ANOMALOUS ACTIVITY DETECTION

US 20110202969A1
Filed: 04/27/2010
Published: 08/18/2011
Est. Priority Date: 02/15/2010
Status: Active Grant

First Claim

Patent Images

1. A tangible computer-readable medium comprising computer-executable instructions that when executed by a processor cause a system to perform:

receiving an indication relating to a plurality of controls being monitored in relation to activity events of a plurality of user accounts;

organizing at least a portion of the plurality of user accounts into a group based upon information relating to the user accounts;

receiving identification information associated with a responsible account that is responsible for a plurality of user accounts;

receiving instructions from a responsible account associated with the monitoring of thresholds for at least a portion of the controls being monitored; and

applying the instructions to at least one group of user accounts to create a dynamic security policy.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The disclosure addresses the detection of anomalous activity. Some embodiments are directed towards a system for receiving an indication relating to a plurality of controls, identification information associated with a responsible account, and instructions from a responsible account associated with the monitoring of thresholds of controls being monitored. The plurality of user account may be organized into groups based upon information relating to the user accounts, and instructions may be applied to the groups to create a dynamic security policy.

Citations

20 Claims

1. A tangible computer-readable medium comprising computer-executable instructions that when executed by a processor cause a system to perform:
- receiving an indication relating to a plurality of controls being monitored in relation to activity events of a plurality of user accounts;
  
  organizing at least a portion of the plurality of user accounts into a group based upon information relating to the user accounts;
  
  receiving identification information associated with a responsible account that is responsible for a plurality of user accounts;
  
  receiving instructions from a responsible account associated with the monitoring of thresholds for at least a portion of the controls being monitored; and
  
  applying the instructions to at least one group of user accounts to create a dynamic security policy.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The computer-readable medium of claim 1, the instructions further comprising:
    - based upon the identification information, transmitting information to a responsible account regarding the plurality of controls being monitored in relation to activity events of the plurality of user accounts.
  - 3. The computer-readable medium of claim 2, wherein the information relating to the user accounts comprises a request to provide the instructions from a responsible account associated with the monitoring of thresholds.
  - 4. The computer-readable medium of claim 2, wherein the information relating to the user accounts comprises data regarding activity events of at least one of the user accounts for which the responsible account is responsible.
  - 5. The computer-readable medium of claim 2, wherein at least a portion of the identification information relating to the user accounts is received from a repository configured to be automatically updated with access rights and demographic information relating to users associated with the user accounts.
  - 6. The computer-readable medium of claim 1, the computer-readable instructions further comprising:
    - determining that a universal parameter applies to a user account, where the universal parameter applies to all user accounts regardless of whether the user account is within a group.
  - 7. The computer-readable medium of claim 1, wherein the grouping of the plurality of user accounts is determined by criterion selected from the group consisting of:
    - the user accounts predetermined security level, job responsibilities associated with the user accounts, division or organizational structures within an entity, supervisor information for the user accounts, and combinations thereof.
  - 8. The computer-readable medium of claim 1, wherein at least a portion of the controls are determined based upon capabilities of a security application.
  - 9. The computer-readable medium of claim 8, wherein the capabilities of the security application are extracted using the staging apparatus.
  - 10. The computer-readable medium of claim 1, wherein the thresholds relate to a category selected from a group consisting of:
    - extrusion violations, failed logins, sensitive field access, sensitive object access, escalation of privileges, activity during a first time frame of a first time period, and combinations thereof, wherein at least a portion of the threshold information is received from the responsible account.
  - 11. The computer-readable medium of claim 1, the instructions further comprising:
    - receiving an enrichment criteria from a responsible account associated with the monitoring of thresholds.

12. A system comprising:
- a processor in operative communication with at least one memory comprising;
  
  a staging module configured to receive from multiple data feeds, information regarding a plurality of activity events associated with a least one user account from a plurality of user accounts and conducted during a first time period;
  
  an identification module configured to;
  
  identify information relating to the plurality of user accounts;
  
  organize at least a portion of the plurality of user accounts into a group based upon information relating to the user accounts; and
  
  receive identification information associated with a responsible account that is responsible for a plurality of user accounts; and
  
  an output report feeds processing engine configured to store an output of a reports analysis engine.
- View Dependent Claims (13, 14, 15, 16, 17)
- - 13. The system of claim 12, where the output report feeds processing engine comprises rules affecting reporting.
  - 14. The system of claim 12, where the identification module receives input from a knowledge database.
  - 15. The system of claim 14, where the information is used to identify status of the user of the user account from an event.
  - 16. The system of claim 12, wherein the first time period is between 45 and 50 hours.
  - 17. The system of claim 12, the at least one memory further comprising:
    - a de-duplication module configured to detect duplicate activity events that exist without technical or human error from the information to create de-duplicated activity events, wherein the de-duplication module is configured to generate data comprising comma separated values that represent a plurality of duplicative activity events organized into an aggregate event.an enrichment module configured to enrich the de-duplicated activity events with enrichment criteria from an updatable repository to create enriched activity events;
      
      an exclusion module in operative communication with the enrichment module, configured to compare known patterns relating to one or more user accounts stored in a repository to the information of the de-duplicated activity events, wherein in combination, the enrichment module and the exclusion module are configured to exclude at least a portion of de-duplicated activity events and enrich at least a portion of the de-duplicated activity events; and
      
      an actionable identification module configured to determine whether to escalate an activity event processed by an enrichment module to a notification.

18. A method performed at a staging apparatus, the method comprising:
- receiving, at an electronic processor of the staging apparatus, an indication relating to a plurality of controls being monitored in relation to activity events of a plurality of user accounts;
  
  organizing, using the processor, at least a portion of the plurality of user accounts into a group based upon information relating to the user accounts;
  
  receiving, at the processor, identification information associated with a responsible account that is responsible for a plurality of user accounts;
  
  receiving, at the processor, instructions from a responsible account associated with the monitoring of thresholds for at least a portion of the controls being monitored; and
  
  applying, using the processor, the instructions to at least one group of user accounts to create a dynamic security policy.
- View Dependent Claims (19, 20)
- - 19. The method of claim 18, further comprising:
    - based upon the identification information, transmitting information to a responsible account regarding the plurality of controls being monitored in relation to activity events of the plurality of user accounts.
  - 20. The method of claim 18, wherein at least a portion of the identification information relating to the user accounts is received from a repository configured to be automatically updated with access rights and demographic information relating to users associated with the user accounts, and wherein the grouping of the plurality of user accounts is determined by criterion selected from the group consisting of:
    - the user accounts predetermined security level, job responsibilities associated with the user accounts, division or organizational structures within an entity, supervisor information for the user accounts, and combinations thereof.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Bank of America Corp.
Original Assignee
Bank of America Corp.
Inventors
Nuthi, Sireesh Kumar, Warn, Carmen Michael, Bhattaram, Praneeth Chandra

Granted Patent

US 8,595,789 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/1
CPC Class Codes

G06F 21/55   Detecting local intrusion o...

G06F 21/6218   to a system of files or obj...

H04L 63/102   Entity profiles

H04L 63/20   for managing network securi...

ANOMALOUS ACTIVITY DETECTION

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

ANOMALOUS ACTIVITY DETECTION

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links