Method and system for anonymizing activity records

US 10,387,667 B2
Filed: 04/18/2018
Issued: 08/20/2019
Est. Priority Date: 10/02/2015
Status: Active Grant

First Claim

Patent Images

1. A method for detecting cyber-threats to a company from activity records logged by the company'"'"'s computing devices while protecting sensitive company information, the method comprising:

receiving, by an activity monitoring engine, an activity record that documents user activities on a computing device;

generating, by the activity monitoring engine, an anonymization dictionary, wherein generating the anonymization dictionary comprises;

using a statistical method or an artificial intelligence method to detect, in the activity record, a plurality of target entities to be anonymized;

making a determination that a resource is associated with a set of target entities of the plurality of target entities; and

after making the determination;

assigning an anonymized identity to the set of target entities; and

generating an anonymized identifier for each target entity in the set of target entities to obtain a plurality of anonymized identifiers each including the anonymized identity;

replacing, by the activity monitoring engine, the plurality of target entities in the activity record with their anonymized identifiers from the anonymization dictionary to obtain an anonymized activity record;

storing, by the activity monitoring engine, the anonymized activity record; and

analyzing, by the activity monitoring engine, the anonymized activity record to detect cyber-threats to the company or sharing, by the activity monitoring engine, the anonymized activity record with a third-party system to detect cyber-threats to the company.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for processing activity records. The method includes obtaining an activity record, and generating an anonymization dictionary. Generating the anonymization dictionary includes detecting, in the activity record, a set of target entities to be anonymized, making a determination that a resource is associated with a subset of the target entities of the set of target entities, and after making the determination, assigning an anonymized identity to the subset of target entities, and generating an anonymization identifier for each target entity in the subset of target entities to obtain a set of anonymization identifiers, each including the anonymized identity. The method further includes processing the activity record using the anonymization dictionary to obtain an anonymized activity record and storing the anonymized activity record.

27 Citations

View as Search Results

17 Claims

1. A method for detecting cyber-threats to a company from activity records logged by the company'"'"'s computing devices while protecting sensitive company information, the method comprising:
- receiving, by an activity monitoring engine, an activity record that documents user activities on a computing device;
  
  generating, by the activity monitoring engine, an anonymization dictionary, wherein generating the anonymization dictionary comprises;
  
  using a statistical method or an artificial intelligence method to detect, in the activity record, a plurality of target entities to be anonymized;
  
  making a determination that a resource is associated with a set of target entities of the plurality of target entities; and
  
  after making the determination;
  
  assigning an anonymized identity to the set of target entities; and
  
  generating an anonymized identifier for each target entity in the set of target entities to obtain a plurality of anonymized identifiers each including the anonymized identity;
  
  replacing, by the activity monitoring engine, the plurality of target entities in the activity record with their anonymized identifiers from the anonymization dictionary to obtain an anonymized activity record;
  
  storing, by the activity monitoring engine, the anonymized activity record; and
  
  analyzing, by the activity monitoring engine, the anonymized activity record to detect cyber-threats to the company or sharing, by the activity monitoring engine, the anonymized activity record with a third-party system to detect cyber-threats to the company.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 16, 17)
- - 2. The method of claim 1, further comprising detecting an additional target entity to be anonymized based on its consistent appearance uniquely with one of the plurality of target entities.
  - 3. The method of claim 1, wherein making the determination that the resource is associated with the set of target entities comprises using statistical analysis to determine user accounts are associated with the resource when the user accounts access an email account more than the user accounts access other email accounts.
  - 4. The method of claim 1, wherein making the determination that the resource is associated with the set of target entities comprises using cluster analysis to determine user accounts are associated with the resource based on utilization parameters.
  - 5. The method of claim 1, wherein:
    - generating the anonymization dictionary further comprises, for each target entity in the set of target entities, assigning an entity type of the target entity; and
      
      generating the anonymized identifier for each target entity comprises storing the entity type in the anonymized identifier.
  - 6. The method of claim 5, wherein the entity type is at least one selected from the group consisting of a user name, an email address, a domain name, an IP address, a port number, a host name, a company name, and a partner name.
  - 7. The method of claim 5, wherein:
    - for at least two target entities in the set of target entities, the entity type is identical;
      
      a unique instance identifier is assigned to each of the at least two target entities; and
      
      the unique instance identifiers are included in the anonymized identifiers for the at least two target entities.
  - 8. The method of claim 1, wherein each of the plurality of target entities comprises at least one selected from a group consisting a user name, an email address, a domain name, IP address, a port number, a host name, company name, and a partner name.
  - 9. The method of claim 1, further comprising:
    - analyzing the at least one anonymized activity record using a threat detection algorithm.
  - 10. The method of claim 1, wherein the resource is a user or a company.
  - 16. A computer system, comprising:
    - the anonymization engine programmed to perform the method of claim 1 or 11; and
      
      a repository configured to store the anonymized activity record.
  - 17. The system of claim 16, further comprising:
    - a threat analysis engine programmed to analyze the anonymized activity record using a threat detection algorithm.

11. A method for detecting cyber-threats to a company from activity records logged by the company'"'"'s computing devices while protecting sensitive company information, the method comprising:
- obtaining, by an activity monitoring engine, an activity record including metadata that documents user activities on a computing device;
  
  generating, by the activity monitoring engine, an anonymization dictionary, wherein generating the anonymization dictionary comprises;
  
  using a statistical method or an artificial intelligence method to detect, in the activity record, a plurality of target entities to be anonymized;
  
  assigning an anonymized identity to each unique target entity of the plurality of target entities; and
  
  generating dictionary entries for the plurality of target entities, wherein each dictionary entry comprises a target entity and a corresponding anonymized identifier comprising the anonymized identity for the target entity;
  
  generating, by the activity monitoring engine, an equivalence map, wherein generating the equivalence map comprises;
  
  making a determination that a resource is associated with a set of target entities of the plurality of target entities; and
  
  storing, in the equivalence map, an identity relationship specifying that anonymized identities corresponding to the set of target entities are associated with the resource;
  
  replacing, by the activity monitoring engine, the plurality of target entities in the activity record with their anonymized identifiers from the anonymization dictionary to obtain an anonymized activity record;
  
  storing, by the activity monitoring engine, the anonymized activity record; and
  
  analyzing, by the activity monitoring engine, the anonymized activity record to detect cyber-threats to the company or sharing, by the activity monitoring engine, the anonymized activity record with a third-party system to detect cyber-threats to the company.
- View Dependent Claims (12, 13, 14, 15)
- - 12. The method of claim 11, further comprising detecting an additional target entity to be anonymized based on its consistent appearance uniquely with one of the plurality of target entities.
  - 13. The method of claim 11, wherein making the determination that the resource is associated with the set of target entities comprises using statistical analysis to determine user accounts are associated with the resource when the user accounts access an email account more than the user accounts access other email accounts.
  - 14. The method of claim 11, wherein making the determination that the resource is associated with the set of target entities comprises using cluster analysis to determine user accounts are associated with the resource based on utilization parameters.
  - 15. The method of claim 11, wherein generating the equivalence map is performed prior to or after storing the anonymized activity record.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Dtex System Inc.
Original Assignee
Dtex System Inc.
Inventors
Koo, Rajan Peng Kiat, Bruechert, Russell Alan, Stamp, Roderick Duncan, Swami, Arun Narasimha, Akkineni, Vamsi Krishna
Primary Examiner(s)
Moorthy, Aravind K

Application Number

US15/956,514
Publication Number

US 20180239918A1
Time in Patent Office

489 Days
Field of Search

726 23, 726 4, 713165, 713182
US Class Current
CPC Class Codes

G06F 21/552   involving long-term monitor...

G06F 21/554   involving event detection a...

G06F 21/6209   to a single file or object,...

G06F 21/6254   by anonymising data, e.g. d...

H04L 63/1441   Countermeasures against mal...

Method and system for anonymizing activity records

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

27 Citations

17 Claims

Specification

Use Cases

Quick Links

Others

Method and system for anonymizing activity records

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

27 Citations

17 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others