Dynamic authorization of requested actions using adaptive context-based matching

US 10,642,715 B1
Filed: 02/21/2019
Issued: 05/05/2020
Est. Priority Date: 02/21/2019
Status: Active Grant

First Claim

Patent Images

1. A non-transitory computer readable medium including instructions that, when executed by at least one processor, cause the at least one processor to perform operations for context-based analysis of requested activity in a computing environment, the operations comprising:

building a plurality of dynamic context profiles for a plurality of processes in the computing environment, wherein the plurality of dynamic context profiles are based on monitoring and analyzing at least;

static parameters of the plurality of processes;

dynamic parameters of the plurality of processes; and

detected activity involving the plurality of processes, wherein each dynamic context profile comprises a number of steps;

receiving an indication of current runtime activity involving at least one identity in the computing environment;

matching the indication of current runtime activity to a dynamic context profile from the plurality of built dynamic context profiles, wherein the matching comprises;

analyzing previous steps of a first process of a plurality of processes associated with the current runtime activity; and

identifying, based on the previous steps, an automated action or a human action associated with at least one of the current runtime activity or the first process;

determining, based on the matching, a context-based probability that the current runtime activity is at least one of;

an anomalous activity, a suspicious activity, or non-valid with respect to the dynamic context profile, wherein the context-based probability has an associated confidence level where the confidence level increases as the number of steps in the dynamic context profile increases; and

performing a control action in association with either the current runtime activity or the first process based on the context-based probability and on whether the current runtime activity is determined to be at least one of;

an anomalous activity, a suspicious activity, or non-valid.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Disclosed embodiments relate to context-based analysis of requested activities. Techniques include building dynamic context profiles for processes based on static parameters of the processes, dynamic parameters of the processes, and detected activity involving the processes; receiving an indication of current runtime activity involving at least one identity; matching the indication of current runtime activity to a dynamic context profile; determining a context-based probability that the current runtime activity is anomalous, suspicious, or non-valid with respect to the dynamic context profile; and performing a control action in association with either the current runtime activity or the process based on whether the current runtime activity is determined to be anomalous, suspicious, or non-valid.

Citations

19 Claims

1. A non-transitory computer readable medium including instructions that, when executed by at least one processor, cause the at least one processor to perform operations for context-based analysis of requested activity in a computing environment, the operations comprising:
- building a plurality of dynamic context profiles for a plurality of processes in the computing environment, wherein the plurality of dynamic context profiles are based on monitoring and analyzing at least;
  
  static parameters of the plurality of processes;
  
  dynamic parameters of the plurality of processes; and
  
  detected activity involving the plurality of processes, wherein each dynamic context profile comprises a number of steps;
  
  receiving an indication of current runtime activity involving at least one identity in the computing environment;
  
  matching the indication of current runtime activity to a dynamic context profile from the plurality of built dynamic context profiles, wherein the matching comprises;
  
  analyzing previous steps of a first process of a plurality of processes associated with the current runtime activity; and
  
  identifying, based on the previous steps, an automated action or a human action associated with at least one of the current runtime activity or the first process;
  
  determining, based on the matching, a context-based probability that the current runtime activity is at least one of;
  
  an anomalous activity, a suspicious activity, or non-valid with respect to the dynamic context profile, wherein the context-based probability has an associated confidence level where the confidence level increases as the number of steps in the dynamic context profile increases; and
  
  performing a control action in association with either the current runtime activity or the first process based on the context-based probability and on whether the current runtime activity is determined to be at least one of;
  
  an anomalous activity, a suspicious activity, or non-valid.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The non-transitory computer readable medium of claim 1, wherein receiving the indication of current runtime activity includes identifying a request from the at least one identity to perform an action in the computing environment.
  - 3. The non-transitory computer readable medium of claim 1, wherein the plurality of dynamic context profiles are based on detected activity in a DevOps environment.
  - 4. The non-transitory computer readable medium of claim 1, wherein the plurality of dynamic context profiles are based on detected activity requiring access across development and production environments.
  - 5. The non-transitory computer readable medium of claim 1, wherein the plurality of dynamic context profiles are based on detected activity in a cross-platform environment.
  - 6. The non-transitory computer readable medium of claim 1, wherein the plurality of dynamic context profiles are based on detected activity in a cloud computing environment.
  - 7. The non-transitory computer readable medium of claim 1, wherein the plurality of dynamic context profiles are based on detected creation of identities in a cloud computing environment.
  - 8. The non-transitory computer readable medium of claim 1, wherein the plurality of dynamic context profiles are based on detected use of applications in a cloud computing environment.
  - 9. The non-transitory computer readable medium of claim 1, wherein the plurality of dynamic context profiles are based on human interventions involving the plurality of processes.
  - 10. The non-transitory computer readable medium of claim 1, wherein the first process is determined to have the lowest reliability of the plurality of processes through the matching, based on a number of process steps associated with the first process.
  - 11. The non-transitory computer readable medium of claim 1, wherein the first process is determined to involve automated processes requiring elevated privileges in order to access resources with no human involvement.
  - 12. The non-transitory computer readable medium of claim 1, wherein the first process is determined to involve receipt of credentials associated with a human or an application.
  - 13. The non-transitory computer readable medium of claim 1, wherein the first process is determined to be associated with a potential compromise or exploit based on the context-based probability.
  - 14. The non-transitory computer readable medium of claim 1, wherein matching the indication of current runtime activity to the dynamic context profile includes referencing a dependents-tree associated with the current runtime activity.
  - 15. The non-transitory computer readable medium of claim 1, wherein the operations further comprise updating a dynamic context profile from the plurality of dynamic context profiles based on the control action.

16. A computer-implemented method for context-based analysis of requested activity in a computing environment, the method comprising:
- building a plurality of dynamic context profiles for a plurality of processes in the computing environment, wherein the plurality of dynamic context profiles are based on monitoring and analyzing at least;
  
  static parameters of the plurality of processes;
  
  dynamic parameters of the plurality of processes; and
  
  detected activity involving the plurality of processes, wherein each dynamic context profile comprises a number of steps;
  
  receiving an indication of current runtime activity involving at least one identity in the computing environment;
  
  matching the indication of current runtime activity to a dynamic context profile from the plurality of built dynamic context profiles, wherein the matching comprises;
  
  analyzing previous steps of a first process of a plurality of processes associated with the current runtime activity; and
  
  identifying, based on the previous steps, an automated action or a human action associated with at least one of the current runtime activity or the first process;
  
  determining, based on the matching, a context-based probability that the current runtime activity is at least one of;
  
  an anomalous activity, a suspicious activity, or non-valid with respect to the dynamic context profile, wherein the context-based probability has an associated confidence level where the confidence level increases as the number of steps in the dynamic context profile increases; and
  
  performing a control action in association with either the current runtime activity or the first process based on the context-based probability and on whether the current runtime activity is determined to be at least one of;
  
  an anomalous activity, a suspicious activity, or non-valid.
- View Dependent Claims (17, 18, 19)
- - 17. The computer-implemented method of claim 16, wherein the plurality of dynamic context profiles are built based on data from a plurality of independent data sources.
  - 18. The computer-implemented method of claim 16, wherein the plurality of dynamic context profiles are based on detected creation or activity of identities in the cloud computing environment.
  - 19. The computer-implemented method of claim 16, wherein the plurality of dynamic context profiles are based on detected use of applications in the cloud computing environment.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CyberArk Software Ltd.
Original Assignee
CyberArk Software Ltd.
Inventors
Simca, Dor, Kandel, Tal, Gelman, Alex, Schwartzer, Daniel
Primary Examiner(s)
Aponte, Francisco J

Application Number

US16/281,313
Time in Patent Office

439 Days
Field of Search

717100, 717124
US Class Current
CPC Class Codes

G06F 11/3409   for performance assessment

G06F 11/3438   monitoring of user actions ...

G06F 11/3476   Data logging G06F11/14, G06...

G06F 11/3612   by runtime analysis perform...

G06F 21/554   involving event detection a...

G06F 21/577   Assessing vulnerabilities a...

G06F 2221/2101   Auditing as a secondary aspect

G06F 2221/2105   Dual mode as a secondary as...

G06F 2221/2141   Access rights, e.g. capabil...

Dynamic authorization of requested actions using adaptive context-based matching

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Dynamic authorization of requested actions using adaptive context-based matching

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links