Insider threat detection

US 20080271143A1
Filed: 04/24/2007
Published: 10/30/2008
Est. Priority Date: 04/24/2007
Status: Active Grant

First Claim

Patent Images

1. A method for insider threat detection in a network, comprising:

monitoring the network to collect network traffic associated with a set of network protocols;

generating information-use events based on the collected network traffic;

generating contextual information associated with the network;

processing the information-use events in view of the generated contextual information to generate alerts for a user of the network when network activity of said user substantially matches one or more types of targeted behaviors;

processing the generated alerts to determine a threat score for said user.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods, systems, and computer program products for insider threat detection are provided. Embodiments detect insiders who act on documents and/or files to which they have access but whose activity is inappropriate or uncharacteristic of them based on their identity, past activity, and/or organizational context. Embodiments work by monitoring the network to detect network activity associated with a set of network protocols; processing the detected activity to generate information-use events; generating contextual information associated with users of the network; and processing the information-use events based on the generated contextual information to generate alerts and threat scores for users of the network. Embodiments provide several information-misuse detectors that are used to examine generated information-use events in view of collected contextual information to detect volumetric anomalies, suspicious and/or evasive behavior. Embodiments provide a user threat ranking system and a user interface to examine user threat scores and analyze user activity.

Citations

24 Claims

1. A method for insider threat detection in a network, comprising:
- monitoring the network to collect network traffic associated with a set of network protocols;
  
  generating information-use events based on the collected network traffic;
  
  generating contextual information associated with the network;
  
  processing the information-use events in view of the generated contextual information to generate alerts for a user of the network when network activity of said user substantially matches one or more types of targeted behaviors;
  
  processing the generated alerts to determine a threat score for said user.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, wherein said step of generating information-use events comprises:
    - applying protocol decoders to the collected network traffic; and
      
      attributing the generated information-use events to associated users.
  - 3. The method of claim 1, wherein said step of generating contextual information comprises:
    - generating contextual information associated with at least one of users of the network, groups of users of the network, and all users of the network.
  - 4. The method of claim 1, wherein said step of generating contextual information comprises:
    - retrieving information associated with users of the network; and
      
      collecting information related to at least one of past and current network activity of users of the network.
  - 5. The method of claim 1, wherein said step of generating contextual information comprises:
    - generating contextual information associated with information located on the network.
  - 6. The method of claim 5, further comprising:
    - using meta-data associated with said information to generate said contextual information.
  - 7. The method of claim 1, wherein said step of generating contextual information comprises:
    - generating contextual information associated with an organization employing the network, wherein said contextual information includes information associated with organization-specific properties, rules, and policies.
  - 8. The method of claim 1, wherein said step of generating contextual information is performed periodically.
  - 9. The method of claim 1, wherein said step of processing the information-use events comprises:
    - processing the information-use events to determine at least one of volumetric anomalies, suspicious and evasive behavior.
  - 10. The method of claim 1, further comprising:
    - further examining the network activity of said user when the threat score associated with said user is above a pre-determined threshold.
  - 11. The method of claim 1, wherein said step of processing the information-use events comprises:
    - receiving a time period; and
      
      providing the information-use events associated with said user during said time period and appropriate context to a set of detectors, wherein each of said detectors is configured to detect a respective type of anomalous behavior.

12. A system for insider threat detection in a network, comprising:
- a plurality of network sensors configured to collect network traffic associated with a set of protocols;
  
  a plurality of context sensors configured to collect contextual information associated with the network;
  
  a plurality of protocol decoders configured to generate information-use events based on said collected network traffic;
  
  a database configured to maintain an analysis data set, wherein said analysis data set includes said information-use events and contextual information;
  
  a plurality of detectors configured to generate alerts when behavior hypothesized to be malicious is detected based on said analysis data set; and
  
  a Bayesian network module configured to receive the generated alerts and to generate threat scores for users of the network.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20, 21)
- - 13. The system of claim 12, further comprising:
    - a user interface configured to control said network sensors, context sensors, protocol decoders, database, detectors, and Bayesian network.
  - 14. The system of claim 12, further comprising:
    - a user interface configured to present events, context, alerts, threat scores, and analysis results in textual, numeric, and graphical forms.
  - 15. The system of claim 12, wherein said network sensors are located between clients and servers of the network.
  - 16. The system of claim 12, wherein each of said plurality of detectors is configured to detect a respective targeted behavior.
  - 17. The system of claim 12, wherein said detectors are configured to process the generated information-use events associated with users of the network in view of the collected contextual information to detect at least one of volumetric anomalies, suspicious and evasive behavior in said each user'"'"'s activity.
  - 18. The system of claim 12, wherein one or more of said detectors are developed based on a priori knowledge of at least one of typical user behavior in the network, consultation with insider threat experts, and public information about past cases of malicious insiders.
  - 19. The system of claim 12, wherein at least one of said detectors is a rule-based detector that is configured to determine whether a respective behavior occurs in the network.
  - 20. The system of claim 12, wherein at least one of said detectors is a statistics-based detector that is configured to determine whether an observed behavior is anomalous based on a statistical distribution function associated with the behavior.
  - 21. The system of claim 12, wherein the Bayesian network module is configured to generate for a user of the network the probability that said user is a malicious insider given the generated alerts associated with the user.

22. A computer program product comprising a computer useable medium having computer program logic recorded thereon for enabling a processor to detect insider threats in a network, the computer program logic comprising:
- monitoring means for enabling a processor to monitor the network to collect network traffic associated with a set of network protocols;
  
  first generating means for enabling a processor to generate information-use events based on the collected network traffic;
  
  second generating means for enabling a processor to generate contextual information associated with the network;
  
  first processing means for enabling a processor to process the information-use events in view of the generated contextual information to generate alerts for users of the network when network activity of said users substantially matches one or more types of anomalous behaviors; and
  
  second processing means for enabling a processor to process the generated alerts to determine threat scores for said users.
- View Dependent Claims (23, 24)
- - 23. The computer program product of claim 22, wherein the computer program logic further comprises:
    - decoding means for enabling a processor to apply protocol decoders to the collected network traffic; and
      
      attributing means for enabling a processor to attribute the generated information-use events to their associated users.
  - 24. The computer program product of claim 22, wherein the computer program logic further comprises:
    - third generating means for enabling a processor to generate contextual information associated with at least one of users of the network, groups of users of the network, and all users of the network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Mitre Corporation
Original Assignee
Mitre Corporation
Inventors
Maloof, Marcus A., Stephens, Gregory D.

Granted Patent

US 8,707,431 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/22
CPC Class Codes

H04L 41/5061   characterised by the intera...

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

Insider threat detection

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

Insider threat detection

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links