Insider threat detection
Abstract
Methods, systems, and computer program products for insider threat detection are provided. Embodiments detect insiders who act on documents and/or files to which they have access but whose activity is inappropriate or uncharacteristic of them based on their identity, past activity, and/or organizational context. Embodiments work by monitoring the network to detect network activity associated with a set of network protocols; processing the detected activity to generate information-use events; generating contextual information associated with users of the network; and processing the information-use events based on the generated contextual information to generate alerts and threat scores for users of the network. Embodiments provide several information-misuse detectors that are used to examine generated information-use events in view of collected contextual information to detect volumetric anomalies, suspicious and/or evasive behavior. Embodiments provide a user threat ranking system and a user interface to examine user threat scores and analyze user activity.
24 Claims
1. A method for insider threat detection in a network, comprising:
   monitoring the network to collect network traffic associated with a set of network protocols;
   generating information-use events based on the collected network traffic;
   generating contextual information associated with the network;
   processing the information-use events in view of the generated contextual information to generate alerts for a user of the network when network activity of said user substantially matches one or more types of targeted behaviors;
   processing the generated alerts to determine a threat score for said user.
   Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11.

12. A system for insider threat detection in a network, comprising:
   a plurality of network sensors configured to collect network traffic associated with a set of protocols;
   a plurality of context sensors configured to collect contextual information associated with the network;
   a plurality of protocol decoders configured to generate information-use events based on said collected network traffic;
   a database configured to maintain an analysis data set, wherein said analysis data set includes said information-use events and contextual information;
   a plurality of detectors configured to generate alerts when behavior hypothesized to be malicious is detected based on said analysis data set; and
   a Bayesian network module configured to receive the generated alerts and to generate threat scores for users of the network.
   Dependent claims: 13, 14, 15, 16, 17, 18, 19, 20, 21.

22. A computer program product comprising a computer useable medium having computer program logic recorded thereon for enabling a processor to detect insider threats in a network, the computer program logic comprising:
   monitoring means for enabling a processor to monitor the network to collect network traffic associated with a set of network protocols;
   first generating means for enabling a processor to generate information-use events based on the collected network traffic;
   second generating means for enabling a processor to generate contextual information associated with the network;
   first processing means for enabling a processor to process the information-use events in view of the generated contextual information to generate alerts for users of the network when network activity of said users substantially matches one or more types of anomalous behaviors; and
   second processing means for enabling a processor to process the generated alerts to determine threat scores for said users.
   Dependent claims: 23, 24.

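The claimed pipeline (decoded information-use events, contextual information, per-behavior detectors, and a Bayesian module that turns alerts into a per-user threat score), as an added Python sketch that is not the patent's own code. The events, the context table, the z-score threshold and the per-alert likelihoods are all constructed assumptions; the Bayesian step is a noisy-OR over the alerts that fired for each user.

```python
from collections import defaultdict

# Constructed sample information-use events, as a protocol decoder would emit
# them from captured traffic: (user, action, document, bytes, owning department)
EVENTS = [
    ("alice", "read", "hr/salaries.xlsx", 120_000, "hr"),
    ("alice", "read", "hr/reviews.docx", 80_000, "hr"),
    ("bob", "read", "eng/design.pdf", 500_000, "eng"),
    ("bob", "read", "hr/salaries.xlsx", 120_000, "hr"),
    ("bob", "read", "eng/roadmap.pptx", 9_000_000, "eng"),
    ("bob", "read", "eng/src.zip", 40_000_000, "eng"),
]

# Constructed contextual information: each user's department and a
# historical daily download baseline as (mean bytes, stddev bytes).
CONTEXT = {
    "alice": {"dept": "hr", "baseline": (300_000, 100_000)},
    "bob": {"dept": "eng", "baseline": (2_000_000, 1_000_000)},
}

def volumetric_detector(events, context, z_threshold=3.0):
    """Volumetric anomaly: total bytes read far above the user's baseline."""
    volume = defaultdict(int)
    for user, _, _, nbytes, _ in events:
        volume[user] += nbytes
    alerts = []
    for user, total in volume.items():
        mean, std = context[user]["baseline"]
        if (total - mean) / std > z_threshold:  # threshold is an assumption
            alerts.append((user, "volumetric_anomaly"))
    return alerts

def context_detector(events, context):
    """Suspicious behavior: reading documents owned by another department."""
    alerts = set()
    for user, action, _, _, owner in events:
        if action == "read" and owner != context[user]["dept"]:
            alerts.add((user, "cross_department_access"))
    return sorted(alerts)

# Assumed P(alert | malicious insider) for each detector; combined by noisy-OR.
ALERT_LIKELIHOOD = {"volumetric_anomaly": 0.6, "cross_department_access": 0.4}

def threat_scores(events, context):
    """Run every detector, then fold each user's alerts into one score in [0, 1]."""
    per_user = defaultdict(set)
    for user, name in volumetric_detector(events, context) + context_detector(events, context):
        per_user[user].add(name)
    scores = {}
    for user in context:
        p_benign = 1.0
        for name in per_user[user]:
            p_benign *= 1.0 - ALERT_LIKELIHOOD[name]
        scores[user] = round(1.0 - p_benign, 3)
    return scores
```

Ranking users for the interface described in the abstract is then just sorting `threat_scores(EVENTS, CONTEXT)` by score.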
Specification