Database attack detection tool

US 10,587,631 B2
Filed: 05/11/2017
Issued: 03/10/2020
Est. Priority Date: 03/11/2013
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method, comprising:

identifying, by a threat detection tool executing in an access management system that manages private data for multiple end-user accounts, a single employee account that is authorized to access the private data, wherein each of the multiple end-user accounts stores end-user attributes of an associated end-user;

processing, by the threat detection tool, a log of multiple accesses of the private data to identify multiple accesses of the private data initiated by the single employee account;

identifying, by the threat detection tool, a subset of the multiple accesses initiated by the single employee account that involve specific end-user accounts;

identifying the end-user attributes common to two or more of the specific end-user accounts by;

identifying, for each of the two or more of the specific end-user accounts, an associated value of an end-user attribute; and

determining that the associated values of the end-user attribute for the two or more of the specific end-user accounts are common;

calculating a measure of commonality for the two or more of the specific end-user accounts based on;

a quantity of the end-user attributes common to the two or more of the specific end-user accounts; and

a weighted importance of one or more of the end-user attributes;

determining, by the threat detection tool, that the subset of the multiple accesses initiated by the single employee account are suspicious in response to the measure of commonality being greater than a predetermined threshold; and

triggering, by the threat detection tool, an alarm based on a determination that the subset of the multiple accesses initiated by the single employee account are suspicious.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The disclosed techniques provide systems and methods for detecting coordinated attacks on social networking databases containing personal end-user data. More specifically, various advanced persistent threat (APT) detection procedures are described that explore the commonality between specific targets of various private data accesses. In one embodiment, a threat detection tool is configured to process various private data accesses initiated by a source user account in order to identify associated query structures. The tool then applies one or more filters to the private data accesses to identify a subset of the private data accesses that have query structures indicating specific targets and processes these specific targets to determine if an access pattern exists. The access pattern can indicate, for example, a measure of commonality among two or more of the specific targets. If an access pattern exists, the threat detection tool can trigger an alarm.

49 Citations

20 Claims

1. A computer-implemented method, comprising:
- identifying, by a threat detection tool executing in an access management system that manages private data for multiple end-user accounts, a single employee account that is authorized to access the private data, wherein each of the multiple end-user accounts stores end-user attributes of an associated end-user;
  
  processing, by the threat detection tool, a log of multiple accesses of the private data to identify multiple accesses of the private data initiated by the single employee account;
  
  identifying, by the threat detection tool, a subset of the multiple accesses initiated by the single employee account that involve specific end-user accounts;
  
  identifying the end-user attributes common to two or more of the specific end-user accounts by;
  
  identifying, for each of the two or more of the specific end-user accounts, an associated value of an end-user attribute; and
  
  determining that the associated values of the end-user attribute for the two or more of the specific end-user accounts are common;
  
  calculating a measure of commonality for the two or more of the specific end-user accounts based on;
  
  a quantity of the end-user attributes common to the two or more of the specific end-user accounts; and
  
  a weighted importance of one or more of the end-user attributes;
  
  determining, by the threat detection tool, that the subset of the multiple accesses initiated by the single employee account are suspicious in response to the measure of commonality being greater than a predetermined threshold; and
  
  triggering, by the threat detection tool, an alarm based on a determination that the subset of the multiple accesses initiated by the single employee account are suspicious.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The computer-implemented method of claim 1, wherein the alarm indicates a potential advanced persistent threat.
  - 3. The computer-implemented method of claim 1, wherein the specific end-user accounts include a specified set of the multiple end-user accounts associated with the access management system.
  - 4. The computer-implemented method of claim 1, wherein the end-user attributes common to the two or more of the specific end-user accounts comprise one or more of:
    - an organization attribute;
      
      ora group attribute.
  - 5. The computer-implemented method of claim 1, wherein the end-user attributes common to the two or more of the specific end-user accounts comprise one or more of:
    - a location attribute;
      
      an event attribute;
      
      ora purpose attribute.
  - 6. The computer-implemented method of claim 1, wherein:
    - the end-user attributes comprise a location attribute;
      
      identifying the end-user attributes common to the two or more of the specific end-user accounts comprises;
      
      identifying, for each of the two or more of the specific end-user accounts, an associated value of the location attribute; and
      
      determining that the associated values of the location attribute for the two or more of the specific end-user accounts are common.
  - 7. The computer-implemented method of claim 1, wherein:
    - the end-user attributes comprise a group attribute;
      
      identifying the end-user attributes common to the two or more of the specific end-user accounts comprises;
      
      identifying, for each of the two or more of the specific end-user accounts, an associated value of the group attribute; and
      
      determining that the associated values of the group attribute for the two or more of the specific end-user accounts are common.
  - 8. The computer-implemented method of claim 1 further comprising marking, by the threat detection tool, the subset of the multiple accesses of the private data initiated by the single employee account as suspicious.
  - 9. The computer-implemented method of claim 1, wherein determining that the subset of the multiple accesses initiated by the single employee account are suspicious is based at least in part on all of the subset of the multiple accesses initiated by the single employee account having occurred over a specified duration of time.
  - 10. The computer-implemented method of claim 9, wherein the specified duration of time is expanded if the measure of commonality for the two or more of the specific end-user accounts exceeds an additional predetermined threshold.
  - 11. The computer-implemented method of claim 1 further comprising sending, by the threat detection tool, a notification of the alarm to the single employee account.
  - 12. The computer-implemented method of claim 11, wherein the notification includes a threat severity.
  - 13. The computer-implemented method of claim 11, wherein the notification includes an indication of the subset of the multiple accesses.
  - 14. The computer-implemented method of claim 13 further comprising receiving, by the threat detection tool, a response to the notification, the response originating from the single employee account and indicating whether an employee intended to initiate the subset of the multiple accesses that involve the specific end-user accounts.

15. A non-transitory computer-readable storage medium storing computer-readable instructions, comprising:
- instructions for identifying, in an access management system that manages private data for multiple end-user accounts, a single employee account that is authorized to access the private data, wherein each of the multiple end-user accounts stores end-user attributes of an associated end-user;
  
  instructions for processing, in the access management system, a log of multiple accesses of the private data to identify multiple accesses of the private data initiated by the single employee account;
  
  instructions for identifying a subset of the multiple accesses of the private data initiated by the single employee account that involve specific end-user accounts;
  
  instructions for identifying the end-user attributes common to two or more of the specific end-user accounts by;
  
  identifying, for each of the two or more of the specific end-user accounts, an associated value of an end-user attribute; and
  
  determining that the associated values of the end-user attribute for the two or more of the specific end-user accounts are common;
  
  instructions for calculating a measure of commonality for the two or more of the specific end-user accounts based on;
  
  a quantity of the end-user attributes common to the two or more of the specific end-user accounts; and
  
  a weighted importance of one or more of the end-user attributes;
  
  instructions for triggering a pre-alarm in response to the measure of commonality being greater than a predetermined threshold, wherein the pre-alarm indicates a potential threat;
  
  instructions for sending a notification of the pre-alarm to the single employee account; and
  
  instructions for triggering, in response to receiving a confirmation of legitimacy of the pre-alarm, an alarm indicating the threat.
- View Dependent Claims (16, 17, 18)
- - 16. The non-transitory computer-readable storage medium of claim 15, wherein the alarm indicates a potential advanced persistent threat.
  - 17. The non-transitory computer-readable storage medium of claim 15, wherein:
    - the access management system is a social networking system; and
      
      the specific end-user accounts are of one or more individuals, groups, organizations, or communities.
  - 18. The non-transitory computer-readable storage medium of claim 15, wherein the notification of the pre-alarm includes a threat severity and an indication of the subset of the multiple accesses.

19. A system, comprising at least one physical processor configured to executes:
- a source identification module configured to identify a single employee account that is authorized to access private data managed by an access management system for multiple end-user accounts, wherein each of the multiple end-user accounts stores end-user attributes of an associated end-user;
  
  a query identification module configured to process a log of multiple accesses of the private data to identify multiple accesses of the private data initiated by the single employee account;
  
  a filter module configured to identify a subset of the multiple accesses initiated by the single employee account that involve specific end-user accounts;
  
  a pattern detection module configured to;
  
  identify the end-user attributes common to two or more of the specific end-user accounts by;
  
  identifying, for each of the two or more of the specific end-user accounts, an associated value of an end-user attribute; and
  
  determining that the associated values of the end-user attribute for the two or more of the specific end-user accounts are common;
  
  calculate a measure of commonality for the two or more of the specific end-user accounts based on;
  
  a quantity of the end-user attributes common to the two or more of the specific end-user accounts; and
  
  a weighted importance of one or more of the end-user attributes; and
  
  determine that the subset of the multiple accesses initiated by the single employee account are suspicious in response to the measure of commonality being greater than a predetermined threshold; and
  
  a threat trigger module configured to generate an alarm based on a determination that the subset of the multiple accesses initiated by the single employee account are suspicious.
- View Dependent Claims (20)
- - 20. The system of claim 19, wherein the end-user attributes common to the two or more of the specific end-user accounts comprise one or more of:
    - a location attribute;
      
      an organization attribute;
      
      a group attribute;
      
      an event attribute;
      
      ora purpose attribute.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Meta Platforms, Inc. (f/k/a Facebook, Inc.)
Original Assignee
Meta Platforms, Inc. (f/k/a Facebook, Inc.)
Inventors
Anantharaju, Srinath, Greene, Chad
Primary Examiner(s)
Pearson, David J
Assistant Examiner(s)
Champakesan, Badri

Application Number

US15/593,052
Publication Number

US 20170251000A1
Time in Patent Office

1,034 Days
Field of Search

726 23
US Class Current
CPC Class Codes

G06F 16/951   Indexing; Web crawling tech...

G06F 21/55   Detecting local intrusion o...

G06F 21/552   involving long-term monitor...

G06F 21/6227   where protection concerns t...

G06N 5/04   Inference or reasoning models

H04L 2463/141   Denial of service attacks a...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1441   Countermeasures against mal...

Database attack detection tool

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

49 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

Database attack detection tool

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

49 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others