Insider threat correlation tool
First Claim
1. A non-transitory computer-readable medium comprising computer-executable instructions that when executed by a processor perform a method comprising:
- for each of a plurality of users, calculating a baseline activity score, comprising:
  - determining values of controls for electronic transmissions associated with the user over a first time period, wherein the controls comprise:
    - a bandwidth control relating to a quantity of bandwidth associated with the user over a first network during the first time period;
    - a blocked transmission control relating to blocked transmissions associated with the user over the first network during the first time period;
    - a non-blocked transmission control relating to non-blocked transmissions associated with the user over the first network during the first time period that violate at least one predefined criterion; and
  - calculating the baseline activity score based upon the values of the controls over the first time period;
- for each of a plurality of users, calculating a second activity score, including:
  - determining values of the controls for electronic transmissions associated with a second time period; and
  - calculating a second activity score based upon the values of the controls over the second time period; and
- for each of a plurality of users, calculating a predictive threat score, including:
  - comparing the baseline activity score with the second activity score, wherein both of the baseline activity score and the second activity score each include sub-scores and the comparing of the baseline activity score with the second activity score includes:
    - comparing a sub-score of the baseline activity score with a sub-score of the second activity score.
Abstract
Systems and methods for calculating threat scores for individuals within an organization or domain are provided. Aspects of the invention relate to computer-implemented methods that form a predictive threat rating for user accounts. In one implementation, a first threat score representing a first time period may be calculated. The first threat score may be compared with aspects of the same user accounts for a second time period. Weighting schemes may be applied to certain activities, controls, and/or user accounts. Further aspects relate to apparatuses configured to execute methods for ranking individual user accounts. Certain embodiments may not block transmissions that violate predefined rules; however, indications of such improper transmissions may be considered when constructing a threat rating. Blocked transmissions enforced upon a user account may also be received. Certain activity, such as accessing the internet, may be monitored for the presence of a security threat and/or an ethics threat.
10 Claims
6. A non-transitory computer-readable medium comprising computer-executable instructions that when executed by a processor perform a method comprising:
- for each of a plurality of users, calculating a baseline activity score, comprising:
  - determining values of controls for electronic transmissions associated with the user over a first time period, wherein the controls comprise:
    - a bandwidth control relating to a quantity of bandwidth associated with the user over a first network during the first time period;
    - a blocked transmission control relating to blocked transmissions associated with the user over the first network during the first time period;
    - a non-blocked transmission control relating to non-blocked transmissions associated with the user over the first network during the first time period that violate at least one predefined criterion; and
  - calculating the baseline activity score based upon the values of the controls over the first time period;
- for each of a plurality of users, calculating a second activity score, including:
  - determining values of the controls for electronic transmissions associated with a second time period; and
  - calculating a second activity score based upon the values of the controls over the second time period; and
- for each of a plurality of users, calculating a predictive threat score, including:
  - comparing the baseline activity score with the second activity score;
  - categorizing at least one transmission associated with a first user into a category of a plurality of categories comprising: a security threat, an ethics threat, and combinations thereof; and
  - weighting transmissions categorized in the security threat category according to a first weight.
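An added illustration, not taken from the patent: one possible reading of claims 1 and 6 as Python. The claims fix only the three controls, the two time periods, the sub-score comparison and the category weighting; the per-day normalisation, the ratio comparison, the `floor` parameter, the weight values and the user IDs are assumptions made for this example.

```python
from dataclasses import dataclass, field

# Assumed weights: claim 6 only requires "a first weight" for the security category.
CATEGORY_WEIGHTS = {"security": 3.0, "ethics": 1.5, "security+ethics": 4.0}

@dataclass
class Period:
    """Control values for one user over one time period."""
    days: int
    bandwidth_mb: float                           # bandwidth control
    blocked: list = field(default_factory=list)   # category of each blocked transmission
    flagged: list = field(default_factory=list)   # category of each non-blocked violation

def sub_scores(p):
    """One per-day sub-score per control, so periods of unequal length compare."""
    def weighted(categories):
        return sum(CATEGORY_WEIGHTS[c] for c in categories) / p.days
    return {"bandwidth": p.bandwidth_mb / p.days,
            "blocked": weighted(p.blocked),
            "flagged": weighted(p.flagged)}

def predictive_threat_score(baseline, recent, floor=1.0):
    """Compare each recent sub-score with the matching baseline sub-score.

    A control contributes its relative growth over baseline, never less than 0.
    `floor` stands in for a near-zero baseline so a quiet history cannot divide by zero.
    """
    base, now = sub_scores(baseline), sub_scores(recent)
    deltas = {k: max(0.0, now[k] / max(base[k], floor) - 1.0) for k in base}
    return sum(deltas.values()), deltas

def rank(users):
    """Return (user, score) pairs, highest predictive threat score first."""
    scored = [(u, predictive_threat_score(b, r)[0]) for u, (b, r) in users.items()]
    return sorted(scored, key=lambda item: item[1], reverse=True)

# Constructed sample data: (30-day baseline, 7-day second period) per user ID.
SAMPLE = {
    "u1001": (Period(30, 6000, blocked=["ethics"] * 2), Period(7, 1400)),
    "u1002": (Period(30, 3000, blocked=["security"]),
              Period(7, 2800, blocked=["security"] * 7,
                     flagged=["security"] * 7 + ["ethics"] * 14)),
}

if __name__ == "__main__":
    for user, score in rank(SAMPLE):
        print(f"{user}: {score:.1f}")
```

Returning the per-control deltas alongside the total lets an analyst see which control moved, which is the point of comparing sub-score to sub-score instead of only the aggregate.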
Specification