Insider threat detection under user-resource bi-partite graphs

US 10,686,816 B1
Filed: 09/28/2017
Issued: 06/16/2020
Est. Priority Date: 09/28/2017
Status: Active Grant

First Claim

Patent Images

1. A method for detecting anomalous user-file access patterns in relation to a group of users and files, the group including at least a first user, a second user, and a file, the method being performed by one or more computing devices comprising at least one processor, the method comprising:

evaluating a bi-partite mapping comprising nodes and edges connecting the nodes, wherein the nodes represent the users and files of the group and the edges represent network links between the users and files, and wherein the nodes comprise a first node representing the first user, a second node representing the second user, and a third node representing the file;

computing a first file access frequency probability distribution for the first user over a first temporal period based at least in part on evaluating the bi-partite mapping;

computing a second file access frequency probability distribution for the first user over a second temporal period, the first and second file access frequency probability distributions each comprising a probability of the first user accessing the file;

computing a variation between the first file access frequency probability distribution and the second file access frequency probability distribution; and

identifying anomalous activity in relation to the group based at least in part on the variation exceeding a pre-configured threshold.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for insider threat detection under user-resource bi-partite graphs is described. A computing device evaluates a bi-partite mapping of a set of users and a set of files, and performs a random-walk procedure initiating from a selected user of the set of users. The computing device computes a probability distribution associated with the access frequency of each alternate user and file of the random-walk procedure, and compares the probability distribution to one or more distributions associated with temporal periods prior to the initiated procedure. Based on the comparison, the computing device identifies points of maximum variance of the distribution. The computing device identifies the files of the set of files and users of the set of users associated with the points of maximum variance and access raw data to identify activity associated with the selected user and the identified resources.

11 Citations

View as Search Results

20 Claims

1. A method for detecting anomalous user-file access patterns in relation to a group of users and files, the group including at least a first user, a second user, and a file, the method being performed by one or more computing devices comprising at least one processor, the method comprising:
- evaluating a bi-partite mapping comprising nodes and edges connecting the nodes, wherein the nodes represent the users and files of the group and the edges represent network links between the users and files, and wherein the nodes comprise a first node representing the first user, a second node representing the second user, and a third node representing the file;
  
  computing a first file access frequency probability distribution for the first user over a first temporal period based at least in part on evaluating the bi-partite mapping;
  
  computing a second file access frequency probability distribution for the first user over a second temporal period, the first and second file access frequency probability distributions each comprising a probability of the first user accessing the file;
  
  computing a variation between the first file access frequency probability distribution and the second file access frequency probability distribution; and
  
  identifying anomalous activity in relation to the group based at least in part on the variation exceeding a pre-configured threshold.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method of claim 1, wherein the second temporal period precedes the first temporal period.
  - 3. The method of claim 1,wherein the nodes are weighted and grouped into a first set representing the users of the group and a second set representing the files of the group and the first and second sets are disjoint.
  - 4. The method of claim 1, wherein evaluating the bipartite mapping further comprises:
    - partitioning the bi-partite mapping into one or more discrete subsets; and
      
      selecting a subset of the one or more discrete subsets, the subset comprising the first node representing the first user.
  - 5. The method of claim 1, wherein the probability of the first user accessing the file is based at least in part on (i) a number of edges connected to the first node, and (ii) a number of other nodes connected to the edges connected to the first node.
  - 6. The method of claim 5, wherein the value of the first file access frequency probability distribution comprises a vector norm.
  - 7. The method of claim 1, wherein computing the first file access frequency probability distribution further comprises:
    - performing, using the bi-partite mapping, a first iterative random-walk procedure from the first node to the second node or the third node, andwherein the first file access frequency probability distribution is based at least in part on the performing the first iterative random-walk procedure.
  - 8. The method of claim 7, further comprising:
    - determining that a value of the first file access frequency probability distribution exceeds a pre-configured threshold; and
      
      performing, using the bi-partite mapping, a second iterative random-walk procedure from the first node to the second node or the third node, wherein computing the second file access frequency probability distribution is based at least in part on the performing the second iterative random-walk procedure.
  - 9. The method of claim 1, wherein computing the variation further comprises:
    - determining that the first file access frequency probability distribution converges; and
      
      determining a maximum variation distance between the first file access frequency probability distribution and the second file access frequency probability distribution, the maximum variation distance exceeding the pre-configured threshold;
      
      identifying the anomolous activity further comprises identifying the second user or the file as being associated with the maximum variation distance; and
      
      the method further comprises performing a security action to protect against the anomolous activity.
  - 10. The method of claim 9, wherein performing the security action comprises classifying the second user or the file associated with the maximum variation distance as anomalous.
  - 11. The method of claim 9, wherein the second user or the file associated with the maximum variation distance indicates one or more arguments of maxima associated with a function of a bipartite mapping.
  - 12. The method of claim 9, wherein identifying the anomolous activity further comprises:
    - correlating the second user or the file associated with the maximum variation distance to specific file access activity;
      
      identifying the specific file access activity as anomalous activity;
      
      identifying potential risks or threats to the group based at least in part on the correlating; and
      
      determining one or more causes of the anomalous activity.
  - 13. The method of claim 1, wherein identifying the anomolous activity further comprises identifying one or more anomalous files and/or users;
    - andthe method further comprises performing a security action to protect against the anomolous activity based at least in part on identifying the one or more anomalous files and/or users.

14. A computing device configured for detecting anomalous user-file access patterns in relation to a group of users and files, the group including at least a first user, a second user, and a file, the computing device comprising:
- one or more processors;
  
  memory in electronic communication with the one or more processors, wherein the memory stores computer executable instructions that when executed by the one or more processors cause the one or more processors to;
  
  evaluate a bi-partite mapping comprising nodes and edges connecting the nodes, wherein the nodes represent the users and files of the group and the edges represent network links between the users and files, and wherein the nodes comprise a first node representing the first user, a second node representing the second user, and a third node representing the file;
  
  compute a first file access frequency probability distribution for the first user over a first temporal period based at least in part on evaluating the bi-partite mapping;
  
  compute a second file access frequency probability distribution for the first user over a second temporal period, the first and second file access frequency probability distributions each comprising a probability of the first user accessing the file;
  
  compute a variation between the first file access frequency probability distribution and the second file access frequency probability distribution; and
  
  identify anomalous activity in relation to the group based at least in part on the variation exceeding a pre-configured threshold.
- View Dependent Claims (15, 16, 17, 18, 19)
- - 15. The computing device of claim 14,wherein the nodes are weighted and grouped into a first set representing the users of the group and a second set representing the files of the group and the first and second sets are disjoint.
  - 16. The computing device of claim 15, wherein compute the first file access frequency probability distribution further comprises:
    - perform, using the bi-partite mapping, a first iterative random-walk procedure from the first node to the second node or the third node,wherein the first file access frequency probability distribution is based at least in part on the performing the first iterative random-walk procedure.
  - 17. The computing device of claim 16, wherein when executed by the one or more processors, the computer executable instructions further cause the one or more processors to:
    - determine that a value of the first file access frequency probability distribution exceeds a preconfigured threshold; and
      
      perform, using the bi-partite mapping, a second iterative random-walk procedure from the first node to the second node or the third node, wherein computing the second file access frequency probability distribution is based at least in part on the performing the second iterative random-walk procedure.
  - 18. The computing device of claim 14, wherein compute the variation further comprises:
    - determine that the first file access frequency probability distribution converges; and
      
      determine a maximum variation distance between the first file access frequency probability distribution and the second file access frequency probability distribution the maximum variation distance exceeding the pre-configured threshold;
      
      and wherein identify the anomolous activity further comprises identify the second user or file as being associated with the maximum variation distance; and
      
      when executed by the one or more processors, the computer executable instructions further cause the one or more processors to perform a security action to protect against the anomolous activity.
  - 19. The computing device of claim 18, wherein perform the security action further comprises:
    - correlate the second user or the file associated with the maximum variation distance to specific file access activity;
      
      identify the specific file access activity as anomalous activity;
      
      identify potential risks or threats to the group based at least in part on the correlating; and
      
      determine one or more causes of the anomalous activity.

20. A non-transitory computer-readable medium storing computer executable instructions that when executed by one or more processors cause the one or more processors to:
- evaluate a bi-partite mapping comprising nodes and edges connecting the nodes, wherein the nodes represent the users and files of the group and the edges represent network links between the users and files, and wherein the nodes comprise a first node representing the first user, a second node representing the second user, and a third node representing the file;
  
  compute a first file access frequency probability distribution for a first user over a first temporal period based at least in part on evaluating the bi-partite mapping;
  
  compute a second file access frequency probability distribution for the first user over a second temporal period, the first and second file access frequency probability distributions each comprising a probability of the first user accessing a file, wherein the first user, the second user, and the file are included in a group of users and files;
  
  compute a variation between the first file access frequency probability distribution and the second file access frequency probability distribution; and
  
  identify anomalous activity in relation to the group based at least in part on the variation exceeding a pre-configured threshold.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
NortonLifeLock Inc.
Original Assignee
NortonLifeLock Inc.
Inventors
Shintre, Saurabh, Bhatkar, Sandeep, Kayyoor, Ashwin Kumar
Primary Examiner(s)
Bechtel, Kevin
Assistant Examiner(s)
Farooqui, Quazi

Application Number

US15/718,691
Time in Patent Office

992 Days
Field of Search

726 23
US Class Current
CPC Class Codes

G06N 5/022   Knowledge engineering; Know...

G06N 7/01   Probabilistic graphical mod...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1441   Countermeasures against mal...

Insider threat detection under user-resource bi-partite graphs

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

11 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

Insider threat detection under user-resource bi-partite graphs

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

11 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others