MECHANISMS FOR ANOMALY DETECTION AND ACCESS MANAGEMENT

US 20180288063A1
Filed: 03/29/2018
Published: 10/04/2018
Est. Priority Date: 03/31/2017
Status: Active Grant

First Claim

Patent Images

1. A method for access management of a target resource comprising:

receiving, at a computing system from a client application executing at a computing device, data associated with an access request, the access request requesting access to the target resource on a target system, by a user;

analyzing, by the computing system, the data associated with the access request against data collected concerning interactions between the user and one or more enforcement policies to obtain a rule or policy based risk for the user;

analyzing, by the computing system, the data associated with the access request against a behavior model associated with the user to obtain a behavior based risk for the user;

determining, by the computing system, a threat perception for the user based on the rule or policy based risk for the user and the behavior based risk; and

transmitting, by the computing system, the threat perception score to at least one of;

the target system, the target resource, a visualization server, and an access manager such that the at least one of;

the target system, the target resource, the visualization server, and the access manager allow, challenge, or deny access to the target resource based on the threat perception score for the user.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present disclosure relates generally to threat detection, and more particularly, to techniques for managing user access to resources in an enterprise environment. Some aspects are directed to the concept of managing access to a target resource based on a threat perception of a user that is calculated using a rule or policy based risk for the user and a behavior based risk for the user. Other aspects are directed to preventing insider attacks in a system based on a threat perception for each user logged into the system that is calculated using a rule or policy based risk for each user and a behavior based risk for each user. Yet other aspects are directed to providing a consolidated view of users, applications being accessed by users, and the threat perception, if any, generated for each of the users.

232 Citations

20 Claims

1. A method for access management of a target resource comprising:
- receiving, at a computing system from a client application executing at a computing device, data associated with an access request, the access request requesting access to the target resource on a target system, by a user;
  
  analyzing, by the computing system, the data associated with the access request against data collected concerning interactions between the user and one or more enforcement policies to obtain a rule or policy based risk for the user;
  
  analyzing, by the computing system, the data associated with the access request against a behavior model associated with the user to obtain a behavior based risk for the user;
  
  determining, by the computing system, a threat perception for the user based on the rule or policy based risk for the user and the behavior based risk; and
  
  transmitting, by the computing system, the threat perception score to at least one of;
  
  the target system, the target resource, a visualization server, and an access manager such that the at least one of;
  
  the target system, the target resource, the visualization server, and the access manager allow, challenge, or deny access to the target resource based on the threat perception score for the user.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, further comprising selecting, by the computing system, the behavior model from a plurality of behavior models associated with the user, wherein:
    - (i) the selection is based on the data associated with the access request, (ii) the selected behavior model includes a data cluster generated based on a parameter of data, and (iii) the data associated with the access request includes data associated with the parameter of data.
  - 3. The method of claim 2, further comprising generating, by the computing system, the plurality of behavior models, wherein the generating the plurality of behavior models comprises:
    - obtaining, by the computing system, a plurality of historical access requests associated with the user over a period of time;
      
      identifying, by the computing system, a set of parameters associated with data from the plurality of historical access requests to be monitored; and
      
      analyzing, by the computing system, the data from the plurality of historical access requests against the set of parameters to generate the plurality of behavior models.
  - 4. The method of claim 3, wherein the analyzing the data from the plurality of historical access requests comprises generating, by the computing system, the behavior model by classifying the data from the plurality of historical access requests against the parameter and using a clustering algorithm on the classified data to generate the data cluster.
  - 5. The method of claim 4, wherein the set of parameters to be monitored are identified by the target application on the target system.
  - 6. The method of claim 1, wherein the analyzing the data associated with the access request against the behavior model comprises:
    - (i) determining, by the computing system, a deviation of the access request from one or more data clusters of the behavior model, and (ii) obtaining, by the computing system, the behavior based risk for the user based on the deviation.
  - 7. The method of claim 1, wherein the analyzing the data associated with the access request against the data collected concerning the interactions between the user and the one or more enforcement policies comprises:
    - (i) determining, by the computing system, a number of times that the user successfully or unsuccessfully accessed the target application on the target system, and (ii) obtaining, by the computing system, the rule or policy based risk for the user based on the number of times that the user successfully or unsuccessfully accessed the target application.
  - 8. The method of claim 1, further comprising assigning, by the computing system, a first weight to the rule or policy based risk for the user, and assigning, by the computing system, a second weight to the behavior based risk for the user.

9. A system comprising:
- one or more processors and non-transitory machine readable storage medium;
  
  a distributed environment that includes a user device, a plurality of agents, an access management and threat detection system, an information management system, and target system having a target resource; and
  
  program instructions configured to;
  
  receive, at the information management system from the user device, data associated with an access request, the access request requesting access to the target resource, by a user;
  
  analyze, by the information management system, the data associated with the access request against data collected concerning interactions between the user and one or more enforcement policies deployed within the access management and threat detection system to obtain a rule or policy based risk for the user;
  
  analyze, by the information management system, the data associated with the access request against a behavior model associated with the user to obtain a behavior based risk for the user;
  
  determine, by the information management system, a threat perception for the user based on the rule or policy based risk for the user and the behavior based risk; and
  
  transmit, by the information management system, the threat perception score to the access management and threat detection system such that the access management and threat detection system allows, challenges, or denies access to the target resource based on the threat perception score for the user,wherein the program instructions are stored on the non-transitory machine readable storage medium for execution by the one or more processors.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The system of claim 9, wherein the program instructions are further configured to select, by the information management system, the behavior model from a plurality of behavior models associated with the user, wherein:
    - (i) the selection is based on the data associated with the access request, (ii) the selected behavior model includes a data cluster generated based on a parameter of data, and (iii) the data associated with the access request includes data associated with the parameter of data.
  - 11. The system of claim 10, wherein the program instructions are further configured to generate, by the information management system, the plurality of behavior models, wherein the generating the plurality of behavior models comprises:
    - obtaining, by the access management and threat detection system, a plurality of historical access requests associated with the user over a period of time;
      
      identifying, by the information management system, a set of parameters associated with data from the plurality of historical access requests to be monitored; and
      
      analyzing, by the information management system, the data from the plurality of historical access requests against the set of parameters to generate the plurality of behavior models.
  - 12. The system of claim 11, wherein the analyzing the data from the plurality of historical access requests comprises generating, by the computing system, the behavior model by classifying the data from the plurality of historical access requests against the parameter and using a clustering algorithm on the classified data to generate the data cluster.
  - 13. The system of claim 12, wherein the set of parameters to be monitored are identified by the target application on the target system.
  - 14. The system of claim 9, wherein the analyzing the data associated with the access request against the behavior model comprises:
    - (i) determining, by the information management system, a deviation of the access request from one or more data clusters of the behavior model, and (ii) obtaining, by the information management system, the behavior based risk for the user based on the deviation.
  - 15. The system of claim 9, wherein the analyzing the data associated with the access request against the data collected concerning the interactions between the user and the one or more enforcement policies comprises:
    - (i) determining, by the information management system, a number of times that the user successfully or unsuccessfully accessed the target application on the target system, and (ii) obtaining, by the information management system, the rule or policy based risk for the user based on the number of times that the user successfully or unsuccessfully accessed the target application.
  - 16. The system of claim 9, wherein the program instructions are further configured to assign, by the information management system, a first weight to the rule or policy based risk for the user, and assigning, by the information management system, a second weight to the behavior based risk for the user.

17. A non-transitory machine readable storage medium having instructions stored thereon that when executed by one or more processors cause the one or more processors to perform a method comprising:
- receiving, at an information management system from a user device, data associated with an access request, the access request requesting access to a target resource on a target system, by a user;
  
  analyzing, by the information management system, the data associated with the access request against data collected concerning interactions between the user and one or more enforcement policies deployed within an access management and threat detection system to obtain a rule or policy based risk for the user;
  
  analyzing, by the information management system, the data associated with the access request against a behavior model associated with the user to obtain a behavior based risk for the user;
  
  determining, by the information management system, a threat perception for the user based on the rule or policy based risk for the user and the behavior based risk; and
  
  transmitting, by the information management system, the threat perception score to the access management and threat detection system such that the access management and threat detection system allows, challenges, or denies access to the target resource based on the threat perception score for the user.
- View Dependent Claims (18, 19, 20)
- - 18. The non-transitory machine readable storage medium of claim 17, wherein the analyzing the data associated with the access request against the behavior model comprises:
    - (i) determining, by the information management system, a deviation of the access request from one or more data clusters of the behavior model, and (ii) obtaining, by the information management system, the behavior based risk for the user based on the deviation.
  - 19. The non-transitory machine readable storage medium of claim 17, wherein the analyzing the data associated with the access request against the data collected concerning the interactions between the user and the one or more enforcement policies comprises:
    - (i) determining, by the information management system, a number of times that the user successfully or unsuccessfully accessed the target application on the target system, and (ii) obtaining, by the information management system, the rule or policy based risk for the user based on the number of times that the user successfully or unsuccessfully accessed the target application.
  - 20. The non-transitory machine readable storage medium of claim 17, wherein the method further comprises assigning, by the information management system, a first weight to the rule or policy based risk for the user, and assigning, by the information management system, a second weight to the behavior based risk for the user.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle International Corporation (Oracle Corporation)
Original Assignee
Oracle International Corporation (Oracle Corporation)
Inventors
Koottayi, Vipin, Chathoth, Vikas Pooven, Balakrishnan, Aarathi, Martin, Madhu, Ramakrishanan, Deepak

Granted Patent

US 10,721,239 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

G06F 15/76   Architectures of general pu...

G06F 18/23   Clustering techniques

G06F 21/50   Monitoring users, programs ...

G06F 21/552   involving long-term monitor...

G06N 20/00   Machine learning

H04L 63/102   Entity profiles

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1433   Vulnerability analysis

H04L 67/535   Tracking the activity of th...

MECHANISMS FOR ANOMALY DETECTION AND ACCESS MANAGEMENT

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

232 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

MECHANISMS FOR ANOMALY DETECTION AND ACCESS MANAGEMENT

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

232 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links