Identifying security breaches from clustering properties

US 20170295189A1
Filed: 04/11/2016
Published: 10/12/2017
Est. Priority Date: 04/11/2016
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method of identifying security breaches in a computer system comprising:

monitoring behavior of users or resources of at least one computer system and storing information on the monitored behaviors;

analyzing the stored information on the monitored behaviors to generate clusters and train clustering models;

receiving information relating to labeling to a user or resource;

determining and scoring anomalies between a user or resource and at least one cluster to which the user or resource has been assigned;

detecting a user or resource to be an outlier of at least one cluster to which the user or resource has been assigned; and

generating an alert indicating detection of the outlier.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Embodiments of the present invention may provide the capability to identify security breaches in computer systems from clustering properties of clusters generated based on monitored behavior of users of the computer systems by using techniques that provide improved performance and reduced resource requirements. For example, behavior of users or resources may be monitored and analyzed to generate clusters and train clustering models. Labeling information relating to some user or resource may be received. When users or resources are clustered and when a cluster contains some labeled users/resources then an anomaly score can be determined for a user/resource belonging to the cluster. A user or resource may be detected to be an outlier of at least one cluster to which the user or resource has been assigned, and an alert indicating detection of the outlier may be generated.

Citations

18 Claims

1. A computer-implemented method of identifying security breaches in a computer system comprising:
- monitoring behavior of users or resources of at least one computer system and storing information on the monitored behaviors;
  
  analyzing the stored information on the monitored behaviors to generate clusters and train clustering models;
  
  receiving information relating to labeling to a user or resource;
  
  determining and scoring anomalies between a user or resource and at least one cluster to which the user or resource has been assigned;
  
  detecting a user or resource to be an outlier of at least one cluster to which the user or resource has been assigned; and
  
  generating an alert indicating detection of the outlier.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, wherein the clusters are generated based on the stored information on the monitored behaviors without using labeling information.
  - 3. The method of claim 2, wherein outliers are detected using the labeling information.
  - 4. The method of claim 1, wherein an alert is not generated until an anomaly score of a user or resource reaches a threshold value.
  - 5. The method of claim 4, wherein the anomaly score of a user or resource is increased if the user or resource has labeling information or labelled behavior different than labeling information or labelled behavior of a majority of users or resources assigned to a cluster to which the user or resource is assigned.
  - 6. The method of claim 4, wherein the anomaly score of a user or resource is increased when a cluster assignment of the user or resource is moved to a differently labeled cluster, or when the user or resource is first assigned to a cluster.

7. A system for identifying security breaches in a computer system, the system comprising a processor, memory accessible by the processor, and computer program instructions stored in the memory and executable by the processor to perform:
- monitoring behavior of users or resources of at least one computer system and storing information on the monitored behaviors;
  
  analyzing the stored information on the monitored behaviors to generate clusters and train clustering models;
  
  receiving information relating to labeling to a user or resource;
  
  determining and scoring anomalies between a user or resource and at least one cluster to which the user or resource has been assigned;
  
  detecting a user or resource to be an outlier of at least one cluster to which the user or resource has been assigned; and
  
  generating an alert indicating detection of the outlier.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The system of claim 7, wherein the clusters are generated based on the stored information on the monitored behaviors without using labeling information.
  - 9. The system of claim 8, wherein outliers are detected using the labeling information.
  - 10. The system of claim 7, wherein an alert is not generated until an anomaly score of a user or resource reaches a threshold value.
  - 11. The system of claim 10, wherein the anomaly score of a user or resource is increased if the user or resource has labeling information or labelled behavior different than labeling information or labelled behavior of a majority of users or resources assigned to a cluster to which the user or resource is assigned.
  - 12. The system of claim 10, wherein the anomaly score of a user or resource is increased when a cluster assignment of the user or resource is moved to a differently labeled cluster, or when the user or resource is first assigned to a cluster.

13. A computer program product for identifying security breaches in a computer system, the computer program product comprising a non-transitory computer readable storage having program instructions embodied therewith, the program instructions executable by a computer, to cause the computer to perform a method comprising:
- monitoring behavior of users or resources of at least one computer system and storing information on the monitored behaviors;
  
  analyzing the stored information on the monitored behaviors to generate clusters and train clustering models;
  
  receiving information relating to labeling to a user or resource;
  
  determining and scoring anomalies between a user or resource and at least one cluster to which the user or resource has been assigned;
  
  detecting a user or resource to be an outlier of at least one cluster to which the user or resource has been assigned; and
  
  generating an alert indicating detection of the outlier.
- View Dependent Claims (14, 15, 16, 17, 18)
- - 14. The computer program product of claim 13, wherein the clusters are generated based on the stored information on the monitored behaviors without using labeling information.
  - 15. The computer program product of claim 14, wherein outliers are detected using the labeling information.
  - 16. The computer program product of claim 13, wherein an alert is not generated until an anomaly score of a user or resource reaches a threshold value.
  - 17. The computer program product of claim 16, wherein the anomaly score of a user or resource is increased if the user or resource has labeling information or labelled behavior different than labeling information or labelled behavior of a majority of users or resources assigned to a cluster to which the user or resource is assigned.
  - 18. The computer program product of claim 16, wherein the anomaly score of a user or resource is increased when a cluster assignment of the user or resource is moved to a differently labeled cluster, or when the user or resource is first assigned to a cluster.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
ADIR, ALLON, Aharoni, Ehud, Greenberg, Lev, Margalit, Oded, Miroshnikov, Rosa, Sofer, Oded, Rozenberg, Boris

Granted Patent

US 10,831,785 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

G06F 16/285   Clustering or classification

G06N 20/00   Machine learning

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

Identifying security breaches from clustering properties

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Identifying security breaches from clustering properties

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links