Detecting Malicious User Activity

US 20170286671A1
Filed: 03/31/2016
Published: 10/05/2017
Est. Priority Date: 03/31/2016
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for detecting malicious user activity, the computer-implemented method comprising:

generating, by a computer, a profile for a user that accesses a set of protected assets, the profile generated based on static information representing an organizational view and associated attributes corresponding to the user and based on dynamic information representing observable actions made by the user;

applying, by the computer, a plurality of analytics on the profile corresponding to the user to generate an aggregate risk score for the user accessing the set of protected assets based on the applying of the plurality of analytics on the profile of the user;

generating, by the computer, a malicious user activity alert in response to the aggregate risk score for the user accessing the set of protected assets being greater than an alert threshold value; and

sending, by the computer, the malicious user activity alert to an analyst for feedback.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Detecting malicious user activity is provided. A profile for a user that accesses a set of protected assets is generated based on static information representing an organizational view and associated attributes corresponding to the user and based on dynamic information representing observable actions made by the user. A plurality of analytics is applied on the profile corresponding to the user to generate an aggregate risk score for the user accessing the set of protected assets based on applying the plurality of analytics on the profile of the user. A malicious user activity alert is generated in response to the aggregate risk score for the user accessing the set of protected assets being greater than an alert threshold value. The malicious user activity alert is sent to an analyst for feedback.

154 Citations

20 Claims

1. A computer-implemented method for detecting malicious user activity, the computer-implemented method comprising:
- generating, by a computer, a profile for a user that accesses a set of protected assets, the profile generated based on static information representing an organizational view and associated attributes corresponding to the user and based on dynamic information representing observable actions made by the user;
  
  applying, by the computer, a plurality of analytics on the profile corresponding to the user to generate an aggregate risk score for the user accessing the set of protected assets based on the applying of the plurality of analytics on the profile of the user;
  
  generating, by the computer, a malicious user activity alert in response to the aggregate risk score for the user accessing the set of protected assets being greater than an alert threshold value; and
  
  sending, by the computer, the malicious user activity alert to an analyst for feedback.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The computer-implemented method of claim 1 further comprising:
    - blocking, by the computer, the user from accessing the set of protected assets based on the malicious user activity alert.
  - 3. The computer-implemented method of claim 1 further comprising:
    - applying, by the computer, the feedback to the malicious user activity alert; and
      
      prioritizing, by the computer, the malicious user activity alert based on the applied feedback.
  - 4. The computer-implemented method of claim 1, wherein the static information representing the organizational view and associated attributes corresponding to the user includes:
    - information in human resource records of the user;
      
      information regarding the user in a directory of employees of an enterprise that employs the user;
      
      identity management information of the user including asset access account and privilege information, roles, and work-related groups of the user;
      
      configuration management database information including information regarding information technology assets owned or administered by the user; and
      
      social networks the user belongs to.
  - 5. The computer-implemented method of claim 1, wherein the dynamic information representing observable actions made by the user includes:
    - activities performed by the user on social networks;
      
      communication patterns of the user on the social networks;
      
      work-related asset access activities performed by the user;
      
      network and device access behaviors of the user;
      
      external threat feeds associated with the user;
      
      enterprise physical facility access behaviors of the user; and
      
      past asset access behavior of the user.
  - 6. The computer-implemented method of claim 1 further comprising:
    - identifying, by the computer, dependencies between analytics in the plurality of analytics of a malicious user activity detector based on data input corresponding to a defined window of time; and
      
      determining, by the computer, whether an unprocessed data input exists from at least one dependent analytic of a selected analytic in the plurality of analytics.
  - 7. The computer-implemented method of claim 6 further comprising:
    - responsive to the computer determining that an unprocessed data input does not exist from at least one dependent analytic of the selected analytic, waiting, by the computer, for the unprocessed data input from the at least one dependent analytic; and
      
      responsive to the computer determining that an unprocessed data input does exist from the at least one dependent analytic of the selected analytic, scheduling, by the computer, the selected analytic to process the input data corresponding to the defined window of time.
  - 8. The computer-implemented method of claim 6 further comprising:
    - responsive to the computer determining that another analytic does not exist in the plurality of analytics, aggregating, by the computer, results of the plurality of analytics processing the input data corresponding to the defined window of time.
  - 9. The computer-implemented method of claim 1 further comprising:
    - receiving, by the computer, input data corresponding to the user accessing the set of protected assets in one of a steam or a batch; and
      
      aggregating, by the computer, the input data corresponding to the user into a set of one or more defined windows based on at least one of time and the user.
  - 10. The computer-implemented method of claim 9 further comprising:
    - extracting, by the computer, features from the aggregated input data corresponding to the user; and
      
      feeding, by the computer, the extracted features from the aggregated input data corresponding to the user into selected analytics of a plurality of analytics of a malicious user activity detector for processing.
  - 11. The computer-implemented method of claim 10 further comprising:
    - determining, by the computer, whether other analytics in the plurality of analytics depend on a data output of the selected analytics;
      
      responsive to the computer determining that other analytics in the plurality of analytics do depend on the data output of the selected analytics, feeding, by the computer, the extracted features into the other analytics that dependent on the data output of the selected analytics; and
      
      responsive to the computer determining that other analytics in the plurality of analytics do not depend on the data output of the selected analytics, collecting, by the computer, data outputs of the plurality of analytics processing the extracted features.

12. A computer system for detecting malicious user activity, the computer system comprising:
- a bus system;
  
  a storage device connected to the bus system, wherein the storage device stores program instructions; and
  
  a processor connected to the bus system, wherein the processor executes the program instructions to;
  
  generate a profile for a user that accesses a set of protected assets, the profile generated based on static information representing an organizational view and associated attributes corresponding to the user and based on dynamic information representing observable actions made by the user;
  
  apply a plurality of analytics on the profile corresponding to the user to generate an aggregate risk score for the user accessing the set of protected assets based on applying the plurality of analytics on the profile of the user;
  
  generate a malicious user activity alert in response to the aggregate risk score for the user accessing the set of protected assets being greater than an alert threshold value; and
  
  send the malicious user activity alert to an analyst for feedback.
- View Dependent Claims (13, 14)
- - 13. The computer system of claim 12, wherein the processor further executes the program instructions to:
    - block the user from accessing the set of protected assets based on the malicious user activity alert.
  - 14. The computer system of claim 12, wherein the processor further executes the program instructions to:
    - apply the feedback to the malicious user activity alert; and
      
      prioritize the malicious user activity alert based on the applied feedback.

15. A computer program product for detecting malicious user activity, the computer program product comprising a computer readable storage medium having program instructions embodied therewith, the program instructions executable by a computer to cause the computer to perform a method comprising:
- generating, by a computer, a profile for a user that accesses a set of protected assets, the profile generated based on static information representing an organizational view and associated attributes corresponding to the user and based on dynamic information representing observable actions made by the user;
  
  applying, by the computer, a plurality of analytics on the profile corresponding to the user to generate an aggregate risk score for the user accessing the set of protected assets based on the applying of the plurality of analytics on the profile of the user;
  
  generating, by the computer, a malicious user activity alert in response to the aggregate risk score for the user accessing the set of protected assets being greater than an alert threshold value; and
  
  sending, by the computer, the malicious user activity alert to an analyst for feedback.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The computer program product of claim 15 further comprising:
    - blocking, by the computer, the user from accessing the set of protected assets based on the malicious user activity alert.
  - 17. The computer program product of claim 15 further comprising:
    - applying, by the computer, the feedback to the malicious user activity alert; and
      
      prioritizing, by the computer, the malicious user activity alert based on the applied feedback.
  - 18. The computer program product of claim 15, wherein the static information representing the organizational view and associated attributes corresponding to the user includes:
    - information in human resource records of the user;
      
      information regarding the user in a directory of employees of an enterprise that employs the user;
      
      identity management information of the user including asset access account and privilege information, roles, and work-related groups of the user;
      
      configuration management database information including information regarding information technology assets owned or administered by the user; and
      
      social networks the user belongs to.
  - 19. The computer program product of claim 15, wherein the dynamic information representing observable actions made by the user includes:
    - activities performed by the user on social networks;
      
      communication patterns of the user on the social networks;
      
      work-related asset access activities performed by the user;
      
      network and device access behaviors of the user;
      
      external threat feeds associated with the user;
      
      enterprise physical facility access behaviors of the user; and
      
      past asset access behavior of the user.
  - 20. The computer program product of claim 15 further comprising:
    - identifying, by the computer, dependencies between analytics in the plurality of analytics of a malicious user activity detector based on data input corresponding to a defined window of time; and
      
      determining, by the computer, whether an unprocessed data input exists from at least one dependent analytic of a selected analytic in the plurality of analytics.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Chari, Suresh N., Habeck, Ted A., Molloy, Ian M., Park, Youngja, Rao, Josyula R., Teiken, Wilfried

Granted Patent

US 10,599,837 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/552 involving long-term monitor...

G06F 2221/034 Test or assess a computer o...

Detecting Malicious User Activity

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

154 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Detecting Malicious User Activity

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

154 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links