Gracefully handling endpoint feedback when starting to monitor

US 10,664,614 B2
Filed: 03/07/2019
Issued: 05/26/2020
Est. Priority Date: 07/26/2017
Status: Active Grant

First Claim

Patent Images

1. A computer-implementable method for adaptively assessing risk associated with an endpoint, comprising:

determining a risk level corresponding to an entity associated with an endpoint;

selecting a frequency of when to perform an endpoint monitoring interval and a duration of the endpoint monitoring interval;

collecting user behavior associated with the entity for the duration of the endpoint monitoring interval via the endpoint;

processing the user behavior to generate a current risk score for the entity, the processing comprising applying a risk-adaptive security policy to the user behavior, the risk-adaptive policy comprising a security policy implemented to be revised to adaptively remediate risk associated with a user behavior;

comparing the current risk score of the entity to a historical risk score of the entity to determine whether a risk score of a user has changed; and

changing the risk score of the entity to the current risk score when the risk score of the entity has changed; and

whereinthe risk adaptive policy is revised to increase the frequency of the endpoint monitoring interval when the current risk score of the entity increases over a plurality of endpoint monitoring intervals, the current risk score increasing being when the current risk score increases by less than 20% over the historical risk score; and

,the risk adaptive policy is revised to increase the frequency of the endpoint monitoring interval and the duration of the endpoint monitoring interval when the current risk score of the entity increases over a plurality of endpoint monitoring intervals, the current risk score increasing being when the current risk score increases by more than 20% over the historical risk score.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method, system and computer-usable medium for adaptively assessing risk associated with an endpoint, comprising: determining a risk level corresponding to an entity associated with an endpoint; selecting a frequency and a duration of an endpoint monitoring interval; collecting user behavior to collect user behavior associated with the entity for the duration of the endpoint monitoring interval via the endpoint; processing the user behavior to generate a current risk score for the entity; comparing the current risk score of the user to historical risk scores to determine whether a risk score of a user has changed; and changing the risk score of the user to the current risk score when the risk score of the user has changed.

Citations

14 Claims

1. A computer-implementable method for adaptively assessing risk associated with an endpoint, comprising:
- determining a risk level corresponding to an entity associated with an endpoint;
  
  selecting a frequency of when to perform an endpoint monitoring interval and a duration of the endpoint monitoring interval;
  
  collecting user behavior associated with the entity for the duration of the endpoint monitoring interval via the endpoint;
  
  processing the user behavior to generate a current risk score for the entity, the processing comprising applying a risk-adaptive security policy to the user behavior, the risk-adaptive policy comprising a security policy implemented to be revised to adaptively remediate risk associated with a user behavior;
  
  comparing the current risk score of the entity to a historical risk score of the entity to determine whether a risk score of a user has changed; and
  
  changing the risk score of the entity to the current risk score when the risk score of the entity has changed; and
  
  whereinthe risk adaptive policy is revised to increase the frequency of the endpoint monitoring interval when the current risk score of the entity increases over a plurality of endpoint monitoring intervals, the current risk score increasing being when the current risk score increases by less than 20% over the historical risk score; and
  
  ,the risk adaptive policy is revised to increase the frequency of the endpoint monitoring interval and the duration of the endpoint monitoring interval when the current risk score of the entity increases over a plurality of endpoint monitoring intervals, the current risk score increasing being when the current risk score increases by more than 20% over the historical risk score.
- View Dependent Claims (2, 3, 4)
- - 2. The method of claim 1, wherein:
    - the risk adaptive security policy is revised via a security analytics system.
  - 3. The method of claim 1, wherein:
    - the endpoint comprises a risk-adaptive feature pack, the risk-adaptive feature pack comprising at least one of an event data detector module, an event data collector module and the risk-adaptive security policy.
  - 4. The method of claim 1 further comprising:
    - decreasing the duration of the endpoint monitoring interval when the current risk score of the entity declines over a plurality of endpoint monitoring intervals; and
      
      ,decreasing the frequency of the endpoint monitoring interval when the current risk score of the entity remains substantially the same over a plurality of endpoint monitoring intervals.

5. A system comprising:
- a processor;
  
  a data bus coupled to the processor; and
  
  a non-transitory, computer-readable storage medium embodying computer program code, the non-transitory, computer-readable storage medium being coupled to the data bus, the computer program code interacting with a plurality of computer operations and comprising instructions executable by the processor and configured for;
  
  determining a risk level corresponding to an entity associated with an endpoint;
  
  selecting a frequency of when to perform an endpoint monitoring interval and a duration of the endpoint monitoring interval;
  
  collecting user behavior associated with the entity for the duration of the endpoint monitoring interval via the endpoint;
  
  processing the user behavior to generate a current risk score for the entity, the processing comprising applying a risk-adaptive security policy to the user behavior, the risk-adaptive policy comprising a security policy implemented to be revised to adaptively remediate risk associated with a user behavior;
  
  comparing the current risk score of the entity to a historical risk score of the entity to determine whether a risk score of a user has changed; and
  
  changing the risk score of the entity to the current risk score when the risk score of the entity has changed; and
  
  whereinthe risk adaptive policy is revised to increase the frequency of the endpoint monitoring interval when the current risk score of the entity increases over a plurality of endpoint monitoring intervals, the current risk score increasing being when the current risk score increases by less than 20% over the historical risk score; and
  
  ,the risk adaptive policy is revised to increase the frequency of the endpoint monitoring interval and the duration of the endpoint monitoring interval when the current risk score of the entity increases over a plurality of endpoint monitoring intervals, the current risk score increasing being when the current risk score increases by more than 20% over the historical risk score.
- View Dependent Claims (6, 7, 8)
- - 6. The system of claim 5, wherein:
    - the risk adaptive security policy is revised via a security analytics system.
  - 7. The system of claim 5, wherein:
    - the endpoint comprises a risk-adaptive feature pack, the risk-adaptive feature pack comprising at least one of an event data detector module, an event data collector module and the risk-adaptive security policy.
  - 8. The system of claim 5, wherein the instructions executable by the processor are further configured for:
    - decreasing the duration of the endpoint monitoring interval when the current risk score of the entity declines over a plurality of endpoint monitoring intervals; and
      
      ,decreasing the frequency of the endpoint monitoring interval when the current risk score of the entity remains substantially the same over a plurality of endpoint monitoring intervals.

9. A non-transitory, computer-readable storage medium embodying computer program code, the computer program code comprising computer executable instructions configured for:
- determining a risk level corresponding to an entity associated with an endpoint;
  
  collecting user behavior associated with the entity via the endpoint;
  
  processing the user behavior to generate a current risk score for the entity, the processing comprising applying a risk-adaptive security policy to the user behavior, the risk-adaptive policy comprising a security policy implemented to be revised to adaptively remediate risk associated with a user behavior;
  
  comparing the current risk score of the entity to a historical risk score of the entity to determine whether a risk score of a user has changed; and
  
  changing the risk score of the entity to the current risk score when the risk score of the entity has changed.
- View Dependent Claims (10, 11, 12, 13, 14)
- - 10. The non-transitory, computer-readable storage medium of claim 9, wherein:
    - the risk adaptive security policy is revised via a security analytics system.
  - 11. The non-transitory, computer-readable storage medium of claim 9, wherein:
    - the endpoint comprises a risk-adaptive feature pack, the risk-adaptive feature pack comprising at least one of an event data detector module, an event data collector module and the risk-adaptive security policy.
  - 12. The non-transitory, computer-readable storage medium of claim 9, wherein the computer executable instructions are further configured for:
    - decreasing the duration of the endpoint monitoring interval when the current risk score of the entity declines over a plurality of endpoint monitoring intervals; and
      
      ,decreasing the frequency of the endpoint monitoring interval when the current risk score of the entity remains substantially the same over a plurality of endpoint monitoring intervals.
  - 13. The non-transitory, computer-readable storage medium of claim 9, wherein:
    - the computer executable instructions are deployable to a client system from a server system at a remote location.
  - 14. The non-transitory, computer-readable storage medium of claim 9, wherein:
    - the computer executable instructions are provided by a service provider to a user on an on-demand basis.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Forcepoint Federal Holdings LLC (Francisco Partners Management LLC)
Original Assignee
Forcepoint LLC (Francisco Partners Management LLC)
Inventors
Ford, Richard A., Irvine, Ann, Reeve, Adam, Snyder, Russell, Shih, Benjamin
Primary Examiner(s)
Schwartz, Darren B

Application Number

US16/295,429
Publication Number

US 20190213327A1
Time in Patent Office

446 Days
Field of Search
US Class Current
CPC Class Codes

G06F 11/3072   where the reporting involve...

G06F 11/3438   monitoring of user actions ...

G06F 21/552   involving long-term monitor...

G06F 21/577   Assessing vulnerabilities a...

G06F 21/602   Providing cryptographic fac...

G06F 21/6245   Protecting personal data, e...

G06F 21/6254   by anonymising data, e.g. d...

G06F 21/84   output devices, e.g. displa...

G06F 2201/86   Event-based monitoring

G06F 2221/031   Protect user input by softw...

G06F 2221/032   Protect output to user by s...

G06F 2221/034   Test or assess a computer o...

H04L 2209/16   Obfuscation or hiding, e.g....

H04L 63/1408   by monitoring network traff...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1433   Vulnerability analysis

H04L 63/1441   Countermeasures against mal...

H04L 63/20   for managing network securi...

H04L 67/025   for remote control or remot...

H04L 67/141   Setup of application sessio...

H04L 67/146 : Markers for unambiguous ide...

H04L 67/289 : Intermediate processing fun...

H04L 67/306 : User profiles

H04L 67/535 : Tracking the activity of th...

View All

Gracefully handling endpoint feedback when starting to monitor

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

Citations

14 Claims

Specification

Solutions

Use Cases

Quick Links

Gracefully handling endpoint feedback when starting to monitor

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

14 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links