METHODS, SYSTEMS, AND MEDIA FOR MASQUERADE ATTACK DETECTION BY MONITORING COMPUTER USER BEHAVIOR
First Claim
1. A method for detecting attacks on devices, the method comprising:
receiving, using a hardware processor, a first plurality of user actions in a computing environment associated with a user account, wherein the first plurality of user actions includes a user selection of one or more particular documents in the computing environment;
generating a model of user behavior based at least in part on the first plurality of user actions, wherein the model of user behavior is associated with the user account;
receiving a second plurality of user actions in the computing environment that correspond to the user account;
determining whether at least one of the second plurality of user actions deviates from the generated model of user behavior, wherein the determination further comprises determining whether the second plurality of user actions includes accessing the one or more particular documents in the computing environment;
identifying whether the second plurality of user actions is an attack based at least in part on the determination that at least one of the second plurality of user actions deviates from the generated model of user behavior and that the one or more particular documents in the computing environment has been accessed; and
generating an alert of the attack in response to the identification.
Abstract
Methods, systems, and media for masquerade attack detection by monitoring computer user behavior are provided. In accordance with some embodiments, a method for detecting masquerade attacks is provided, the method comprising: monitoring, using a hardware processor, a first plurality of user actions in a computing environment; generating a user intent model based on the first plurality of user actions; monitoring a second plurality of user actions in the computing environment; determining whether at least one of the second plurality of user actions deviates from the generated user intent model; determining whether the second plurality of user actions include performing an action on a file in the computing environment that contains decoy information in response to determining that at least one of the second plurality of user actions deviates from the generated user intent model; and generating an alert in response to determining that the second plurality of user actions include performing an action on a file in the computing environment that contains decoy information.
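The abstract describes a two-stage detector: a per-user intent model built from an initial set of actions, a deviation test on later actions, and an alert only when a deviating action set also touches a file holding decoy information. The Python below is an added example of that pipeline written for this page; it is not code from the patent or its assignee. The event record, the window size, the z-score threshold, the decoy path list and the sample action logs are all constructed assumptions, and the baseline statistics (per-window action-type counts plus the set of documents the user has selected) are one simple choice of "user intent model" among many the abstract would admit.

```python
from collections import Counter
from dataclasses import dataclass
from statistics import mean, pstdev

@dataclass(frozen=True)
class UserAction:
    """One monitored user action (constructed event format for this example)."""
    user: str
    action: str  # e.g. "open", "search", "edit", "copy"
    path: str    # file or directory the action touched

# Constructed assumption: files seeded with decoy information (bait documents).
DECOY_PATHS = {"/home/alice/private/passwords.txt", "/home/alice/private/bank.pdf"}
DOC_ACTIONS = {"open", "edit", "copy"}  # actions that operate on a document
WINDOW = 10         # actions per evaluation window (assumption)
Z_THRESHOLD = 3.0   # baseline standard deviations that count as a deviation (assumption)

class UserIntentModel:
    """Baseline of one user's behaviour: per-window action-type counts and documents selected."""

    def __init__(self, user: str):
        self.user = user
        self.stats = {}        # action type -> (mean count per window, std floored at 1.0)
        self.known_docs = set()  # documents the user selected during the first plurality of actions

    @staticmethod
    def windows(actions, size=WINDOW):
        """Split an action list into consecutive, non-overlapping windows."""
        for i in range(0, len(actions) - size + 1, size):
            yield actions[i:i + size]

    def fit(self, actions):
        """Build the model from the first plurality of user actions."""
        counts = [Counter(a.action for a in w) for w in self.windows(actions)]
        for t in set().union(*counts):
            samples = [c.get(t, 0) for c in counts]
            # Floor the deviation at 1.0 so a perfectly regular baseline still yields finite z-scores.
            self.stats[t] = (mean(samples), max(pstdev(samples), 1.0))
        self.known_docs = {a.path for a in actions if a.action in DOC_ACTIONS}
        return self

    def deviations(self, window):
        """Reasons this window departs from the baseline; an empty list means it is consistent."""
        reasons = []
        for t, n in Counter(a.action for a in window).items():
            mu, sigma = self.stats.get(t, (0.0, 1.0))  # unseen action types have a zero baseline
            z = (n - mu) / sigma
            if z > Z_THRESHOLD:
                reasons.append(f"{t}: {n} per window is {z:.1f} sd above baseline {mu:.1f}")
        doc_actions = [a for a in window if a.action in DOC_ACTIONS]
        unseen = [a for a in doc_actions if a.path not in self.known_docs]
        if doc_actions and len(unseen) / len(doc_actions) > 0.5:
            reasons.append(f"{len(unseen)} of {len(doc_actions)} document actions on documents outside baseline")
        return reasons

def detect(model, actions):
    """Second stage: alert only when a deviating window also acts on a decoy file."""
    alerts = []
    for window in UserIntentModel.windows(actions):
        reasons = model.deviations(window)
        if not reasons:
            continue  # consistent with the user intent model; decoy check is not reached
        decoys = sorted({a.path for a in window if a.action in DOC_ACTIONS and a.path in DECOY_PATHS})
        if decoys:
            alerts.append({"user": model.user, "reasons": reasons, "decoys": decoys})
    return alerts

# ---- constructed sample logs -------------------------------------------------
REPORTS = ["/home/alice/reports/q1.docx", "/home/alice/reports/q2.docx", "/home/alice/reports/budget.xlsx"]

def benign_window():
    """Ten actions matching alice's routine: six opens, one search, three edits."""
    return ([UserAction("alice", "open", REPORTS[i % 3]) for i in range(6)]
            + [UserAction("alice", "search", "/home/alice/reports")]
            + [UserAction("alice", "edit", REPORTS[i % 3]) for i in range(3)])

def training_actions():
    """First plurality of actions: three routine windows."""
    return benign_window() * 3

def masquerade_window():
    """Wide searching, unfamiliar documents, and two decoy files touched."""
    return ([UserAction("alice", "search", d) for d in
             ["/home", "/home/alice", "/home/alice/private", "/etc", "/var"]]
            + [UserAction("alice", "open", "/home/alice/private/passwords.txt"),
               UserAction("alice", "open", "/home/alice/private/notes.txt"),
               UserAction("alice", "open", REPORTS[0]),
               UserAction("alice", "copy", "/home/alice/private/passwords.txt"),
               UserAction("alice", "copy", "/home/alice/private/bank.pdf")])

def curious_window():
    """Deviates (search burst) but touches only known documents: no decoy, no alert."""
    return ([UserAction("alice", "search", f"/home/alice/dir{i}") for i in range(5)]
            + [UserAction("alice", "open", REPORTS[i % 3]) for i in range(5)])

if __name__ == "__main__":
    model = UserIntentModel("alice").fit(training_actions())
    for alert in detect(model, benign_window() + masquerade_window() + curious_window()):
        print(alert)
```

The two-stage structure is the point to note: a search burst alone (the `curious_window`) produces deviation reasons but no alert, because the decoy check is what turns a behavioural anomaly into an attack signal, which keeps false positives from merely unusual but legitimate sessions low. In a deployment the baseline would be refit periodically and the windows would be time-based rather than count-based.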
15 Citations
32 Claims
1. Claim 1 is recited in full above under First Claim.
Dependent claims: 2 through 16.
17. A method for detecting attacks on devices, the method comprising:
receiving, using a hardware processor, a first plurality of user actions in a computing environment associated with a user account;
generating a model of user behavior based on the first plurality of user actions, wherein the model of user behavior is associated with the user account;
receiving additional user actions in the computing environment that correspond to the user account;
determining whether at least one of the additional user actions deviates from the generated model of user behavior; and
in response to determining that at least one of the additional user actions deviates from the generated model of user behavior, generating an alert that includes information associated with the user account.
Dependent claims: 18 through 27.
28. A method for detecting attacks on devices, the method comprising:
monitoring, using a hardware processor, a first plurality of user actions over a communications network;
generating a model of user behavior based on the first plurality of user actions over the communications network;
receiving additional user actions over the communications network;
determining whether at least one of the additional user actions deviates from the generated model of user behavior; and
in response to determining that at least one of the additional user actions deviates from the generated model of user behavior, generating an alert that includes information associated with the communications network.
Dependent claims: 29 through 32.
Specification