Computer security and usage-analysis system
First Claim
Patent Images
1. A method of authenticating a user, the method comprising:
- obtaining, with one or more processors, a log of user interactions with one or more client computing devices;
training, with one or more processors, an anomaly detection model based on the log of user interactions;
after training the anomaly detection model, with one or more processors, receiving a stream of events indicating user interactions with a given client computing device;
classifying, with one or more processors, the stream of events as indicating anomalous behavior based on the trained anomaly detection model; and
in response to the classification, adjusting, with one or more processors, network access privileges of the given client computing device, wherein;
training the anomaly detection model comprises;
determining candidate parameter values of the anomaly detection model;
comparing predictions of the anomaly detection model based on the candidate parameters to the log data to determine a measure of mismatch; and
adjusting the candidate parameters based on the measure of mismatch to reduce an amount of the mismatch;
classifying the stream of events as indicating anomalous behavior based on the trained anomaly detection model comprises determining a risk score and comparing the risk score to a threshold;
adjusting network access privileges of the given client computing device comprises;
sending a command to the given client computing device configured to cause the given client computing device to prompt the user for a credential value;
receiving the credentials from the given client computing device; and
determining that the credential value is incorrect and, in response, terminating network access to the given client computing device to at least some resources; and
classifying the stream of events as indicating anomalous behavior based on the trained anomaly detection model comprises comparing received events to predictions of time-series machine learning model.
5 Assignments
0 Petitions
Accused Products
Abstract
Provided is a private and secure network that uses an authentication mechanism with a uniquely assigned private IP address and network credentials issued as part of a VPN certificate exchange. A first layer of authentication establishes a secure tunnel between user and VPN server, and a second layer of authentication connects that secure tunnel to the web site or resource, without passing the VPN certificate. Once authenticated, interaction between website or resource and user are automatically monitored for abnormal or malicious behavior and, if required, automatic verification and authentication response is generated.
-
Citations
20 Claims
-
1. A method of authenticating a user, the method comprising:
-
obtaining, with one or more processors, a log of user interactions with one or more client computing devices; training, with one or more processors, an anomaly detection model based on the log of user interactions; after training the anomaly detection model, with one or more processors, receiving a stream of events indicating user interactions with a given client computing device; classifying, with one or more processors, the stream of events as indicating anomalous behavior based on the trained anomaly detection model; and in response to the classification, adjusting, with one or more processors, network access privileges of the given client computing device, wherein; training the anomaly detection model comprises; determining candidate parameter values of the anomaly detection model; comparing predictions of the anomaly detection model based on the candidate parameters to the log data to determine a measure of mismatch; and adjusting the candidate parameters based on the measure of mismatch to reduce an amount of the mismatch; classifying the stream of events as indicating anomalous behavior based on the trained anomaly detection model comprises determining a risk score and comparing the risk score to a threshold; adjusting network access privileges of the given client computing device comprises; sending a command to the given client computing device configured to cause the given client computing device to prompt the user for a credential value; receiving the credentials from the given client computing device; and determining that the credential value is incorrect and, in response, terminating network access to the given client computing device to at least some resources; and classifying the stream of events as indicating anomalous behavior based on the trained anomaly detection model comprises comparing received events to predictions of time-series machine learning model. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
-
-
11. A tangible, non-transitory, machine-readable medium storing instructions that when executed by one or more processors effectuate operations comprising:
-
obtaining, with one or more processors, a log of user interactions with one or more client computing devices; training, with one or more processors, an anomaly detection model based on the log of user interactions; after training the anomaly detection model, with one or more processors, receiving a stream of events indicating user interactions with a given client computing device; classifying, with one or more processors, the stream of events as indicating anomalous behavior based on the trained anomaly detection model; and in response to the classification, adjusting, with one or more processors, network access privileges of the given client computing device, wherein; training the anomaly detection model comprises; determining candidate parameter values of the anomaly detection model; comparing predictions of the anomaly detection model based on the candidate parameters to the log data to determine a measure of mismatch; and adjusting the candidate parameters based on the measure of mismatch to reduce an amount of the mismatch; classifying the stream of events as indicating anomalous behavior based on the trained anomaly detection model comprises determining a risk score and comparing the risk score to a threshold; adjusting network access privileges of the given client computing device comprises; sending a command to the given client computing device configured to cause the given client computing device to prompt the user for a credential value; receiving the credentials from the given client computing device; and determining that the credential value is incorrect and, in response, terminating network access to the given client computing device to at least some resources; and classifying the stream of events as indicating anomalous behavior based on the trained anomaly detection model comprises comparing received events to predictions of time-series machine learning model. - View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
-
Specification