DYNAMIC POLICY BASED ON USER EXPERIENCE

US 20190319961A1
Filed: 04/12/2019
Published: 10/17/2019
Est. Priority Date: 04/13/2018
Status: Active Grant

First Claim

Patent Images

1. A computer program product comprising computer executable code embodied in a non-transitory computer readable medium that, when executing on one or more computing devices, performs the steps of:

storing an entity model for an entity at a threat management facility for an enterprise network, the entity including at least one of an identity and access management system, a domain controller, a physical device, a user, an operating system, or an application associated with the enterprise network, and the entity model characterizing a baseline of expected events based on events from the entity over an historical window as a vector in an event vector space;

instrumenting a compute instance associated with the entity to report event vectors based on one or more events from one or more sensors associated with the compute instance;

receiving an event stream at the threat management facility, the event stream including a plurality of event vectors from the compute instance;

calculating a risk score for the compute instance based on a distance between the entity model and one or more event vectors in the event stream in the event vector space; and

adjusting a policy for the compute instance based on the risk score, the policy including one or more security settings for the compute instance.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Entity models are used to evaluate potential risk of entities, either individually or in groups, in order to evaluate suspiciousness within an enterprise network. These individual or aggregated risk assessments can be used to adjust the security policy for compute instances within the enterprise network. A security policy may specify security settings such as network speed, filtering levels, network isolation, levels of privilege, and the like.

9 Citations

21 Claims

1. A computer program product comprising computer executable code embodied in a non-transitory computer readable medium that, when executing on one or more computing devices, performs the steps of:
- storing an entity model for an entity at a threat management facility for an enterprise network, the entity including at least one of an identity and access management system, a domain controller, a physical device, a user, an operating system, or an application associated with the enterprise network, and the entity model characterizing a baseline of expected events based on events from the entity over an historical window as a vector in an event vector space;
  
  instrumenting a compute instance associated with the entity to report event vectors based on one or more events from one or more sensors associated with the compute instance;
  
  receiving an event stream at the threat management facility, the event stream including a plurality of event vectors from the compute instance;
  
  calculating a risk score for the compute instance based on a distance between the entity model and one or more event vectors in the event stream in the event vector space; and
  
  adjusting a policy for the compute instance based on the risk score, the policy including one or more security settings for the compute instance.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The computer program product of claim 1 wherein the historical window is algorithmically determined.
  - 3. The computer program product of claim 1 wherein the policy includes a security setting for at least one of network speed, network communication filtering levels, network data quotas, levels of privilege, and network isolation.
  - 4. The computer program of claim 1 wherein the threat management facility stores a plurality of entity models for a plurality of different entity types within the enterprise network.
  - 5. The computer program product of claim 1 wherein the event stream includes event vectors from a plurality of compute instances associated with the enterprise network.
  - 6. The computer program product of claim 1 wherein the event stream includes event vectors from two or more different entities associated with the compute instance.
  - 7. The computer program product of claim 1 further comprising code that performs the steps of monitoring the event stream and creating the entity model based on a baseline of event vectors for the entity in the event stream over an interval, wherein the interval is algorithmically determined.
  - 8. The computer program product of claim 7 further comprising code that performs the step of refining the entity model based on additional event vectors in the event stream received after the entity model is created.
  - 9. The computer program product of claim 7 wherein instrumenting the compute instance includes configuring the compute instance to normalize at least one of the events from at least one of the sensors.
  - 10. The computer program product of claim 7 wherein instrumenting the compute instance includes configuring the compute instance to tokenize at least one of the events from at least one of the sensors.
  - 11. The computer program product of claim 7 wherein instrumenting the compute instance includes configuring the compute instance to encrypt at least one of the events from at least one of the sensors.
  - 12. The computer program product of claim 7 wherein instrumenting the compute instance includes prioritizing at least one of the events from at least one of the sensors.
  - 13. The computer program product of claim 1 wherein the distance is at least one of a Mahalanobis distance, a Euclidean distance, and a Minkowski distance.
  - 14. The computer program product of claim 1 wherein the distance is evaluated using a k-nearest neighbor algorithm.

15. A method comprising:
- storing an entity model at a threat management facility for an enterprise network, the entity model characterizing expected events for an entity;
  
  instrumenting a compute instance in the enterprise network to detect one or more events and report a number of event vectors including the one or more events to the threat management facility;
  
  receiving an event stream of the number of event vectors from the compute instance at the threat management facility;
  
  calculating a risk score for the compute instance based on a comparison of one or more of the event vectors in the event stream with the entity model for the entity; and
  
  adjusting a policy for the compute instance based on the risk score.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The method of claim 15 wherein the policy includes one or more security settings.
  - 17. The method of claim 16 wherein the security settings specify at least one of network speed, network communication filtering levels, network data quotas, levels of privilege, and network isolation.
  - 18. The method of claim 15 wherein the threat management facility stores a plurality of entity models for a plurality of different entity types within the enterprise network.
  - 19. The method of claim 15 wherein the event stream includes event vectors from a plurality of compute instances associated with the enterprise network.
  - 20. The method of claim 15 wherein the event stream includes event vectors from two or more different entities associated with the compute instance.

21. A system comprising:
- a compute instance in an enterprise network, the compute instance configured to detect one or more events associated with the compute instance and to report an event vector including the one or more events to a remote resource; and
  
  a threat management facility, the threat management facility including a memory storing an entity model characterizing expected events for an entity, and the threat management facility configured to receive an event stream including the event vector, to calculate a risk score for the compute instance based on a comparison of the event vector with the entity model, and to adjust a policy for the compute instance based on the risk score.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Sophos Limited (Sophos Group Ltd.)
Original Assignee
Sophos Limited (Sophos Group Ltd.)
Inventors
Levy, Joseph H., Thomas, Andrew J., Schiappa, Daniel Salvatore, Ray, Kenneth D.

Granted Patent

US 11,087,014 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

G06F 16/137   Hash-based content-based in...

G06F 16/285   Clustering or classification

G06F 16/93   Document management systems

G06F 21/45   Structures or tools for the...

G06F 21/577   Assessing vulnerabilities a...

G06F 21/6218   to a system of files or obj...

G06F 21/64   Protecting data integrity, ...

G06F 2221/034   Test or assess a computer o...

G06N 20/00   Machine learning

G06N 3/0675   using electro-optical, acou...

G06N 5/046   Forward inferencing; Produc...

G06N 5/048   Fuzzy inferencing

H04L 2463/082   applying multi-factor authe...

H04L 41/20   Network management software...

H04L 41/22   comprising specially adapte...

H04L 63/08   for authentication of entit...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/083   using passwords cryptograph...

H04L 63/0838   using one-time-passwords

H04L 63/0861   using biometrical features,...

H04L 63/101 : Access control lists [ACL]

H04L 63/102 : Entity profiles

H04L 63/1408 : by monitoring network traff...

H04L 63/1416 : Event detection, e.g. attac...

H04L 63/1425 : Traffic logging, e.g. anoma...

H04L 63/1433 : Vulnerability analysis

H04L 63/1441 : Countermeasures against mal...

H04L 63/20 : for managing network securi...

H04L 63/205 : involving negotiation or de...

H04L 9/0891 : Revocation or update of sec...

H04L 9/16 : the keys or algorithms bein...

H04L 9/3213 : using tickets or tokens, e....

H04L 9/3226 : using a predetermined code,...

H04L 9/3228 : One-time or temporary data,...

H04L 9/3231 : Biological data, e.g. finge...

H04L 9/3265 : using certificate chains, t...

H04L 9/3271 : using challenge-response

H04L 9/50 : using hash chains, e.g. blo...

View All

DYNAMIC POLICY BASED ON USER EXPERIENCE

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

9 Citations

21 Claims

Specification

Use Cases

Quick Links

Others

DYNAMIC POLICY BASED ON USER EXPERIENCE

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

9 Citations

21 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others