
Using information usage data to detect behavioral patterns and anomalies

  • US 8,396,890 B2
  • Filed: 08/03/2010
  • Issued: 03/12/2013
  • Est. Priority Date: 12/29/2005
  • Status: Active Grant
First Claim

1. A method of operating a system comprising:

  • providing a plurality of devices including a first device;

    providing an activity database, stored at a server;

    providing a plurality of policies, wherein the policies are applicable to a plurality of target profiles, each target profile having a set of target attributes, and each policy comprises a conditional statement having a policy abstraction and a corresponding action that will be performed when the conditional statement is satisfied, and each policy abstraction has a corresponding definition statement stored separately from the policy;

    analyzing a first policy to determine whether that policy is relevant to a specific target profile with a set of specific target attributes;

    determining the first policy comprising a corresponding first conditional statement and a first action is relevant when a value of at least one of the specific target attributes is used during an evaluation of the first policy and allowing the first action to be performed at the first device;

    storing on the first device of the plurality of devices a first set of rules;

    storing on a second device of the plurality of devices a second set of rules, wherein the second set of rules is different from the first set of rules;

    upon a first operation requested by a first user at the first device of the plurality of devices, evaluating at the first device a first rule of the first set of rules stored at the first device;

    upon a second operation requested by a second user at the second device of the plurality of devices, evaluating at the second device a second rule of the second set of rules stored at the second device;

    at the server, collecting information usage data from the first and second devices in the activity database, wherein the information usage data comprises data associated with the first operation requested by the first user at the first device that caused evaluating at the first device the first rule of the first set of rules stored at the first device and data associated with the second operation requested by the second user at the second device that caused evaluating at the second device the second rule of the second set of rules stored at the second device;

    at the server, analyzing the information usage data in the activity database to detect a plurality of conditions that occurred at either the first or second devices, or both, wherein the plurality of conditions considered during the analyzing comprise;

    a first condition is detected when the first device or second device, or both, has attempted to access a unit of information more than X times in a Y time period; and

    a second condition is detected when a username has connected to the system from a first location E at a first time T1, via the first device, and the username has connected to the system from a second location F at a second time T2, via the second device, and a distance between the first location E and the second location F divided by (T2 - T1) is greater than Z; and

    when one or more of the plurality of conditions is detected, generating a notification of the one or more conditions detected.
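
The two server-side conditions in the claim, sketched as an added example that is not taken from the patent: the record layout, the function names, the per-(device, unit) counting, the great-circle distance and the sample thresholds are all assumptions, and the activity rows are constructed.

```python
from collections import defaultdict, deque
from math import asin, cos, radians, sin, sqrt

# Constructed activity-database rows (assumed layout):
# (epoch_seconds, username, device, unit_of_information, latitude, longitude)
EVENTS = [
    (0,    "alice", "dev1", "doc-17", 37.77, -122.42),  # San Francisco
    (60,   "alice", "dev1", "doc-17", 37.77, -122.42),
    (120,  "alice", "dev1", "doc-17", 37.77, -122.42),
    (180,  "alice", "dev1", "doc-17", 37.77, -122.42),
    (3600, "alice", "dev2", "doc-02", 51.51, -0.13),    # London, under an hour later
    (7200, "bob",   "dev2", "doc-17", 51.51, -0.13),
]

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    a = (sin((p2 - p1) / 2) ** 2
         + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * asin(sqrt(a))

def detect(events, x, y_seconds, z_kmh):
    """Return one notification tuple per detected condition, in time order."""
    notes = []
    recent = defaultdict(deque)  # (device, unit) -> access times inside window Y
    last_seen = {}               # username -> (time, device, lat, lon)
    for t, user, dev, unit, lat, lon in sorted(events):
        # First condition: more than X accesses to one unit in a Y time period.
        window = recent[(dev, unit)]
        window.append(t)
        while t - window[0] > y_seconds:
            window.popleft()
        if len(window) > x:
            notes.append(("excess_access", dev, unit, len(window)))
        # Second condition: distance(E, F) / (T2 - T1) > Z across two devices.
        prev = last_seen.get(user)
        if prev and prev[1] != dev:
            km = haversine_km(prev[2], prev[3], lat, lon)
            hours = (t - prev[0]) / 3600
            # Compare km > Z * hours so that T2 == T1 needs no division.
            if km > z_kmh * hours:
                notes.append(("impossible_travel", user, prev[1], dev, round(km)))
        last_seen[user] = (t, dev, lat, lon)
    return notes

if __name__ == "__main__":
    for note in detect(EVENTS, x=3, y_seconds=600, z_kmh=1000):
        print(note)
```
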
