Real-time detection and prevention of malicious activity

US 10,726,123 B1
Filed: 04/15/2020
Issued: 07/28/2020
Est. Priority Date: 04/18/2019
Status: Active Grant

First Claim

Patent Images

1. A system comprising:

a processor; and

a memory device comprising instructions that are executable by the processor for causing the processor to;

receive a request from a user to obtain access to an entity;

determine a plurality of data objects based on the request;

access a plurality of data-object network definitions corresponding to the plurality of data objects, each data-object network definition in the plurality of data-object network definitions representing an interconnected network of data-object nodes indicating interrelationships between a respective data object among the plurality of data objects and other data objects;

resolve an identity of the user by;

generating a combined data-object network by combining the plurality of data-object network definitions that correspond to the plurality of data objects in the request; and

identifying a data-object node in the combined data-object network that corresponds to the user; and

in response to resolving the identity of the user;

receive a profile for the user indicating behavioral information relating to the user;

determine a likelihood that the request is associated with malicious activity based on (i) the plurality of data objects, (ii) the profile, and (iii) the plurality of data-object network definitions; and

allow or deny the user access to the entity based on the likelihood that the request is associated with malicious activity.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Malicious activity can be detected and prevented in real-time or otherwise. For example, a system of the present disclosure can receive a request from a user to obtain access to an entity, determine data objects based on the request, and access data-object network definitions corresponding to the determined data objects. The system can also receive a profile for the user indicating behavioral information relating to the user. The system can then determine a likelihood that the request is associated with malicious activity based on (i) the data objects, (ii) the profile, and (iii) the data-object network definitions. The system can allow or deny the user access to the entity based on the likelihood that the request is associated with malicious activity.

Citations

30 Claims

1. A system comprising:
- a processor; and
  
  a memory device comprising instructions that are executable by the processor for causing the processor to;
  
  receive a request from a user to obtain access to an entity;
  
  determine a plurality of data objects based on the request;
  
  access a plurality of data-object network definitions corresponding to the plurality of data objects, each data-object network definition in the plurality of data-object network definitions representing an interconnected network of data-object nodes indicating interrelationships between a respective data object among the plurality of data objects and other data objects;
  
  resolve an identity of the user by;
  
  generating a combined data-object network by combining the plurality of data-object network definitions that correspond to the plurality of data objects in the request; and
  
  identifying a data-object node in the combined data-object network that corresponds to the user; and
  
  in response to resolving the identity of the user;
  
  receive a profile for the user indicating behavioral information relating to the user;
  
  determine a likelihood that the request is associated with malicious activity based on (i) the plurality of data objects, (ii) the profile, and (iii) the plurality of data-object network definitions; and
  
  allow or deny the user access to the entity based on the likelihood that the request is associated with malicious activity.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The system of claim 1, wherein the memory device further comprises instructions that are executable by the processor for causing the processor to:
    - receive contextual information associated with the request, the contextual information including one or more additional details relating to the request or the user, the one or more additional details being absent from the request; and
      
      resolve the identity of the user based on the contextual information.
  - 3. The system of claim 1, wherein the memory device further comprises instructions that are executable by the processor for causing the processor to, prior to receiving the request:
    - determine a plurality of relationships between data objects present in a plurality of previous requests, the plurality of previous requests being for obtaining access to a plurality of entities; and
      
      generate the plurality of data-object network definitions based on the plurality of relationships.
  - 4. The system of claim 1, wherein the memory device further comprises instructions that are executable by the processor for causing the processor to update at least one data-object network definition among the plurality of data-object network definitions to include a malicious activity indicator based on determining that the request is likely associated with malicious activity.
  - 5. The system of claim 4, wherein the memory device further comprises instructions that are executable by the processor for causing the processor to update a plurality of data-object nodes in the at least one data-object network definition to include malicious activity based on determining that the request is likely associated with malicious activity.
  - 6. The system of claim 1, wherein the memory device further comprises instructions that are executable by the processor for causing the processor to update the profile of the user to include a malicious activity indicator based on determining that the request is likely associated with malicious activity.
  - 7. The system of claim 1, wherein the memory device further comprises instructions that are executable by the processor for causing the processor to allow or deny the user access to the entity based on the likelihood by:
    - transmitting a signal to a remote computing device, the signal indicating that the request is likely associated with malicious activity and being configured for causing an operator of the remote computing device to analyze the request;
      
      receiving a response signal from the remote computing device indicating that the request is to be denied; and
      
      denying the user access to the entity based on the response signal.
  - 8. The system of claim 1, wherein the memory device further comprises instructions that are executable by the processor for causing the processor to:
    - receive a plurality of profiles for the plurality of data objects associated with the request, each profile among the plurality of profiles being unique to a respective data object among the plurality of data objects and including behavioral information corresponding to the respective data object; and
      
      determine the likelihood that the request is associated with malicious activity based on the plurality of profiles.
  - 9. The system of claim 1, wherein the entity is a computing system.
  - 10. The system of claim 1, wherein the memory device further comprises instructions that are executable by the processor for causing the processor to:
    - generate an input for a model, wherein the input is generated based on (i) the plurality of data objects, (ii) the profile, and (iii) the plurality of data-object network definitions; and
      
      provide the input to the model to obtain an output from the model indicating the likelihood that the request is associated with malicious activity.

11. A method comprising:
- receiving, by a processor device, a request from a user to obtain access to an entity;
  
  determining, by the processor device, a plurality of data objects based on the request;
  
  accessing, by the processor device, a plurality of data-object network definitions corresponding to the plurality of data objects, each data-object network definition in the plurality of data-object network definitions representing an interconnected network of data-object nodes indicating interrelationships between a respective data object among the plurality of data objects and other data objects;
  
  resolving, by the processor device, an identity of the user by;
  
  generating a combined data-object network by combining the plurality of data-object network definitions that correspond to the plurality of data objects in the request; and
  
  identifying a data-object node in the combined data-object network that corresponds to the user; and
  
  in response to resolving the identity of the user;
  
  receiving, by the processor device, a profile for the user indicating behavioral information relating to the user;
  
  determining, by the processor device, a likelihood that the request is associated with malicious activity based on (i) the plurality of data objects, (ii) the profile, and (iii) the plurality of data-object network definitions; and
  
  allowing or denying, by the processor device, the user access to the entity based on the likelihood that the request is associated with malicious activity.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The method of claim 11, further comprising:
    - receiving contextual information associated with the request, the contextual information including one or more additional details relating to the request or the user, the one or more additional details being absent from the request; and
      
      resolving the identity of the user based on the contextual information.
  - 13. The method of claim 11, further comprising, prior to receiving the request:
    - determining a plurality of relationships between data objects present in a plurality of previous requests, the plurality of previous requests being for obtaining access to a plurality of entities; and
      
      generating the plurality of data-object network definitions based on the plurality of relationships.
  - 14. The method of claim 11, further comprising updating at least one data-object network definition among the plurality of data-object network definitions to include a malicious activity indicator based on determining that the request is likely associated with malicious activity.
  - 15. The method of claim 14, further comprising update a plurality of data-object nodes in the at least one data-object network definition to include malicious activity indicators based on determining that the request is likely associated with malicious activity.
  - 16. The method of claim 11, further comprising updating the profile of the user to include a malicious activity indicator based on determining that the request is likely associated with malicious activity.
  - 17. The method of claim 11, further comprising allowing or denying the user access to the entity based on the likelihood by:
    - transmitting a signal to a remote computing device, the signal indicating that the request is likely associated with malicious activity and being configured for causing an operator of the remote computing device to analyze the request;
      
      receiving a response signal from the remote computing device indicating that the request is to be denied; and
      
      denying the user access to the entity based on the response signal.
  - 18. The method of claim 11, further comprising:
    - receiving a plurality of profiles for the plurality of data objects associated with the request, each profile among the plurality of profiles being unique to a respective data object among the plurality of data objects and including behavioral information corresponding to the respective data object; and
      
      determining the likelihood that the request is associated with malicious activity based on the plurality of profiles.
  - 19. The method of claim 11, wherein the entity is a computing system.
  - 20. The method of claim 11, further comprising:
    - generating an input for a model, wherein the input is generated based on (i) the plurality of data objects, (ii) the profile, and (iii) the plurality of data-object network definitions; and
      
      providing the input to the model to obtain an output from the model indicating the likelihood that the request is associated with malicious activity.

21. A non-transitory computer-readable medium comprising program code that is executable by a processor for causing the processor to:
- receive a request from a user to obtain access to an entity;
  
  determine a plurality of data objects based on the request;
  
  access a plurality of data-object network definitions corresponding to the plurality of data objects, each data-object network definition in the plurality of data-object network definitions representing an interconnected network of data-object nodes indicating interrelationships between a respective data object among the plurality of data objects and other data objects;
  
  resolve an identity of the user by;
  
  generating a combined data-object network by combining the plurality of data-object network definitions that correspond to the plurality of data objects in the request; and
  
  identifying a data-object node in the combined data-object network that corresponds to the user; and
  
  in response to resolving the identity of the user;
  
  receive a profile for the user indicating behavioral information relating to the user;
  
  determine a likelihood that the request is associated with malicious activity based on (i) the plurality of data objects, (ii) the profile, and (iii) the plurality of data-object network definitions; and
  
  allow or deny the user access to the entity based on the likelihood that the request is associated with malicious activity.
- View Dependent Claims (22, 23, 24, 25, 26, 27, 28, 29, 30)
- - 22. The non-transitory computer-readable medium of claim 21, further comprising program code that is executable by a processor for causing the processor to:
    - receive contextual information associated with the request, the contextual information including one or more additional details relating to the request or the user, the one or more additional details being absent from the request; and
      
      resolve the identity of the user based on the contextual information.
  - 23. The non-transitory computer-readable medium of claim 21, further comprising program code that is executable by a processor for causing the processor to, prior to receiving the request:
    - determine a plurality of relationships between data objects present in a plurality of previous requests, the plurality of previous requests being for obtaining access to a plurality of entities; and
      
      generate the plurality of data-object network definitions based on the plurality of relationships.
  - 24. The non-transitory computer-readable medium of claim 21, further comprising program code that is executable by a processor for causing the processor to update at least one data-object network definition among the plurality of data-object network definitions to include a malicious activity indicator based on determining that the request is likely associated with malicious activity.
  - 25. The non-transitory computer-readable medium of claim 24, further comprising program code that is executable by a processor for causing the processor to update a plurality of data-object nodes in the at least one data-object network definition to include malicious activity indicators based on determining that the request is likely associated with malicious activity.
  - 26. The non-transitory computer-readable medium of claim 21, further comprising program code that is executable by a processor for causing the processor to update the profile of the user to include a malicious activity indicator based on determining that the request is likely associated with malicious activity.
  - 27. The non-transitory computer-readable medium of claim 21, further comprising program code that is executable by a processor for causing the processor to allow or deny the user access to the entity based on the likelihood by:
    - transmitting a signal to a remote computing device, the signal indicating that the request is likely associated with malicious activity and being configured for causing an operator of the remote computing device to analyze the request;
      
      receiving a response signal from the remote computing device indicating that the request is to be denied; and
      
      denying the user access to the entity based on the response signal.
  - 28. The non-transitory computer-readable medium of claim 21, further comprising program code that is executable by a processor for causing the processor to:
    - receive a plurality of profiles for the plurality of data objects associated with the request, each profile among the plurality of profiles being unique to a respective data object among the plurality of data objects and including behavioral information corresponding to the respective data object; and
      
      determine the likelihood that the request is associated with malicious activity based on the plurality of profiles.
  - 29. The non-transitory computer-readable medium of claim 21, wherein the entity is a computing system.
  - 30. The non-transitory computer-readable medium of claim 21, further comprising program code that is executable by a processor for causing the processor to:
    - generate an input for a model, wherein the input is generated based on (i) the plurality of data objects, (ii) the profile, and (iii) the plurality of data-object network definitions; and
      
      provide the input to the model to obtain an output from the model indicating the likelihood that the request is associated with malicious activity.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
SAS Institute Incorporated
Original Assignee
SAS Institute Incorporated
Inventors
Mookiah, Prathaban, Holmes, Ian, Watkins, John Robert, O'Connell, Thomas J.
Primary Examiner(s)
Gracia, Gary S

Application Number

US16/849,332
Time in Patent Office

104 Days
Field of Search

726 22
US Class Current
CPC Class Codes

G06F 21/31   User authentication

G06F 21/54   by adding security routines...

G06F 21/552   involving long-term monitor...

G06F 21/554   involving event detection a...

G06F 21/564   by virus signature recognition

G06F 21/566   Dynamic detection, i.e. det...

H04L 63/102   Entity profiles

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/20   for managing network securi...

Real-time detection and prevention of malicious activity

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

Real-time detection and prevention of malicious activity

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links