Data movement perimeter monitoring

US 10,678,928 B1
Filed: 08/22/2016
Issued: 06/09/2020
Est. Priority Date: 04/20/2016
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for improving the functioning of a computer for perimeter monitoring of data movement of data, the computer-implemented method comprising:

generating, by an electronic processor, a forwarding configuration associated with a mainframe event log, the forwarding configuration including specific data fields and file types that facilitate the perimeter monitoring of data movement;

reducing an amount of data contained in the mainframe event log to the specific data fields and file types based on the forwarding configuration;

ingesting, by the electronic processor, the specific data fields and file types into an operational intel tool in real-time to create raw data;

normalizing, by the electronic processor, the raw data, including standardizing the raw data from different computing environments, to create normalized data;

filtering, by the electronic processor, the normalized data to remove unwanted noise;

identifying a data movement anomaly in the filtered normalized data;

determining, by the electronic processor, whether the data movement anomaly meets an exception;

visually communicating, by the electronic processor, identification of the data movement anomaly on an electronic display, and saving the identification of the data movement anomaly in an electronic memory; and

issuing, by the electronic processor, an electronic alert if the identified data movement anomaly does not meet the exception,wherein filtering the normalized data to remove unwanted noise comprises filtering the normalized data to remove unwanted noise to reduce a number of false electronic alerts.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

System and methods for improving data movement perimeter monitoring and detecting non-compliant data movement within a computing environment include generating a forwarding configuration associated with activity logs, such as activity logs associated with a test environment. The forwarding configuration includes specific fields and file types or the contents of those specific fields and files that facilitate perimeter monitoring or otherwise determining which activity log data elements are needed by an operational intel tool to reduce the amount of data input or analyzed by the operational intel tool, and thus, to reduce its processing load. The forwarding configuration is input into the operational intel tool. Mainframe data is normalized and analyzed to identify abnormal data flows and to generate electronic alerts to facilitate perimeter monitoring. False positives are identified before the alerts are communicated.

Citations

25 Claims

1. A computer-implemented method for improving the functioning of a computer for perimeter monitoring of data movement of data, the computer-implemented method comprising:
- generating, by an electronic processor, a forwarding configuration associated with a mainframe event log, the forwarding configuration including specific data fields and file types that facilitate the perimeter monitoring of data movement;
  
  reducing an amount of data contained in the mainframe event log to the specific data fields and file types based on the forwarding configuration;
  
  ingesting, by the electronic processor, the specific data fields and file types into an operational intel tool in real-time to create raw data;
  
  normalizing, by the electronic processor, the raw data, including standardizing the raw data from different computing environments, to create normalized data;
  
  filtering, by the electronic processor, the normalized data to remove unwanted noise;
  
  identifying a data movement anomaly in the filtered normalized data;
  
  determining, by the electronic processor, whether the data movement anomaly meets an exception;
  
  visually communicating, by the electronic processor, identification of the data movement anomaly on an electronic display, and saving the identification of the data movement anomaly in an electronic memory; and
  
  issuing, by the electronic processor, an electronic alert if the identified data movement anomaly does not meet the exception,wherein filtering the normalized data to remove unwanted noise comprises filtering the normalized data to remove unwanted noise to reduce a number of false electronic alerts.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The computer-implemented method of claim 1, wherein reducing the amount of data contained in the mainframe event log includes identifying and retaining first data which is relevant to the perimeter monitoring of data movement, and identifying and discarding second data which is not relevant to the perimeter monitoring of data movement.
  - 3. The computer-implemented method as set forth in claim 1, wherein normalizing the raw data to create the normalized data includes standardizing different files names and different file formats from different computing environments.
  - 4. The computer-implemented method of claim 1, wherein normalizing the raw data to create the normalized data includes standardizing data values provided by different computing environments.
  - 5. The computer-implemented method as set forth in claim 1, wherein filtering the normalized data includes searching the normalized data to identify and categorize data movement in order to identify the data movement anomaly.
  - 6. The computer-implemented method as set forth in claim 1, wherein the data movement anomaly is identified based on one or more of a source of the data, a destination of the data, a type of the data, an authorization of the source of the data, a time when the data was sent, and a program that sent the data.
  - 7. The computer-implemented method as set forth in claim 1, wherein the exception is based on one or more of a source of the data, a destination of the data, a type of the data, an authorization of the source of the data, a time when the data was sent, and a program that sent the data.
  - 8. The computer-implemented method as set forth in claim 1, wherein the identification of the data movement anomaly is visually communicated in the form of a dashboard report.
  - 9. The computer-implemented method as set forth in claim 7, wherein the dashboard report includes one or more of a source of the data, a destination of the data, a type of the data, an authorization of the source of the data, a time when the data was sent, and a program that sent the data.
  - 10. The computer-implemented method as set forth in claim 1, wherein the identification of the data movement anomaly is visually communicated in the form of a chart.
  - 11. The computer-implemented method as set forth in claim 9, wherein the chart includes one or more of a source of the data, a destination of the data, a type of the data, an authorization of the source of the data, a time when the data was sent, and a program that sent the data.
  - 12. The computer-implemented method as set forth in claim 1, further including saving the electronic alert in the electronic memory.

13. A computer-implemented method for improving the functioning of a computer for perimeter monitoring of data movement of data, the computer-implemented method comprising:
- generating, by an electronic processor, a forwarding configuration associated with a mainframe event log, the forwarding configuration including specific data fields and file types that facilitate the perimeter monitoring of data movement;
  
  reducing an amount of data contained in the mainframe event log to the specific data fields and file types based on the forwarding configuration;
  
  ingesting, by the electronic processor, the specific data fields and files types the into an operational intel tool in real-time to create raw data;
  
  normalizing, by the electronic processor, the raw data, including standardizing different files names, different file formats, and data values from different computing environments, to create normalized data;
  
  filtering, by the electronic processor, the normalized data to remove unwanted noise comprising identifying and categorizing data movement in the normalized data;
  
  identifying a data movement anomaly in the filtered normalized data;
  
  determining, by the electronic processor, whether the data movement anomaly meets an exception;
  
  visually communicating, by the electronic processor, identification of the data movement anomaly on an electronic display in the form of a dashboard report, and saving the identification of the data movement anomaly in an electronic memory; and
  
  issuing, by the electronic processor, an electronic alert if the identified data movement anomaly does not meet the exception, and saving the electronic alert in the electronic memory,wherein filtering the normalized data to remove unwanted noise comprises filtering the normalized data to remove unwanted noise to reduce a number of false electronic alerts.

14. A system for perimeter monitoring of data movement of data, the system comprising:
- an electronic memory element configured to store information; and
  
  an electronic processor configured to—
  
  generate a forwarding configuration associated with a mainframe event log, the forwarding configuration including specific data fields and file types that facilitate the perimeter monitoring of data movement;
  
  reduce an amount of data contained in the mainframe event log to the specific data fields and file types based on the forwarding configuration;
  
  ingest the specific data fields and file types into an operational intel tool in real-time to create raw data,normalize the raw data, including standardizing the raw data from different computing environments, to create normalized data,filter the normalized data to remove unwanted noise,identify a data movement anomaly in the filtered normalized data, determine whether the data movement anomaly meets an exception,visually communicate identification of the data movement anomaly on an electronic display, and saving the identification of the data movement anomaly in the electronic memory, andissue an electronic alert if the identified data movement anomaly does not meet the exception,wherein to filter the normalized data to remove unwanted noise comprises to filter the normalized data to remove unwanted noise to reduce a number of false electronic alerts.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25)
- - 15. The system as set forth in claim 14, wherein reducing the amount of data contained in the mainframe event log includes identifying and retaining first data which is relevant to the perimeter monitoring of data movement, and identifying and discarding second data which is not relevant to the perimeter monitoring of data movement.
  - 16. The system as set forth in claim 14, wherein normalizing the raw data to create the normalized data includes standardizing different files names and different file formats from different computing environments.
  - 17. The system as set forth in claim 14, wherein normalizing the raw data to create the normalized data includes standardizing data values provided by different computing environments.
  - 18. The system as set forth in claim 14, wherein filtering the normalized data includes searching the normalized data to identify and categorize data movement in order to identify the data movement anomaly.
  - 19. The system as set forth in claim 14, wherein the data movement anomaly is identified based on one or more of a source of the data, a destination of the data, a type of the data, an authorization of the source of the data, a time when the data was sent, and a program that sent the data.
  - 20. The system as set forth in claim 14, wherein the exception is based on one or more of a source of the data, a destination of the data, a type of the data, an authorization of the source of the data, a time when the data was sent, and a program that sent the data.
  - 21. The system as set forth in claim 14, wherein the identification of the data movement anomaly is visually communicated in the form of a dashboard report.
  - 22. The system as set forth in claim 21, wherein the dashboard report includes one or more of a source of the data, a destination of the data, a type of the data, an authorization of the source of the data, a time when the data was sent, and a program that sent the data.
  - 23. The system as set forth in claim 14, wherein the identification of the data movement anomaly is visually communicated in the form of a chart.
  - 24. The system as set forth in claim 23, wherein the chart includes one or more of a source of the data, a destination of the data, a type of the data, an authorization of the source of the data, a time when the data was sent, and a program that sent the data.
  - 25. The system as set forth in claim 14, further including saving the electronic alert in the electronic memory.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
State Farm Mutual Automobile Insurance Company (State Farm)
Original Assignee
State Farm Mutual Automobile Insurance Company (State Farm)
Inventors
Bush, Jr., Richard J., Black, Zebediah R.
Primary Examiner(s)
Wright, Bryan F

Application Number

US15/243,390
Time in Patent Office

1,387 Days
Field of Search

726 22
US Class Current
CPC Class Codes

G06F 16/166   File name conversion

G06F 21/55   Detecting local intrusion o...

G06F 21/552   involving long-term monitor...

G06F 21/554   involving event detection a...

G06F 21/577   Assessing vulnerabilities a...

G06F 21/6218   to a system of files or obj...

G06F 2221/034   Test or assess a computer o...

H04L 63/145   the attack involving the pr...

Data movement perimeter monitoring

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

Data movement perimeter monitoring

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links