User behavioral risk assessment
First Claim
1. At least one non-transitory machine accessible storage medium having instructions stored thereon, the instructions when executed on a machine, cause the machine to:
- develop a behavioral profile associated with a particular user to characterize the user's behavior;
- analyze data from a computing device, wherein the data describes:
  - at least one of a plurality of activities by the particular user at the computing device, and
  - at least one identifier associated with the computing device, wherein the at least one identifier comprises one or more of a MAC address or an IP address;
- detect that the data indicates a security threat, based at least in part on a determination that the data indicates a deviation from the behavior of the behavioral profile; and
- initiate one or more countermeasures to attempt to mitigate against the security threat,
  - wherein the one or more countermeasures restrict access by the computing device to one or more computing resources, and
  - wherein the one or more countermeasures require reauthentication of the computing device to allow access to the one or more computing resources.
Abstract
A particular activity performed by a particular user of a computing device is identified, for instance, by an agent installed on the computing device. It is determined that the particular activity qualifies as a particular use violation in a plurality of pre-defined use violations. A behavioral risk score for the particular user is determined based at least in part on the determination that the particular activity of the particular user qualifies as a particular use violation. Determining that the particular activity qualifies as a particular use violation can include determining that the particular activity violates a particular rule or event trigger corresponding to a particular pre-defined use violation.
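An added illustration (not text from the patent and not the assignee's implementation) of the flow described in the first claim and the abstract: agent-reported events are matched against pre-defined use violations, compared with the user's behavioral profile and device identifiers, scored, and answered with access restriction plus reauthentication. The rule names, weights, threshold, event fields and sample data are all assumptions made for the example.

```python
from collections import Counter
from dataclasses import dataclass, field

# Hypothetical pre-defined use violations: name -> (rule on an event, assumed weight).
USE_VIOLATIONS = {
    "usb_mass_copy": (lambda e: e["action"] == "usb_write" and e.get("mb", 0) > 500, 40),
    "av_disabled": (lambda e: e["action"] == "disable_av", 60),
}
DEVIATION_WEIGHT = 30   # assumed score added per deviation from the profile
THREAT_THRESHOLD = 50   # assumed score at which countermeasures start

@dataclass
class Profile:
    """Behavioral profile: actions and device identifiers seen in the baseline."""
    actions: Counter = field(default_factory=Counter)
    identifiers: set = field(default_factory=set)

    def learn(self, event):
        self.actions[event["action"]] += 1
        self.identifiers.add((event["mac"], event["ip"]))

def assess(profile, event):
    """Score one agent-reported event and pick countermeasures."""
    violations = [n for n, (rule, _) in USE_VIOLATIONS.items() if rule(event)]
    deviations = []
    if event["action"] not in profile.actions:
        deviations.append("unseen_action")
    if (event["mac"], event["ip"]) not in profile.identifiers:
        deviations.append("unseen_device_identifier")
    score = sum(USE_VIOLATIONS[n][1] for n in violations) + DEVIATION_WEIGHT * len(deviations)
    # A threat needs a deviation from the profile, not just a high score.
    threat = bool(deviations) and score >= THREAT_THRESHOLD
    actions = ["restrict_access", "require_reauthentication"] if threat else []
    return {"score": score, "violations": violations,
            "deviations": deviations, "countermeasures": actions}

# Constructed sample data (not from the patent): baseline, then three new events.
KNOWN = {"mac": "00:00:5e:00:53:01", "ip": "192.0.2.10"}
BASELINE = [{"action": a, **KNOWN} for a in ("login", "open_doc", "open_doc", "send_mail")]
PROFILE = Profile()
for ev in BASELINE:
    PROFILE.learn(ev)

ROUTINE = {"action": "open_doc", **KNOWN}
SMALL_USB = {"action": "usb_write", "mb": 100, **KNOWN}
AV_OFF_NEW_HOST = {"action": "disable_av", "mac": "00:00:5e:00:53:02", "ip": "198.51.100.7"}

if __name__ == "__main__":
    for name, ev in [("routine", ROUTINE), ("small_usb", SMALL_USB), ("av_off", AV_OFF_NEW_HOST)]:
        print(name, assess(PROFILE, ev))
```

The small USB write deviates from the profile but stays under the assumed threshold, so only the event from the unknown MAC/IP pair that also trips a use-violation rule triggers both countermeasures.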
20 Claims
17. A method comprising:
- developing a behavioral profile associated with a particular user to characterize the user's behavior;
- analyzing data from a computing device, wherein the data describes:
  - at least one of a plurality of activities by the particular user at the computing device, and
  - at least one identifier associated with the computing device, wherein the at least one identifier comprises one or more of a MAC address or an IP address;
- detecting that the data indicates a security threat, based at least in part on a determination that the data indicates a deviation from the behavior of the behavioral profile; and
- initiating one or more countermeasures to attempt to mitigate against the security threat,
  - wherein the one or more countermeasures restrict access by the computing device to one or more computing resources, and
  - wherein the one or more countermeasures require reauthentication of the computing device to allow access to the one or more computing resources.
18. A system comprising:
- at least one processor;
- at least one memory;
- a risk engine, executable by the at least one processor, to:
  - develop a behavioral profile associated with a particular user to characterize the user's behavior;
  - analyze data from a computing device, wherein the data describes:
    - at least one of a plurality of activities by the particular user at the computing device, and
    - at least one identifier associated with the computing device, wherein the at least one identifier comprises one or more of a MAC address or an IP address;
  - detect that the data indicates a security threat, based at least in part on a determination that the data indicates a deviation from the behavior of the behavioral profile; and
  - initiate performance of one or more security activities to attempt to mitigate against the security threat, wherein the one or more security activities comprise forcing forced re-authentication of the computing device.
Specification