INSIDER THREAT CORRELATION TOOL

US 20120023576A1
Filed: 07/22/2010
Published: 01/26/2012
Est. Priority Date: 07/22/2010
Status: Active Grant

First Claim

Patent Images

1. A computer-readable medium comprising computer-executable instructions that when executed by a processor cause the processor to perform:

detecting activities associated with a plurality of user accounts involving a plurality of control groups;

determining that a threshold quantity of activities violated at least two controls in the control groups comprising;

detecting that a user account accessed a first storage device;

determining if the user account has permission rights to conduct the access to the first storage device;

wherein if the user account does not have permission rights to conduct the access, determining that an activity violation has occurred, wherein if the user account does have permission rights to conduct the access, determining that an authorized access occurred and storing an attribute value of the access;

determining that at least one activity violation has occurred; and

calculating a predictive threat rating for the first user account.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods for calculating threat scores for individuals within an organization or domain are provided. Aspects of the invention relate to computer-implemented methods that form a predictive threat rating for user accounts. In one implementation, a threat score representing a first time period may be calculated. The first threat score may be calculated from a quantification of a plurality of activity violations across a plurality of control groups. Weighting schemes may be applied to certain activities, controls, and/or user accounts. Further embodiments may be configured to consider additional indicators. Further aspects relate to apparatuses configured to execute methods for ranking individual user accounts. Certain embodiments may not block transmissions that violate predefine rules, however, indications of such improper transmission may be considered when constructing a threat rating.

Citations

20 Claims

1. A computer-readable medium comprising computer-executable instructions that when executed by a processor cause the processor to perform:
- detecting activities associated with a plurality of user accounts involving a plurality of control groups;
  
  determining that a threshold quantity of activities violated at least two controls in the control groups comprising;
  
  detecting that a user account accessed a first storage device;
  
  determining if the user account has permission rights to conduct the access to the first storage device;
  
  wherein if the user account does not have permission rights to conduct the access, determining that an activity violation has occurred, wherein if the user account does have permission rights to conduct the access, determining that an authorized access occurred and storing an attribute value of the access;
  
  determining that at least one activity violation has occurred; and
  
  calculating a predictive threat rating for the first user account.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The computer-readable medium of claim 1, further comprising instructions that when executed by the processor cause the processor to perform:
    - determining whether an indicator is associated with the first user account, wherein the additional indicator is selected from the group consisting of;
      
      a prior investigation of a user of the user account, a prior investigation of another individual, the volume or type of information accessible by the user account, whether the user account has an exception to a security policy, and combinations thereof.
  - 3. The computer-readable medium of claim 1, wherein the control groups comprise controls selected from the group consisting of:
    - removable media controls, unencrypted transmission controls, encrypted targeted communication controls, and combinations thereof.
  - 4. The computer-readable medium of claim 1, further comprising instructions that when executed by the processor cause the processor to perform:
    - receiving an indication that a first attribute value of an unblocked targeted communication from a first user account is similar to a first attribute value of a blocked transmission from the first user account.
  - 5. The computer-readable medium of claim 1, wherein an attribute of the access is selected from the group consisting of:
    - a filename accessed, a size of a file accessed, a location of a file accessed, metadata regarding a file accessed, or combinations thereof.
  - 6. The computer-readable medium of claim 5, wherein the computer-readable medium is operatively detachable from the processor.
  - 7. The computer-readable medium of claim 6, further comprising instructions that when executed by the processor cause the processor to perform:
    - detecting the presence of a removable computer-readable medium; and
      
      comparing a value identifying the removable computer-readable medium against a collection of identifiers.
  - 8. The computer-readable medium of claim 4, further comprising instructions that when executed by the processor cause the processor to perform:
    - comparing one or more attribute values against criteria to determine if an activity violation occurred.
  - 9. The computer-readable medium of claim 4, further comprising instructions that when executed by the processor cause the processor to perform:
    - quantifying a quantity of attribute values of authorized accesses during a first time period; and
      
      determining if an activity violation occurred.
  - 10. The computer-readable medium of claim 4, wherein the blocked transmission comprises a targeted communication and the first attribute relates to criteria selected from the group consisting of:
    - encryption status, attachment, recipient of a targeted communication, patterns, words, and combinations thereof.

11. An apparatus comprising:
- a processor;
  
  a control module configured to detecting activities associated with a plurality of user accounts in regards to a plurality of controls;
  
  a computer-readable medium comprising computer-executable instructions that when executed by the processor cause the apparatus to perform;
  
  determining that a threshold quantity of activities violated at least two controls in the control groups comprising;
  
  detecting that a user account accessed a first storage device;
  
  determining if the user account has permission rights to conduct the access to the first storage device;
  
  wherein if the user account does not have permission rights to conduct the access, determining that an activity violation has occurred, wherein if the user account does have permission rights to conduct the access, determining that an authorized access occurred and storing an attribute value of the access;
  
  determining that at least one activity violation has occurred; and
  
  calculating a predictive threat rating for the first user account.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18)
- - 12. The apparatus of claim 11, wherein the controls are selected from the groups consisting of:
    - removable media controls, unencrypted transmission controls, encrypted targeted communication controls, and combinations thereof.
  - 13. The apparatus of claim 11, wherein the controls consist essentially of:
    - removable media controls, unencrypted transmission controls, encrypted targeted communication controls, and combinations thereof.
  - 14. The apparatus of claim 11, wherein an attribute value of the access relates to an attribute selected from the group consisting of:
    - a filename accessed, a size of a file accessed, a location of a file accessed, metadata regarding a file accessed, or combinations thereof.
  - 15. The apparatus of claim 11, the instructions further comprising:
    - detecting the presence of a removable computer-readable medium; and
      
      comparing a value identifying the removable computer-readable medium against a collection of identifiers.
  - 16. The apparatus of claim 11, the instructions further comprising:
    - comparing one or more attribute values against criteria to determine if an activity violation occurred.
  - 17. The apparatus of claim 11, the instructions further comprising:
    - quantifying a quantity of attribute values of authorized accesses during a first time period; and
      
      determining if an activity violation occurred.
  - 18. The apparatus of claim 11, the instructions further comprising:
    - receiving an indication that a first attribute value of an unblocked targeted communication from a first user account is similar to a first attribute value of a blocked transmission from the first user account;
      
      wherein the blocked transmission comprises a targeted communication and the first attribute of the blocked transmission relates to criteria selected from the group consisting of;
      
      encryption status, attachment, recipient of a targeted communication, patterns, words, and combinations thereof.

19. A computer-readable medium comprising computer-executable instructions that when executed by a processor cause the processor to perform:
- detecting activities associated with a plurality of user accounts in regards to a plurality of control groups, wherein at least one of the control groups comprises a plurality of targeted communication controls;
  
  determining that a threshold quantity of activities violated at least two controls in the control groups comprising;
  
  detecting that a user account accessed a first storage device;
  
  determining if the user account has permission rights to conduct the access to the first storage device;
  
  wherein if the user account does not have permission rights to conduct the access, determining that an activity violation has occurred, wherein if the user account does have permission rights to conduct the access, determining that an authorized access occurred and storing an attribute value of the access;
  
  determining that at least one activity violation has occurred; and
  
  calculating a predictive threat rating for the first user account.
- View Dependent Claims (20)
- - 20. The computer-readable medium of claim 19, wherein an attribute value of the authorized access relates to an attribute selected from the group consisting of:
    - a filename accessed, a size of a file accessed, a location of a file accessed, metadata regarding a file accessed, and combinations thereof.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Bank of America Corp.
Original Assignee
Bank of America Corp.
Inventors
Sorensen, Amanda, Byers, Allan

Granted Patent

US 8,793,789 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/22
CPC Class Codes

G06F 21/50   Monitoring users, programs ...

G06F 21/55   Detecting local intrusion o...

G06F 21/577   Assessing vulnerabilities a...

G06F 21/6218   to a system of files or obj...

G06F 21/70   Protecting specific interna...

G06F 21/78   to assure secure storage of...

H04L 63/10   for controlling access to d...

INSIDER THREAT CORRELATION TOOL

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

INSIDER THREAT CORRELATION TOOL

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links