Automatic determination of user roles and asset types based on network monitoring

US 10,742,677 B1
Filed: 09/04/2019
Issued: 08/11/2020
Est. Priority Date: 09/04/2019
Status: Active Grant

First Claim

Patent Images

1. A method for monitoring network traffic using one or more network monitoring computers, comprising:

monitoring network traffic to determine a plurality of users and a plurality of assets based on one or more characteristics of the network traffic;

employing a user role model to assign a user role and provide a role confidence score to each of the plurality of users based on a portion of the network traffic associated with the plurality of users, wherein one or more previously determined inferences for the user role or previously determined inferences for the role confidence score are associated with the user role model;

employing an asset model to assign an asset type and provide an asset confidence score to each of the plurality of assets based on another portion of the network traffic associated with the plurality of assets, wherein one or more previously determined inferences for the asset type or previously determined inferences for the asset confidence score are associated with the asset model;

associating one or more users of the plurality of users with one or more assets of the plurality of assets based on the network traffic;

comparing the one or more previously determined inferences of the user role to the one or more previously determined inferences of the asset type;

modifying the role confidence score provided to the one or more users based on the asset type assigned to the one or more assets associated with the one or more users and a result of the comparison;

modifying the asset confidence score provided to the one or more assets based on the user role assigned to the one or more users associated with the one or more assets and the result of the comparison; and

employing geolocation information provided by a global positioning system (GPS) device to select one or more features, including a time zone, spoken language, or calendar format that is used in or more of monitoring network traffic, user interfaces, or databases to provide a report that includes information about the result of the comparison, the one or more user roles, and the one or more asset types.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Embodiments are directed to monitoring network traffic to determine users and assets based on the network traffic. A user role model may assign a user role and provide a role confidence score for the users based on network traffic associated with the users. An asset model may assign an asset type and provide an asset confidence score the assets based on network traffic associated with the assets. The users may be associated with assets based on the network traffic. The role confidence scores provided for the users may be modified based on the asset type assigned to assets associated with the users. The asset confidence score provided for the assets may be modified based on the user role assigned to the users associated with the assets. A report that includes information about the user roles and the asset types may be provided.

442 Citations

28 Claims

1. A method for monitoring network traffic using one or more network monitoring computers, comprising:
- monitoring network traffic to determine a plurality of users and a plurality of assets based on one or more characteristics of the network traffic;
  
  employing a user role model to assign a user role and provide a role confidence score to each of the plurality of users based on a portion of the network traffic associated with the plurality of users, wherein one or more previously determined inferences for the user role or previously determined inferences for the role confidence score are associated with the user role model;
  
  employing an asset model to assign an asset type and provide an asset confidence score to each of the plurality of assets based on another portion of the network traffic associated with the plurality of assets, wherein one or more previously determined inferences for the asset type or previously determined inferences for the asset confidence score are associated with the asset model;
  
  associating one or more users of the plurality of users with one or more assets of the plurality of assets based on the network traffic;
  
  comparing the one or more previously determined inferences of the user role to the one or more previously determined inferences of the asset type;
  
  modifying the role confidence score provided to the one or more users based on the asset type assigned to the one or more assets associated with the one or more users and a result of the comparison;
  
  modifying the asset confidence score provided to the one or more assets based on the user role assigned to the one or more users associated with the one or more assets and the result of the comparison; and
  
  employing geolocation information provided by a global positioning system (GPS) device to select one or more features, including a time zone, spoken language, or calendar format that is used in or more of monitoring network traffic, user interfaces, or databases to provide a report that includes information about the result of the comparison, the one or more user roles, and the one or more asset types.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein modifying the role confidence score further comprises:
    - comparing a trust level associated with the one or more user roles with a restriction level associated with the one or more asset types;
      
      increasing the role confidence score when comparison indicates that the trust level is consistent with the restriction level; and
      
      decreasing the role confidence score when the comparison indicates that the trust level is inconsistent with the confidence score.
  - 3. The method of claim 1, wherein modifying the asset confidence score further comprises:
    - comparing a trust level associated with the one or more user roles with a restriction level associated with the one or more asset types;
      
      increasing the asset confidence score when comparison indicates that the trust level is consistent with the restriction level; and
      
      decreasing the asset confidence score when the comparison indicates that the trust level is inconsistent with the confidence score.
  - 4. The method of claim 1, further comprising:
    - determining one or more interactions between one or more of the plurality of users or the plurality of assets based on the monitored network traffic;
      
      determining the portion of the network traffic associated with the plurality of users based on the one or more interactions; and
      
      determining the other portion of the network traffic associated with the plurality of assets based on the one or more interactions.
  - 5. The method of claim 1, further comprising:
    - determining one or more interactions between one or more administrative users and the plurality of assets based on the monitored network traffic;
      
      determining one or more other interactions between one or more non-administrative users and the plurality of assets based on the monitored network traffic; and
      
      determining one or more administrative assets based on the one or more interactions between the one or more administrative users and the plurality of assets, wherein the one or more interactions associated with the one or more administrative assets are associated with the one or more administrative users.
  - 6. The method of claim 1, further comprising, determining an asset type for an asset based on a similarity of one or more characteristics of the asset to one or more characteristics of the one or more other assets, wherein the asset type for the asset is determined based on the asset type of the similar one or more other assets.
  - 7. The method of claim 1, wherein the plurality of assets further comprise one or more of entities, documents, directories, APIs, REST endpoints, micro-services, MSRPC/DCOM interfaces, database tables, media files or streams, or file systems.

8. A network monitoring computer (NMC) for monitoring network traffic between one or more computers, comprising:
- a transceiver that communicates over the network;
  
  a memory that stores at least instructions; and
  
  one or more processors that execute instructions that perform actions, including;
  
  monitoring network traffic to determine a plurality of users and a plurality of assets based on one or more characteristics of the network traffic;
  
  employing a user role model to assign a user role and provide a role confidence score to each of the plurality of users based on a portion of the network traffic associated with the plurality of users, wherein one or more previously determined inferences for the user role or previously determined inferences for the role confidence score are associated with the user role model;
  
  employing an asset model to assign an asset type and provide an asset confidence score to each of the plurality of assets based on another portion of the network traffic associated with the plurality of assets, wherein one or more previously determined inferences for the asset type or previously determined inferences for the asset confidence score are associated with the asset model;
  
  associating one or more users of the plurality of users with one or more assets of the plurality of assets based on the network traffic;
  
  comparing the one or more previously determined inferences of the user role to the one or more previously determined inferences of the asset type;
  
  modifying the role confidence score provided to the one or more users based on the asset type assigned to the one or more assets associated with the one or more users and a result of the comparison;
  
  modifying the asset confidence score provided to the one or more assets based on the user role assigned to the one or more users associated with the one or more assets and the result of the comparison; and
  
  employing geolocation information provided by a global positioning system (GPS) device to select one or more features, including a time zone, spoken language, or calendar format that is used in or more of monitoring network traffic, user interfaces, or databases to provide a report that includes information about the result of the comparison, the one or more user roles, and the one or more asset types.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The NMC of claim 8, wherein modifying the role confidence score further comprises:
    - comparing a trust level associated with the one or more user roles with a restriction level associated with the one or more asset types;
      
      increasing the role confidence score when comparison indicates that the trust level is consistent with the restriction level; and
      
      decreasing the role confidence score when the comparison indicates that the trust level is inconsistent with the confidence score.
  - 10. The NMC of claim 8, wherein modifying the asset confidence score further comprises:
    - comparing a trust level associated with the one or more user roles with a restriction level associated with the one or more asset types;
      
      increasing the asset confidence score when comparison indicates that the trust level is consistent with the restriction level; and
      
      decreasing the asset confidence score when the comparison indicates that the trust level is inconsistent with the confidence score.
  - 11. The NMC of claim 8, further comprising:
    - determining one or more interactions between one or more of the plurality of users or the plurality of assets based on the monitored network traffic;
      
      determining the portion of the network traffic associated with the plurality of users based on the one or more interactions; and
      
      determining the other portion of the network traffic associated with the plurality of assets based on the one or more interactions.
  - 12. The NMC of claim 8, further comprising:
    - determining one or more interactions between one or more administrative users and the plurality of assets based on the monitored network traffic;
      
      determining one or more other interactions between one or more non-administrative users and the plurality of assets based on the monitored network traffic; and
      
      determining one or more administrative assets based on the one or more interactions between the one or more administrative users and the plurality of assets, wherein the one or more interactions associated with the one or more administrative assets are associated with the one or more administrative users.
  - 13. The NMC of claim 8, further comprising, determining an asset type for an asset based on a similarity of one or more characteristics of the asset to one or more characteristics of the one or more other assets, wherein the asset type for the asset is determined based on the asset type of the similar one or more other assets.
  - 14. The NMC of claim 8, wherein the plurality of assets further comprise one or more of entities, documents, directories, APIs, REST endpoints, micro-services, MSRPC/DCOM interfaces, database tables, media files or streams, or file systems.

15. A processor readable non-transitory storage media that includes instructions for monitoring network traffic using one or more network monitoring computers (NMC), wherein execution of the instructions by the one or more NMCs perform the method comprising:
- monitoring network traffic to determine a plurality of users and a plurality of assets based on one or more characteristics of the network traffic;
  
  employing a user role model to assign a user role and provide a role confidence score to each of the plurality of users based on a portion of the network traffic associated with the plurality of users, wherein one or more previously determined inferences for the user role or previously determined inferences for the role confidence score are associated with the user role model;
  
  employing an asset model to assign an asset type and provide an asset confidence score to each of the plurality of assets based on another portion of the network traffic associated with the plurality of assets, wherein one or more previously determined inferences for the asset type or previously determined inferences for the asset confidence score are associated with the asset model;
  
  associating one or more users of the plurality of users with one or more assets of the plurality of assets based on the network traffic;
  
  comparing the one or more previously determined inferences of the user role to the one or more previously determined inferences of the asset type;
  
  modifying the role confidence score provided to the one or more users based on the asset type assigned to the one or more assets associated with the one or more users and a result of the comparison;
  
  modifying the asset confidence score provided to the one or more assets based on the user role assigned to the one or more users associated with the one or more assets and the result of the comparison; and
  
  employing geolocation information provided by a global positioning system (GPS) device to select one or more features, including a time zone, spoken language, or calendar format that is used in or more of monitoring network traffic, user interfaces, or databases to provide a report that includes information about the result of the comparison, the one or more user roles, and the one or more asset types.
- View Dependent Claims (16, 17, 18, 19, 20, 21)
- - 16. The media of claim 15, wherein modifying the role confidence score further comprises:
    - comparing a trust level associated with the one or more user roles with a restriction level associated with the one or more asset types;
      
      increasing the role confidence score when comparison indicates that the trust level is consistent with the restriction level; and
      
      decreasing the role confidence score when the comparison indicates that the trust level is inconsistent with the confidence score.
  - 17. The media of claim 15, wherein modifying the asset confidence score further comprises:
    - comparing a trust level associated with the one or more user roles with a restriction level associated with the one or more asset types;
      
      increasing the asset confidence score when comparison indicates that the trust level is consistent with the restriction level; and
      
      decreasing the asset confidence score when the comparison indicates that the trust level is inconsistent with the confidence score.
  - 18. The media of claim 15, further comprising:
    - determining one or more interactions between one or more of the plurality of users or the plurality of assets based on the monitored network traffic;
      
      determining the portion of the network traffic associated with the plurality of users based on the one or more interactions; and
      
      determining the other portion of the network traffic associated with the plurality of assets based on the one or more interactions.
  - 19. The media of claim 15, further comprising:
    - determining one or more interactions between one or more administrative users and the plurality of assets based on the monitored network traffic;
      
      determining one or more other interactions between one or more non-administrative users and the plurality of assets based on the monitored network traffic; and
      
      determining one or more administrative assets based on the one or more interactions between the one or more administrative users and the plurality of assets, wherein the one or more interactions associated with the one or more administrative assets are associated with the one or more administrative users.
  - 20. The media of claim 15, further comprising, determining an asset type for an asset based on a similarity of one or more characteristics of the asset to one or more characteristics of the one or more other assets, wherein the asset type for the asset is determined based on the asset type of the similar one or more other assets.
  - 21. The media of claim 15, wherein the plurality of assets further comprise one or more of entities, documents, directories, APIs, REST endpoints, micro-services, MSRPC/DCOM interfaces, database tables, media files or streams, or file systems.

22. A system for monitoring network traffic in a network:
- one or more network monitoring computers (NMCs), comprising;
  
  a transceiver that communicates over the network;
  
  a memory that stores at least instructions; and
  
  one or more processors that execute instructions that perform actions, including;
  
  monitoring network traffic to determine a plurality of users and a plurality of assets based on one or more characteristics of the network traffic;
  
  employing a user role model to assign a user role and provide a role confidence score to each of the plurality of users based on a portion of the network traffic associated with the plurality of users, wherein one or more previously determined inferences for the user role or previously determined inferences for the role confidence score are associated with the user role model;
  
  employing an asset model to assign an asset type and provide an asset confidence score to each of the plurality of assets based on another portion of the network traffic associated with the plurality of assets, wherein one or more previously determined inferences for the asset type or previously determined inferences for the asset confidence score are associated with the asset model;
  
  associating one or more users of the plurality of users with one or more assets of the plurality of assets based on the network traffic;
  
  comparing the one or more previously determined inferences of the user role to the one or more previously determined inferences of the asset type;
  
  modifying the role confidence score provided to the one or more users based on the asset type assigned to the one or more assets associated with the one or more users and a result of the comparison;
  
  modifying the asset confidence score provided to the one or more assets based on the user role assigned to the one or more users associated with the one or more assets and the result of the comparison; and
  
  employing geolocation information provided by a global positioning system (GPS) device to select one or more features, including a time zone, spoken language, or calendar format that is used in or more of monitoring network traffic, user interfaces, or databases to provide a report that includes information about the result of the comparison, the one or more user roles, and the one or more asset types; and
  
  one or more client computers, comprising;
  
  a transceiver that communicates over the network;
  
  a memory that stores at least instructions; and
  
  one or more processors that execute instructions that perform actions, including;
  
  providing one or more portions of the portion of the network traffic associated with the plurality of users.
- View Dependent Claims (23, 24, 25, 26, 27, 28)
- - 23. The system of claim 22, wherein modifying the role confidence score further comprises:
    - comparing a trust level associated with the one or more user roles with a restriction level associated with the one or more asset types;
      
      increasing the role confidence score when comparison indicates that the trust level is consistent with the restriction level; and
      
      decreasing the role confidence score when the comparison indicates that the trust level is inconsistent with the confidence score.
  - 24. The system of claim 22, wherein modifying the asset confidence score further comprises:
    - comparing a trust level associated with the one or more user roles with a restriction level associated with the one or more asset types;
      
      increasing the asset confidence score when comparison indicates that the trust level is consistent with the restriction level; and
      
      decreasing the asset confidence score when the comparison indicates that the trust level is inconsistent with the confidence score.
  - 25. The system of claim 22, further comprising:
    - determining one or more interactions between one or more of the plurality of users or the plurality of assets based on the monitored network traffic;
      
      determining the portion of the network traffic associated with the plurality of users based on the one or more interactions; and
      
      determining the other portion of the network traffic associated with the plurality of assets based on the one or more interactions.
  - 26. The system of claim 22, further comprising:
    - determining one or more interactions between one or more administrative users and the plurality of assets based on the monitored network traffic;
      
      determining one or more other interactions between one or more non-administrative users and the plurality of assets based on the monitored network traffic; and
      
      determining one or more administrative assets based on the one or more interactions between the one or more administrative users and the plurality of assets, wherein the one or more interactions associated with the one or more administrative assets are associated with the one or more administrative users.
  - 27. The system of claim 22, further comprising, determining an asset type for an asset based on a similarity of one or more characteristics of the asset to one or more characteristics of the one or more other assets, wherein the asset type for the asset is determined based on the asset type of the similar one or more other assets.
  - 28. The system of claim 22, wherein the plurality of assets further comprise one or more of entities, documents, directories, APIs, REST endpoints, micro-services, MSRPC/DCOM interfaces, database tables, media files or streams, or file systems.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
ExtraHop Networks, Incorporated
Original Assignee
ExtraHop Networks, Incorporated
Inventors
Wu, Xue Jun, Higgins, Benjamin Thomas, Montague, Michael Kerber Krause, Lee, Po-Shen, Chen, Songqian, Tabony, Jade Alexi, Porterfield, Katherine Megan
Primary Examiner(s)
Pearson, David J

Application Number

US16/560,886
Time in Patent Office

342 Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/105   Multiple levels of security

H04L 63/107   wherein the security polici...

H04L 63/1408   by monitoring network traff...

H04L 63/1425   Traffic logging, e.g. anoma...

Automatic determination of user roles and asset types based on network monitoring

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

442 Citations

28 Claims

Specification

Use Cases

Quick Links

Others

Automatic determination of user roles and asset types based on network monitoring

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

442 Citations

28 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others