PRIVILEGED ANALYTICS SYSTEM

US 20150121518A1
Filed: 10/27/2014
Published: 04/30/2015
Est. Priority Date: 10/27/2013
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for determining whether a computer network is compromised by unauthorized activity on the computer network, comprising:

identifying, by a computer system, a behavioral anomaly of an entity on the computer network;

classifying, by the computer system, the anomaly as a system event based on an assigned score for the anomaly being at least at a predetermined score threshold;

updating, by the computer system, an incident based on at least one common parameter between the system event and other system events which comprise the incident, each system event of the incident including an assigned score from when the event was an anomaly;

updating, by the computer system, a system status based on at least the incident, and assigning a system status score to the system status; and

determining, by the computer system, whether the system status score is at least at a predetermined threshold system status score indicating that the computer network may be compromised.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computer-implemented method for determining whether a computer network is compromised by unauthorized activity on the computer network. The computer-implemented method comprises identifying a behavioral anomaly of an entity on the computer network, classifying the anomaly as a system event based on an assigned score for the anomaly being at least at a predetermined score threshold, updating an incident based on at least one common parameter between the system event and other system events which comprise the incident, each system event of the incident including an assigned score from when the event was an anomaly, updating a system status based on at least the incident, and assigning a system status score to the system status, and, determining whether the system status score is at least at a predetermined threshold system status score indicating that the computer network may be compromised.

78 Citations

View as Search Results

19 Claims

1. A computer-implemented method for determining whether a computer network is compromised by unauthorized activity on the computer network, comprising:
- identifying, by a computer system, a behavioral anomaly of an entity on the computer network;
  
  classifying, by the computer system, the anomaly as a system event based on an assigned score for the anomaly being at least at a predetermined score threshold;
  
  updating, by the computer system, an incident based on at least one common parameter between the system event and other system events which comprise the incident, each system event of the incident including an assigned score from when the event was an anomaly;
  
  updating, by the computer system, a system status based on at least the incident, and assigning a system status score to the system status; and
  
  determining, by the computer system, whether the system status score is at least at a predetermined threshold system status score indicating that the computer network may be compromised.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The computer-implemented method of claim 1, additionally comprising, adding user feedback obtained through an interface to additionally determine whether the computer network is compromised.
  - 3. The computer-implemented method of claim 1, wherein the at least one parameter is selected from the group consisting of a user, an application used on the computer network, an internet protocol used on the computer network, source machine, target machine and a time.
  - 4. The computer-implemented method of claim 1, further comprising:
    - obtaining input data representative of information on actions in the computer network,building a first behavior profile for the entity, the first behavioral profile built based on a statistical analysis of the input data;
      
      obtaining additional input data representative of information on actions in the computer network;
      
      wherein the behavioral anomaly is identified by an analysis of the additional input data against the first behavioral profile to detect anomalies or deviations from the first behavioral profile.
  - 5. The computer-implemented method of claim 4, further comprising building a second behavior profile when the behavioral anomaly is identified found, the second behavior profile different from the first behavior profile;
    - andselecting based on pre-defined logic, a leading profile from a group consisting of the first behavioral profile, the second behavioral profile, and a combination of the first behavioral profile and the second behavioral profile.
  - 6. The computer-implemented method of claim 5, wherein the leading profile is used to calculate a score of events and incidents.

7. A computer implemented method for calculating a profile of entity behavior, comprising:
- obtaining, by a computer system, input data representative of information on actions in computer network;
  
  building, by the computer system, a first behavior profile for an entity associated with the computer network, the first behavioral profile built based on a statistical analysis of the input data;
  
  obtaining, by the computer system, additional input data representative of information on actions in computer network;
  
  analyzing, by the computer system, the additional input data against the first behavioral profile to detect anomalies or deviations from the first behavioral profile;
  
  building, by the computer system, a second behavior profile, if such anomalies or deviations were found, the second behavior profile different from the first behavior profile; and
  
  selecting, by the computer system, based on pre-defined logic, a leading profile, the leading profile being either the first behavioral profile or the second behavioral profile or a combination thereof.
- View Dependent Claims (8, 9)
- - 8. The computer-implemented method of claim 7, wherein the leading profile is used to calculate a score of events and incidents in the system.
  - 9. The computer-implemented method of claim 7, wherein the entity is a member of a group consisting of:
    - a human user, application, client machine, device type, target machine, account, and command.

10. A computer system for determining whether a computer network is compromised by unauthorized activity on the computer network, comprising:
- an input module configured for receiving input data representative of information on actions in a computer network;
  
  a profile building module configured for building a behavior profile for an entity associated with the computer network, the profile built based on at least one of a statistical analysis or a rules based analysis of the input data; and
  
  ,an analytics module configured for;
  
       1) analyzing the input data against the behavioral profile and determining anomalies based on the analysis,
  
       2) classifying the anomaly as a system event based on an assigned score for the anomaly being at least at a predetermined score threshold;
  
       3) classifying the system event as an incident based on at least one common parameter between the system event and other system events which comprise the incident, each system event of the incident including an assigned score from when the event was an anomaly;
  
       4) classifying a system status based on number and score of the incidents currently existing in the system, and assigning a system status score to the system status.
- View Dependent Claims (11, 12)
- - 11. The system of claim 10, additionally comprising a user interface module configured for providing a graphical user interface for presenting the system status, the incidents and the events to users.
  - 12. The system of claim 11, wherein the input module is additionally configured for receiving feedback from the users responding to at least one of the system status, the incidents and the events, presented by the graphical user interface, the feedback to additionally determine whether the computer network is compromised.

13. A computer program product for determining whether a computer network is compromised by unauthorized activity on the computer network, the computer program product comprising a non transitory computer readable storage medium having program instructions embodied therewith, the program instructions executable by a processor to cause one or more servers to:
- identify a behavioral anomaly of an entity on the computer network;
  
  classify the anomaly as a system event based on an assigned score for the anomaly being at least at a predetermined score threshold;
  
  update an incident based on at least one common parameter between the system event and other system events which comprise the incident, each system event of the incident including an assigned score from when the event was an anomaly;
  
  update a system status based on at least the incident, and assigning a system status score to the system status; and
  
  ,determine whether the system status score is at least at a predetermined threshold system status score indicating that the computer network may be compromised.
- View Dependent Claims (14, 15, 16, 17, 18, 19)
- - 14. The computer program product of claim 13, wherein the program instructions are adapted to cause one or more servers to add user feedback obtained through an interface to additionally determine whether the computer network is compromised.
  - 15. The computer program product of claim 13, wherein the at least one parameter is selected from the group consisting of a user, an application used on the computer network, an internet protocol used on the computer network, source machine, target machine and a time.
  - 16. The computer program product of claim 13, wherein the program instructions are adapted to:
    - obtain input data representative of information on actions in the computer network;
      
      build a first behavior profile for an entity associated with the computer network, the first behavioral profile built based on a statistical analysis of the input data;
      
      obtain additional input data representative of information on actions in the computer network;
      
      wherein the behavioral anomaly is identified by an analysis of the additional input data against the first behavioral profile to detect anomalies or deviations from the first behavioral profile.
  - 17. The computer program product of claim 13, wherein the program instructions are adapted to:
    - build a second behavior profile when the behavioral anomaly is identified found, the second behavior profile different from the first behavior profile; and
      
      select based on pre-defined logic, a leading profile from a group consisting of the first behavioral profile, the second behavioral profile, and a combination of the first behavioral profile and the second behavioral profile.
  - 18. The computer program product of claim 17, wherein the leading profile is used to calculate a score of events and incidents.
  - 19. The computer program product of claim 13, wherein the entity is a member of a group consisting of:
    - a human user, application, client machine, device type, target machine, account, and command.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cyber-Ark Software Limited (CyberArk Software Ltd.)
Original Assignee
Cyber-Ark Software Limited (CyberArk Software Ltd.)
Inventors
DULKIN, Andrey, SADE, Yair, SHMUELI, Aviram, WEISS, Assaf

Granted Patent

US 9,712,548 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/22
CPC Class Codes

H04L 63/1425 Traffic logging, e.g. anoma...

PRIVILEGED ANALYTICS SYSTEM

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

78 Citations

19 Claims

Specification

Use Cases

Quick Links

Others

PRIVILEGED ANALYTICS SYSTEM

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

78 Citations

19 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others