IDENTIFYING AND MONITORING NORMAL USER AND USER GROUP INTERACTIONS

US 20180246797A1
Filed: 08/30/2016
Published: 08/30/2018
Est. Priority Date: 08/28/2015
Status: Abandoned Application

First Claim

Patent Images

1. A method of monitoring user interactions within one or more monitored computer systems, comprising the steps of:

receiving metadata from one or more devices within the one or more monitored computer systems;

identifying from the metadata events corresponding to a plurality of user interactions with the monitored computer systems;

storing user interaction event data from the identified said events corresponding to a plurality of user interactions with the monitored computer systems;

determining, using the stored user interaction event data, normal user interaction behaviour; and

storing the determined normal user interaction behaviour as a reference.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The invention relates to a network monitoring system for computer systems. According to an aspect of the invention, there is provided a method for monitoring user interactions within one or more monitored computer systems, comprising the steps of: receiving metadata from one or more devices within the one or more monitored computer systems; identifying from the metadata events corresponding to a plurality of user interactions with the monitored computer systems; storing user interaction event data from the identified said events corresponding to a plurality of user interactions with the monitored computer systems; determining, using the stored user interaction event data, normal user interaction behaviour; and storing the determined normal user interaction behaviour as a reference.

Citations

70 Claims

1. A method of monitoring user interactions within one or more monitored computer systems, comprising the steps of:
- receiving metadata from one or more devices within the one or more monitored computer systems;
  
  identifying from the metadata events corresponding to a plurality of user interactions with the monitored computer systems;
  
  storing user interaction event data from the identified said events corresponding to a plurality of user interactions with the monitored computer systems;
  
  determining, using the stored user interaction event data, normal user interaction behaviour; and
  
  storing the determined normal user interaction behaviour as a reference.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 40, 41)
- - 2. The method of claim 1, further comprising the step of comparing the identified user interaction event data against the reference to evaluate user interactions.
  - 3. The method of claim 1 or 2, wherein a sequence of user interaction events is identified and compared against said reference where the reference is a sequence of events.
  - 4. The method of claim 3, wherein the time between user interaction events in the sequence is compared against the time between events in the reference.
  - 5. The method of any preceding claim, wherein the reference is reference user interaction event data.
  - 6. The method of claim 5, wherein the user interaction event data relates to a first common parameter and the reference is a plurality of user interaction event data that relates to a second common parameter.
  - 7. The method of claim 6, wherein the first common parameter is a first user, and the second common parameter is a second user or a second plurality of users.
  - 8. The method of claim 7, wherein the first user and the second user(s) are in the same user category.
  - 9. The method of claim 8, wherein the first user and the second user(s) are in the same job type.
  - 10. The method of claim 8 or 9, wherein the first user and the second user(s) are in the same industry.
  - 11. The method of any of claims 8 to 10, wherein the first user and the second user(s) are in the same user group.
  - 12. The method of any of claims 5 to 11, wherein the reference user interaction event data comprises historical user interaction event data and/or live user interaction event data.
  - 13. The method of any of claims 5 to 12, wherein the reference user interaction event data comprises user interaction event data from the user and/or user interaction event data from users within the same organisation as the user, and/or user interaction event data from users from different organisations as the user.
  - 14. The method of claim 13, wherein the proportion of user interaction event data from users within the same organisation as the user to user interaction event data from users from different organisations as the user is dependent on a quantity of user interaction event data from users within the same organisation.
  - 15. The method of claim 13 or 14, wherein the proportion of user interaction event data from users within the same organisation as the user to user interaction event data from users from different organisations as the user is dependent on a number of employees in the user'"'"'s organisation.
  - 16. The method of any preceding claim, wherein evaluating user interactions based on the comparison of user interaction event data against a reference comprises identifying a behavioural scenario.
  - 17. The method of any preceding claim, wherein the one or more monitored computer systems are one or more computer networks.
  - 18. The method of any preceding claim, wherein the one or more monitored computer systems are one or more computer devices.
  - 19. The method of any preceding claim, wherein the reference is one or more probabilistic models of expected user interactions from said stored user interaction event data.
  - 20. The method of claim 19, further comprising updating the probabilistic model(s) of expected user interactions from said stored user interaction event data.
  - 21. The method of claim 19 or 20, wherein one or more of the probabilistic models are trained artificial neural networks.
  - 22. The method of any of claims 19 to 21, wherein one or more of the probabilistic models are continuous time models.
  - 23. The method of any of claims 19 to 22, wherein the user interaction event data is further tested against one or more predetermined models developed from previously identified user interaction scenarios.
  - 24. The method of any preceding claim, wherein identifying from the metadata events corresponding to a plurality of user interactions with the monitored computer systems comprises:
    - extracting relevant parameters from computer and/or network device metadata; and
      
      mapping said relevant parameters to a common data schema.
  - 25. The method of any preceding claim, wherein identifying from the metadata events corresponding to a plurality of user interactions with the monitored computer systems comprises identifying additional parameters related to the metadata.
  - 26. The method of any preceding claim, further comprising storing contextual data, wherein said contextual data is related to a user interaction event.
  - 27. The method of claim 26, wherein the user interaction event data is further tested against one or more predetermined models developed from heuristics related to the contextual data.
  - 28. The method of any preceding claim, wherein user interaction event data and, when dependent on claim 26 or 27, the contextual data are stored in a graph database.
  - 29. The method of any preceding claim, wherein metadata and/or the relevant parameters therefrom are stored in an index database.
  - 30. The method of any preceding claim, further comprising comparing user interaction event data against a reference to evaluate user interactions at a scheduled time and/or continuously.
  - 31. The method of any preceding claim, further comprising reporting user interaction event data compared against the reference.
  - 32. The method of any preceding claim, wherein receiving metadata comprises aggregating metadata at a single entry point.
  - 33. The method of any preceding claim, wherein metadata is received at the device via one or more of a third party server instance, a client server within one or more computer networks, or a direct link with the one or more devices.
  - 34. The method of any preceding claim, wherein metadata is extracted from one or more monitored computer systems via one or more of:
    - an application programming interface, a stream from a file server, manual export, application proxy systems, active directory log-in systems, and/or physical data storage.
  - 40. Apparatus for carrying out the method of any of claims 1 to 34.
  - 41. A computer program product comprising software code for carrying out the method of any of claims 1 to 34.

35. Apparatus for monitoring user interactions within one or more monitored computer systems, comprising:
- a metadata-ingesting module configured to receive and aggregate metadata from one or more devices within the one or more monitored computer systems;
  
  a data pipeline module configured to identify from the metadata events corresponding to a plurality of user interactions with the monitored computer systems;
  
  a data store configured to store user interaction event data from the identified said events corresponding to a plurality of user interactions with the monitored computer systems; and
  
  an analysis module arranged to determine, using the stored user interaction event data, normal user interaction behaviour and store the determined normal user interaction behaviour as a reference.
- View Dependent Claims (36, 37, 38, 39)
- - 36. Apparatus according to claim 35, wherein the analysis module is further arranged to compare user interaction event data against the reference to evaluate user interactions.
  - 37. Apparatus according to claim 35 or 36, further comprising a user interface accessible via a web portal and/or mobile application.
  - 38. Apparatus according to claim 37, wherein the user interface may be used to:
    - view metrics, graphs and reports related to identified user interactions, and/or query the data store.
  - 39. Apparatus according to any of claims 35 to 38, further comprising a transfer module configured to aggregate and send at least a portion of the metadata from the one or more devices within the one or more monitored computer systems, wherein the transfer module is within the one or more monitored computer systems.

42. A method for monitoring user interactions within one or more monitored computer networks, comprising the steps of:
- receiving metadata from one or more devices within the one or more monitored computer networks;
  
  identifying from the metadata events corresponding to a plurality of user interactions with the monitored computer networks;
  
  storing user interaction event data from the identified said events corresponding to a plurality of user interactions with the monitored computer networks; and
  
  comparing user interaction event data against a reference to evaluate user interactions.
- View Dependent Claims (43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 62, 67, 68)
- - 43. The method of claim 42, wherein a sequence of user interaction events is identified and compared against said reference where the reference is a sequence of events.
  - 44. The method of claim 43, wherein the time between user interaction events in the sequence is compared against the time between events in the reference.
  - 45. The method of any of claims 42 to 44, wherein the reference is reference user interaction event data.
  - 46. The method of claim 45, wherein the user interaction event data relates to a first common parameter and the reference is a plurality of user interaction event data that relates to a second common parameter.
  - 47. The method of claim 46, wherein the first common parameter is a first user, and the second common parameter is a second user.
  - 48. The method of any of claims 42 to 47, wherein the reference is a probabilistic model of expected user interactions from said stored user interaction event data.
  - 49. The method of claim 48, further comprising updating the probabilistic model of expected user interactions from said stored user interaction event data.
  - 50. The method of claim 48 or 49, wherein the probabilistic model is a trained artificial neural network.
  - 51. The method of any of claims 48 to 50, wherein the probabilistic model is a continuous time model.
  - 52. The method of any of claims 47 to 51, wherein the user interaction event data is further tested against one or more predetermined models developed from previously identified user interaction scenarios.
  - 53. The method of any of claims 42 to 52, wherein identifying from the metadata events corresponding to a plurality of user interactions with the monitored computer networks comprises:
    - extracting relevant parameters from computer and/or network device metadata; and
      
      mapping said relevant parameters to a common data schema.
  - 54. The method of any of claims 42 to 53, wherein identifying from the metadata events corresponding to a plurality of user interactions with the monitored computer networks comprises identifying additional parameters related to the metadata.
  - 55. The method of any of claims 42 to 54, further comprising storing contextual data, wherein said contextual data is related to a user interaction event.
  - 56. The method of claim 55, wherein the user interaction event data is further tested against one or more predetermined models developed from heuristics related to the contextual data.
  - 57. The method of any of claims 42 to 56, wherein user interaction event data and, when dependent on claim 55 or 56, the contextual data are stored in a graph database.
  - 58. The method of any of claims 42 to 57, wherein metadata and/or the relevant parameters therefrom are stored in an index database.
  - 59. The method of any of claims 42 to 58, further comprising reporting user interaction event data compared against the reference.
  - 60. The method of any of claims 42 to 59, wherein receiving metadata comprises aggregating metadata at a single entry point.
  - 61. The method of any of claims 42 to 60, wherein metadata is received at the device via one or more of a third party server instance, a client server within one or more computer networks, or a direct link with the one or more devices.
  - 62. The method of any of claims 42 to 61, wherein metadata is extracted from one or more monitored computer networks via one or more of:
    - an application programming interface, a stream from a file server, manual export, application proxy systems, active directory log-in systems, and/or physical data storage.
  - 67. Apparatus for carrying out the method of any of claims 42 to 62.
  - 68. A computer program product comprising software code for carrying out the method of any of claims 42 to 62.

63. Apparatus for monitoring user interactions within one or more monitored computer networks, comprising:
- a metadata-ingesting module configured to receive and aggregate metadata from one or more devices within the one or more monitored computer networks;
  
  a data pipeline module configured to identify from the metadata events corresponding to a plurality of user interactions with the monitored computer networks;
  
  a data store configured to store user interaction event data from the identified said events corresponding to a plurality of user interactions with the monitored computer networks; and
  
  an analysis module arranged to compare user interaction event data against a reference to evaluate user interactions.
- View Dependent Claims (64, 65, 66)
- - 64. Apparatus according to claim 63, further comprising a user interface accessible via a web portal and/or mobile application.
  - 65. Apparatus according to claim 64, wherein the user interface may be used to:
    - view metrics, graphs and reports related to identified user interactions, and/or query the data store.
  - 66. Apparatus according to any of claims 63 to 65, further comprising a transfer module configured to aggregate and send at least a portion of the metadata from the one or more devices within the one or more monitored computer networks, wherein the transfer module is within the one or more monitored computer networks.

69. A method substantially as herein described and/or as illustrated with reference to the accompanying figures.

70. Apparatus substantially as herein described and/or as illustrated with reference to the accompanying figures.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Ankur Modi, Mircea Danila-Dumitrescu
Original Assignee
Ankur Modi, Mircea Danila-Dumitrescu
Inventors
MODI, Ankur, DANILA-DUMITRESCU, Mircea

Application Number

US15/756,069
Publication Number

US 20180246797A1
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

G06F 11/3024   where the computing system ...

G06F 11/3438   monitoring of user actions ...

G06F 11/3476   Data logging G06F11/14, G06...

G06F 16/22   Indexing; Data structures t...

G06N 3/08   Learning methods

G06N 7/01   Probabilistic graphical mod...

G06Q 10/06398   Performance of employee wit...

IDENTIFYING AND MONITORING NORMAL USER AND USER GROUP INTERACTIONS

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

Citations

70 Claims

Specification

Solutions

Use Cases

Quick Links

IDENTIFYING AND MONITORING NORMAL USER AND USER GROUP INTERACTIONS

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

70 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links