Detecting Behavioral Patterns and Anomalies Using Activity Data

US 20070156696A1
Filed: 12/22/2006
Published: 07/05/2007
Est. Priority Date: 12/29/2005
Status: Active Grant

First Claim

Patent Images

1. A method of managing information of a system comprising:

providing a plurality of information management rules;

providing an activity database;

gathering activity data from a first target in the activity database;

gathering activity data from a second target in the activity database;

associating at least a first rule of the information management rules to the first target;

evaluating the data stored in the activity database according to a detection algorithm;

based on the detection algorithm, associating a second rule to the first target; and

for the first target, controlling usage of information based on the at least first rule of information management rules and the second rule.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Activity data is analyzed or evaluated to detect behavioral patterns and anomalies. When a particular pattern or anomaly is detected, a system may send a notification or perform a particular task. This activity data may be collected in an information management system, which may be policy based. Notification may be by way e-mail, report, pop-up message, or system message. Some tasks to perform upon detection may include implementing a policy in the information management system, disallowing a user from connecting to the system, and restricting a user from being allowed to perform certain actions. To detect a pattern, activity data may be compared to a previously defined or generated activity profile.

Citations

68 Claims

1. A method of managing information of a system comprising:
- providing a plurality of information management rules;
  
  providing an activity database;
  
  gathering activity data from a first target in the activity database;
  
  gathering activity data from a second target in the activity database;
  
  associating at least a first rule of the information management rules to the first target;
  
  evaluating the data stored in the activity database according to a detection algorithm;
  
  based on the detection algorithm, associating a second rule to the first target; and
  
  for the first target, controlling usage of information based on the at least first rule of information management rules and the second rule.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 2. The method of claim 1 wherein the activity database is stored on the first target.
  - 3. The method of claim 1 wherein the activity database is stored on a server where the plurality of information management rules is stored.
  - 4. The method of claim 1 wherein the activity database is stored on an intelligence server and the plurality of information management rules are stored on a policy server, where the policy and intelligence servers are separate.
  - 5. The method of claim 1 further comprising:
    - based on the detection algorithm, adding the second rule to the plurality of information management rules.
  - 6. The method of claim 1 further comprising:
    - based on the detection algorithm, activating the second rule of the plurality of information management rules.
  - 7. The method of claim 1 wherein the based on the detection algorithm, associating a second rule to the first target is replaced bybased on the detection algorithm, altering a second rule of the plurality of information management rules and associating the second rule to the first target.
  - 8. The method of claim 1 wherein the based on the detection algorithm, associating a second rule to the first target is replaced bybased on the detection algorithm, altering a value of a variable incorporated in an expression of a second rule of the plurality of information management rules;
    - andassociating the second rule to the first target.
  - 9. The method of claim 1 wherein the detection algorithm comprises executing an OLAP task of the first target.
  - 10. The method of claim 1 wherein the detection algorithm detects the first target has attempted to access information more than X times in a Y time period.
  - 11. The method of claim 10 wherein the values of X and Y are user selectable.
  - 12. The method of claim 11 wherein the value of X is an integer.
  - 13. The method of claim 1 wherein the detection algorithm detects the first target has attempted to transfer a document classified as confidential to the second target.
  - 14. The method of claim 1 wherein the detection algorithm detects the first target has attempted to transfer a document classified as confidential to a removable media.
  - 15. The method of claim 14 wherein the removable media includes at least one of CDROM, CD-RW, DVD-ROM, DVD-RW, USB device, and floppy disk.
  - 16. The method of claim 1 wherein the detection algorithm detects the first target has attempted to transfer a document classified as confidential to a recipient outside the information management system.
  - 17. The method of claim 1 further comprising:
    - logging in the activity database a denial of access at the first target for an attempt to access information of the system by the first target.
  - 18. The method of claim 1 further comprising:
    - generating a report based on the detection algorithm.
  - 19. The method of claim 1 wherein the detection algorithm comprises at least one rule.
  - 20. The method of claim 1 wherein the evaluating the data stored in the activity database according to a detection algorithm detects at least one of information fraud, information misuse, operational inefficiency, potential improvement in workforce productivity, potential improvement in resource utilization, abnormal or suspicious activity pattern, or policy effectiveness.

21. A method of operating a system comprising:
- providing a plurality of devices;
  
  providing an activity database;
  
  collecting information usage data from the plurality of devices in the activity database;
  
  analyzing the information usage data in the activity database to detect a condition; and
  
  when the condition is detected, generating a notification of the condition.
- View Dependent Claims (22, 23, 24, 25, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40)
- - 22. The method of claim 21 wherein the information usage data comprises data associated with at least one of application program operation or document access.
  - 23. The method of claim 22 wherein the application program operation comprises at least one of sending an e-mail message, forwarding an e-mail message, attaching a file to an e-mail message, opening a file, saving a file, deleting a file, moving a file, changing file attribute, cutting application data to a clipboard, pasting application data from a clipboard, editing a cell in a spreadsheet, changing a formula associated with a cell in a spreadsheet, creating a macro, or editing a script.
  - 24. The method of claim 21 wherein the information usage data comprises at least one of time, duration, a resource identifier, type of resource, resource attributes, file name, file path, file attribute, e-mail sender, e-mail recipient, e-mail attachment, user, user attribute, name of application program, application program version information, type of application program host name, IP address, type of computer, computer configuration, application program command, application program function, application program event, file operation, database operation, or any other application program or operating system event.
  - 25. The method in claim 22 wherein the information usage data comprises data collected during evaluation of a rule at a device.
  - 27. The method of claim 21 wherein the generating a notification of the condition comprises sending an e-mail.
  - 28. The method of claim 21 wherein the generating a notification of the condition comprises adding an entry to a log.
  - 29. The method of claim 21 wherein the notification is at least one of an e-mail, pop-up message on a computer screen, and SNMP message.
  - 30. The method of claim 21 further comprising:
    - when the condition is detected, sending the notification to an application program.
  - 31. The method of claim 21 further comprising:
    - when the condition is detected, sending the notification to another device.
  - 32. The method of claim 21 wherein the condition is detected when a device has attempted to access a unit of information more than X times in a Y time period.
  - 33. The method of claim 21 wherein the condition is detected when a user logged on a device has attempted to access a unit of information more than X times in a Y time period.
  - 34. The method of claim 21 wherein the condition is detected when a username has connected to the system from a first location X at a first time T1 and the username has connected to the system from a second location Y at second time T2 and a distance between X and Y divided by (T2−
    - T1) is greater than Z.
  - 35. The method of claim 21 wherein the condition is detected when a username has accessed information of the system from a first location X at a first time T1 and the username has accessed information of the system from a second location Y at second time T2 and a distance between X and Y divided by (T2−
    - T1) is greater than Z.
  - 36. The method of claim 21 wherein the analyzing the information usage data in the activity database to detect a condition is replaced bycollecting external event data collected outside the system;
    - andanalyzing the information usage data and the external event data to detect a condition.
  - 37. The method of claim 21 wherein the devices comprise at least one of a file server, network attached storage (NAS) device, virtual file server, file gateway, e-mail server, messaging server, collaboration server, document management system (DMS), content management system, digital rights management server, Web server, portal server, application server, database server, integration server, customer relation management (CRM) system, enterprise resource (ERP) planning system, supply chain management system, any file-based or nonfile document repositories, desktop computer, laptop computer, personal digital assistant (PDA), smart phone, thin clients, an instance of client operating environment running on a terminal server, a guest operating system running on a virtual machine, a server making information resource operation request (acting as a client in the context of the request), information kiosk, or any computing device and computing environment from which an information resource operation request originates.
  - 38. The method of claim 21 wherein the collecting information usage data comprises:
    - associating an interceptor program with an application program; and
      
      using the interceptor program, while the application program is executing, gathering information about operations of the application program.
  - 39. The method of claim 21 wherein the analyzing the information usage data in the activity database further comprises generating a report.
  - 40. The method of claim 21 wherein the condition includes at least one of information fraud, information misuse, operational inefficiency, potential improvement in workforce productivity, potential improvement in resource utilization, or abnormal or suspicious activity pattern.

26. The method in claim 26 wherein the data collected during rule evaluation comprises at least one of the time at which rule evaluation occurs, the outcome of evaluating at least one rule, the event that triggers a rule evaluation operation, a rule identifier indicating a particular rule being evaluated, information about a resource associated with an evaluated rule, information about a user related to a rule evaluation operation, information about an application program associated with a rule evaluation operation, or information about a device associated with a rule evaluation operation.

41. A method of an information management system comprising:
- providing a plurality of devices;
  
  providing an activity database;
  
  providing a first activity profile;
  
  collecting information usage data from the plurality of devices and storing in the activity database;
  
  analyzing the information usage data in the activity database to generate a second activity profile;
  
  comparing the second activity profile with first activity profile to determine a set of differences;
  
  using the set of differences, detecting whether a condition has occurred; and
  
  when the condition has occurred, generating a notification of the condition.
- View Dependent Claims (44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 62, 63, 64, 65, 66, 67, 68)
- - 44. The method of claim 41 wherein the information usage data comprises at least one of time, duration, a resource identifier, type of resource, resource attributes, file name, file path, file attribute, e-mail sender, e-mail recipient, e-mail attachment, user, user attribute, name of application program, application program version information, type of application program host name, IP address, type of computer, computer configuration, application program command, application program function, application program event, file operation, database operation, any other application program or operating system event, or type of connectivity a user used to connect to a device.
  - 45. The method of claim 41 wherein the information usage data comprises data associated with at least one of application program operation or document access.
  - 46. The method of claim 45 wherein the application program operation includes sending an e-mail message, forwarding an e-mail message, attaching a file to an e-mail message, opening a file, saving a file, deleting a file, moving a file, changing file attributes, cutting application data to a clipboard, pasting application data from a clipboard, editing a cell in a spreadsheet, changing a formula associated with a cell in a spreadsheet, creating a macro, or editing a script.
  - 47. The method of claim 41 wherein when the set of difference is zero, the condition will not have occurred.
  - 48. The method of claim 41 wherein the condition occurs when (X−
    - Y) is greater than a threshold value Z, where X is a value in the first activity profile and Y is a value in the second activity profile.
  - 49. The method of claim 41 wherein the condition occurs when (X−
    - Y) is greater than a threshold value Z, where X is a value derived from the first activity profile and Y is a value derived from the second activity profile.
  - 50. The method of claim 41 wherein the first activity profile comprises a threshold value X and the condition occurs when a value Y derived from the second activity profile is greater than X.
  - 51. The method of claim 49 wherein the X and Y times represent times spent in an application program.
  - 52. The method of claim 49 wherein the X and Y times represent typing rate.
  - 53. The method of claim 41 wherein the condition which is satisfied when the second activity profile indicates a user using instant messenger more than an amount of time specified in the first activity profile.
  - 54. The method of claim 41 wherein the first activity profile is generated from information usage data in the activity database.
  - 55. The method of claim 54 wherein first activity profile comprises data collected based on two or more users and the second activity profile comprises data collected based on one user.
  - 56. The method of claim 54 wherein first activity profile comprises information derived from data collected based on two or more users and the second activity profile comprises information derived from data collected based on one user.
  - 57. The method of claim 56 where the first activity profile includes an average productivity index of a group of users and the second activity profile includes a productivity index of a user in the group of users.
  - 58. The method of claim 56 where the first activity profile includes an average productivity index of a group of users and the second activity profile includes a productivity of a user not in the group of users.
  - 59. The method of claim 41 wherein the generating a notification of the condition comprises sending an e-mail.
  - 60. The method of claim 41 wherein the generating a notification of the condition comprises adding an entry to a log.
  - 61. The method of claim 41 wherein the notification is at least one of an e-mail, pop-up message on a computer screen, and SNMP message.
  - 62. The method of claim 41 further comprising:
    - when the condition is detected, sending the notification to an application program.
  - 63. The method of claim 41 further comprising:
    - when the condition is detected, sending the notification to another device.
  - 64. The method of claim 41 wherein the analyzing the information usage data in the activity database to detect a condition is replaced bygathering external event data collected outside the system;
    - andanalyzing the information usage data and the external event data to detect a condition.
  - 65. The method of claim 41 wherein the devices comprise at least one of a file server, network attached storage (NAS) device, virtual file server, file gateway, e-mail server, messaging server, collaboration server, document management system (DMS), content management system, digital rights management server, Web server, portal server, application server, database server, integration server, customer relation management (CRM) system, enterprise resource (ERP) planning system, supply chain management system, any file-based or nonfile document repositories, desktop computer, laptop computer, personal digital assistant (PDA), smart phone, thin clients, an instance of client operating environment running on a terminal server, a guest operating system running on a virtual machine, a server making information resource operation request (acting as a client in the context of the request), information kiosk, or any computing device and computing environment from which an information resource operation request originates.
  - 66. The method of claim 41 wherein the collecting information usage data comprises:
    - associating an interceptor program with an application program; and
      
      using the interceptor program, while the application program is executing, gathering information about operations of the application program.
  - 67. The method of claim 41 wherein the analyzing the information usage data in the activity database further comprises generating a report.
  - 68. The method of claim 41 wherein the condition includes at least one of information fraud, information misuse, operational inefficiency, potential improvement in workforce productivity, potential improvement in resource utilization, a change in user behavior, a change in group behavior, a change in application program behavior, change in resource utilization, or abnormal or suspicious activity pattern.

42. The method in claim 42 wherein the information usage data includes data collected during evaluation of a rule at a device.

43. The method in claim 43 wherein the data collected during the rule evaluation comprises at least one of the time at which rule evaluation occurs, the outcome of evaluating at least one rule, the event that triggers a rule evaluation operation, a rule identifier indicating a particular rule being evaluated, information about a resource associated with an evaluated rule, information about a user related to a rule evaluation operation, information about an application program associated with a rule evaluation operation, or information about a device associated with a rule evaluation operation.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Nextlabs
Original Assignee
Blue Jungle
Inventors
Lim, Keng

Granted Patent

US 8,862,551 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 11/3438   monitoring of user actions ...

G06F 16/122   using management policies b...

G06F 16/13   File access structures, e.g...

G06F 16/176   Support for shared access t...

G06F 16/93   Document management systems

G06F 21/6218   to a system of files or obj...

G06F 2221/2101   Auditing as a secondary aspect

G06F 9/468   Specific access rights for ...

H04L 63/10   for controlling access to d...

H04L 63/101   Access control lists [ACL]

H04L 63/104   Grouping of entities

H04L 63/105   Multiple levels of security

H04L 63/20   for managing network securi...

H04L 63/205   involving negotiation or de...

Detecting Behavioral Patterns and Anomalies Using Activity Data

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

68 Claims

Specification

Solutions

Use Cases

Quick Links

Detecting Behavioral Patterns and Anomalies Using Activity Data

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

68 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links