SYSTEMS AND METHODS FOR DETECTING AND INVESTIGATING INSIDER FRAUD

US 20110225650A1
Filed: 11/19/2010
Published: 09/15/2011
Est. Priority Date: 03/11/2010
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for detecting and investigating insider fraud, comprising:

identifying one or more insider threat detection rules for an enterprise, the enterprise associated with a plurality of enterprise insiders;

obtaining, from a plurality of behavioral data sources, behavioral data for a first enterprise insider of the plurality of enterprise insiders, the behavioral data for the first enterprise insider describing at least an action of the first enterprise insider;

determining a threat score for the first enterprise insider based on the behavioral data for the first enterprise insider and one or more of the insider threat detection rules; and

initiating, when the threat score satisfies a threat threshold, one or more protective actions.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems, methods, and apparatus, including computer programs encoded on computer storage media, for detecting insider fraud. One method includes identifying one or more insider threat detection rules for an enterprise and obtaining behavioral data for an enterprise insider from multiple behavioral data sources. The enterprise is associated with a plurality of enterprise insiders, and the behavioral data describes at least one action of the first enterprise insider. The method further includes determining a threat score for the first enterprise insider based on the behavioral data for the first enterprise insider and one or more of the insider threat detection rules and initiating, when the threat score satisfies a threat threshold, one or more protective actions.

Citations

30 Claims

1. A computer-implemented method for detecting and investigating insider fraud, comprising:
- identifying one or more insider threat detection rules for an enterprise, the enterprise associated with a plurality of enterprise insiders;
  
  obtaining, from a plurality of behavioral data sources, behavioral data for a first enterprise insider of the plurality of enterprise insiders, the behavioral data for the first enterprise insider describing at least an action of the first enterprise insider;
  
  determining a threat score for the first enterprise insider based on the behavioral data for the first enterprise insider and one or more of the insider threat detection rules; and
  
  initiating, when the threat score satisfies a threat threshold, one or more protective actions.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The computer-implemented method of claim 1, wherein the threat score represents a likelihood that the actions of the first enterprise insider represent insider fraud.
  - 3. The computer-implemented method of claim 1, further comprising:
    - receiving first feedback from the enterprise; and
      
      updating one or more of the insider threat detection rules in response to the received first feedback.
  - 4. The computer-implemented method of claim 3, wherein the insider threat detection rules include one or more industry-specific threat detection rules for an industry associated with the enterprise, the method further comprising:
    - receiving second feedback from a plurality of entities associated with the industry; and
      
      updating one or more of the industry-specific threat detection rules based on the second feedback.
  - 5. The computer-implemented method of claim 1, wherein initiating the one or more protective actions comprises:
    - opening a case corresponding to the first enterprise insider;
      
      generating a workflow associated with the case; and
      
      alerting an analyst that the case has been opened.
  - 6. The computer-implemented method of claim 1, wherein initiating the one or more protective actions comprises:
    - initiating monitoring of the first enterprise insider.
  - 7. The computer-implemented method of claim 1, wherein initiating the one or more protective actions comprises:
    - limiting an access of the first enterprise insider to one or more enterprise resources.
  - 8. The computer-implemented method of claim 1, wherein the one or more insider threat detection rules include one or more of an industry-specific rule, a general rule, and an enterprise-specific rule.
  - 9. The computer-implemented method of claim 1, wherein the plurality of behavioral data sources include two or more of a desktop activity source, a network activity source, a server activity source, an application activity source, a web activity source, a personnel activity source, a human intelligence source, a firewall activity source, and a physical activity source.
  - 10. The computer-implemented method of claim 1, wherein the behavioral data further includes data describing an action of a second enterprise insider, the method further comprising:
    - identifying behavioral data corresponding to the second enterprise insider.

11. A system for detecting and investigating insider fraud, comprising:
- at least one memory to store data and instructions; and
  
  at least one processor configured to access the at least one memory and, when executing the instructions, to;
  
  identify one or more insider threat detection rules for an enterprise, the enterprise associated with a plurality of enterprise insiders;
  
  obtain, from a plurality of behavioral data sources, behavioral data for a first enterprise insider, the behavioral data for the first enterprise insider describing at least an action of the first enterprise insider;
  
  determine a threat score for first enterprise insider based on the behavioral data for the first enterprise insider and one or more of the insider threat detection rules; and
  
  initiating, when the threat score satisfies a threat threshold, one or more protective actions.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The system of claim 11, wherein the threat score represents a likelihood that the actions of the first enterprise insider represent insider fraud.
  - 13. The system of claim 11, wherein the at least one processor is further configured to:
    - receive first feedback from the enterprise; and
      
      update one or more of the insider threat detection rules in response to the received first feedback.
  - 14. The system of claim 13, wherein the insider threat detection rules include one or more industry-specific threat detection rules for an industry associated with the enterprise, and the at least one processor is further configured to:
    - receive second feedback from a plurality of entities associated with the industry; and
      
      update one or more of the industry-specific threat detection rules based on the second feedback.
  - 15. The system of claim 11, wherein when the at least one processor is configured to initiate the one or more protective actions, the at least one processor is further configured to:
    - open a case corresponding to the first enterprise insider;
      
      generate a workflow associated with the case; and
      
      alert an analyst that the case has been opened.
  - 16. The system of claim 11, wherein when the at least one processor is configured to initiate the one or more protective actions, the at least one processor is further configured to:
    - initiate monitoring of the first enterprise insider.
  - 17. The system of claim 11, wherein when the at least one processor is configured to initiate the one or more protective actions, the at least one processor is further configured to:
    - limit an access of the first enterprise insider to one or more enterprise resources.
  - 18. The system of claim 11, wherein the one or more insider threat detection rules include one or more of an industry-specific rule, a general rule, and an enterprise-specific rule.
  - 19. The system of claim 11, wherein the plurality of behavioral data sources include two or more of a desktop activity source, a network activity source, a server activity source, an application activity source, a web activity source, a personnel activity source, a human intelligence source, a firewall activity source, and a physical activity source.
  - 20. The system of claim 11, wherein the behavioral data further includes data describing an action of a second enterprise insider, and wherein the at least one processor is further configured to:
    - identify behavioral data corresponding to the second enterprise insider.

21. A computer storage medium encoded with a computer program, the computer program comprising instructions operable to cause data processing apparatus to perform operations for detecting and investigating insider fraud, comprising:
- identifying one or more insider threat detection rules for an enterprise, the enterprise associated with a plurality of enterprise insiders;
  
  obtaining, from a plurality of behavioral data sources, behavioral data for a first enterprise insider of the plurality of enterprise insiders, the behavioral data for the first enterprise insider describing at least an action of the first enterprise insider;
  
  determining a threat score for the first enterprise insider based on the behavioral data for the first enterprise insider and one or more of the insider threat detection rules; and
  
  initiating, when the threat score satisfies a threat threshold, one or more protective actions.
- View Dependent Claims (22, 23, 24, 25, 26, 27, 28, 29, 30)
- - 22. The computer storage medium of claim 21, wherein the threat score represents a likelihood that the actions of the first enterprise insider represent insider fraud.
  - 23. The computer storage medium of claim 21, wherein the instructions are further operable to cause the data processing apparatus to perform operations comprising:
    - receiving first feedback from the enterprise; and
      
      updating one or more of the insider threat detection rules in response to the received first feedback.
  - 24. The computer storage medium of claim 23, wherein the insider threat detection rules include one or more industry-specific threat detection rules for an industry associated with enterprise, and wherein the instructions are further operable to cause the data processing apparatus to perform operations comprising:
    - receiving second feedback from a plurality of entities associated with the industry; and
      
      updating one or more of the industry-specific threat detection rules based on the second feedback.
  - 25. The computer storage medium of claim 21, wherein initiating the one or more protective actions comprises:
    - opening a case corresponding to the first enterprise insider;
      
      generating a workflow associated with the case; and
      
      alerting an analyst that the case has been opened.
  - 26. The computer storage medium of claim 21, wherein initiating the one or more protective actions comprises:
    - initiating monitoring of the first enterprise insider.
  - 27. The computer storage medium of claim 21, wherein initiating the one or more protective actions comprises:
    - limiting an access of the first enterprise insider to one or more enterprise resources.
  - 28. The computer storage medium of claim 21, wherein the one or more insider threat detection rules include one or more of an industry-specific rule, a general rule, and an enterprise-specific rule.
  - 29. The computer storage medium of claim 21, wherein the plurality of behavioral data sources include two or more of a desktop activity source, a network activity source, a server activity source, an application activity source, a web activity source, a personnel activity source, a human intelligence source, a firewall activity source, and a physical activity source.
  - 30. The computer storage medium of claim 21, wherein the behavioral data further includes data describing an action of a second enterprise insider, and wherein the instructions are further operable to cause the data processing apparatus to perform operations comprising:
    - identifying behavioral data corresponding to the second enterprise insider.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Accenture Global Services Limited (Accenture PLC)
Original Assignee
Accenture Global Services Limited (Accenture PLC)
Inventors
Krull, Joseph Eric, Lippiatt, Keith Gregory, Margolies, Jeffrey M.

Granted Patent

US 8,868,728 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/22
CPC Class Codes

G06F 21/554 involving event detection a...

G06Q 10/06 Resources, workflows, human...

SYSTEMS AND METHODS FOR DETECTING AND INVESTIGATING INSIDER FRAUD

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

SYSTEMS AND METHODS FOR DETECTING AND INVESTIGATING INSIDER FRAUD

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links