ANOMALOUS ACTIVITY DETECTION

US 20110202500A1
Filed: 04/27/2010
Published: 08/18/2011
Est. Priority Date: 02/15/2010
Status: Active Grant

First Claim

Patent Images

15. A tangible computer-readable medium comprising computer-executable instructions that when executed by a processor cause a system to perform:

receiving a plurality of data feeds comprising information regarding activity events associated with at least one of a plurality of user accounts during a first time period;

removing duplicate activity events that exist without technical or human error from the electronic information to create de-duplicated activity events, wherein the electronic information of at least one duplicate activity event generated by a first data feed and the electronic information of at least another activity event was generated by a second application;

enriching the de-duplicated activity events with enrichment criteria to create enriched activity events;

receiving exclusion criteria comprising for at least one activity event of at least one user account; and

determining whether to transmit an actionable alert, andtransmitting an actionable alert.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The disclosure addresses the detection of anomalous activity. Some embodiments are directed towards consolidating information from multiple data feeds. Exemplary information may relate to: extrusion violations, failed logins, sensitive fields access, sensitive objects access, escalation of privileges, or activity during a specific time frame within a time period, and combinations of one or more of these. In one embodiment, duplicate data may be removed or consolidated.

Citations

21 Claims

15. A tangible computer-readable medium comprising computer-executable instructions that when executed by a processor cause a system to perform:
- receiving a plurality of data feeds comprising information regarding activity events associated with at least one of a plurality of user accounts during a first time period;
  
  removing duplicate activity events that exist without technical or human error from the electronic information to create de-duplicated activity events, wherein the electronic information of at least one duplicate activity event generated by a first data feed and the electronic information of at least another activity event was generated by a second application;
  
  enriching the de-duplicated activity events with enrichment criteria to create enriched activity events;
  
  receiving exclusion criteria comprising for at least one activity event of at least one user account; and
  
  determining whether to transmit an actionable alert, andtransmitting an actionable alert.
- View Dependent Claims (1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 16, 17, 18, 19, 20)
- - 1. A system comprising:
    - a processor in operative communication with at least one memory comprising;
      
      a staging module configured to receive from multiple data feeds, information regarding a plurality of activity events associated with a least one user account from a plurality of user accounts and conducted during a first time period; and
      
      a de-duplication module configured to detect duplicate activity events that exist without technical or human error from the information to create de-duplicated activity events, the de-duplication module comprising;
      
      a key component configured to detect values within the information to detect a duplicate activity event;
      
      a non-key component configured to detect a time value within the information of the plurality of activity events to detect a duplicate activity event;
      
      a sum component configured to detect repetitive electronic information among different activity events during a time frame within the time period; and
      
      an append component configured to append a value onto one or more de-duplicated activity events relating to the electronic information of a plurality of activity events.
  - 2. The system of claim 1, wherein the first time period is between 45 and 50 hours.
  - 3. The system of claim 2, wherein the de-duplication module is configured to remove at least 98% of the activity events that occurred during the first time period.
  - 4. The system of claim 1, wherein the de-duplication module is configured to generate data comprising comma separated values that represent a plurality of duplicative activity events organized into an aggregate event.
  - 5. The system of claim 1, the at least one memory further comprising:
    - an enrichment module configured to enrich the de-duplicated activity events with enrichment criteria from an updatable repository to create enriched activity events; and
      
      an exclusion module in operative communication with the enrichment module, configured to compare known patterns relating to one or more user accounts stored in the repository to the information of the de-duplicated activity events;
      
      wherein in combination, the enrichment module and the exclusion module are configured to exclude at least a portion of de-duplicated activity events and enrich at least a portion of the de-duplicated activity events.
  - 6. The system of claim 5, wherein the enrichment module is configured to apply enrichment criteria to at least a first portion of the de-duplicated activity events and, based at least in part upon the applied enrichment criteria, the exclusion module is configured to exclude at least one de-duplicated activity event of the first portion from further enrichment by the enrichment module.
  - 7. The system of claim 6, wherein the enrichment module is configured to further enrich the first portion of activity events that were not excluded by the enrichment module.
  - 8. The system of claim 5, wherein at least one of the exclusion module and the enrichment module is configured to receive information regarding user account threshold information.
  - 9. The system of claim 8, wherein the threshold information relates to a category selected from the group consisting of:
    - extrusion violations, failed logins, sensitive field access, sensitive object access, escalation of privileges, activity during a first time frame of a first time period, and combinations thereof.
  - 10. The system of claim 9, wherein at least a portion of the threshold information is received from a responsible user account.
  - 11. The system of claim 9, wherein at least a portion of the threshold information is determined, at least in part, from historical data obtained from the a knowledge base.
  - 12. The system of claim 9, wherein the enrichment module is configured to receive information from the knowledge base selected from the group consisting of:
    - a common name of a user associated with a user account, a common name of a network asset, and combinations thereof.
  - 13. The system of claim 9, the at least one memory further comprising:
    - an actionable identification module configured to determine whether to escalate an activity event processed by the enrichment module to a notification.
  - 14. The system of claim 9, wherein the system is configured to determine if a new pattern is detected within a de-duplicated activity event, and if so, the system is further configured to transmit a notification of the new pattern.
  - 16. The computer-readable medium of claim 15, wherein the detection of duplicate activity events is configured to perform at least two actions selected from the group consisting of:
    - detecting values within the information of the plurality of activity events to detect duplicate activity events; and
      
      detecting time values within the information of the plurality of activity events to detect duplicate activity events;
  - 17. The computer-readable medium of claim 16, wherein at least a portion of the duplicate activity events are removed and a least a portion of the duplicate activity events are aggregated into an aggregate activity event.
  - 18. The computer-readable medium of claim 17, wherein the formation of the aggregate event comprises:
    - detecting information indicative of repetitive activity events over a time frame within the time period; and
      
      appending a value onto one or more de-duplicated activity events relating to the information regarding to the repetitive activity events.
  - 19. The computer-readable medium of claim 18, the instructions further comprising:
    - updating a knowledge base with the new pattern.
  - 20. The computer-readable medium of claim 16, wherein at least a portion of the enrichment criteria is received from a first responsible user account and at least a portion of the enrichment criteria is received from a second responsible user account.

18-1. The computer-readable medium of claim 16, the instructions further comprising:
- determining if a new pattern exists within the enriched activity events.

21. A system comprising:
- a processor in operative communication with at least one memory comprising a staging module, a de-duplication module, an enrichment module, an exclusion, whereinthe staging module is configured to receive electronic information generated from a plurality of data feeds regarding activity events for about a 48 hour period regarding plurality of user accounts;
  
  wherein the electronic information comprises information selected from the group consisting of;
  
  extrusion violations, failed logins, sensitive field access, sensitive object access, escalation of privileges;
  
  wherein the de-duplication module is configured to remove duplicate activity events that exist without technical or human error from the electronic information to create de-duplicated activity events, comprising;
  
  a key component configured to detect values within the electronic information of the plurality of activity events to detect duplicates a single activity event;
  
  a non-key component configured to detect time values within the electronic information of the plurality of activity events to detect duplicates of a single activity event;
  
  a sum component configured to detect repetitive electronic information among different activity events over a time frame within the time period; and
  
  an append component configured to append a value onto one or more de-duplicated activity events relating to the electronic information of a plurality of activity events;
  
  wherein the enrichment module is configured to enrich the de-duplicated activity events with enrichment criteria from an updatable knowledge base to create enriched activity events;
  
  wherein the exclusion module is in operative communication with the enrichment module, configured to detect known patterns within the electronic information relating to one or more user accounts, wherein at least a portion of the known patterns are received from the knowledge base, wherein in combination the enrichment module and the exclusion module are configured to exclude at least a portion of de-duplicated activity events and enrich at least a portion of the de-duplicated activity events; and
  
  a mechanism for transmitting transmit an actionable alert comprising information regarding a plurality of enriched activity events.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Bank of America Corp.
Original Assignee
Bank of America Corp.
Inventors
Nuthi, Sireesh Kumar, Warn, Carmen Michael, Bhattaram, Praneeth Chandra

Granted Patent

US 8,280,844 B2
Time in Patent Office

Days
Field of Search
US Class Current

707/607
CPC Class Codes

G06F 21/55   Detecting local intrusion o...

G06F 21/6218   to a system of files or obj...

H04L 63/102   Entity profiles

H04L 63/20   for managing network securi...

ANOMALOUS ACTIVITY DETECTION

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

ANOMALOUS ACTIVITY DETECTION

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links