User behavioral risk assessment

US 10,505,965 B2
Filed: 08/31/2016
Issued: 12/10/2019
Est. Priority Date: 10/18/2011
Status: Active Grant

First Claim

Patent Images

1. At least one non-transitory machine accessible storage medium having instructions stored thereon, the instructions when executed on a machine, cause the machine to:

develop a behavioral profile associated with a particular user to characterize the user'"'"'s behavior;

analyze data from a computing device, wherein the data describes;

at least one of a plurality of activities by the particular user at the computing device, andat least one identifier associated with the computing device, wherein the at least one identifier comprises one or more of a MAC address or an IP address;

detect that the data indicates a security threat, based at least in part on a determination that the data indicates a deviation from the behavior of the behavioral profile; and

initiate one or more countermeasures to attempt to mitigate against the security threat,wherein the one or more countermeasures restrict access by the computing device to one or more computing resources, andwherein the one or more countermeasures require reauthentication of the computing device to allow access to the one or more computing resources.

View all claims

11 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A particular activity performed by a particular user of a computing device is identified, for instance, by an agent installed on the computing device. It is determined that the particular activity qualifies as a particular use violation in a plurality of pre-defined use violations. A behavioral risk score for the particular score for the user is determined based at least in part on the determination that the particular activity of the particular user qualifies as a particular use violation. Determining that the particular activity qualifies as a particular use violation can include determining that the particular activity violates a particular rule or event trigger corresponding to a particular pre-defined use violation.

79 Citations

20 Claims

1. At least one non-transitory machine accessible storage medium having instructions stored thereon, the instructions when executed on a machine, cause the machine to:
- develop a behavioral profile associated with a particular user to characterize the user'"'"'s behavior;
  
  analyze data from a computing device, wherein the data describes;
  
  at least one of a plurality of activities by the particular user at the computing device, andat least one identifier associated with the computing device, wherein the at least one identifier comprises one or more of a MAC address or an IP address;
  
  detect that the data indicates a security threat, based at least in part on a determination that the data indicates a deviation from the behavior of the behavioral profile; and
  
  initiate one or more countermeasures to attempt to mitigate against the security threat,wherein the one or more countermeasures restrict access by the computing device to one or more computing resources, andwherein the one or more countermeasures require reauthentication of the computing device to allow access to the one or more computing resources.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. The storage medium of claim 1, wherein the instructions, when executed, further cause the machine to:
    - determine an association between the computing device and the particular user; and
      
      associate the behavioral profile with the data received from the computing device based on the association.
  - 3. The storage medium of claim 1, wherein the one or more countermeasures restrict network access by the computing device.
  - 4. The storage medium of claim 3, wherein the one or more countermeasures comprise a web gateway.
  - 5. The storage medium of claim 3, wherein the one or more countermeasures comprise a firewall.
  - 6. The storage medium of claim 1, wherein the computing resources comprise one or more files.
  - 7. The storage medium of claim 1, wherein the one or more countermeasures disable the computing device.
  - 8. The storage medium of claim 1, wherein the plurality of activities comprise an authentication action performed at the computing device.
  - 9. The storage medium of claim 8, wherein the behavioral profile is based on one or more authentication actions performed by the particular user.
  - 10. The storage medium of claim 1, wherein the behavioral profile is based at least in part on email use of the particular user.
  - 11. The storage medium of claim 1, wherein the behavioral profile is based at least in part on online activities performed by the particular user.
  - 12. The storage medium of claim 1, wherein the behavioral profile is based at least in part on compliance, by the particular user, with a set of security policies.
  - 13. The storage medium of claim 12, wherein the set of security policies comprise policies of a particular organization.
  - 14. The storage medium of claim 1, wherein the instructions, when executed, further cause the machine to:
    - determine, from the data, that a particular one of a plurality of predefined use violations has been performed at the computing device.
  - 15. The storage medium of claim 14, wherein the data indicates detection of the particular predefined use violation by the computing device.
  - 16. The storage medium of claim 14, wherein detecting that the data indicates the security threat is further based on the particular predefined use violation.

17. A method comprising:
- developing a behavioral profile associated with a particular user to characterize the user'"'"'s behavior;
  
  analyzing data from a computing device, wherein the data describes;
  
  at least one of a plurality of activities by the particular user at the computing device, andat least one identifier associated with the computing device, wherein the at least one identifier comprises one or more of a MAC address or an IP address;
  
  detecting that the data indicates a security threat, based at least in part on a determination that the data indicates a deviation from the behavior of the behavioral profile; and
  
  initiating one or more countermeasures to attempt to mitigate against the security threat,wherein the one or more countermeasures restrict access by the computing device to one or more computing resources, andwherein the one or more countermeasures require reauthentication of the computing device to allow access to the one or more computing resources.

18. A system comprising:
- at least one processor;
  
  at least one memory;
  
  a risk engine, executable by the at least one processor, to;
  
  develop a behavioral profile associated with a particular user to characterize the user'"'"'s behavior;
  
  analyze data from a computing device, wherein the data describes;
  
  at least one of a plurality of activities by the particular user at the computing device, andat least one identifier associated with the computing device, wherein the at least one identifier comprises one or more of a MAC address or an IP address;
  
  detect that the data indicates a security threat, based at least in part on a determination that the data indicates a deviation from the behavior of the behavioral profile; and
  
  initiate performance of one or more security activities to attempt to mitigate against the security threat, wherein the one or more security activities comprise forcing forced re-authentication of the computing device.
- View Dependent Claims (19, 20)
- - 19. The system of claim 18, further comprising one or more security tools, wherein the risk engine is executable to invoke the security tools to perform the one or more security activities.
  - 20. The system of claim 19, wherein at least a portion of the one or more security tools are hosted on the computing device and another portion of the one or more security tools are hosted remote from the computing device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Musarubra US LLC (Musarubra US SellCo LLC)
Original Assignee
McAfee, LLC
Inventors
Moyle, Michael Mason, Basavapatna, Prasanna Ganapathi, Schrecker, Sven
Primary Examiner(s)
Sholeman, Abu S

Application Number

US15/253,263
Publication Number

US 20160373477A1
Time in Patent Office

1,196 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/552   involving long-term monitor...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1433   Vulnerability analysis

H04L 63/1441   Countermeasures against mal...

H04L 63/20   for managing network securi...

User behavioral risk assessment

First Claim

11 Assignments

0 Petitions

Accused Products

Abstract

79 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

User behavioral risk assessment

First Claim

11 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

79 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links