INSIDER THREAT CORRELATION TOOL

US 20110185056A1
Filed: 01/26/2010
Published: 07/28/2011
Est. Priority Date: 01/26/2010
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method comprising:

calculating a first threat score corresponding to a first time period for a plurality of user accounts, each user account having access to a first network and at least a portion of the user accounts having access to a second network that comprises a centralized store of electronic data, the calculations of the first threat score for each user account comprising;

receiving at least one of an indication of activity through the first network for the presence of a security threat, an ethics threat, or combinations thereof;

receiving an indication indicative of any blocked transmissions and non-blocked transmissions through a targeted communication application associated with the user account that meet a predefined criterion; and

determining if a transmission through the first network is transmitted or received through an unauthorized protocol; and

comparing the first threat score with a second threat score corresponding to a second time period to create an overall threat score.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods for calculating threat scores for individuals within an organization or domain are provided. Aspects of the invention relate to computer-implemented methods that form a predictive threat rating for user accounts. In one implementation, a first threat score representing a first time period may be calculated. The first threat score may be compared with aspects of the same user accounts for a second time period. Weighting schemes may be applied to certain activities, controls, and/or user accounts. Further aspects relate to apparatuses configured to execute methods for ranking individual user accounts. Certain embodiments may not block transmissions that violate predefine rules, however, indications of such improper transmission may be considered when constructing a threat rating. Blocked transmissions enforced upon a user account may also be received. Certain activity, such as accessing the internet, may be monitored for the presence of a security threat and/or an ethics threat.

Citations

20 Claims

1. A computer-implemented method comprising:
- calculating a first threat score corresponding to a first time period for a plurality of user accounts, each user account having access to a first network and at least a portion of the user accounts having access to a second network that comprises a centralized store of electronic data, the calculations of the first threat score for each user account comprising;
  
  receiving at least one of an indication of activity through the first network for the presence of a security threat, an ethics threat, or combinations thereof;
  
  receiving an indication indicative of any blocked transmissions and non-blocked transmissions through a targeted communication application associated with the user account that meet a predefined criterion; and
  
  determining if a transmission through the first network is transmitted or received through an unauthorized protocol; and
  
  comparing the first threat score with a second threat score corresponding to a second time period to create an overall threat score.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The method of claim 1, further comprising:
    - applying a weight to at least one user account of the plurality of user accounts, wherein the weight is assigned to the at least one user account if the user account is in the group consisting of;
      
      granted access rights to a specific collection of data, exempt from having at least one software application, the at least one software application is absent;
      
      access rights to at least one service has been deactivated, and combinations thereof.
  - 3. The method of claim 2, further comprising:
    - receiving an indication whether at least one security application is associated with the user account, wherein if the at least one software application is associated with the user account, then;
      
      monitoring illegal storage attempts; and
      
      recording a filename associated with illegal storage attempts; and
      
      if the at least one security application is not associated with the user account, then applying a first weight to the user account; and
      
      wherein if the at least one security application is disabled for the user account, then applying a second weight to the user account.
  - 4. The method claim 1, wherein the first time period is less than about 3 days and the second time period is more than about 40 days.
  - 5. The method of claim 1, further comprising:
    - applying an activity weight to at least one activity selected from the group consisting of;
      
      a security threat, an ethics threat, blocked transmission of the targeted communication application, transmission through the targeted communication application meeting the predefined criterion, attempted access to the centralized store, an attempted illegal storage attempt, and combinations thereof.
  - 6. The method of claim 5, further comprising:
    - applying a second activity weight to at least one activity if the at least one activity occurred during a first time frame within either the first or second time period.
  - 7. The method of claim 6, wherein the first time frame is selected from a predefined quantity of time before a user associated with the user account is scheduled to utilize a network, a predefined quantity of time before or after an average time frame the user account is active on a network, a specific date, and combinations thereof.
  - 8. The method of claim 5, further comprising:
    - applying a second activity weight to at least one activity if an incidence of activity is above a predetermined threshold.
  - 9. The method of claim 8, wherein the predetermined threshold is based upon, the user account'"'"'s average activity, average activity of other user accounts, or combinations thereof.
  - 10. The method of claim 7, wherein the activities that occurred during the first time period are weighted differently than the activities that occurred during the second time period.
  - 11. The method of claim 10, wherein the activities that occurred during the first time period and the second time period are weighted according to the values set forth in Table 1.
  - 12. The method of claim 9, further comprising:
    - assigning a weight to at least one user account of the plurality of user accounts, wherein a weight is assigned to the at least one user account if classified in the group consisting of;
      
      access rights to a specific collection of data, exempt from having the at least one software application, the at least one software application is absent;
      
      access rights to at least one service has been deactivated, and combinations thereof.
  - 13. The method of claim 12, wherein the user accounts are weighted according to the values set forth in Table 2.
  - 14. The method of claim 1, wherein a software application from the at least one software application is configured to perform an action selected from the group consisting of:
    - preventing unauthorized writing of data to a specific location, monitor a transfer of data through the first network, monitor a transfer of data using the communication protocol.

15. A computer-implemented method comprising:
- calculating a threat score for a plurality of user accounts having access to a first network and at least a portion of the user accounts having access to a second network that comprises a centralized store of electronic data, comprising, for each user account determining an overall threat score (f_overall), wherein
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The method of claim 15, wherein spike_xis assigned a first integer if the first threshold level of spike_xis about 40% great than the average of the same user account during the second time period.
  - 17. The method of claim 15, wherein the aboveavg_xis assigned a first integer if the first threshold level of aboveavg_xis above about 30% greater than the activity of the plurality of user accounts for the same time period.
  - 18. The method of claim 15, wherein the offhours_xis assigned a first integer if the activity level is detected about 6 hours before or after the average start or end time for that user account.
  - 19. The method of claim 15, wherein an activity is selected from the group consisting of:
    - a security threat, an ethics threat, blocked transmission through the targeted communication application, transmission through the targeted communication application meeting the predefined criterion, attempted access of the centralized store, an attempted illegal storage attempt, and combinations thereof.
  - 20. The method of claim 15, wherein f_personis calculated according to:
    - f_person=1+Σ
      
      _x=0ⁿ(category_x)(weight_category).

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Bank of America Corp.
Original Assignee
Bank of America Corp.
Inventors
McHugh, Brian, Metzger, Timothy C., Ramcharran, Ronald, Langsam, Peter J.

Granted Patent

US 8,782,209 B2
Time in Patent Office

Days
Field of Search
US Class Current

709/224
CPC Class Codes

G06F 21/577   Assessing vulnerabilities a...

G06F 2221/2101   Auditing as a secondary aspect

G06F 2221/2115   Third party

G06F 2221/2117   User registration

H04L 63/14   for detecting or protecting...

H04L 63/20   for managing network securi...

INSIDER THREAT CORRELATION TOOL

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

INSIDER THREAT CORRELATION TOOL

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links