Enterprise information asset protection through insider attack specification, monitoring and mitigation

US 8,880,893 B2
Filed: 09/24/2004
Issued: 11/04/2014
Est. Priority Date: 09/26/2003
Status: Active Grant

First Claim

Patent Images

1. A computer program product for protecting an enterprise data server against insider attack, comprising:

a computer readable storage device having computer readable program code embodied therewith, the computer readable program code comprising computer readable program code configured to;

generate a display interface through which an authorized entity using a given policy specification language specifies characteristics of an insider attack including illegitimate access by a trusted user, wherein the given policy specification language enables the authorized entity to specify a set of one or more policy filters that specify characteristics of an insider attack and that is associated with a given enterprise data server type and defines (a) a given action that a trusted user may attempt to take with respect to a given enterprise information asset stored on a given enterprise data server, and (b) a given response that is to be taken upon detection of the given action;

monitor a trusted user'"'"'s given data access against the set of one or more policy filters, at least one policy filter including an expression with one or more data access attributes each associated with a behavior of a trusted user with respect to one or more information assets stored on the enterprise data server, the data access attribute defined by a statistical function that receives a property value of a given data access of a trusted user, compares the property value of the given data access to corresponding property values of prior data accesses within a data access history, determines a frequency of occurrence of the property value in the data access history, and provides an indicator based on the frequency of occurrence of the property value indicating whether the property value represents an illegitimate access;

analyze the trusted user'"'"'s given data access against the set of one or more policy filters by calculating the statistical functions of the data access attributes and determining an overall value for the expression of the at least one policy filter;

determine whether the trusted user'"'"'s given data access is indicative of an illegitimate access based on the overall value for the expression as specified by a given policy filter in the set of policy filters; and

in response to the trusted user'"'"'s given data access being indicative of an illegitimate access as specified by the given policy filter, take the given response specified by the given policy filter.

View all claims

8 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present invention provides a policy specification framework to enable an enterprise to specify a given insider attack using a holistic view of a given data access, as well as the means to specify and implement one or more intrusion mitigation methods in response to the detection of such an attack. The policy specification provides for the use of “anomaly” and “signature” attributes that capture sophisticated behavioral characteristics of illegitimate data access. When the attack occurs, a previously-defined administrator (or system-defined) mitigation response (e.g., verification, disconnect, de-provision, or the like) is then implemented.

58 Citations

View as Search Results

17 Claims

1. A computer program product for protecting an enterprise data server against insider attack, comprising:
- a computer readable storage device having computer readable program code embodied therewith, the computer readable program code comprising computer readable program code configured to;
  
  generate a display interface through which an authorized entity using a given policy specification language specifies characteristics of an insider attack including illegitimate access by a trusted user, wherein the given policy specification language enables the authorized entity to specify a set of one or more policy filters that specify characteristics of an insider attack and that is associated with a given enterprise data server type and defines (a) a given action that a trusted user may attempt to take with respect to a given enterprise information asset stored on a given enterprise data server, and (b) a given response that is to be taken upon detection of the given action;
  
  monitor a trusted user'"'"'s given data access against the set of one or more policy filters, at least one policy filter including an expression with one or more data access attributes each associated with a behavior of a trusted user with respect to one or more information assets stored on the enterprise data server, the data access attribute defined by a statistical function that receives a property value of a given data access of a trusted user, compares the property value of the given data access to corresponding property values of prior data accesses within a data access history, determines a frequency of occurrence of the property value in the data access history, and provides an indicator based on the frequency of occurrence of the property value indicating whether the property value represents an illegitimate access;
  
  analyze the trusted user'"'"'s given data access against the set of one or more policy filters by calculating the statistical functions of the data access attributes and determining an overall value for the expression of the at least one policy filter;
  
  determine whether the trusted user'"'"'s given data access is indicative of an illegitimate access based on the overall value for the expression as specified by a given policy filter in the set of policy filters; and
  
  in response to the trusted user'"'"'s given data access being indicative of an illegitimate access as specified by the given policy filter, take the given response specified by the given policy filter.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The computer program product as described in claim 1 wherein the given response generates an audit event and the computer readable program code further comprises computer readable program code configured to store the audit event.
  - 3. The computer program product as described in claim 1 wherein the given response initiates a given attack mitigation and the computer readable program code further comprises computer readable program code configured to perform a given risk mitigation function.
  - 4. The computer program product as described in claim 1 wherein the policy language specification enables a given data access operation to be specified against a particular content string or a set of one or more addresses associated with a given information asset.
  - 5. The computer program product as described in claim 1 wherein the monitor code understands one or more different data access protocols.
  - 6. The computer program product as described in claim 1 wherein the monitor code monitors the trusted user'"'"'s given data access promiscuously.
  - 7. The computer program product as described in claim 1 wherein the monitor code monitors a log of the trusted user'"'"'s given data access.
  - 8. The computer program product as described in claim 1 wherein the display interface includes a set of controls that enable the authorized entity to specify the policy filter, the given response, and policy metadata.
  - 9. The computer program product as described in claim 1 wherein the data access attribute is one of:
    - rare, new, large, high frequency and unusual.

10. A computer-implemented method of protecting an enterprise information asset against insider attack, comprising:
- specifying a policy filter that defines characteristics of an insider attack including illegitimate access that a trusted user may attempt to take with respect to an enterprise information asset stored on an enterprise data server, the policy filter including an expression with one or more data access attributes each associated with a behavior of a trusted user with respect to the enterprise information asset stored on the enterprise data server, the data access attribute defined by a statistical function that receives a property value of a given data access of a trusted user, compares the property value of the given data access to corresponding property values of prior data accesses within a data access history, determines a frequency of occurrence of the property value in the data access history, and provides an indicator based on the frequency of occurrence of the property value indicating whether the property value represents an illegitimate access;
  
  monitoring a trusted user'"'"'s data access with respect to the enterprise data server;
  
  analyzing via a processor the data access against the policy filter by calculating the statistical functions of the data access attributes and determining an overall value for the expression of the policy filter;
  
  determining via the processor whether the trusted user'"'"'s data access is indicative of an illegitimate access based on the overall value for the expression as specified by the policy filter;
  
  in response to the trusted user'"'"'s data access is indicative of an illegitimate access as specified in the policy filter, taking via the processor a mitigation action or storing an audit event.
- View Dependent Claims (11, 12, 13, 14)
- - 11. The computer-implemented method as described in claim 10 wherein the trusted user'"'"'s data access is monitored promiscuously or by evaluating a log.
  - 12. The computer-implemented method as described in claim 10 wherein the trusted user'"'"'s data access is monitored for given content patterns as defined by the policy filter.
  - 13. The computer-implemented method as described in claim 10 wherein the trusted user'"'"'s data access is monitored for one or more content containers as defined by the policy filter.
  - 14. The computer-implemented method as described in claim 10 wherein the data access attribute is one of rare, new, large, high frequency and unusual.

15. A system for protecting an enterprise information asset against insider attack, comprising:
- a computer system including at least one processor configured to;
  
  generate a display interface through which an authorized entity using a given policy specification language specifies characteristics of an insider attack including illegitimate access by a trusted user against the enterprise information asset stored on an enterprise data server, the insider attack defined by at least an expression with one or more data access attributes each associated with a behavior of a trusted user associated with the enterprise information asset stored on an enterprise data server, the data access attribute defined by a statistical function that receives a property value of a given data access of a trusted user, compares the property value of the given data access to corresponding property values of prior data accesses within a data access history, determines frequency of occurrence of the property value in the data access history, and provides an indicator based on the frequency of occurrence of the property value indicating whether the property value represents an illegitimate access;
  
  determine whether a trusted user'"'"'s given data access to an enterprise resource is indicative of an illegitimate access by calculating the statistical functions of the data access attributes and determining an overall value for the expression defining the insider attack; and
  
  responsive to the trusted user'"'"'s given data access being indicative of an illegitimate access, take a given mitigation action.
- View Dependent Claims (16)
- - 16. The system as described in claim 15 wherein the data access attribute is one of:
    - rare, new, large, high frequency and unusual.

17. A system comprising:
- a processor configured to;
  
  generate a display interface through which an authorized entity, using a given policy specification language, specifies a policy filter to detect an insider attack including illegitimate access by a trusted user by defining (a) a given action, with respect to a enterprise information asset stored on a enterprise data server, that a trusted user may attempt, the given action indicating an insider attack, and (b) a given response to the given action, the given response to be executed if the given action is detected;
  
  monitor the trusted user'"'"'s data access against the policy filter, the policy filter including an expression with one or more data access attributes each associated with a behavior of a trusted user with respect to the enterprise information asset stored on the enterprise data server, the data access attribute defined by a statistical function that receives a property value of a given data access of a trusted user, compares the property value of the given data access to corresponding property values of prior data accesses within a data access history, determines a frequency of occurrence of the property value in the data access history, and provides an indicator based on the frequency of occurrence of the property value indicating whether the property value represents an illegitimate access; and
  
  analyze the trusted user'"'"'s data access against the policy filter by calculating the statistical functions of the data access attributes and determining an overall value for the expression of the policy filter and determining whether the trusted user'"'"'s data access indicates an illegitimate access based on the overall value of the expression as specified by the policy filter, and if the trusted user'"'"'s data access indicates an illegitimate access as specified by the policy filter, responding with the given response specified by the policy filter.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
IBM Technology Corporation (International Business Machines Corporation)
Original Assignee
IBM International Group BV (International Business Machines Corporation)
Inventors
Moghe, Pratyush, Gehani, Narain, Smith, Peter T.
Primary Examiner(s)
Najjar, Saleh
Assistant Examiner(s)
Pan, Joseph

Application Number

US10/950,070
Publication Number

US 20050071643A1
Time in Patent Office

3,693 Days
Field of Search

713/1, 713/2, 713/188, 713/194, 713/182, 380/200, 380/201, 380/255, 380/277, 726/2, 726/1, 726/22, 726/25, 709223-225
US Class Current

713/182
CPC Class Codes

G06F 21/316   by observing the pattern of...

G06F 21/552   involving long-term monitor...

G06F 2221/2101   Auditing as a secondary aspect

G06F 2221/2115   Third party

H04L 63/1441   Countermeasures against mal...

Enterprise information asset protection through insider attack specification, monitoring and mitigation

First Claim

8 Assignments

0 Petitions

Accused Products

Abstract

58 Citations

17 Claims

Specification

Use Cases

Quick Links

Others

Enterprise information asset protection through insider attack specification, monitoring and mitigation

First Claim

8 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

58 Citations

17 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others