Detecting Behavioral Patterns and Anomalies Using Activity Data
Abstract
Activity data is analyzed or evaluated to detect behavioral patterns and anomalies. When a particular pattern or anomaly is detected, a system may send a notification or perform a particular task. This activity data may be collected in an information management system, which may be policy based. Notification may be by way of e-mail, report, pop-up message, or system message. Some tasks to perform upon detection may include implementing a policy in the information management system, disallowing a user from connecting to the system, and restricting a user from being allowed to perform certain actions. To detect a pattern, activity data may be compared to a previously defined or generated activity profile.
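The flow described in the abstract and in claim 1 (gather activity from two targets, compare it to an activity profile, attach a second rule to a target when the condition is detected, then enforce both rules), as an added Python example that is not part of the patent text. The rule names, profile values, 3x threshold, target names, and the deny-overrides/default-deny evaluation are assumptions chosen for illustration.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    effect: str    # "allow" or "deny"
    action: str
    resource: str

# Assumed information management rules (illustrative names).
ALLOW_COPY = Rule("allow-copy-confidential", "allow", "copy", "confidential")
DENY_COPY = Rule("deny-copy-confidential", "deny", "copy", "confidential")

# Assumed activity profile: expected count of each action per target per window.
PROFILE = {"copy": 5, "open": 40}
THRESHOLD = 3.0  # assumed: anomalous when observed count > 3x the profile

def gather(db, target, events):
    """Store (action, resource) records from a target in the activity database."""
    db[target].extend(events)

def detect(db, target):
    """Detection algorithm: actions whose count exceeds the profile by THRESHOLD."""
    counts = Counter(action for action, _ in db[target])
    return sorted(a for a, n in counts.items() if n > THRESHOLD * PROFILE.get(a, 0))

def respond(db, assignments, target, second_rule):
    """If the condition occurred for this target, associate the second rule with it."""
    if second_rule.action in detect(db, target) and second_rule not in assignments[target]:
        assignments[target].append(second_rule)
        return True
    return False

def is_allowed(assignments, target, action, resource):
    """Control usage with every rule on the target (assumed: deny overrides, default deny)."""
    hits = [r for r in assignments[target] if (r.action, r.resource) == (action, resource)]
    return bool(hits) and all(r.effect == "allow" for r in hits)

def demo():
    db, assignments = defaultdict(list), defaultdict(list)
    for t in ("target-1", "target-2"):
        assignments[t].append(ALLOW_COPY)          # first rule
    # Constructed sample activity for one window.
    gather(db, "target-1", [("copy", "confidential")] * 22 + [("open", "public")] * 30)
    gather(db, "target-2", [("copy", "confidential")] * 4 + [("open", "public")] * 35)
    before = is_allowed(assignments, "target-1", "copy", "confidential")
    changed = [respond(db, assignments, t, DENY_COPY) for t in ("target-1", "target-2")]
    after = {t: is_allowed(assignments, t, "copy", "confidential") for t in ("target-1", "target-2")}
    return before, changed, after

if __name__ == "__main__":
    print(demo())
```

Only the target whose copy volume departs from the profile receives the second rule; the other target keeps its original rule set.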
20 Claims
1. A method of managing information of a system comprising:
- providing a plurality of information management rules;
- providing an activity database;
- gathering activity data from a first target in the activity database;
- gathering activity data from a second target in the activity database;
- associating at least a first rule of the information management rules to the first target;
- evaluating the data stored in the activity database according to a detection algorithm, wherein the detection algorithm detects at least a first condition;
- based on the detection algorithm, determining the first condition has occurred, and then associating a second rule to the first target; and
- for the first target, controlling usage of information based on the at least first rule of information management rules and the second rule.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12
13. A method of managing information of a system comprising:
- providing a plurality of information management rules;
- providing an activity database;
- gathering activity data from a first target in the activity database;
- gathering activity data from a second target in the activity database;
- associating at least a first rule of the information management rules to the first target;
- evaluating the data stored in the activity database according to a detection algorithm, wherein the detection algorithm detects at least a first condition;
- based on the detection algorithm, determining the first condition has occurred, and then associating a second rule to the first target;
- for the first target, controlling usage of information based on the at least first rule of information management rules and the second rule;
- for a first activity at the first target, evaluating whether the at least first rule of information management rules applies based on the first activity; and
- for the first activity at the first target, evaluating whether the second rule applies based on the first activity, wherein the second rule comprises a first abstraction, the first abstraction is defined in a first definition statement stored separately from the second rule and the first abstraction.
Dependent claims: 14, 15, 16, 17
18. A method of managing information of a system comprising:
- providing a plurality of information management rules;
- providing an activity database;
- gathering activity data from a first target in the activity database;
- gathering activity data from a second target in the activity database;
- associating at least a first rule of the information management rules to the first target;
- evaluating the data stored in the activity database according to a detection algorithm;
- based on the detection algorithm, determining the first condition has occurred, and then associating a second rule to the first target;
- for the first target, controlling usage of information based on the at least first rule of information management rules and the second rule;
- based on the detection algorithm, determining the first condition has occurred, associating an additional second rule to the first target;
- for the first target, controlling usage of information based on the at least first rule of information management rules and the additional second rule;
- for a first activity at the first target, evaluating whether the at least first rule of information management rules applies based on the first activity; and
- for the first activity at the first target, evaluating whether the additional second rule applies based on the first activity, wherein the additional second rule comprises a first abstraction, the first abstraction is defined in a first definition statement stored separately from the additional second rule and the first abstraction.
Dependent claims: 19, 20
Specification