Gracefully handling endpoint feedback when starting to monitor

US 10,642,997 B2
Filed: 07/25/2018
Issued: 05/05/2020
Est. Priority Date: 07/26/2017
Status: Active Grant

First Claim

Patent Images

1. A computer-implementable method for adaptively assessing risk associated with an endpoint, comprising:

determining a risk level corresponding to an entity associated with an endpoint;

selecting a frequency of when to perform an endpoint monitoring interval and a duration of the endpoint monitoring interval;

collecting user behavior associated with the entity for the duration of the endpoint monitoring interval via the endpoint;

processing the user behavior to generate a current risk score for the entity;

comparing the current risk score of the user to historical risk scores to determine whether a risk score of a user has changed;

changing the risk score of the user to the current risk score when the risk score of the user has changed; and

,decreasing the frequency of the endpoint monitoring interval when the current risk scores of the user remain substantially the same over a plurality of endpoint monitoring intervals, the current risk scores remaining substantially the same being when the current risk scores are within +/−

10% of the historical risk scores.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method, system and computer-usable medium for adaptively assessing risk associated with an endpoint, comprising: determining a risk level corresponding to an entity associated with an endpoint; selecting a frequency and a duration of an endpoint monitoring interval; collecting user behavior to collect user behavior associated with the entity for the duration of the endpoint monitoring interval via the endpoint; processing the user behavior to generate a current risk score for the entity; comparing the current risk score of the user to historical risk scores to determine whether a risk score of a user has changed; and changing the risk score of the user to the current risk score when the risk score of the user has changed.

42 Citations

17 Claims

1. A computer-implementable method for adaptively assessing risk associated with an endpoint, comprising:
- determining a risk level corresponding to an entity associated with an endpoint;
  
  selecting a frequency of when to perform an endpoint monitoring interval and a duration of the endpoint monitoring interval;
  
  collecting user behavior associated with the entity for the duration of the endpoint monitoring interval via the endpoint;
  
  processing the user behavior to generate a current risk score for the entity;
  
  comparing the current risk score of the user to historical risk scores to determine whether a risk score of a user has changed;
  
  changing the risk score of the user to the current risk score when the risk score of the user has changed; and
  
  ,decreasing the frequency of the endpoint monitoring interval when the current risk scores of the user remain substantially the same over a plurality of endpoint monitoring intervals, the current risk scores remaining substantially the same being when the current risk scores are within +/−
  
  10% of the historical risk scores.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method of claim 1, wherein:
    - the endpoint comprises a risk-adaptive feature pack.
  - 3. The method of claim 2, wherein:
    - the risk-adaptive feature pack comprises at least one of an event data detector module, an event data collector module and a risk-adaptive security policy.
  - 4. The method of claim 1, further comprising:
    - decreasing the duration of the endpoint monitoring interval when the current risk scores of the user decline over a plurality of endpoint monitoring intervals.
  - 5. The method of claim 1, further comprising:
    - increasing the frequency of the endpoint monitoring interval when the current risk scores of the user increase over a plurality of endpoint monitoring intervals.

6. A system comprising:
- a processor;
  
  a data bus coupled to the processor; and
  
  a non-transitory, computer-readable storage medium embodying computer program code, the non-transitory, computer-readable storage medium being coupled to the data bus, the computer program code interacting with a plurality of computer operations and comprising instructions executable by the processor and configured for;
  
  determining a risk level corresponding to an entity associated with an endpoint;
  
  selecting a frequency of when to perform an endpoint monitoring interval and a duration of the endpoint monitoring interval;
  
  collecting user behavior associated with the entity for the duration of the endpoint monitoring interval via the endpoint;
  
  processing the user behavior to generate a current risk score for the entity;
  
  comparing the current risk score of the user to historical risk scores to determine whether a risk score of a user has changed;
  
  changing the risk score of the user to the current risk score when the risk score of the user has changed; and
  
  ,decreasing the frequency of the endpoint monitoring interval when the current risk scores of the user remain substantially the same over a plurality of endpoint monitoring intervals, the current risk scores remaining substantially the same being when the current risk scores are within +/−
  
  10% of the historical risk scores.
- View Dependent Claims (7, 8, 9, 10)
- - 7. The system of claim 6, wherein:
    - the endpoint comprises a risk-adaptive feature pack.
  - 8. The system of claim 7, wherein:
    - the risk-adaptive feature pack comprises at least one of an event data detector module, an event data collector module and a risk-adaptive security policy.
  - 9. The system of claim 6, wherein the instructions executable by the processor are further configured for:
    - decreasing the duration of the endpoint monitoring interval when the current risk scores of the user decline over a plurality of endpoint monitoring intervals.
  - 10. The system of claim 6, wherein the instructions executable by the processor are further configured for:
    - increasing the frequency of the endpoint monitoring interval when the current risk scores of the user increase over a plurality of endpoint monitoring intervals.

11. A non-transitory, computer-readable storage medium embodying computer program code, the computer program code comprising computer executable instructions configured for:
- determining a risk level corresponding to an entity associated with an endpoint;
  
  selecting a frequency of when to perform an endpoint monitoring interval and a duration of the endpoint monitoring interval;
  
  collecting user behavior associated with the entity for the duration of the endpoint monitoring interval via the endpoint;
  
  processing the user behavior to generate a current risk score for the entity;
  
  comparing the current risk score of the user to historical risk scores to determine whether a risk score of a user has changed;
  
  changing the risk score of the user to the current risk score when the risk score of the user has changed; and
  
  ,decreasing the frequency of the endpoint monitoring interval when the current risk scores of the user remain substantially the same over a plurality of endpoint monitoring intervals, the current risk scores remaining substantially the same being when the current risk scores are within +/−
  
  10% of the historical risk scores.
- View Dependent Claims (12, 13, 14, 15, 16, 17)
- - 12. The non-transitory, computer-readable storage medium of claim 11, wherein:
    - the endpoint comprises a risk-adaptive feature pack.
  - 13. The non-transitory, computer-readable storage medium of claim 12, wherein:
    - the risk-adaptive feature pack comprises at least one of an event data detector module, an event data collector module and a risk-adaptive security policy.
  - 14. The non-transitory, computer-readable storage medium of claim 11, wherein the computer executable instructions are further configured for:
    - decreasing the duration of the endpoint monitoring interval when the current risk scores of the user decline over a plurality of endpoint monitoring intervals.
  - 15. The non-transitory, computer-readable storage medium of claim 11, wherein the computer executable instructions are further configured for:
    - increasing the frequency of the endpoint monitoring interval when the current risk scores of the user increase over a plurality of endpoint monitoring intervals.
  - 16. The non-transitory, computer-readable storage medium of claim 11, wherein:
    - the computer executable instructions are deployable to a client system from a server system at a remote location.
  - 17. The non-transitory, computer-readable storage medium of claim 11, wherein:
    - the computer executable instructions are provided by a service provider to a user on an on-demand basis.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Forcepoint Federal Holdings LLC (Forcepoint LLC)
Original Assignee
Forcepoint LLC
Inventors
Ford, Richard A., Irvine, Ann, Reeve, Adam, Snyder, Russell, Shih, Benjamin
Primary Examiner(s)
Schwartz, Darren B

Application Number

US16/045,297
Publication Number

US 20190034625A1
Time in Patent Office

650 Days
Field of Search
US Class Current
CPC Class Codes

G06F 11/3072   where the reporting involve...

G06F 11/3438   monitoring of user actions ...

G06F 21/552   involving long-term monitor...

G06F 21/577   Assessing vulnerabilities a...

G06F 21/602   Providing cryptographic fac...

G06F 21/6245   Protecting personal data, e...

G06F 21/6254   by anonymising data, e.g. d...

G06F 21/84   output devices, e.g. displa...

G06F 2201/86   Event-based monitoring

G06F 2221/031   Protect user input by softw...

G06F 2221/032   Protect output to user by s...

G06F 2221/034   Test or assess a computer o...

H04L 2209/16   Obfuscation or hiding, e.g....

H04L 63/1408   by monitoring network traff...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1433   Vulnerability analysis

H04L 63/1441   Countermeasures against mal...

H04L 63/20   for managing network securi...

H04L 67/025   for remote control or remot...

H04L 67/141   Setup of application sessio...

H04L 67/146 : Markers for unambiguous ide...

H04L 67/289 : Intermediate processing fun...

H04L 67/306 : User profiles

H04L 67/535 : Tracking the activity of th...

View All

Gracefully handling endpoint feedback when starting to monitor

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

42 Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Gracefully handling endpoint feedback when starting to monitor

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

42 Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links