Database attack detection tool
First Claim
1. A computer-implemented method, comprising:
    identifying, by a threat detection tool executing in an access management system that manages private data for multiple end-user accounts, a single employee account that is authorized to access the private data, wherein each of the multiple end-user accounts stores end-user attributes of an associated end-user;
    processing, by the threat detection tool, a log of multiple accesses of the private data to identify multiple accesses of the private data initiated by the single employee account;
    identifying, by the threat detection tool, a subset of the multiple accesses initiated by the single employee account that involve specific end-user accounts;
    identifying the end-user attributes common to two or more of the specific end-user accounts by:
        identifying, for each of the two or more of the specific end-user accounts, an associated value of an end-user attribute; and
        determining that the associated values of the end-user attribute for the two or more of the specific end-user accounts are common;
    calculating a measure of commonality for the two or more of the specific end-user accounts based on:
        a quantity of the end-user attributes common to the two or more of the specific end-user accounts; and
        a weighted importance of one or more of the end-user attributes;
    determining, by the threat detection tool, that the subset of the multiple accesses initiated by the single employee account are suspicious in response to the measure of commonality being greater than a predetermined threshold; and
    triggering, by the threat detection tool, an alarm based on a determination that the subset of the multiple accesses initiated by the single employee account are suspicious.
Abstract
The disclosed techniques provide systems and methods for detecting coordinated attacks on social networking databases containing personal end-user data. More specifically, various advanced persistent threat (APT) detection procedures are described that explore the commonality between specific targets of various private data accesses. In one embodiment, a threat detection tool is configured to process various private data accesses initiated by a source user account in order to identify associated query structures. The tool then applies one or more filters to the private data accesses to identify a subset of the private data accesses that have query structures indicating specific targets and processes these specific targets to determine if an access pattern exists. The access pattern can indicate, for example, a measure of commonality among two or more of the specific targets. If an access pattern exists, the threat detection tool can trigger an alarm.
20 Claims
15. A non-transitory computer-readable storage medium storing computer-readable instructions, comprising:
    instructions for identifying, in an access management system that manages private data for multiple end-user accounts, a single employee account that is authorized to access the private data, wherein each of the multiple end-user accounts stores end-user attributes of an associated end-user;
    instructions for processing, in the access management system, a log of multiple accesses of the private data to identify multiple accesses of the private data initiated by the single employee account;
    instructions for identifying a subset of the multiple accesses of the private data initiated by the single employee account that involve specific end-user accounts;
    instructions for identifying the end-user attributes common to two or more of the specific end-user accounts by:
        identifying, for each of the two or more of the specific end-user accounts, an associated value of an end-user attribute; and
        determining that the associated values of the end-user attribute for the two or more of the specific end-user accounts are common;
    instructions for calculating a measure of commonality for the two or more of the specific end-user accounts based on:
        a quantity of the end-user attributes common to the two or more of the specific end-user accounts; and
        a weighted importance of one or more of the end-user attributes;
    instructions for triggering a pre-alarm in response to the measure of commonality being greater than a predetermined threshold, wherein the pre-alarm indicates a potential threat;
    instructions for sending a notification of the pre-alarm to the single employee account; and
    instructions for triggering, in response to receiving a confirmation of legitimacy of the pre-alarm, an alarm indicating the threat.
Dependent claims: 16, 17, 18.
19. A system, comprising at least one physical processor configured to execute:
    a source identification module configured to identify a single employee account that is authorized to access private data managed by an access management system for multiple end-user accounts, wherein each of the multiple end-user accounts stores end-user attributes of an associated end-user;
    a query identification module configured to process a log of multiple accesses of the private data to identify multiple accesses of the private data initiated by the single employee account;
    a filter module configured to identify a subset of the multiple accesses initiated by the single employee account that involve specific end-user accounts;
    a pattern detection module configured to:
        identify the end-user attributes common to two or more of the specific end-user accounts by:
            identifying, for each of the two or more of the specific end-user accounts, an associated value of an end-user attribute; and
            determining that the associated values of the end-user attribute for the two or more of the specific end-user accounts are common;
        calculate a measure of commonality for the two or more of the specific end-user accounts based on:
            a quantity of the end-user attributes common to the two or more of the specific end-user accounts; and
            a weighted importance of one or more of the end-user attributes; and
        determine that the subset of the multiple accesses initiated by the single employee account are suspicious in response to the measure of commonality being greater than a predetermined threshold; and
    a threat trigger module configured to generate an alarm based on a determination that the subset of the multiple accesses initiated by the single employee account are suspicious.
Dependent claims: 20.
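The detection steps recited in claims 1, 15 and 19 (single employee account, filter to accesses naming specific end-user accounts, attributes shared by two or more targets, weighted commonality score against a threshold) run over a handful of constructed log lines and end-user records. This is an added illustration, not code from the patent; the log format, the attribute weights and the threshold are assumptions.

```python
import re
from collections import Counter

# Constructed end-user records (not from the patent): account id -> attributes.
END_USERS = {
    "u1001": {"employer": "Acme Corp", "city": "Austin", "title": "CFO"},
    "u1002": {"employer": "Acme Corp", "city": "Austin", "title": "Controller"},
    "u1003": {"employer": "Acme Corp", "city": "Dallas", "title": "Accountant"},
    "u2001": {"employer": "Globex", "city": "Boston", "title": "Engineer"},
}
ATTRIBUTE_WEIGHTS = {"employer": 3.0, "city": 1.0, "title": 2.0}  # assumed importance
# Constructed access-log lines; target=- marks a query with no specific end-user.
ACCESS_LOG = """\
2024-03-01T09:00:00Z employee=e42 query=profile_lookup target=u1001
2024-03-01T09:02:10Z employee=e42 query=profile_lookup target=u1002
2024-03-01T09:05:31Z employee=e42 query=aggregate_report target=-
2024-03-01T09:07:44Z employee=e42 query=profile_lookup target=u1003
2024-03-01T10:15:00Z employee=e77 query=profile_lookup target=u2001
"""
LOG_RE = re.compile(r"employee=(\S+) query=(\S+) target=(\S+)")

def accesses_by_employee(log, employee):
    """Accesses (query, target) initiated by the single employee account."""
    matches = (LOG_RE.search(line) for line in log.splitlines())
    return [(m.group(2), m.group(3)) for m in matches if m and m.group(1) == employee]

def specific_targets(accesses):
    """Filter to accesses whose query structure names a specific end-user account."""
    return sorted({target for _, target in accesses if target != "-"})

def common_attributes(targets, users=END_USERS):
    """Attribute -> value shared by two or more of the targeted accounts."""
    common = {}
    for attr in ATTRIBUTE_WEIGHTS:
        values = Counter(users[t].get(attr) for t in targets if t in users)
        values.pop(None, None)  # ignore accounts that lack this attribute
        if values and values.most_common(1)[0][1] >= 2:
            common[attr] = values.most_common(1)[0][0]
    return common

def commonality_score(common):
    """Quantity of common attributes, each weighted by its importance."""
    return sum(ATTRIBUTE_WEIGHTS[attr] for attr in common)

def evaluate_employee(employee, threshold=3.5, log=ACCESS_LOG):
    """Run the claim 1 steps for one employee; alarm when the score exceeds threshold."""
    targets = specific_targets(accesses_by_employee(log, employee))
    common = common_attributes(targets) if len(targets) >= 2 else {}
    score = commonality_score(common)
    return {"targets": targets, "common": common, "score": score, "alarm": score > threshold}
```

The aggregate query is dropped by the filter, and the three targeted accounts share an employer and (two of them) a city, so the weighted score of 4.0 exceeds the assumed threshold and raises the alarm; the second employee touches one account and scores 0.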
Specification