Detecting Behavioral Patterns and Anomalies Using Activity Data
Abstract
Activity data is analyzed or evaluated to detect behavioral patterns and anomalies. When a particular pattern or anomaly is detected, a system may send a notification or perform a particular task. This activity data may be collected in an information management system, which may be policy based. Notification may be by way of e-mail, report, pop-up message, or system message. Some tasks to perform upon detection may include implementing a policy in the information management system, disallowing a user from connecting to the system, and restricting a user from being allowed to perform certain actions. To detect a pattern, activity data may be compared to a previously defined or generated activity profile.
68 Claims
1. A method of managing information of a system comprising:
- providing a plurality of information management rules;
- providing an activity database;
- gathering activity data from a first target in the activity database;
- gathering activity data from a second target in the activity database;
- associating at least a first rule of the information management rules to the first target;
- evaluating the data stored in the activity database according to a detection algorithm;
- based on the detection algorithm, associating a second rule to the first target; and
- for the first target, controlling usage of information based on the at least first rule of information management rules and the second rule.

Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20
21. A method of operating a system comprising:
- providing a plurality of devices;
- providing an activity database;
- collecting information usage data from the plurality of devices in the activity database;
- analyzing the information usage data in the activity database to detect a condition; and
- when the condition is detected, generating a notification of the condition.

Dependent claims: 22, 23, 24, 25, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40
26. The method in claim 26 wherein the data collected during rule evaluation comprises at least one of the time at which rule evaluation occurs, the outcome of evaluating at least one rule, the event that triggers a rule evaluation operation, a rule identifier indicating a particular rule being evaluated, information about a resource associated with an evaluated rule, information about a user related to a rule evaluation operation, information about an application program associated with a rule evaluation operation, or information about a device associated with a rule evaluation operation.
41. A method of an information management system comprising:
- providing a plurality of devices;
- providing an activity database;
- providing a first activity profile;
- collecting information usage data from the plurality of devices and storing in the activity database;
- analyzing the information usage data in the activity database to generate a second activity profile;
- comparing the second activity profile with first activity profile to determine a set of differences;
- using the set of differences, detecting whether a condition has occurred; and
- when the condition has occurred, generating a notification of the condition.

Dependent claims: 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 62, 63, 64, 65, 66, 67, 68
42. The method in claim 42 wherein the information usage data includes data collected during evaluation of a rule at a device.
43. The method in claim 43 wherein the data collected during the rule evaluation comprises at least one of the time at which rule evaluation occurs, the outcome of evaluating at least one rule, the event that triggers a rule evaluation operation, a rule identifier indicating a particular rule being evaluated, information about a resource associated with an evaluated rule, information about a user related to a rule evaluation operation, information about an application program associated with a rule evaluation operation, or information about a device associated with a rule evaluation operation.
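The profile comparison recited in claim 41 and summarized in the abstract, sketched as an added example (not code from the patent or its assignee). The record fields, the choice of profiled features, the 0.25 shift threshold and the sample events are all assumptions constructed for illustration.

```python
from collections import Counter, defaultdict
from datetime import datetime

def features(ev):
    """Map one rule-evaluation record to the features a profile counts."""
    hour = datetime.fromisoformat(ev["time"]).hour
    yield "outcome=" + ev["outcome"]
    yield "device=" + ev["device"]
    yield "app=" + ev["app"]
    yield "hours=" + ("business" if 8 <= hour < 18 else "off")

def build_profile(events):
    """Per-user profile: share of that user's events carrying each feature."""
    counts, totals = defaultdict(Counter), Counter()
    for ev in events:
        totals[ev["user"]] += 1
        counts[ev["user"]].update(features(ev))
    return {u: {f: n / totals[u] for f, n in c.items()} for u, c in counts.items()}

def compare(first, second, min_shift=0.25):
    """Set of differences: features whose share rose by at least min_shift."""
    diffs = []
    for user, current in second.items():
        base = first.get(user, {})
        for feat, share in current.items():
            if share - base.get(feat, 0.0) >= min_shift:
                diffs.append((user, feat, base.get(feat, 0.0), share))
    return sorted(diffs)

def notify(diffs):
    """One notification string per detected difference."""
    return [f"{u}: {f} rose from {old:.0%} to {new:.0%}" for u, f, old, new in diffs]

def ev(time, user, device, app, outcome, rule="R1", resource="//fs/finance/q3.xlsx"):
    # rule and resource are carried in the record but not profiled here
    return dict(time=time, user=user, device=device, app=app,
                outcome=outcome, rule=rule, resource=resource)

# Constructed sample data: a baseline period and a later collection period
BASELINE = [ev(f"2024-03-0{d}T10:00:00", u, dev, app, "allow") for d in range(1, 5)
            for u, dev, app in [("alice", "LAPTOP-1", "excel"), ("bob", "DESK-2", "word")]]
LATEST = [ev("2024-03-11T10:00:00", "alice", "LAPTOP-1", "excel", "allow"),
          ev("2024-03-11T23:10:00", "alice", "KIOSK-9", "ftp", "deny"),
          ev("2024-03-11T23:12:00", "alice", "KIOSK-9", "ftp", "deny"),
          ev("2024-03-11T23:15:00", "alice", "KIOSK-9", "ftp", "deny"),
          ev("2024-03-11T11:00:00", "bob", "DESK-2", "word", "allow")]

def run():
    return notify(compare(build_profile(BASELINE), build_profile(LATEST)))
print("\n".join(run()))
```

Shares rather than raw counts are compared so that periods of different length remain comparable; a user absent from the first profile is treated as having a zero baseline for every feature.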
Specification