Computer system with risk-based assessment and protection against harmful user activity

US 8,782,782 B1
Filed: 12/23/2010
Issued: 07/15/2014
Est. Priority Date: 12/23/2010
Status: Active Grant

First Claim

Patent Images

1. A method of protecting a computer system against potentially harmful activity of a privileged user authorized to perform sensitive computer system operations which non-privileged users of the computer system are not authorized to perform, the method comprising:

deploying a risk agent in the computer system, the risk agent being communicatively coupled to a risk engine, the risk engine being operative in response to queries from the risk agent to perform rules-based risk assessments of activities identified in the queries and to provide responses conveying risk assessment results; and

operating the risk agent in the computer system to;

(a) identify a user as one of a privileged user and a non-privileged user, the privileged user being authorized to perform sensitive computer system operations the non-privileged user is not authorized to perform;

(b) when the user is identified as the non-privileged user, refrain from performing a monitoring action that includes monitoring computer system activity of the user;

(c) when the user is identified as the privileged user, then (i) perform the monitoring action to monitor computer system activity of the privileged user to detect initiation of a sensitive computer system operation, and (ii) identify the computer system operation as one of a sensitive computer system operation and a non-sensitive computer system operation, the sensitive computer system operation being either an unusual operation not normally performed by the privileged user or having special potential for causing disruption to a service provided by the computer system, the non-sensitive computer system operation normally being performed by the privileged user and lacking special potential for causing disruption to the service provided by the computer system;

(d) when the computer system operation is identified as the non-sensitive computer system operation during the monitoring, then allow the computer system operation to proceed and refrain from performing an assessment to determine whether the computer system operation exceeds a predetermined criteria of riskiness;

(e) when the computer system operation is identified as the sensitive computer system operation during the monitoring, then perform the assessment to determine whether the sensitive computer system operation exceeds the predetermined criteria of riskiness, and if not then (i) allow the sensitive computer system operation to proceed and (ii) refrain from performing an additional security related processing; and

(f) when the sensitive computer system operation is determined to exceed the predetermined criteria of riskiness, then perform the additional security related processing by;

(1) formulating and sending a query to the risk engine requesting risk assessment for the sensitive computer system operation,(2) receiving a response to the query from the risk engine, and(3) based on a risk assessment result in the response, selecting one of a set of control actions and performing the selected control action, the set of control actions including allowing the sensitive computer system operation to proceed, preventing the sensitive computer system operation from proceeding, issuing a notification that the sensitive computer operation is proceeding, and obtaining further confirmation as a condition to allowing the sensitive computer system operation to proceed.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computer system is protected against harmful activity of a privileged user. A risk agent is deployed which is communicatively coupled to a risk engine, the risk engine being operative in response to queries to perform model-based risk assessments of activities and to provide responses conveying risk assessment results. The risk agent monitors computer system activity of the privileged user to detect initiation of a sensitive operation, and formulates and sends a query to the risk engine requesting risk assessment. The risk agent takes an appropriate control action based on a risk assessment result in a response to a query. The control action may be one of allowing the sensitive operation to proceed; preventing the sensitive operation from proceeding; issuing a notification that the sensitive computer operation is proceeding; and obtaining further confirmation as a condition to allowing the sensitive operation to proceed. By this method, security of the computer system is enhanced, especially against inadvertent or intentional harmful activity of a privileged user.

33 Citations

View as Search Results

20 Claims

1. A method of protecting a computer system against potentially harmful activity of a privileged user authorized to perform sensitive computer system operations which non-privileged users of the computer system are not authorized to perform, the method comprising:
- deploying a risk agent in the computer system, the risk agent being communicatively coupled to a risk engine, the risk engine being operative in response to queries from the risk agent to perform rules-based risk assessments of activities identified in the queries and to provide responses conveying risk assessment results; and
  
  operating the risk agent in the computer system to;
  
  (a) identify a user as one of a privileged user and a non-privileged user, the privileged user being authorized to perform sensitive computer system operations the non-privileged user is not authorized to perform;
  
  (b) when the user is identified as the non-privileged user, refrain from performing a monitoring action that includes monitoring computer system activity of the user;
  
  (c) when the user is identified as the privileged user, then (i) perform the monitoring action to monitor computer system activity of the privileged user to detect initiation of a sensitive computer system operation, and (ii) identify the computer system operation as one of a sensitive computer system operation and a non-sensitive computer system operation, the sensitive computer system operation being either an unusual operation not normally performed by the privileged user or having special potential for causing disruption to a service provided by the computer system, the non-sensitive computer system operation normally being performed by the privileged user and lacking special potential for causing disruption to the service provided by the computer system;
  
  (d) when the computer system operation is identified as the non-sensitive computer system operation during the monitoring, then allow the computer system operation to proceed and refrain from performing an assessment to determine whether the computer system operation exceeds a predetermined criteria of riskiness;
  
  (e) when the computer system operation is identified as the sensitive computer system operation during the monitoring, then perform the assessment to determine whether the sensitive computer system operation exceeds the predetermined criteria of riskiness, and if not then (i) allow the sensitive computer system operation to proceed and (ii) refrain from performing an additional security related processing; and
  
  (f) when the sensitive computer system operation is determined to exceed the predetermined criteria of riskiness, then perform the additional security related processing by;
  
  (1) formulating and sending a query to the risk engine requesting risk assessment for the sensitive computer system operation,(2) receiving a response to the query from the risk engine, and(3) based on a risk assessment result in the response, selecting one of a set of control actions and performing the selected control action, the set of control actions including allowing the sensitive computer system operation to proceed, preventing the sensitive computer system operation from proceeding, issuing a notification that the sensitive computer operation is proceeding, and obtaining further confirmation as a condition to allowing the sensitive computer system operation to proceed.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. A method according to claim 1, wherein the computer system is a storage area network, the privileged user is a storage area network administrator, and the sensitive computer system operation is one of a set of predetermined administrative storage-related operations, the set including mounting or dismounting a disk drive;
    - deleting data of the non-privileged user;
      
      writing to a file of the non-privileged user; and
      
      deleting an entire storage device.
  - 3. A method according to claim 2, wherein the storage-related operation is selected from the group consisting of mounting or dismounting a disk drive;
    - deleting user data and/or an entire storage device; and
      
      writing to files stored on storage devices of the storage area network.
  - 4. A method according to claim 1, wherein the computer system includes an operating system and the sensitive computer system operation is a function provided by the operating system.
  - 5. A method according to claim 4, wherein the function provided by the operating system is selected from the group consisting of deleting user data and/or storage devices;
    - and writing data to files included in a file system of the operating system.
  - 6. A method according to claim 1, wherein the computer system includes a virtual machine monitor and the sensitive computer system operation is a function provided by the virtual machine monitor.
  - 7. A method according to claim 6, wherein the function provided by the virtual machine monitor is selected from the group consisting of creating a virtual machine;
    - deleting a virtual machine; and
      
      moving or copying a virtual machine.
  - 8. A method according to claim 1, wherein the risk agent is one of a plurality of risk agents in the computer system, each risk agent operating at a respective one of distinct operating layers of the computer system, the operating layers including at least an application layer and an operating system layer, each risk agent communicating with a respective one of distinct risk engines using respective distinct risk models each tailored for the respective operating layer.
  - 9. A method according to claim 8, wherein the operating layers further include a virtual machine monitor layer, and the risk agents include a risk agent operating at the virtual machine monitor layer.
  - 10. A method according to claim 1, wherein obtaining further confirmation as a condition to allowing the sensitive computer system operation to proceed includes (i) selecting one of set of confirmation actions including requesting further credentials from the privileged user and obtaining clearance from a separate trusted system user, and (ii) performing the selected confirmation action.

11. A computer for use in a computer system, comprising:
- memory;
  
  one or more processors;
  
  input/output circuitry for connecting the computer to a risk engine, the risk engine being operative in response to queries from a risk agent of the computer to perform model-based risk assessments of activities identified in the queries and to provide responses conveying risk assessment results;
  
  one or more data buses coupling the memory, processors and input/output circuitry together; and
  
  computer instructions stored in the memory and executable by the processors to cause the computer to perform a method of protecting the computer system against potentially harmful activity of a privileged user authorized to perform sensitive computer system operations which non-privileged users of the computer are not authorized to perform, the method including;
  
  (a) identifying a user as one of a privileged user and a non-privileged user, the privileged user being authorized to perform sensitive computer system operations the non-privileged user is not authorized to perform;
  
  (b) when the user is identified as the non-privileged user, refraining from performing a monitoring action that includes monitoring computer system activity of the user;
  
  (c) when the user is identified as the privileged user, then (i) performing the monitoring action to monitor computer system activity of the privileged user to detect initiation of a sensitive computer system operation, and (ii) identifying the computer system operation as one of a sensitive computer system operation and a non-sensitive computer system operation, the sensitive computer system operation being either an unusual operation not normally performed by the privileged user or having special potential for causing disruption to a service provided by the computer system, the non-sensitive computer system operation normally being performed by the privileged user and lacking special potential for causing disruption to the service provided by the computer system;
  
  (d) when the computer system operation is identified as the non-sensitive computer system operation during the monitoring, then allowing the computer system operation to proceed and refraining from performing an assessment to determine whether the computer system operation exceeds a predetermined criteria of riskiness;
  
  (e) when the computer system operation is identified as the sensitive computer system operation during the monitoring, then performing the assessment to determine whether the sensitive computer system operation exceeds the predetermined criteria of riskiness, and if not then (i) allowing the sensitive computer system operation to proceed and (ii) refraining from performing an additional security related processing; and
  
  (f) when the sensitive computer system operation is determined to exceed the predetermined criteria of riskiness, then performing the additional security related processing by;
  
  (1) formulating and sending a query to the risk engine requesting risk assessment for the sensitive computer system operation;
  
  (2) receiving a response to the query from the risk engine; and
  
  (3) based on a risk assessment result in the response, selecting one of a set of control actions and performing the selected control action, the set of control actions including allowing the sensitive computer system operation to proceed, preventing the sensitive computer system operation from proceeding, issuing a notification that the sensitive computer operation is proceeding, and obtaining further confirmation as a condition to allowing the sensitive computer system operation to proceed.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. A computer according to claim 11, wherein the computer system is a storage area network, the privileged user is a storage area network administrator, and the sensitive computer system operation is a one of a set of predetermined administrative storage-related operations, the set including mounting or dismounting a disk drive;
    - deleting data of the non-privileged user;
      
      writing to a file of the non-privileged user; and
      
      deleting an entire storage device.
  - 13. A computer according to claim 12, wherein the storage-related operation is selected from the group consisting of mounting or dismounting a disk drive;
    - deleting user data and/or an entire storage device; and
      
      writing to files stored on storage devices of the storage area network.
  - 14. A computer according to claim 11, wherein the memory further includes additional computer instructions constituting an operating system of the computer, and wherein the sensitive computer system operation is a function provided by the operating system.
  - 15. A computer according to claim 14, wherein the function provided by the operating system is selected from the group consisting of deleting user data and/or storage devices;
    - and writing data to files included in a file system of the operating system.
  - 16. A computer according to claim 11, wherein the memory further includes additional computer instructions constituting a virtual machine monitor of the computer, and wherein the sensitive computer system operation is a function provided by the virtual machine monitor.
  - 17. A computer according to claim 16, wherein the function provided by the virtual machine monitor is selected from the group consisting of creating a virtual machine;
    - deleting a virtual machine; and
      
      moving or copying a virtual machine.
  - 18. A computer according to claim 11, wherein the risk agent is one of a plurality of risk agents in the computer, each risk agent operating at a respective one of distinct operating layers of the computer, the operating layers including at least an application layer and an operating system layer, each risk agent communicating with a respective one of distinct risk engines using respective distinct risk models each tailored for the respective operating layer.
  - 19. A computer according to claim 18, wherein the operating layers further include a virtual machine monitor layer, and the risk agents include a risk agent operating at the virtual machine monitor layer.
  - 20. A computer according to claim 11, wherein obtaining further confirmation as a condition to allowing the sensitive computer system operation to proceed includes (i) selecting one of set of confirmation actions including requesting further credentials from the privileged user and obtaining clearance from a separate trusted system user, and (ii) performing the selected confirmation action.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Emc IP Holding Company LLC (Dell Technologies Inc.)
Original Assignee
EMC Corporation (Dell Technologies Inc.)
Inventors
Dicovitsky, Gregory, Bryan, Robert William
Primary Examiner(s)
Vaughan, Michael R

Application Number

US12/978,096
Time in Patent Office

1,300 Days
Field of Search
US Class Current

726/22
CPC Class Codes

H04L 63/102   Entity profiles

H04L 63/1408   by monitoring network traff...

H04L 67/1097   for distributed storage of ...

H04W 12/67   Risk-dependent, e.g. select...

Computer system with risk-based assessment and protection against harmful user activity

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

33 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Computer system with risk-based assessment and protection against harmful user activity

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

33 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links