RISK SCORES FOR ENTITIES

US 20180336353A1
Filed: 05/16/2017
Published: 11/22/2018
Est. Priority Date: 05/16/2017
Status: Active Grant

First Claim

Patent Images

1. A non-transitory machine-readable storage medium storing instructions that upon execution cause a system to:

receive anomaly scores regarding an entity from a plurality of detectors;

produce a weighted anomaly score for the entity based on the anomaly scores and respective weights assigned to the plurality of detectors, the weights based on historical performance of the plurality of detectors;

determine an impact based on a context of the entity, wherein the impact is indicative of an effect that the entity would have on a computing environment if the entity were to exhibit anomalous behavior; and

compute a risk score for the entity based on the weighted anomaly score and the determined impact.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In some examples, a system receives anomaly scores regarding an entity from a plurality of detectors, produces a weighted anomaly score for the entity based on the anomaly scores and respective weights assigned to the plurality of detectors, the weights based on historical performance of the plurality of detectors, determines an impact based on a context of the entity, wherein the impact is indicative of an effect that the entity would have on a computing environment if the entity were to exhibit anomalous behavior, and computes a risk score for the entity based on the weighted anomaly score and the determined impact.

121 Citations

20 Claims

1. A non-transitory machine-readable storage medium storing instructions that upon execution cause a system to:
- receive anomaly scores regarding an entity from a plurality of detectors;
  
  produce a weighted anomaly score for the entity based on the anomaly scores and respective weights assigned to the plurality of detectors, the weights based on historical performance of the plurality of detectors;
  
  determine an impact based on a context of the entity, wherein the impact is indicative of an effect that the entity would have on a computing environment if the entity were to exhibit anomalous behavior; and
  
  compute a risk score for the entity based on the weighted anomaly score and the determined impact.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The non-transitory machine-readable storage medium of claim 1, wherein the impact is represented by a static impact score based on a static context of the entity, wherein the static context comprises a static attribute that does not vary with a change in a setting of the entity, and wherein the instructions upon execution cause the system to further:
    - determine a dynamic impact score based on a dynamic context of the entity, the dynamic context comprising a dynamic attribute that changes with a change in the setting of the entity,wherein the risk score is computed based on the weighted anomaly score, the static impact score, and the dynamic impact score.
  - 3. The non-transitory machine-readable storage medium of claim 2, wherein the change in setting comprises a change in time or a change in location.
  - 4. The non-transitory machine-readable storage medium of claim 1, wherein the anomaly scores are from a plurality of different types of detectors that apply different anomaly detection techniques.
  - 5. The non-transitory machine-readable storage medium of claim 4, wherein the plurality of different anomaly detection techniques comprise a first type of anomaly detection technique based on features of a profile of the entity, and a second type of anomaly detection technique based on a graph representing interactions among entities.
  - 6. The non-transitory machine-readable storage medium of claim 1, wherein the anomaly scores are provided for a profile of the entity, the profile comprising a representation of a behavior of the entity over a time period.
  - 7. The non-transitory machine-readable storage medium of claim 1, wherein the weight assigned to a first detector of the plurality of detectors is according to at least one selected from among an accuracy of the first detector and an efficiency of the first detector.
  - 8. The non-transitory machine-readable storage medium of claim 1, wherein the weight assigned to a first detector of the plurality of detectors is according to a performance of the first detector at a plurality of past time instances.
  - 9. The non-transitory machine-readable storage medium of claim 1, wherein producing the weighted anomaly score for the entity based on the anomaly scores and the weights assigned to the plurality of detectors comprises computing a value derived from at least one selected from among:
    - aggregating the weights and the anomaly scores, applying a classifier to weighted scores computed for the plurality of detectors to obtain an aggregate score, applying a rule based on expert domain knowledge, selecting a maximum of the weighted scores, a harmonic mean of the weighted scores.

10. A system comprising:
- a processor; and
  
  a non-transitory storage medium storing instructions are executable on the processor to;
  
  receive anomaly scores regarding an entity from a plurality of detectors;
  
  produce a weighted anomaly score for the entity based on the anomaly scores and respective weights assigned to the plurality of detectors, the respective weights based on historical performance of the plurality of detectors;
  
  determine impact scores for respective static and dynamic contexts of the entity, each impact score of the impact scores being indicative of an effect that the entity would have on a computing environment if the entity were to exhibit anomalous behavior; and
  
  compute a risk score for the entity based on combining the weighted anomaly score and the impact scores.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The system of claim 10, wherein the static context comprises a static attribute of the entity that remains static for different settings of the entity.
  - 12. The system of claim 10, wherein the static context comprises static attributes of the entity that remain static for different settings of the entity, and wherein the determining of the impact score for the static context is based on impact scores assigned to the static attributes by a domain expert or learned by a classifier based on historical data.
  - 13. The system of claim 10, wherein the static context comprises static attributes of the entity that remain static for different settings of the entity, and wherein the determining of the impact score for the static context is based on impact scores and respective weights assigned to the static attributes by a domain expert or learned by a classifier based on historical data.
  - 14. The system of claim 10, wherein the dynamic context comprises a dynamic attribute of the entity that changes for the different settings of the entity.
  - 15. The system of claim 10, wherein the dynamic context comprises dynamic attributes of the entity that change for the different settings of the entity, and wherein the determining of the impact score for the dynamic context is based on impact scores assigned to the dynamic attributes by a domain expert or learned by a classifier based on historical data.
  - 16. The system of claim 10, wherein the dynamic context comprises dynamic attributes of the entity that change for the different settings of the entity, and wherein the determining of the impact score for the dynamic context is based on impact scores and respective weights assigned to the dynamic attributes by a domain expert or learned by a classifier based on historical data.
  - 17. The system of claim 10, wherein the instructions are executable on the processor to:
    - combine the impact scores for the respective static and dynamic contexts of the entity to produce an overall impact score,wherein the risk score for the entity is based on the overall impact score.
  - 18. The system of claim 17, wherein the combining of the impact scores for the respective static and dynamic contexts of the entity comprises computing a weighted aggregate of the impact scores for the respective static and dynamic contexts of the entity.

19. A method comprising:
- receiving, by a system comprising a processor, anomaly scores regarding a profile of an entity from a plurality of detectors;
  
  producing, by the system, a weighted anomaly score for the entity based on the anomaly scores and respective weights assigned to the plurality of detectors, the respective weights based on historical performance of the plurality of detectors;
  
  determining, by the system, an impact score based on a context of the entity, wherein the impact score is indicative of an effect that the entity would have on a computing environment if the entity were to exhibit anomalous behavior;
  
  computing, by the system, a risk score for the entity based on the weighted anomaly score and the impact score; and
  
  performing, by the system in response to the risk score, an action relating to an issue associated with the entity.
- View Dependent Claims (20)
- - 20. The method of claim 19, wherein the action in response to the risk score is selected from among generating an alert, performing an automated response, or prioritizing entity profiles for investigation by an analyst.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Micro Focus LLC (Open Text Corporation)
Original Assignee
entIT Software LLC (Open Text Corporation)
Inventors
Manadhata, Pratyusa K., Marwah, Manish, Ulanov, Alexander

Granted Patent

US 10,878,102 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

G06F 16/244   Grouping and aggregation

G06F 16/285   Clustering or classification

G06F 16/3334   Selection or weighting of t...

G06F 16/9024   Graphs; Linked lists G06F16...

G06F 21/577   Assessing vulnerabilities a...

G06F 2221/2111   Location-sensitive, e.g. ge...

G06F 2221/2137   Time limited access, e.g. t...

G06Q 10/0635   Risk analysis of enterprise...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

RISK SCORES FOR ENTITIES

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

121 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

RISK SCORES FOR ENTITIES

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

121 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links