Detecting Behavioral Patterns and Anomalies Using Activity Data

US 20170142125A1
Filed: 01/31/2017
Published: 05/18/2017
Est. Priority Date: 12/29/2005
Status: Active Grant

First Claim

Patent Images

1. A method of managing information of a system comprising:

providing a plurality of information management rules;

providing an activity database;

gathering activity data from a first target in the activity database;

gathering activity data from a second target in the activity database;

associating at least a first rule of the information management rules to the first target;

evaluating the data stored in the activity database according to a detection algorithm, wherein the detection algorithm detects at least a first condition;

based on the detection algorithm, determining the first condition has occurred, and then associating a second rule to the first target; and

for the first target, controlling usage of information based on the at least first rule of information management rules and the second rule.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Activity data is analyzed or evaluated to detect behavioral patterns and anomalies. When a particular pattern or anomaly is detected, a system may send a notification or perform a particular task. This activity data may be collected in an information management system, which may be policy based. Notification may be by way e-mail, report, pop-up message, or system message. Some tasks to perform upon detection may include implementing a policy in the information management system, disallowing a user from connecting to the system, and restricting a user from being allowed to perform certain actions. To detect a pattern, activity data may be compared to a previously defined or generated activity profile.

Citations

20 Claims

1. A method of managing information of a system comprising:
- providing a plurality of information management rules;
  
  providing an activity database;
  
  gathering activity data from a first target in the activity database;
  
  gathering activity data from a second target in the activity database;
  
  associating at least a first rule of the information management rules to the first target;
  
  evaluating the data stored in the activity database according to a detection algorithm, wherein the detection algorithm detects at least a first condition;
  
  based on the detection algorithm, determining the first condition has occurred, and then associating a second rule to the first target; and
  
  for the first target, controlling usage of information based on the at least first rule of information management rules and the second rule.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1 wherein the first condition comprises the first target has attempted to access a unit of information more than X1 times in a Y1 time period.
  - 3. The method of claim 1 wherein the first condition comprises the first target has attempted to access more than X2 units of information in a Y2 time period.
  - 4. The method of claim 1 wherein the first condition comprises the first target has an aggregated usage time in a program above a time value X3 in a Y3 time period.
  - 5. The method of claim 1 comprising:
    - based on the detection algorithm, determining the first condition has occurred, associating an additional second rule to the first target; and
      
      for the first target, controlling usage of information based on the at least first rule of information management rules and the additional second rule.
  - 6. The method of claim 5 comprising:
    - for a first activity at the first target, evaluating whether the at least first rule of information management rules applies based on the first activity; and
      
      for the first activity at the first target, evaluating whether the additional second rule applies based on the first activity, wherein the additional second rule comprises a first abstraction, the first abstraction is defined in a first definition statement stored separately from the additional second rule and the first abstraction.
  - 7. The method of claim 6 wherein the evaluating whether the additional second rule applies comprises:
    - retrieving the first definition statement;
      
      when evaluating the second rule, replacing the first abstraction of the additional second rule by the first definition statement.
  - 8. The method of claim 7 comprising:
    - evaluating the additional second rule with the replaced first definition statement
  - 9. The method of claim 1 wherein the activity database is stored on the first target.
  - 10. The method of claim 1 wherein the activity database is stored on a server where the plurality of information management rules is stored.
  - 11. The method of claim 1 wherein the activity database is stored on an intelligence server and the plurality of information management rules are stored on a policy server, where the policy and intelligence servers are separate.
  - 12. The method of claim 1 further comprising:
    - based on the detection algorithm, adding the additional second rule to the plurality of information management rules.

13. A method of managing information of a system comprising:
- providing a plurality of information management rules;
  
  providing an activity database;
  
  gathering activity data from a first target in the activity database;
  
  gathering activity data from a second target in the activity database;
  
  associating at least a first rule of the information management rules to the first target;
  
  evaluating the data stored in the activity database according to a detection algorithm, wherein the detection algorithm detects at least a first condition;
  
  based on the detection algorithm, determining the first condition has occurred, and then associating a second rule to the first target;
  
  for the first target, controlling usage of information based on the at least first rule of information management rules and the second rule;
  
  for a first activity at the first target, evaluating whether the at least first rule of information management rules applies based on the first activity; and
  
  for the first activity at the first target, evaluating whether the second rule applies based on the first activity, wherein the second rule comprises a first abstraction, the first abstraction is defined in a first definition statement stored separately from the second rule and the first abstraction.
- View Dependent Claims (14, 15, 16, 17)
- - 14. The method of claim 13 wherein the first condition comprises the first target has attempted to access a unit of information more than X1 times in a Y1 time period.
  - 15. The method of claim 13 wherein the first condition comprises the first target has attempted to access more than X2 units of information in a Y2 time period.
  - 16. The method of claim 13 wherein the first condition comprises the first target has an aggregated usage time in a program above a time value X3 in a Y3 time period.
  - 17. The method of claim 13 comprising:
    - for a first activity at the first target, evaluating whether the at least first rule of information management rules applies based on the first activity; and
      
      for the first activity at the first target, evaluating whether the second rule applies based on the first activity, wherein the second rule comprises a first abstraction, the first abstraction is defined in a first definition statement stored separately from the second rule and the first abstraction.

18. A method of managing information of a system comprising:
- providing a plurality of information management rules;
  
  providing an activity database;
  
  gathering activity data from a first target in the activity database;
  
  gathering activity data from a second target in the activity database;
  
  associating at least a first rule of the information management rules to the first target;
  
  evaluating the data stored in the activity database according to a detection algorithm;
  
  based on the detection algorithm, determining the first condition has occurred, and then associating a second rule to the first target;
  
  for the first target, controlling usage of information based on the at least first rule of information management rules and the second rule;
  
  based on the detection algorithm, determining the first condition has occurred, associating an additional second rule to the first target;
  
  for the first target, controlling usage of information based on the at least first rule of information management rules and the additional second rule;
  
  for a first activity at the first target, evaluating whether the at least first rule of information management rules applies based on the first activity; and
  
  for the first activity at the first target, evaluating whether the additional second rule applies based on the first activity, wherein the additional second rule comprises a first abstraction, the first abstraction is defined in a first definition statement stored separately from the additional second rule and the first abstraction.
- View Dependent Claims (19, 20)
- - 19. The method of claim 18 wherein the first condition comprises the first target has attempted to access a unit of information more than X1 times in a Y1 time period.
  - 20. The method of claim 18 wherein the first condition comprises the first target has attempted to access more than X2 units of information in a Y2 time period.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Nextlabs
Original Assignee
Nextlabs
Inventors
Lim, Keng

Granted Patent

US 9,946,717 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

G06F 11/3438   monitoring of user actions ...

G06F 16/122   using management policies b...

G06F 16/13   File access structures, e.g...

G06F 16/176   Support for shared access t...

G06F 16/93   Document management systems

G06F 21/6218   to a system of files or obj...

G06F 2221/2101   Auditing as a secondary aspect

G06F 9/468   Specific access rights for ...

H04L 63/10   for controlling access to d...

H04L 63/101   Access control lists [ACL]

H04L 63/104   Grouping of entities

H04L 63/105   Multiple levels of security

H04L 63/20   for managing network securi...

H04L 63/205   involving negotiation or de...

Detecting Behavioral Patterns and Anomalies Using Activity Data

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Detecting Behavioral Patterns and Anomalies Using Activity Data

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links