, 17, 18
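The procedure recited in claims 1 and 10 and summarized in the abstract (user nodes, shared-group edges, all-pairs shortest paths, ranking by paths through each node, then a multi-group check on the top-ranked users), worked through in Python as an added example. This is not the patent's implementation. The security groups, member names, secure asset names and the rank threshold `top_n` are constructed for illustration; the score is a raw count of shortest paths through each node, computed with BFS path counting (the standard Brandes-style single-source step), which is one reading of "number of shortest paths which include the corresponding node".

```python
"""Graph-based over-permission finder (added example, not the patent's code).

Users are nodes; two users share an edge when they are members of a common
security group. Each user is scored by the number of shortest paths between
other user pairs that pass through them, ranked, and those above a rank
threshold who belong to two or more groups are flagged for review.
"""
from collections import deque
from itertools import combinations

# Constructed inventory: security group -> (members, secure assets the group can read).
SECURITY_GROUPS = {
    "finance-ledger": ({"alice", "bob", "carol"}, {"gl-2024.xlsx"}),
    "hr-payroll":     ({"carol", "dave", "erin"}, {"payroll.db"}),
    "eng-prod-db":    ({"frank", "grace", "heidi"}, {"customers.db"}),
    "eng-deploy":     ({"heidi", "ivan"}, {"deploy-keys/"}),
    "audit-readonly": ({"bob", "grace"}, {"audit-logs/"}),
}


def build_user_graph(groups):
    """Return (adjacency dict, user -> set of group names). Edge iff a shared group."""
    adj, membership = {}, {}
    for gname, (members, _assets) in groups.items():
        for u in members:
            adj.setdefault(u, set())
            membership.setdefault(u, set()).add(gname)
        for u, v in combinations(sorted(members), 2):  # every group is a clique
            adj[u].add(v)
            adj[v].add(u)
    return adj, membership


def bfs_paths(adj, source):
    """Single-source BFS: hop distance and number of distinct shortest paths."""
    dist, sigma = {source: 0}, {source: 1}
    queue = deque([source])
    while queue:
        u = queue.popleft()
        for w in adj[u]:
            if w not in dist:
                dist[w] = dist[u] + 1
                sigma[w] = 0
                queue.append(w)
            if dist[w] == dist[u] + 1:  # u is a predecessor of w on a shortest path
                sigma[w] += sigma[u]
    return dist, sigma


def shortest_path_scores(adj):
    """Count, per node, the shortest paths between other pairs that pass through it."""
    sp = {u: bfs_paths(adj, u) for u in adj}
    scores = {u: 0 for u in adj}
    for s, t in combinations(sorted(adj), 2):
        dist_s, sigma_s = sp[s]
        if t not in dist_s:
            continue  # disconnected pair: no path to attribute
        dist_t, sigma_t = sp[t]
        for v in adj:
            if v in (s, t) or v not in dist_s:
                continue
            # v lies on a shortest s-t path iff the distances add up; the number
            # of such paths is sigma(s,v) * sigma(v,t); undirected, so sigma_t[v] == sigma(v,t).
            if dist_s[v] + dist_t[v] == dist_s[t]:
                scores[v] += sigma_s[v] * sigma_t[v]
    return scores


def rank_users(groups):
    """Rank users by score, highest first; ties broken by name for determinism."""
    adj, membership = build_user_graph(groups)
    scores = shortest_path_scores(adj)
    ranked = sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))
    return ranked, membership


def flag_risky_users(groups, top_n):
    """Claim-style check: users in the top_n ranks who sit in two or more groups.

    Each flagged record lists the groups and the union of assets they reach,
    which is what a reviewer needs to decide whether the combination is justified.
    """
    ranked, membership = rank_users(groups)
    flagged = []
    for user, score in ranked[:top_n]:
        if len(membership[user]) >= 2:
            assets = set().union(*(groups[g][1] for g in membership[user]))
            flagged.append({"user": user, "score": score,
                            "groups": sorted(membership[user]),
                            "assets": sorted(assets)})
    return flagged


if __name__ == "__main__":
    for record in flag_risky_users(SECURITY_GROUPS, top_n=5):
        print(record)
```

Because every security group is modelled as a clique, two users who share a group are always adjacent, so any user with a positive score is necessarily an intermediary between two different groups; the explicit "at least two groups" test therefore only changes the outcome when the rank threshold reaches into users with a score of zero (in the constructed data, `top_n=5` admits `alice`, who is in one group and is correctly not flagged). Broad groups such as an all-staff distribution list turn the graph into a near-clique and flatten every score, so they should be dropped from the inventory before scoring.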
Specification