Identifying Changes in Use of User Credentials

US 20180069893A1
Filed: 09/04/2017
Published: 03/08/2018
Est. Priority Date: 09/05/2016
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

extracting, from initial data transmitted on a data network comprising a set of resources accessed by a set of training users, a plurality of events, each of the events comprising a given training user accessing a given resource;

creating first and second sets of records, each given record in the first set comprising a sub-group of the extracted events of a single training user, each given record in the second set comprising a sub-group of the events of a plurality of the training users during respective sub-periods of a training period;

assigning safe labels to the records in the first set and suspicious labels to the records in the second set;

performing, by a processor, an analysis to fit, to the records in the first and the second sets and their respective labels, a model for predicting the label for a given record;

filtering, using the model, subsequent data transmitted on the data network to identify, in the subsequent data, sequences of events predicted to be labeled suspicious by the model; and

upon detecting a given sequence of events predicted as suspicious by the model, generating an alert.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method including extracting, from initial data transmitted on a network, multiple events, each of the events including a user accessing a resource. First and second sets of records are created, each first set record including a sub-group of the events of a user, each second set record including a sub-group of the events of a multiple users during respective sub-periods of a training period. Safe labels are assigned to the first set records and suspicious labels are assigned to the second set records. An analysis fits, to the first and the second set records and their respective labels, a model for predicting the label for a given record. The model filters subsequent network data to identify, in the subsequent data, sequences of events predicted to be labeled suspicious by the model, and upon detecting a given sequence of events predicted as suspicious by the model, an alert is generated.

25 Citations

View as Search Results

17 Claims

1. A method, comprising:
- extracting, from initial data transmitted on a data network comprising a set of resources accessed by a set of training users, a plurality of events, each of the events comprising a given training user accessing a given resource;
  
  creating first and second sets of records, each given record in the first set comprising a sub-group of the extracted events of a single training user, each given record in the second set comprising a sub-group of the events of a plurality of the training users during respective sub-periods of a training period;
  
  assigning safe labels to the records in the first set and suspicious labels to the records in the second set;
  
  performing, by a processor, an analysis to fit, to the records in the first and the second sets and their respective labels, a model for predicting the label for a given record;
  
  filtering, using the model, subsequent data transmitted on the data network to identify, in the subsequent data, sequences of events predicted to be labeled suspicious by the model; and
  
  upon detecting a given sequence of events predicted as suspicious by the model, generating an alert.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method according to claim 1, wherein filtering the subsequent data comprises extracting, from the data transmitted on the data network between a set of resources accessed by a set of production users, a plurality of additional events, and creating respective sequences of the additional events for the production users, and wherein using the model comprises applying the model to the sequences of the additional events.
  - 3. The method according to claim 1, wherein the analysis comprises a machine learning algorithm.
  - 4. The method according to claim 1, wherein a given event comprises a given training user accessing a given resource.
  - 5. The method according to claim 1, wherein a given resource comprises a server.
  - 6. The method according to claim 1, wherein the data network comprises a workstation comprising a log, wherein a given training user is logged into the workstation, wherein the log comprising actions performed by the resource for a given training user, and wherein the data comprises the log.
  - 7. The method according to claim 1, wherein the data network comprises a workstation, wherein a given training user is logged into the workstation, and where in the extracted data comprises data packets transmitted between the workstation and the resources.
  - 8. The method according to claim 1, wherein the plurality of the training users comprise two training users, and wherein the respective sub-periods comprise two non-overlapping time periods within the training period.

9. An apparatus, comprising:
- a memory; and
  
  a processor configured;
  
  to extract, from initial data transmitted on a data network comprising a set of resources accessed by a set of training users, a plurality of events, each of the events comprising a given training user accessing a given resource,to create, in the memory, first and second sets of records, each given record in the first set comprising a sub-group of the extracted events of a single training user, each given record in the second set comprising a sub-group of the events of a plurality of the training users during respective sub-periods of a training period,to assign safe labels to the records in the first set and suspicious labels to the records in the second set,to perform an analysis to fit, to the records in the first and the second sets and their respective labels, a model for predicting the label for a given record,to filter, using the model, subsequent data transmitted on the data network to identify, in the subsequent data, sequences of events predicted to be labeled suspicious by the model, andupon detecting a given sequence of events predicted as suspicious by the model, to generate an alert.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The apparatus according to claim 9, wherein the processor is configured to filter the subsequent data by extracting, from the data transmitted on the data network between a set of resources accessed by a set of production users, a plurality of additional events, and creating respective sequences of the additional events for the production users, and wherein the processor is configured to use the model by applying the model to the sequences of the additional events.
  - 11. The apparatus according to claim 9, wherein the analysis comprises a machine learning algorithm.
  - 12. The apparatus according to claim 9, wherein a given event comprises a given training user accessing a given resource.
  - 13. The apparatus according to claim 9, wherein a given resource comprises a server.
  - 14. The apparatus according to claim 9, wherein the data network comprises a workstation comprising a log, wherein a given training user is logged into the workstation, wherein the log comprising actions performed by the server for a given training user, and wherein the data comprises the log.
  - 15. The apparatus according to claim 9, wherein the data network comprises a workstation, wherein a given training user is logged into the workstation, and where in the extracted data comprises data packets transmitted between the workstation and the resources.
  - 16. The apparatus according to claim 9, wherein the plurality of the training users comprise two training users, and wherein the respective sub-periods comprise two non-overlapping time periods within the training period.

17. A computer software product, the product comprising a non-transitory computer-readable medium, in which program instructions are stored, which instructions, when read by a computer, cause the computer:
- to extract, from initial data transmitted on a data network comprising a set of resources accessed by a set of training users, a plurality of events, each of the events comprising a given training user accessing a given resource;
  
  to create first and second sets of records, each given record in the first set comprising a sub-group of the extracted events of a single training user, each given record in the second set comprising a sub-group of the events of a plurality of the training users during respective sub-periods of a training period;
  
  to assign safe labels to the records in the first set and suspicious labels to the records in the second set;
  
  to perform an analysis to fit, to the records in the first and the second sets and their respective labels, a model for predicting the label for a given record;
  
  to filter, using the model, subsequent data transmitted on the data network to identify, in the subsequent data, sequences of events predicted to be labeled suspicious by the model; and
  
  upon detecting a given sequence of events predicted as suspicious by the model, to generate an alert.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Palo Alto Networks (UK) Ltd. (Palo Alto Networks Incorporated)
Original Assignee
Light Cyber Ltd.
Inventors
Amit, Idan, Firstenberg, Eyal, Allon, Jonathan, Neuman, Yaron

Granted Patent

US 10,686,829 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/552   involving long-term monitor...

G06F 21/554   involving event detection a...

G06N 20/00   Machine learning

G06N 5/04   Inference or reasoning models

H04L 63/0245   Filtering by information in...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1441   Countermeasures against mal...

Identifying Changes in Use of User Credentials

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

25 Citations

17 Claims

Specification

Use Cases

Quick Links

Others

Identifying Changes in Use of User Credentials

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

25 Citations

17 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others