PRIVILEGED ANALYTICS SYSTEM
First Claim
1. A computer-implemented method for determining whether a computer network is compromised by unauthorized activity on the computer network, comprising:
identifying, by a computer system, a behavioral anomaly of an entity on the computer network;
classifying, by the computer system, the anomaly as a system event based on an assigned score for the anomaly being at least at a predetermined score threshold;
updating, by the computer system, an incident based on at least one common parameter between the system event and other system events which comprise the incident, each system event of the incident including an assigned score from when the event was an anomaly;
updating, by the computer system, a system status based on at least the incident, and assigning a system status score to the system status; and
determining, by the computer system, whether the system status score is at least at a predetermined threshold system status score indicating that the computer network may be compromised.
2 Assignments
0 Petitions
Abstract
A computer-implemented method for determining whether a computer network is compromised by unauthorized activity on the computer network. The computer-implemented method comprises identifying a behavioral anomaly of an entity on the computer network, classifying the anomaly as a system event based on an assigned score for the anomaly being at least at a predetermined score threshold, updating an incident based on at least one common parameter between the system event and other system events which comprise the incident, each system event of the incident including an assigned score from when the event was an anomaly, updating a system status based on at least the incident, and assigning a system status score to the system status, and, determining whether the system status score is at least at a predetermined threshold system status score indicating that the computer network may be compromised.
78 Citations
19 Claims
1. A computer-implemented method for determining whether a computer network is compromised by unauthorized activity on the computer network, comprising:
identifying, by a computer system, a behavioral anomaly of an entity on the computer network; classifying, by the computer system, the anomaly as a system event based on an assigned score for the anomaly being at least at a predetermined score threshold; updating, by the computer system, an incident based on at least one common parameter between the system event and other system events which comprise the incident, each system event of the incident including an assigned score from when the event was an anomaly; updating, by the computer system, a system status based on at least the incident, and assigning a system status score to the system status; and determining, by the computer system, whether the system status score is at least at a predetermined threshold system status score indicating that the computer network may be compromised.
(Dependent claims: 2, 3, 4, 5, 6)

7. A computer implemented method for calculating a profile of entity behavior, comprising:
obtaining, by a computer system, input data representative of information on actions in computer network; building, by the computer system, a first behavior profile for an entity associated with the computer network, the first behavioral profile built based on a statistical analysis of the input data; obtaining, by the computer system, additional input data representative of information on actions in computer network; analyzing, by the computer system, the additional input data against the first behavioral profile to detect anomalies or deviations from the first behavioral profile; building, by the computer system, a second behavior profile, if such anomalies or deviations were found, the second behavior profile different from the first behavior profile; and selecting, by the computer system, based on pre-defined logic, a leading profile, the leading profile being either the first behavioral profile or the second behavioral profile or a combination thereof.
(Dependent claims: 8, 9)

10. A computer system for determining whether a computer network is compromised by unauthorized activity on the computer network, comprising:
an input module configured for receiving input data representative of information on actions in a computer network; a profile building module configured for building a behavior profile for an entity associated with the computer network, the profile built based on at least one of a statistical analysis or a rules based analysis of the input data; and
an analytics module configured for:
1) analyzing the input data against the behavioral profile and determining anomalies based on the analysis,
2) classifying the anomaly as a system event based on an assigned score for the anomaly being at least at a predetermined score threshold;
3) classifying the system event as an incident based on at least one common parameter between the system event and other system events which comprise the incident, each system event of the incident including an assigned score from when the event was an anomaly;
4) classifying a system status based on number and score of the incidents currently existing in the system, and assigning a system status score to the system status.
(Dependent claims: 11, 12)

13. A computer program product for determining whether a computer network is compromised by unauthorized activity on the computer network, the computer program product comprising a non transitory computer readable storage medium having program instructions embodied therewith, the program instructions executable by a processor to cause one or more servers to:
identify a behavioral anomaly of an entity on the computer network; classify the anomaly as a system event based on an assigned score for the anomaly being at least at a predetermined score threshold; update an incident based on at least one common parameter between the system event and other system events which comprise the incident, each system event of the incident including an assigned score from when the event was an anomaly; update a system status based on at least the incident, and assigning a system status score to the system status; and
determine whether the system status score is at least at a predetermined threshold system status score indicating that the computer network may be compromised.
(Dependent claims: 14, 15, 16, 17, 18, 19)
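The scoring pipeline that claims 1, 7, 10 and 13 describe (behaviour profile, anomaly score, system event once the score reaches a threshold, incident formed from events sharing a common parameter, system status score compared against a status threshold) as an added Python example. This is not the patent's own code or any product's implementation: the z-score profile, the choice of the entity as the grouping parameter, the status-score formula, the leading-profile selection logic and both thresholds are assumptions of this example, and the baseline and observed values are constructed.

```python
from dataclasses import dataclass, field
from statistics import mean, pstdev

# Constructed baseline: hourly counts per (entity, metric), standing in for the
# "input data representative of information on actions" of claim 7.
BASELINE = {
    ("alice", "logins_per_hour"):      [3, 4, 2, 5, 3, 4, 3, 4],
    ("svc-backup", "logins_per_hour"): [1, 1, 0, 1, 1, 1, 1, 1],
    ("svc-backup", "distinct_hosts"):  [1, 1, 1, 1, 1, 1, 1, 1],
}

EVENT_THRESHOLD = 3.0    # anomaly score needed to become a system event (assumed)
STATUS_THRESHOLD = 6.0   # status score at which the network is flagged (assumed)


@dataclass
class Profile:
    """Behaviour profile: mean and spread of one metric for one entity."""
    mu: float
    sigma: float


def build_profile(samples):
    # Floor sigma so a perfectly constant baseline still gives finite scores.
    return Profile(mean(samples), max(pstdev(samples), 0.5))


def anomaly_score(profile, value):
    """Deviation from the profile in standard deviations (z-score)."""
    return abs(value - profile.mu) / profile.sigma


def select_leading_profile(first, new_samples, min_samples=8):
    """Claim 7: if new data deviates from the first profile, build a second one
    and choose a leading profile by pre-defined logic. The logic here (keep the
    first profile until enough new samples exist, then average the two) is an
    assumption of this example, not the patent's."""
    if not any(anomaly_score(first, v) >= EVENT_THRESHOLD for v in new_samples):
        return first
    if len(new_samples) < min_samples:
        return first
    second = build_profile(new_samples)
    return Profile((first.mu + second.mu) / 2, (first.sigma + second.sigma) / 2)


@dataclass
class SystemEvent:
    entity: str
    metric: str
    score: float        # the score the event carried while it was an anomaly


@dataclass
class Incident:
    key: str            # the common parameter shared by the grouped events
    events: list = field(default_factory=list)

    def score(self):
        return sum(e.score for e in self.events)


def classify_events(profiles, observations):
    """Anomaly -> system event once its score reaches EVENT_THRESHOLD."""
    events = []
    for entity, metric, value in observations:
        s = anomaly_score(profiles[(entity, metric)], value)
        if s >= EVENT_THRESHOLD:
            events.append(SystemEvent(entity, metric, round(s, 2)))
    return events


def update_incidents(events, common_parameter=lambda e: e.entity):
    """Group events that share a parameter (here the entity) into incidents."""
    incidents = {}
    for e in events:
        k = common_parameter(e)
        incidents.setdefault(k, Incident(k)).events.append(e)
    return incidents


def system_status_score(incidents):
    """Status score from the number and score of open incidents (assumed
    formula: the strongest incident plus 0.5 for each additional incident)."""
    if not incidents:
        return 0.0
    return max(i.score() for i in incidents.values()) + 0.5 * (len(incidents) - 1)


def run(observations):
    """Full pipeline; returns events, incidents, status score and the verdict."""
    profiles = {key: build_profile(v) for key, v in BASELINE.items()}
    events = classify_events(profiles, observations)
    incidents = update_incidents(events)
    status = system_status_score(incidents)
    return events, incidents, status, status >= STATUS_THRESHOLD


# Constructed observations: one normal reading and three deviating ones.
SAMPLE_OBSERVATIONS = [
    ("alice", "logins_per_hour", 4),
    ("alice", "logins_per_hour", 12),
    ("svc-backup", "logins_per_hour", 3),
    ("svc-backup", "distinct_hosts", 6),
]

if __name__ == "__main__":
    evs, incs, status, flagged = run(SAMPLE_OBSERVATIONS)
    for e in evs:
        print(f"event    {e.entity:<11} {e.metric:<16} score={e.score}")
    for k, inc in incs.items():
        print(f"incident {k:<11} events={len(inc.events)} score={inc.score():.2f}")
    print(f"system status score={status:.2f} compromised={flagged}")
```

Note the point the claims make about scores: each system event keeps the score it was assigned as an anomaly, so an incident's weight is the accumulated evidence of its events, and the status verdict depends on the strongest incident rather than on any single anomaly. The two service-account events, each moderate on its own, combine into one incident that crosses the status threshold.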
Specification