Identifying security risks via analysis of multi-level analytical records
First Claim
1. One or more devices, comprising:
one or more memories, one or more processors, communicatively coupled to the one or more memories, to:
receive data associated with a plurality of data objects from a plurality of computing resources, the plurality of computing resources being connected via a computer network, the plurality of computing resources including one or more applications, the plurality of data objects identifying values relating to a plurality of entities for which a security risk indicator is to be determined, the plurality of data objects being associated with user generated content including one or more of:
a document, a webpage, a weblog post, a social media account post, an email, an image file, an audio file, or a video file, the plurality of entities being associated with one or more computing resources, of the plurality of computing resources;
process the plurality of data objects to generate a multi-level analytical record, the multi-level analytical record identifying relationships between respective values of different data objects of the plurality of data objects, and the multi-level analytical record being based on one or more types of entities associated with the plurality of entities, the plurality of data objects, and one or more hierarchical relationships between the plurality of entities;
determine the security risk indicator based on the multi-level analytical record, the security risk indicator corresponding to one or more entities of the plurality of entities, and the security risk indicator being determined based on one or more tests including at least one of:
a comparison between the multi-level analytical record and a data structure that identifies expected values of one or more data objects of the plurality of data objects, an identification of a group of entities, of the plurality of entities, and an outlier from the group of entities based on the multi-level analytical record, or an identification of a change in behavior of the one or more entities based on the multi-level analytical record;
identify a security risk contribution score for a particular entity, of the plurality of entities, based on the security risk indicator and frequency of interactions with related entities, the security risk contribution score indicating that the particular entity is a central entity in a risky behavior pattern associated with the related entities, the central entity being associated with a highest security vulnerability compared to other entities, of the plurality of entities; and
automatically perform, based on identifying the security risk contribution score, a remediation action, the remediation action including at least one of:
deactivating the particular entity, performing a security process with regard to the particular entity, reconfiguring the particular entity, or blocking the other entities from interacting with the particular entity.
Abstract
A device may receive, from sources, data objects identifying values relating to entities for which a risk indicator is to be determined, and may process the data objects to generate an analytical record that identifies relationships between values of different data objects. The device may determine, based on the analytical record, the risk indicator corresponding to one or more entities. The risk indicator may be determined based on at least one of: a comparison between the analytical record and a data structure that identifies expected values of one or more of the data objects; an identification of a group of the entities, and an outlier from the group of the entities based on the analytical record; or an identification of a change in behavior of the one or more entities based on the analytical record. The device may perform an action based on determining the risk indicator.
20 Claims
1. One or more devices, comprising: (independent claim; text as given under First Claim above.) Dependent claims: 2, 3, 4, 16, 19.
5. A method, comprising:
receiving, by a device, data associated with a plurality of data objects from a plurality of computing resources, the plurality of computing resources being connected via a computer network, the plurality of computing resources including one or more applications, the plurality of data objects identifying values relating to a plurality of entities for which a security risk indicator is to be determined, the plurality of data objects being associated with user generated content including one or more of:
a document, a webpage, a weblog post, a social media account post, an email, an image file, an audio file, or a video file, and the plurality of entities being associated with one or more computing resources, of the plurality of computing resources;
processing, by the device, the plurality of data objects to generate a multi-level analytical record, the multi-level analytical record identifying relationships between respective values of different data objects of the plurality of data objects, and the multi-level analytical record being based on one or more types of entities associated with the plurality of entities, the plurality of data objects, and one or more hierarchical relationships between the plurality of entities;
determining, by the device, the security risk indicator based on the multi-level analytical record, the security risk indicator identifying a probability of occurrence of a condition with regard to one or more entities of the plurality of entities, and the security risk indicator being determined based on one or more tests including at least one of:
a comparison between the multi-level analytical record and a data structure that identifies expected values of one or more data objects of the plurality of data objects, an identification of a group of entities, of the plurality of entities, and an outlier from the group of entities based on the multi-level analytical record, or an identification of a change in behavior of the one or more entities based on the multi-level analytical record;
identifying, by the device, a security risk contribution score for a particular entity, of the plurality of entities, based on the security risk indicator and frequency of interactions with related entities, the security risk contribution score indicating that the particular entity is a central entity in a risky behavior pattern associated with the related entities, the central entity being associated with a highest security vulnerability compared to other entities, of the one or more entities; and
automatically performing, by the device and based on identifying the security risk contribution score, a remediation action, the remediation action including at least one of:
deactivating the particular entity, performing a security process with regard to the particular entity, reconfiguring the particular entity, or blocking the other entities from interacting with the particular entity.
Dependent claims: 6, 7, 8, 9, 10, 11, 17.
12. A non-transitory computer-readable medium storing instructions, the instructions comprising:
one or more instructions that, when executed by one or more processors, cause the one or more processors to:
receive data associated with a plurality of data objects from a plurality of computing resources, the plurality of computing resources being connected via a computer network, the plurality of computing resources including one or more applications, the plurality of data objects identifying values relating to a plurality of entities for which a security risk indicator is to be determined, the plurality of data objects being associated with user generated content including one or more of:
a document, a webpage, a weblog post, a social media account post, an email, an image file, an audio file, or a video file, and the plurality of entities being associated with one or more computing resources, of the plurality of computing resources;
process the plurality of data objects to generate a multi-level analytical record, the multi-level analytical record identifying relationships between respective values of different data objects of the plurality of data objects, and the multi-level analytical record being based on one or more types of entities associated with the plurality of entities, the plurality of data objects, and one or more hierarchical relationships between the plurality of entities;
determine the security risk indicator based on the multi-level analytical record, the security risk indicator identifying a probability of occurrence of a condition with regard to one or more entities of the plurality of entities, and the security risk indicator being determined based on one or more tests including at least one of:
a comparison between the multi-level analytical record and a data structure that identifies expected values of one or more objects of the plurality of data objects, an identification of a group of entities, of the plurality of entities, and an outlier from the group of entities based on the multi-level analytical record, or an identification of a change in behavior of the one or more entities based on the multi-level analytical record;
identify a security risk contribution score for a particular entity, of the plurality of entities, based on the security risk indicator and frequency of interactions with related entities, the security risk contribution score indicating that the particular entity is a central entity in a risky behavior pattern associated with the related entities, the central entity being associated with a highest security vulnerability compared to other entities, of the plurality of entities; and
automatically perform, based on identifying the security risk contribution score, a remediation action, the remediation action including at least one of:
deactivating the particular entity, performing a security process with regard to the particular entity, reconfiguring the particular entity, or blocking the other entities from interacting with the particular entity.
Dependent claims: 13, 14, 15, 18, 20.
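As an added illustration (not code from the patent or its assignee), the following Python sketch walks through the claimed pipeline on constructed data: a two-level record (users nested under departments), the three claimed tests (expected values, outlier within the group, change in behavior), a contribution score that weights the risk indicator by interaction frequency, and the selection of the central entity and a remediation. All entity names, volumes, thresholds and the mapping of scores to remediation tiers are assumptions of this example.

```python
# Added example, not the patent's or its assignee's code: a toy version of the claimed
# pipeline. Entities are users nested under departments (the hierarchical relationship);
# the data objects are constructed daily upload volumes plus a constructed interaction list.
from collections import Counter, defaultdict
from statistics import mean, median

ENTITY_PARENT = {"alice": "finance", "bob": "finance", "carol": "finance",
                 "dave": "eng", "erin": "eng"}
EXPECTED_MAX_MB = {"finance": 200, "eng": 500}   # data structure of expected values (assumed)
# (entity, day, megabytes uploaded): days 0-6 form the baseline week, day 7 is today
UPLOADS = [(u, d, 50) for u in ENTITY_PARENT for d in range(7)] + [
    ("alice", 7, 60), ("bob", 7, 900), ("carol", 7, 55), ("dave", 7, 70), ("erin", 7, 65)]
INTERACTIONS = [("bob", "alice"), ("bob", "carol"), ("bob", "dave"), ("alice", "carol")]

def build_record(uploads, parents):
    """Multi-level analytical record: per-entity values plus a per-group view of them."""
    rec = {u: {"group": g, "baseline": [], "today": 0} for u, g in parents.items()}
    for user, day, mb in uploads:
        if day < 7:
            rec[user]["baseline"].append(mb)
        else:
            rec[user]["today"] = mb
    groups = defaultdict(list)
    for r in rec.values():
        groups[r["group"]].append(r["today"])
    return rec, groups

def risk_indicator(user, rec, groups, expected):
    """Number of the three claimed tests the entity fails (0..3)."""
    r = rec[user]
    peers = groups[r["group"]]
    med = median(peers)
    mad = median(abs(p - med) for p in peers) or 1.0        # robust spread, no div by zero
    over_expected = r["today"] > expected[r["group"]]        # test 1: vs expected values
    outlier = abs(r["today"] - med) / mad > 3                # test 2: outlier within group
    changed = r["today"] > 3 * mean(r["baseline"])           # test 3: change in behavior
    return int(over_expected) + int(outlier) + int(changed)

def contribution_scores(rec, groups, expected, interactions):
    """Risk indicator weighted by how often the entity interacts with related entities."""
    degree = Counter(e for pair in interactions for e in pair)
    return {u: risk_indicator(u, rec, groups, expected) * degree[u] for u in rec}

def central_entity(scores):
    """Highest-scoring entity and the remediation tier chosen for it (tiers are assumed)."""
    user, score = max(scores.items(), key=lambda kv: kv[1])
    action = ("deactivate" if score >= 6 else "block interactions" if score >= 3
              else "reconfigure" if score > 0 else "none")
    return user, score, action
```

A single entity that fails every test but talks to nobody would score zero here, which is the point of the claimed weighting: the remediation targets the node that both looks risky and sits at the center of the interaction pattern.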
Specification