Method and apparatus to detect unauthorized information disclosure via content anomaly detection
First Claim
1. Method for content-level monitoring, auditing, trending, and detection of anomalies in access to information, said information including electronic data on computers, said method comprising the steps of:
- a) Capturing of packets on the network
- b) Filtering packets to detect meaningful packets representing information content
- c) Decoding packets based on semantics of the application or protocol
- d) Analyzing packets to map message information contained in the packet into a quantitative representation
- e) Deriving a content signature from the quantitative representation
- f) Storing the content, along with the signature and attributes, into a database
- g) Mining the content database to derive a prototypical model of content, users, and time
- h) Detecting anomalies by finding strong deviations from the prototypical model
- i) Processing anomalies to minimize false alarms and increase the precision of anomalies
11 Assignments
0 Petitions
Abstract
Method and apparatus to monitor and detect anomalies of information content flows, the method comprising the steps of capturing information access packets, filtering packets to extract information, decoding packets to determine information content, deriving content signatures, trending prototypical behavior, and detecting anomalies of information access, and said apparatus comprising a computing device comprising a network based device that captures the information and produces anomaly information.
48 Claims
- 1. Method for content-level monitoring, auditing, trending, and detection of anomalies in access to information, said information including electronic data on computers, said method comprising the steps of:
  - a) Capturing of packets on the network
  - b) Filtering packets to detect meaningful packets representing information content
  - c) Decoding packets based on semantics of the application or protocol
  - d) Analyzing packets to map message information contained in the packet into a quantitative representation
  - e) Deriving a content signature from the quantitative representation
  - f) Storing the content, along with the signature and attributes, into a database
  - g) Mining the content database to derive a prototypical model of content, users, and time
  - h) Detecting anomalies by finding strong deviations from the prototypical model
  - i) Processing anomalies to minimize false alarms and increase the precision of anomalies
  - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24)
- 25. A method, where anomaly detection is used for real-time protection of information
- 29. A method for correlating content, users, time, and space at the ‘information’ level, developing trends based on information access, and detecting anomalies of information access from confidential information repositories without requiring to know the specific type of information being accessed - View Dependent Claims (30, 31, 32, 33, 34, 35)
- 36. A method for content or information level anomaly detection that works when the content itself may be changing
- 38. A method for monitoring and auditing access to confidential information based on monitoring access behavior, characterizing access based on dimensions including user identity, location, time, and content, and detecting anomalies.
- 41. An apparatus for monitoring, trending, and detection of anomalies in access to information, said critical information including electronic data on computers, comprises: a network based computing device that is used to capture packets, filter data content, decode packets based on protocol and application, derive content signatures, generate historical trends, detect anomalies, and provide real-time access control - View Dependent Claims (42, 43, 44, 45, 46, 47, 48)
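The nine steps of claim 1 (capture, filter, decode, quantify, sign, store, mine, detect, post-process) describe a generic content-anomaly pipeline. The following Python program is an added, self-contained illustration of that pipeline on constructed traffic; it is not the patent holder's implementation and is not taken from the specification. Its toy HTTP-like payload format, the bag-of-words vector, the SHA-256 term-count signature, the cosine-distance threshold of 0.5, the one-hour time window and the minimum baseline of three records are all assumptions chosen for the example.

```python
import hashlib
import math
import re
from collections import Counter, defaultdict

# Constructed sample traffic (not real captures). Each dict is one captured
# application message; only "http" messages with a body carry content here.
HISTORY = [
    {"user": "alice", "hour": 9, "proto": "http", "payload": "GET /reports/q1\n\nquarterly sales revenue forecast region"},
    {"user": "alice", "hour": 10, "proto": "http", "payload": "GET /reports/q2\n\nquarterly sales revenue pipeline region"},
    {"user": "alice", "hour": 11, "proto": "http", "payload": "GET /reports/q3\n\nsales revenue forecast pipeline region"},
    {"user": "alice", "hour": 14, "proto": "http", "payload": "GET /reports/q4\n\nquarterly revenue forecast pipeline"},
    {"user": "bob", "hour": 9, "proto": "http", "payload": "GET /hr/policy\n\nvacation policy handbook benefits"},
    {"user": "bob", "hour": 10, "proto": "dns", "payload": "A? example.invalid"},
    {"user": "bob", "hour": 16, "proto": "http", "payload": "GET /hr/forms\n\nbenefits enrollment handbook form"},
]

# Constructed "new" traffic to score against the mined model.
NEW = [
    {"user": "alice", "hour": 10, "proto": "http", "payload": "GET /reports/q1\n\nquarterly sales revenue forecast region"},
    {"user": "alice", "hour": 10, "proto": "http", "payload": "GET /hr/salaries\n\nsalary compensation payroll bank account"},
    {"user": "alice", "hour": 3, "proto": "http", "payload": "GET /reports/q1\n\nquarterly sales revenue forecast region"},
    {"user": "bob", "hour": 9, "proto": "http", "payload": "GET /hr/salaries\n\nsalary compensation payroll bank account"},
]


def filter_packets(packets):
    """Step b: keep only messages that carry information content (HTTP with a body)."""
    return [p for p in packets if p["proto"] == "http" and "\n\n" in p["payload"]]


def decode(packet):
    """Step c: split the toy HTTP payload into a request line and a body."""
    request, body = packet["payload"].split("\n\n", 1)
    return {"user": packet["user"], "hour": packet["hour"], "resource": request.split()[1], "body": body}


def vectorize(body):
    """Step d: bag-of-words term frequencies, L2-normalised so cosine similarity applies."""
    counts = Counter(re.findall(r"[a-z0-9]+", body.lower()))
    norm = math.sqrt(sum(c * c for c in counts.values())) or 1.0
    return {t: c / norm for t, c in counts.items()}


def signature(body):
    """Step e: order-independent content signature (hash of the canonical term counts)."""
    counts = Counter(re.findall(r"[a-z0-9]+", body.lower()))
    canonical = ",".join(f"{t}:{n}" for t, n in sorted(counts.items()))
    return hashlib.sha256(canonical.encode()).hexdigest()


def build_model(packets):
    """Steps f and g: store decoded records and mine a per-user prototype:
    an (unnormalised) centroid of content vectors, hours of access, signatures seen."""
    model = defaultdict(lambda: {"centroid": Counter(), "n": 0, "hours": set(), "sigs": set()})
    for rec in (decode(p) for p in filter_packets(packets)):
        m = model[rec["user"]]
        m["centroid"].update(vectorize(rec["body"]))  # cosine is scale-invariant, so no division by n
        m["n"] += 1
        m["hours"].add(rec["hour"])
        m["sigs"].add(signature(rec["body"]))
    return model


def cosine_distance(v, c):
    """1 - cos(v, c); v is unit-length, c may be any non-negative vector."""
    dot = sum(w * c.get(t, 0.0) for t, w in v.items())
    cn = math.sqrt(sum(w * w for w in c.values()))
    return 1.0 - dot / cn if cn else 1.0


def detect(model, packets, threshold=0.5):
    """Step h: flag records that deviate strongly from the user's prototype in content or time."""
    alerts = []
    for rec in (decode(p) for p in filter_packets(packets)):
        m = model.get(rec["user"])  # .get() does not create a default entry
        reasons = []
        dist = cosine_distance(vectorize(rec["body"]), m["centroid"]) if m else 1.0
        if dist > threshold:
            reasons.append(f"content distance {dist:.2f}")
        if m and not any(abs(rec["hour"] - h) <= 1 for h in m["hours"]):
            reasons.append(f"unusual hour {rec['hour']}")
        if reasons:
            alerts.append({**rec, "sig": signature(rec["body"]), "reasons": reasons})
    return alerts


def process(model, alerts, min_history=3):
    """Step i: reduce false alarms. Drop alerts for users with too little baseline, and drop
    the content reason when the user has already accessed content with the same signature."""
    kept = []
    for a in alerts:
        m = model.get(a["user"])
        if m is None or m["n"] < min_history:
            continue
        reasons = [r for r in a["reasons"] if not (r.startswith("content") and a["sig"] in m["sigs"])]
        if reasons:
            kept.append({**a, "reasons": reasons})
    return kept


if __name__ == "__main__":
    mined = build_model(HISTORY)
    for alert in process(mined, detect(mined, NEW)):
        print(alert["user"], alert["resource"], alert["reasons"])
```

On the constructed data, detection raises three alerts (alice reading salary content, alice reading familiar content at 03:00, bob reading salary content); post-processing keeps the first two and suppresses bob's because his baseline holds only two records. The point of the two-stage design is that the threshold in step h can be set aggressively while step i uses the stored signatures and baseline size to keep the alert stream precise.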