System And Method For Detecting Behavior Anomaly In Information Access

US 20100122120A1
Filed: 04/29/2009
Published: 05/13/2010
Est. Priority Date: 11/12/2008
Status: Active Grant

First Claim

Patent Images

1. A system for detecting anomalous behavior in information access, comprising:

a network interface unit for receiving data packets containing an information access request;

a memory for storing a database containing historical behavior information, the historical behavior information being implemented through a plurality of bitmap tables and counters, the content of each counter being derived from the bitmap tables, each counter having a threshold; and

a controller for analyzing the information access request and modeling the information access request into a plurality of basic elements,wherein the controller compares the information access request with the plurality of bitmap tables and counters and issues an alert if the information access request exceed the threshold in at least one counter.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present invention provides a system and method for identifying anomaly in information requests. The information requests are modeled into a plurality of basic elements and association among the basic elements are tracked. The association of one information request is compared with a plurality of bitmap tables and counters representing a baseline information from a historical behavior information. If the association of this information request differs from the baseline information, an alert is issued.

Citations

20 Claims

1. A system for detecting anomalous behavior in information access, comprising:
- a network interface unit for receiving data packets containing an information access request;
  
  a memory for storing a database containing historical behavior information, the historical behavior information being implemented through a plurality of bitmap tables and counters, the content of each counter being derived from the bitmap tables, each counter having a threshold; and
  
  a controller for analyzing the information access request and modeling the information access request into a plurality of basic elements,wherein the controller compares the information access request with the plurality of bitmap tables and counters and issues an alert if the information access request exceed the threshold in at least one counter.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The system of claim 1, wherein the controller further updates the historical behavior information according to the information access request.
  - 3. The system of claim 1, wherein the alert is associated with a level and the controller further decreases the level for the alert.
  - 4. The system of claim 1, wherein the controller further tracks association among basic elements.
  - 5. The system of claim 1, wherein the controller retrieves the information access request if an alert is issued.
  - 6. The system of claim 1, wherein the plurality of bitmap tables include a bitmap table depicting a relationship between a file and times when the file has been accessed.

7. A method for detecting anomalous information access, comprising the steps of:
- receiving by a network interface unit data packets containing an information access request;
  
  parsing by a controller contents of the information access request into a plurality of basic elements;
  
  comparing by the controller each basic element of the information access request with a bitmap table representing a historical behavior information stored in a database;
  
  modifying a counter according to a comparison result; and
  
  issuing an alert if the counter exceeds a threshold set for the counter.
- View Dependent Claims (8, 9, 10, 11)
- - 8. A method of claim 7, further comprising the steps of:
    - checking if the alert is acceptable; and
      
      if the alert is acceptable, updating by the controller at least one bitmap table representing the historical behavior information according to the contents of the information access request.
  - 9. The method of claim 7, further comprising the step of decreasing a level associated with the alert.
  - 10. The method of claim 7, further comprising the step of tracking association among the basic elements.
  - 11. The method of claim 7, wherein the historical behavior information further comprises a plurality of bitmap tables, each bitmap table depicting a relationship between two basic elements.

12. A method for detecting anomalous information access, comprising the steps of:
- receiving an information access request at a network interface;
  
  disassembling the information access request into a plurality of basic elements;
  
  comparing each basic element with at least one bitmap table and at least one counter stored in a memory; and
  
  if an anomaly is detected through the comparing step, issuing an alert.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19)
- - 13. The method of claim 12, further comprising the step of retrieving the information access request.
  - 14. The method of claim 12, wherein the plurality of basic elements include who, when, how, what, and where.
  - 15. The method of claim 12, further comprising the step of checking a timer associated with the at least one bitmap table.
  - 16. The method of claim 12, further comprising the step of checking an access counter associated with the at least one bitmap table.
  - 17. The method of claim 12, further comprising the steps of:
    - checking if the alert is acceptable; and
      
      updating the at least one bitmap table according to the basic element if the alert is acceptable.
  - 18. The method of claim 17, wherein the step of updating the at least one bitmap table further comprising the step of determining if the alert is acceptable by a system administrator.
  - 19. The method of claim 12, wherein the step of issuing an alert further comprising the steps of:
    - retrieving the information access request; and
      
      collecting additional information from the information access request.

20. A computer-readable medium on which is stored a computer program for assigning system resources to connections associated with an originating server and a destination server in a communication network, the computer program comprising computer instructions that when executed by a computing device performs the steps for:
- receiving by a network interface unit data packets containing an information access request;

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Datiphy Inc.
Original Assignee
Yeejang James Lin
Inventors
Lin, Yeejang James

Granted Patent

US 8,572,736 B2
Time in Patent Office

Days
Field of Search
US Class Current

714/47
CPC Class Codes

G06F 11/0706   the processing taking place...

G06F 11/076   by exceeding a count or rat...

G06F 21/55   Detecting local intrusion o...

H04L 41/06   Management of faults, event...

H04L 63/1425   Traffic logging, e.g. anoma...

System And Method For Detecting Behavior Anomaly In Information Access

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

System And Method For Detecting Behavior Anomaly In Information Access

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links