CYBER-SEMANTIC ACCOUNT MANAGEMENT SYSTEM

US 20140143873A1
Filed: 11/20/2013
Published: 05/22/2014
Est. Priority Date: 11/20/2012
Status: Active Grant

First Claim

Patent Images

1. A method for identifying anomalous behavior of an entity, the method comprising:

receiving raw data, wherein the raw data comprises recorded activity for the entity;

generating a behavior profile for the entity based on the raw data, wherein the behavior profile defines a pattern of behavior for the entity;

receiving comparison data;

determining whether the comparison data deviates from the pattern of behavior defined in the behavior profile; and

when the comparison data deviates from the pattern of behavior, identifying the comparison data as anomalous behavior.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems, methods, and apparatus for identifying anomalous behavior are provided. For example, a method may include receiving raw data, generating a behavior profile for the entity based on the raw data, receiving comparison data, determining whether the comparison data deviates from a pattern of behavior defined in the behavior profile, and identifying the comparison data as anomalous behavior when the comparison data deviates from the pattern of behavior. In one embodiment, the raw data includes recorded activity for the entity. In one embodiment, the behavior profile defines a pattern of behavior for the entity. In one embodiment, a countermeasure is performed upon identifying anomalous behavior. The countermeasure may include at least one of revoking the entity'"'"'s credentials, denying the entity access to a resource, shutting down access to a port, and denying access to the entity. The method may further include providing a report of the anomalous behavior.

28 Citations

View as Search Results

20 Claims

1. A method for identifying anomalous behavior of an entity, the method comprising:
- receiving raw data, wherein the raw data comprises recorded activity for the entity;
  
  generating a behavior profile for the entity based on the raw data, wherein the behavior profile defines a pattern of behavior for the entity;
  
  receiving comparison data;
  
  determining whether the comparison data deviates from the pattern of behavior defined in the behavior profile; and
  
  when the comparison data deviates from the pattern of behavior, identifying the comparison data as anomalous behavior.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, further comprising providing a report of the anomalous behavior.
  - 3. The method of claim 1, further comprising upon identifying anomalous behavior, performing a countermeasure.
  - 4. The method of claim 3, wherein the countermeasure comprises at least one of:
    - revoking the entity'"'"'s credentials;
      
      denying the entity access to a resource;
      
      shutting down access to a port; and
      
      denying access to the entity.
  - 5. The method of claim 1, wherein the raw data is weblog data, and wherein the weblog data comprises at least one of:
    - IP address information;
      
      browsing history;
      
      download data; and
      
      time information.
  - 6. The method of claim 1, wherein the raw data comprises at least one of:
    - web service endpoints;
      
      mission role data;
      
      system transactions; and
      
      resource access.
  - 7. The method of claim 1, wherein generating the behavior profile further comprises:
    - transforming the raw data into one or more relational database objects; and
      
      constructing the behavior profile using relational algebra.
  - 8. The method of claim 7, wherein generating the behavior profile further comprises normalizing data in the behavior profile.
  - 9. The method of claim 1, wherein the behavior profile is constructed for a specific date range.
  - 10. The method of claim 1, wherein determining whether the comparison data deviates from the pattern of behavior further comprises:
    - comparing the comparison data to the behavior profile; and
      
      identifying a first portion of the comparison data that does not exist in the behavior profile as anomalous behavior.
  - 11. The method of claim 1, wherein determining whether the comparison data deviates from the pattern of behavior is based upon statistical analysis, wherein portions of the comparison data that lie outside a standard deviation of the behavior profile are identified as anomalous behavior.

12. A computer storage medium encoding computer executable instructions that, when executed by at least one processor, perform a method for identifying anomalous behavior of an entity, the method comprising:
- receiving raw data, wherein the raw data comprises recorded activity for the entity;
  
  generating a behavior profile for the entity based on the raw data, wherein the behavior profile defines a pattern of behavior for the entity;
  
  receiving comparison data;
  
  comparing the comparison data to the behavior profile; and
  
  identifying a first portion of the comparison data that does not exist in the behavior profile as anomalous behavior.
- View Dependent Claims (13, 14, 15, 16, 17)
- - 13. The computer storage medium of claim 12, wherein comparing the comparison data to the behavior data further comprises performing a statistical analysis on the behavior profile, wherein portions of the comparison data that lie outside a standard deviation of the behavior profile are identified as anomalous behavior.
  - 14. The computer storage medium of claim 12, wherein generating the behavior profile further comprises:
    - transforming the raw data into one or more relational database objects; and
      
      constructing the behavior profile using relational algebra.
  - 15. The computer storage medium of claim 12, wherein the method further comprises providing a report of the anomalous behavior.
  - 16. The computer storage medium of claim 12, wherein the method further comprises, upon identifying anomalous behavior, performing a countermeasure, wherein the countermeasure comprises at least one of:
    - revoking the entity'"'"'s credentials;
      
      denying the entity access to a resource;
      
      shutting down access to a port; and
      
      denying access to the entity.
  - 17. The computer storage medium of claim 12, wherein the raw data is weblog data, and wherein the weblog data comprises at least one of:
    - IP address information;
      
      browsing history;
      
      download data; and
      
      time information.

18. A system comprising:
- a server comprising;
  
  at least one processor; and
  
  memory encoding computer executable instructions that, when executed by at least one processor, perform a method for identifying anomalous behavior of an entity, the method comprising;
  
  receiving raw data, wherein the raw data comprises past recorded activity for the entity;
  
  generating a behavior profile for the entity based on the raw data, the behavior profile defining a pattern of behavior for the entity, wherein the behavior profile is generated using relational algebra;
  
  receiving comparison data;
  
  comparing the comparison data to the behavior profile;
  
  identifying a first portion of the comparison data that does not exist in the behavior profile as anomalous behavior; and
  
  generating a report of the anomalous behavior.
- View Dependent Claims (19, 20)
- - 19. The system of claim 18, wherein the method further comprises generating a cache table to store the behavior profile.
  - 20. The system of claim 18, further comprising:
    - a client in communication with the sever, wherein the client receives and displays the report.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Tautuk Incorporated
Original Assignee
Securboration, Inc.
Inventors
Stirtzinger, Anthony, Shapiro, Keith, Warhover, Brian, McQueary, Bruce

Granted Patent

US 9,686,305 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/23
CPC Class Codes

H04L 63/1408   by monitoring network traff...

H04L 63/1441   Countermeasures against mal...

H04W 12/12   Detection or prevention of ...

H04W 12/126   Anti-theft arrangements, e....

CYBER-SEMANTIC ACCOUNT MANAGEMENT SYSTEM

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

28 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

CYBER-SEMANTIC ACCOUNT MANAGEMENT SYSTEM

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

28 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links