Methods, systems, and media for masquerade attack detection by monitoring computer user behavior
First Claim
1. A method for detecting masquerade attacks, the method comprising:
- monitoring, by a hardware processor, a first plurality of user actions in a computing environment;
monitoring files in the computing environment that contain decoy information;
generating a user intent model for a category that includes at least one of the first plurality of user actions;
monitoring a second plurality of user actions;
comparing the second plurality of user actions with the generated user intent model by determining whether at least one of the second plurality of user activities deviates from the generated user intern model;
determining whether the second plurality of user actions includes accessing the files in the computing environment that contain the decoy information in response to determining that at least one of the second plurality of user actions deviates from the generated user intent model;
identifying whether the second plurality of user actions is a masquerade attack based at least in part on the comparison; and
generating an alert in response to identifying that the second plurality of user actions is the masquerade attack and in response to determining that the second plurality of user actions includes accessing the flies in the computing environment that contain the decoy information.
1 Assignment
0 Petitions
Accused Products
Abstract
Methods, systems, and media for masquerade attack detection by monitoring computer user behavior are provided. In accordance with some embodiments, a method for detecting masquerade attacks is provided, the method comprising: monitoring a first plurality of user actions and access of decoy information in a computing environment; generating a user intent model for a category that includes at least one of the first plurality of user actions; monitoring a second plurality of user actions; comparing the second plurality of user actions with the user intent model by determining deviation from the generated user intent model; identifying whether the second plurality of user actions is a masquerade attack based at least in part on the comparison; and generating an alert in response to identifying that the second plurality of user actions is the masquerade attack and in response to determining that the second plurality of user actions includes accessing the decoy information in the computing environment.
172 Citations
36 Claims
-
1. A method for detecting masquerade attacks, the method comprising:
-
monitoring, by a hardware processor, a first plurality of user actions in a computing environment; monitoring files in the computing environment that contain decoy information; generating a user intent model for a category that includes at least one of the first plurality of user actions; monitoring a second plurality of user actions; comparing the second plurality of user actions with the generated user intent model by determining whether at least one of the second plurality of user activities deviates from the generated user intern model; determining whether the second plurality of user actions includes accessing the files in the computing environment that contain the decoy information in response to determining that at least one of the second plurality of user actions deviates from the generated user intent model; identifying whether the second plurality of user actions is a masquerade attack based at least in part on the comparison; and generating an alert in response to identifying that the second plurality of user actions is the masquerade attack and in response to determining that the second plurality of user actions includes accessing the flies in the computing environment that contain the decoy information. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
-
-
13. A system for detecting masquerade attacks, the system comprising:
a hardware processor that; monitors a first plurality of user actions in a computing environment; monitors files in the computing environment that contain decoy information; generates a user intent model for a category that includes at least one of the first plurality of user actions; monitors a second plurality of user actions; compares the second plurality of user actions with the generated user intent model, by determining whether at least one of the second plurality of user activities deviates from the generated user intent model; determines whether the second plurality of user actions includes accessing the files in the continuing environment that contain the decoy information in response to determining that at least one of the second plurality of user actions deviates from the generated user intent model; identifies whether the second plurality of user actions is a masquerade attack based at least in part on the comparison; and generates an alert in response to identifying that the second plurality of user actions is the masquerade attack and in response to determining that the second plurality of user actions includes accessing the files in the computing environment that contain the decoy information. - View Dependent Claims (14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24)
-
25. A non-transitory computer-readable medium containing, computer-executable instructions that, when executed by a processor, cause the processor to perform a method for detecting masquerade attacks, the method comprising:
-
monitoring a first plurality of user actions in a computing environment; monitoring files in the computing environment that contain decoy information; generating a user intent model for a category that includes at least one of the first plurality of user actions; monitoring a second plurality of user actions; comparing the second plurality of user actions with the generated user intent model by determining whether at least one of the second plurality of user activities deviates from the generated user intent model; determining whether the second plurality of user actions includes accessing the files in the computing environment that contain the decoy information in response to determining that at least one of the second plurality of user actions deviates from the generated user intent model; identifying whether the second plurality of user actions is a masquerade attack based at least in part on the comparison; and generating an alert in response to identifying that the second plurality of user actions is the masquerade attack and in response to determining that the second plurality of user actions includes accessing the files in the computing environment that contain the decoy information. - View Dependent Claims (26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36)
-
Specification