COMPUTER-IMPLEMENTED METHOD FOR DETERMINING COMPUTER SYSTEM SECURITY THREATS, SECURITY OPERATIONS CENTER SYSTEM AND COMPUTER PROGRAM PRODUCT

US 20180167402A1
Filed: 09/23/2015
Published: 06/14/2018
Est. Priority Date: 05/05/2015
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for determining computer system security threats, the computer system including user accounts established on the computer system, the method including the steps of:

(i) for a plurality of user accounts, assigning a risk level to each account;

(ii) in a time interval, for a plurality of events, wherein each event is linked to a respective user account, assigning an event score relating to deviation from normal behavior of each event with respect to the respective user account;

(iii) in the time interval, for the plurality of events, calculating an event importance which is a function of the respective event score and the respective user account risk level;

(iv) prioritizing the plurality of events by event importance, and(v) providing a record of the plurality of events, prioritized by event importance.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computer-implemented method for determining computer system security threats, the computer system including user accounts established on the computer system, the method including the steps of: (i) for a plurality of user accounts, assigning a risk level to each account; (ii) in a time interval, for a plurality of events, wherein each event is linked to a respective user account, assigning an event score relating to deviation from normal behavior of each event with respect to the respective user account; (iii) in the time interval, for the plurality of events, calculating an event importance which is a function of the respective event score and the respective user account risk level; (iv) prioritizing the plurality of events by event importance, and (v) providing a record of the plurality of events, prioritized by event importance.

104 Citations

View as Search Results

93 Claims

1. A computer-implemented method for determining computer system security threats, the computer system including user accounts established on the computer system, the method including the steps of:
- (i) for a plurality of user accounts, assigning a risk level to each account;
  
  (ii) in a time interval, for a plurality of events, wherein each event is linked to a respective user account, assigning an event score relating to deviation from normal behavior of each event with respect to the respective user account;
  
  (iii) in the time interval, for the plurality of events, calculating an event importance which is a function of the respective event score and the respective user account risk level;
  
  (iv) prioritizing the plurality of events by event importance, and(v) providing a record of the plurality of events, prioritized by event importance.
- View Dependent Claims (16, 25, 26, 28, 29, 31, 32, 39, 40, 52, 53)
- - 16. The method of claim 1, wherein user behavior profiles are created and are continually adjusted using machine learning.
  - 25. The method of claim 1, including the step of providing a web-based user interface in which activities, hosts, and user accounts may be checked and in which results are made available.
  - 26. The method of claim 1, including the step of presenting a user interface in which events are presented and ranked by their security risk importance, or including the step of presenting a user interface in which user accounts are presented and ranked by their highest event security risk importance.
  - 28. The method of claim 1, including the step of presenting a user interface in which remote IP addresses are presented and ranked by their highest event security risk importance.
  - 29. The method of claim 1, including the step of presenting histograms, distributions, baseline visualisation for peer groups and for an entire company based on typical behavior.
  - 31. The method of claim 1, including the step of building a unique profile of individual users with cooperation of a Shell Control Box (SCB) which records all user activity at an application layer.
  - 32. The method of claim 31 in which the SCB has information on user sessions and meta information on connections and details of user activities in the sessions.
  - 39. The method of claim 1, wherein data may be accessed using a Representational State Transfer (REST) application programming interface (API) for integration into existing monitoring infrastructure.
  - 40. The method of claim 1, including the step of analyzing application logs and other sources to find anomalies and suspicious activity, including the step of automatically disabling a user account in response when an anomaly is detected and, including the step of starting session recording as an automatic response when an anomaly is detected.
  - 52. The method of claim 1, wherein the system gets data from other systems including Logs, audit-trails, and information on user activities.
  - 53. The method of claim 1, including the system using at least two data sources, including Contextual information sources and raw user activity data sources, wherein contextual information sources are one or more of:
    - Information on users, hosts, but not actual activities, or wherein contextual information sources are one or more of;
      
      Active Directory (AD), Lightweight Directory Access Protocol (LDAP), human resources (HR)-system, IT-asset database (DB), and wherein raw user activity data sources include one or more of;
      
      logs, SSB/syslog-ng/SIEM logs, SCB logs, databases logs, csv files logs, and application data through application programming interfaces.

2-15. -15. (canceled)

17-24. -24. (canceled)

27. (canceled)

30. (canceled)

33-38. -38. (canceled)

41-51. -51. (canceled)

54-81. -81. (canceled)

82. A security operations center system including a processor, the processor programmed to execute a computer-implemented method for determining computer system security threats, the computer system including user accounts established on the computer system, wherein data relating to the user accounts is accessible to the processor, the processor programmed to:
- (i) for a plurality of user accounts, assign a risk level to each account;
  
  (ii) in a time interval, for a plurality of events, wherein each event is linked to a respective user account, assign an event score relating to deviation from normal behavior of each event with respect to the respective user account;
  
  (iii) in the time interval, for the plurality of events, calculate an event importance which is a function of the respective event score and the respective user account risk level;
  
  (iv) prioritize the plurality of events by event importance, and(v) provide a record of the plurality of events, prioritized by event importance.
- View Dependent Claims (83, 84, 85, 86, 87, 88, 89, 90)
- - 83. The security operations center system of claim 82, wherein the security operations center system is provided as a platform product.
  - 84. The security operations center system of claim 82, wherein the system provides a command line interface for managing system installation and running maintenance jobs.
  - 85. The security operations center system of claim 82, wherein Behavior Analysis as a Service (BaaaS) is provided, wherein Cloud offering of the system is provided for customers who do not want to use an on-premise installation.
  - 86. The security operations center system of claim 85, wherein through cloud integration the system is usable to compare user activities &
    - analytics with other organizations baselines.
  - 87. The security operations center system of claim 86, wherein shared information includes one or more of:
    - User risk histogram, algorithm parameters, algorithm weights, activity numbers, average baseline, baseline outliers, min/max/average/stddev score given by algorithms/baselines, false-negative activities with baselines, anonymous clusters.
  - 88. The security operations center system of claim 82, wherein one installation of the system can serve multiple customers, wherein Database, configuration, and user interface are all separated between instances.
  - 89. The security operations center system of claim 82, wherein the system is installed on a Linux system, including database servers, web-server, Initial data import, and automatic job setup.
  - 90. The security operations center system of claim 82, wherein the system can load historical data from data sources.

91. (canceled)

92. A computer program product executable on a processor to perform a computer-implemented method for determining computer system security threats, the computer system including user accounts established on the computer system, wherein data relating to the user accounts is accessible to the processor, the computer program product executable to:
- (i) for a plurality of user accounts, assign a risk level to each account;
  
  (ii) in a time interval, for a plurality of events, wherein each event is linked to a respective user account, assign an event score relating to deviation from normal behavior of each event with respect to the respective user account;
  
  (iii) in the time interval, for the plurality of events, calculate an event importance which is a function of the respective event score and the respective user account risk level;
  
  (iv) prioritize the plurality of events by event importance, and(v) provide a record of the plurality of events, prioritized by event importance.

93-151. -151. (canceled)

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Balabit (Quest Software, Inc.)
Original Assignee
Balabit (Quest Software, Inc.)
Inventors
SCHEIDLER, Balazs, ILLES, Marton

Granted Patent

US 10,681,060 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/552   involving long-term monitor...

G06F 21/554   involving event detection a...

G06F 21/566   Dynamic detection, i.e. det...

G06F 21/577   Assessing vulnerabilities a...

G06N 20/00   Machine learning

G06Q 10/06393   Score-carding, benchmarking...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1433   Vulnerability analysis

COMPUTER-IMPLEMENTED METHOD FOR DETERMINING COMPUTER SYSTEM SECURITY THREATS, SECURITY OPERATIONS CENTER SYSTEM AND COMPUTER PROGRAM PRODUCT

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

104 Citations

93 Claims

Specification

Solutions

Use Cases

Quick Links

COMPUTER-IMPLEMENTED METHOD FOR DETERMINING COMPUTER SYSTEM SECURITY THREATS, SECURITY OPERATIONS CENTER SYSTEM AND COMPUTER PROGRAM PRODUCT

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

104 Citations

93 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links