Method and apparatus to detect unauthorized information disclosure via content anomaly detection

US 8,286,237 B2
Filed: 02/17/2004
Issued: 10/09/2012
Est. Priority Date: 02/25/2003
Status: Active Grant

First Claim

Patent Images

1. A method of performing an application layer semantic analysis to detect information access anomalies, comprising:

a) capturing data packets;

b) filtering the captured data packets to detect information content;

c) processing packets based on semantics of an application or protocol;

d) generating a quantitative representation;

e) deriving a content signature from the quantitative representation;

f) deriving a prototypical model that includes a frequency view of a set of content signatures accessed by a given user, where the set of content signatures are indicative of content that is changing over time; and

g) detecting an application layer information access anomaly by using a semantic analysis to detect a given deviation from the prototypical model.

View all claims

11 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Method and apparatus to monitor and detect anomalies of information content flows, the method comprising the steps of capturing information access packets, filtering packets to extract information, decoding packets to determine information content, deriving content signatures, trending prototypical behavior, and detecting anomalies of information access, and said apparatus comprising a computing device comprising a network based device that captures the information and produces anomaly information.

Citations

38 Claims

1. A method of performing an application layer semantic analysis to detect information access anomalies, comprising:
- a) capturing data packets;
  
  b) filtering the captured data packets to detect information content;
  
  c) processing packets based on semantics of an application or protocol;
  
  d) generating a quantitative representation;
  
  e) deriving a content signature from the quantitative representation;
  
  f) deriving a prototypical model that includes a frequency view of a set of content signatures accessed by a given user, where the set of content signatures are indicative of content that is changing over time; and
  
  g) detecting an application layer information access anomaly by using a semantic analysis to detect a given deviation from the prototypical model.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30)
- - 2. The method, according to claim 1, where the prototypical model also includes a time distribution of a set of content accesses by the given user.
  - 3. The method, according to claim 1, where the prototypical model also includes a location distribution of a set of content accesses by the given user.
  - 4. The method, according to claim 1, where the quantitative representation is captured as a content distribution vector that captures a frequency based distribution of key words in the message.
  - 5. The method, according to claim 1, where the content signature is computed based on a moment statistic.
  - 6. The method, according to claim 1, where the content signature is computed as a hash of the information content.
  - 7. The method, according to claim 1, where the content signature is computed via a document clustering technique where documents that share content signatures are classified together.
  - 8. The method, according to claim 1, further including storing the information content, the content signature, and one or more attributes, where the attributes include one of:
    - user identity, location of access, time of access, content type, content length, content hash, content encoding, and one or more content properties.
  - 9. The method, according to claim 1, where mining is based on statistical clustering and distance based metrics.
  - 10. The method, according to claim 9, where a statistical metric includes frequency of all content signatures accessed by a user.
  - 11. The method, according to claim 9, where a statistical metric includes time of all content signatures accessed by a user.
  - 12. The method, according to claim 9, where a statistical metric includes location of all content signatures accessed by a user.
  - 13. The method, according to claim 1, where the prototypical model is derived by mining a content database.
  - 14. The method, according to claim 1, where mining may be augmented by content aging, where information is periodically deleted from the content database.
  - 15. The method, according to claim 14, where content aging is a function of a mining algorithm and a type of information being monitored.
  - 16. The method, according to claim 1, where the information access anomaly is based on a given user accessing given content from a given location at a given time.
  - 17. The method, according to claim 16, where the information access anomaly is detected by a memory-based deviation where the given content accessed by the given user shows a deviation over normal content accessed.
  - 18. The method, according to claim 16, where the information access anomaly is detected by a rare content condition, where the given user accesses given content that is rarely accessed by the given user.
  - 19. The method, according to claim 16, where the information access anomaly is detected by a time deviation where the given user accesses the given content at a time different from historical access by the given user.
  - 20. The method, according to claim 16, where the information access anomaly is detected by a location deviation where the given user accesses the given content from a location different from historical access by the given user.
  - 21. The method, according to claim 1, further including processing the information access anomaly.
  - 22. The method, according to claim 21, where processing the information access anomaly processing includes one of:
    - positive correlation with at least one past security violation event, and negative correlation with a past false alarm or non-event.
  - 23. The method, according to claim 1, where a set of consistent anomalies are classified into a pattern of misuse.
  - 24. The method, according to claim 1, where the information access anomaly is detected in real-time.
  - 25. The method, according to claim 1, where information access anomaly detection is used for real-time protection of information.
  - 26. The method, according to claim 25, where real-time anomaly detection is used for protection via real-time alerts.
  - 27. The method, according to claim 25, where real-time anomaly detection is used for real-time protection via denial of access.
  - 28. The method, according to claim 25, where real-time anomaly detection is used for real-time protection via additional user validation.
  - 29. The method as described in claim 1, where the data packets are associated with access to a confidential information repository.
  - 30. The method of claim 1 wherein the application layer semantic analysis examines an entirety of an application layer without any application-specific limits.

31. Apparatus, comprising:
- a processor; and
  
  a computer memory storing program instructions that when executed by the processor perform a method of detecting an information access anomaly, the method comprising;
  
  monitoring data packets indicative of changing content over time;
  
  generating a prototypical model; and
  
  performing a semantic analysis against the prototypical model to identify an application level information access anomaly.
- View Dependent Claims (32, 33, 34, 35, 36, 37, 38)
- - 32. The apparatus as described in claim 31 wherein the detecting method examines an entirely of an application layer without any application-specific limits.
  - 33. The apparatus of claim 31, implemented on a computing device and connected on a network as a passive tap.
  - 34. The apparatus of claim 31, implemented as a network appliance that derives information transparently.
  - 35. The apparatus of claim 31, implemented on an end-user computing device.
  - 36. The apparatus of claim 31, implemented as a shim on an application server.
  - 37. The apparatus of claim 31, connected to an access control system to enable real-time monitoring of anomalous information access.
  - 38. The apparatus of claim 31, configured to implement one or more compliance policies.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
IBM International Group BV (International Business Machines Corporation)
Inventors
Moghe, Pratyush
Primary Examiner(s)
JUNG, DAVID YIUK

Application Number

US10/780,252
Publication Number

US 20050091532A1
Time in Patent Office

3,157 Days
Field of Search

726/22, 726/23, 726/25
US Class Current

726/22
CPC Class Codes

H04L 63/1408 by monitoring network traff...

Method and apparatus to detect unauthorized information disclosure via content anomaly detection

First Claim

11 Assignments

0 Petitions

Accused Products

Abstract

Citations

38 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus to detect unauthorized information disclosure via content anomaly detection

First Claim

11 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

38 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links