METHODS, SYSTEMS, AND MEDIA FOR MASQUERADE ATTACK DETECTION BY MONITORING COMPUTER USER BEHAVIOR

US 20160182545A1
Filed: 02/29/2016
Published: 06/23/2016
Est. Priority Date: 12/02/2008
Status: Abandoned Application

First Claim

Patent Images

1. A method for detecting attacks on devices, the method comprising:

receiving, using a hardware processor, a first plurality of user actions in a computing environment associated with a user account, wherein the first plurality of user actions includes a user selection of one or more particular documents in the computing environment;

generating a model of user behavior based at least in part on the first plurality of user actions, wherein the model of user behavior is associated with the user account;

receiving a second plurality of user actions in the computing environment that correspond to the user account;

determining whether at least one of the second plurality of user actions deviates from the generated model of user behavior, wherein the determination further comprises determining whether the second plurality of user actions includes accessing the one or more particular documents in the computing environment;

identifying whether the second plurality of user actions is an attack based at least in part on the determination that at least one of the second plurality of user actions deviates from the generated model of user behavior and that the one or more particular documents in the computing environment has been accessed; and

generating an alert of the attack in response to the identification.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods, systems, and media for masquerade attack detection by monitoring computer user behavior are provided. In accordance with some embodiments, a method for detecting masquerade attacks is provided, the method comprising: monitoring, using a hardware processor, a first plurality of user actions in a computing environment; generating a user intent model based on the first plurality of user actions; monitoring a second plurality of user actions in the computing environment; determining whether at least one of the second plurality of user actions deviates from the generated user intent model; determining whether the second plurality of user actions include performing an action on a file in the computing environment that contains decoy information in response to determining that at least one of the second plurality of user actions deviates from the generated user intent model; and generating an alert in response to determining that the second plurality of user actions include performing an action on a file in the computing environment that contains decoy information.

15 Citations

View as Search Results

32 Claims

1. A method for detecting attacks on devices, the method comprising:
- receiving, using a hardware processor, a first plurality of user actions in a computing environment associated with a user account, wherein the first plurality of user actions includes a user selection of one or more particular documents in the computing environment;
  
  generating a model of user behavior based at least in part on the first plurality of user actions, wherein the model of user behavior is associated with the user account;
  
  receiving a second plurality of user actions in the computing environment that correspond to the user account;
  
  determining whether at least one of the second plurality of user actions deviates from the generated model of user behavior, wherein the determination further comprises determining whether the second plurality of user actions includes accessing the one or more particular documents in the computing environment;
  
  identifying whether the second plurality of user actions is an attack based at least in part on the determination that at least one of the second plurality of user actions deviates from the generated model of user behavior and that the one or more particular documents in the computing environment has been accessed; and
  
  generating an alert of the attack in response to the identification.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. The method of claim 1, further comprising searching through the computing environment to identify the one or more particular documents.
  - 3. The method of claim 2, further comprising identifying the one or more particular documents by determining that the one or more particular documents from a plurality of documents are commonly accessed by a user corresponding to the user account.
  - 4. The method of claim 2, further comprising identifying the one or more particular documents by determining that the one or more particular documents from a plurality of documents are commonly accessed by a plurality of user accounts associated with the computing environment.
  - 5. The method of claim 1, further comprising:
    - generating decoy documents that are similar to the one or more particular documents; and
      
      inserting the decoy documents into the computing environment, wherein identifying that the second plurality of user actions is the attack includes detecting that at least one of the generated decoy documents has been accessed.
  - 6. The method of claim 1, further comprising:
    - generating documents that are similar to the one or more particular documents;
      
      inserting decoy information into each of the generated documents; and
      
      inserting the generated documents into the computing environment, wherein identifying that the second plurality of user actions is the attack includes detecting that at least one of the generated documents has been accessed.
  - 7. The method of claim 6, wherein the decoy information further comprises a beacon that is configured to indicate when a document associated with the beacon has been accessed.
  - 8. The method of claim 6, further comprising transmitting a monitoring instruction to a monitoring application that monitors a beacon in the decoy information to detect when a document associated with the beacon has been accessed.
  - 9. The method of claim 1, further comprisingclassifying each of the first plurality of user actions into a category of a plurality of categories of user actions;
    - andgenerating the model of user behavior based on user actions in at least one category of the plurality of categories of user actions.
  - 10. The method of claim 9, further comprising receiving a selection of at least one category of the plurality of categories of user actions for generating the model of user behavior.
  - 11. The method of claim 1, further comprising assigning a category type to each of a plurality of user commands, applications, registry-based activities, and dynamic link library (DLL) activities in the computing environment.
  - 12. The method of claim 11, further comprising:
    - generating a taxonomy of categories based on the category type;
      
      selecting one or more categories from the taxonomy;
      
      extracting a plurality of features for each category; and
      
      generating the model of user behavior by using the first plurality of user actions with respect to the extracted features.
  - 13. The method of claim 1, further comprising calculating a first distance between a first distribution that models the first plurality of user actions and a second distribution that models the second plurality of user actions.
  - 14. The method of claim 13, further comprising determining that at least one of the second plurality of user actions deviates from the model of user behavior in response to the first distance being greater than a threshold distance value.
  - 15. The method of claim 13, further comprising:
    - calculating a second distance between the second distribution that models the second plurality of user actions and a third distribution that models a third plurality of user actions; and
      
      comparing the second distance with the first distance to determine whether the third plurality of user actions corresponds to the attack.
  - 16. The method of claim 1, further comprising associating the model of user behavior with at least one of:
    - a particular user, the computing environment, a network, and a user type.

17. A method for detecting attacks on devices, the method comprising:
- receiving, using a hardware processor, a first plurality of user actions in a computing environment associated with a user account;
  
  generating a model of user behavior based on the first plurality of user actions, wherein the model of user behavior is associated with the user account;
  
  receiving additional user actions in the computing environment that correspond to the user account;
  
  determining whether at least one of the additional user actions deviates from the generated model of user behavior; and
  
  in response to determining that at least one of the additional user actions deviates from the generated model of user behavior, generating an alert that includes information associated with the user account.
- View Dependent Claims (18, 19, 20, 21, 22, 23, 24, 25, 26, 27)
- - 18. The method of claim 17, further comprising determining that the additional user actions include performing search activities in the computing environment, wherein the alert is generated in response to determining that the additional user actions include the search activities in the computing environment.
  - 19. The method of claim 18, wherein the search activities include a number of search actions conducted in the computing environment in a given period of time.
  - 20. The method of claim 17, further comprising:
    - classifying each of the first plurality of user actions into a category of a plurality of categories of user actions; and
      
      generating the model of user behavior based on user actions in at least one category of the plurality of categories of user actions.
  - 21. The method of claim 17, further comprising assigning a category type to each of a plurality of user commands, applications, registry-based activities, and dynamic link library (DLL) activities in the computing environment.
  - 22. The method of claim 21, further comprising receiving a selection of at least one category of the plurality of categories of user actions for generating the model of user behavior.
  - 23. The method of claim 21, further comprising:
    - generating a taxonomy of categories based on the category type;
      
      selecting one or more categories from the taxonomy;
      
      extracting a plurality of features for each category; and
      
      generating the model of user behavior by using the first plurality of user actions with respect to the extracted features.
  - 24. The method of claim 21, further comprising calculating a first distance between a first distribution that models the first plurality of user actions and a second distribution that models the second plurality of user actions.
  - 25. The method of claim 24, further comprising determining that at least one of the second plurality of user actions deviates from the model of user search behavior in response to the first distance being greater than a threshold distance value.
  - 26. The method of claim 24, further comprising:
    - calculating a second distance between the second distribution that models the second plurality of user actions and a third distribution that models a third plurality of user actions; and
      
      comparing the second distance with the first distance to determine whether the third plurality of user actions corresponds to the attack.
  - 27. The method of claim 17, further comprising associating the model of user search behavior with at least one of:
    - a particular user, the computing environment, a network, and a user type.

28. A method for detecting attacks on devices, the method comprising:
- monitoring, using a hardware processor, a first plurality of user actions over a communications network;
  
  generating a model of user behavior based on the first plurality of user actions over the communications network;
  
  receiving additional user actions over the communications network;
  
  determining whether at least one of the additional user actions deviates from the generated model of user behavior; and
  
  in response to determining that at least one of the additional user actions deviates from the generated model of user behavior, generating an alert that includes information associated with the communications network.
- View Dependent Claims (29, 30, 31, 32)
- - 29. The method of claim 28, wherein the first plurality of user actions and the second plurality of user actions includes networking-related user activities.
  - 30. The method of claim 28, wherein the first plurality of user actions and the second plurality of user actions includes communications-related user activities.
  - 31. The method of claim 28, further comprising:
    - classifying each of the first plurality of user actions into a category of a plurality of categories of user actions, wherein the plurality of categories of user actions includes a first category of communications-related user activities and networking-related user activities;
      
      extracting user actions from the first plurality of user actions that have been placed in the first category; and
      
      generating the model of user behavior based on the user actions in the first category of the plurality of categories of user actions.
  - 32. The method of claim 28, further comprising associating the model of user behavior with the communications network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Trustees Of Columbia University In The City Of New York (Columbia University)
Original Assignee
Trustees Of Columbia University In The City Of New York (Columbia University)
Inventors
Stolfo, Salvatore J., Ben Salem, Malek, Hershkop, Shlomo

Application Number

US15/056,627
Publication Number

US 20160182545A1
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/50   Monitoring users, programs ...

G06F 21/55   Detecting local intrusion o...

G06F 21/552   involving long-term monitor...

G06F 21/554   involving event detection a...

G06F 21/566   Dynamic detection, i.e. det...

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1491   using deception as counterm...

METHODS, SYSTEMS, AND MEDIA FOR MASQUERADE ATTACK DETECTION BY MONITORING COMPUTER USER BEHAVIOR

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

15 Citations

32 Claims

Specification

Use Cases

Quick Links

Others

METHODS, SYSTEMS, AND MEDIA FOR MASQUERADE ATTACK DETECTION BY MONITORING COMPUTER USER BEHAVIOR

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

15 Citations

32 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others