Enterprise information asset protection through insider attack specification, monitoring and mitigation
First Claim
1. A computer program product for protecting an enterprise data server against insider attack, comprising:
- a computer readable storage device having computer readable program code embodied therewith, the computer readable program code comprising computer readable program code configured to:
generate a display interface through which an authorized entity using a given policy specification language specifies characteristics of an insider attack including illegitimate access by a trusted user, wherein the given policy specification language enables the authorized entity to specify a set of one or more policy filters that specify characteristics of an insider attack and that is associated with a given enterprise data server type and defines (a) a given action that a trusted user may attempt to take with respect to a given enterprise information asset stored on a given enterprise data server, and (b) a given response that is to be taken upon detection of the given action;
monitor a trusted user's given data access against the set of one or more policy filters, at least one policy filter including an expression with one or more data access attributes each associated with a behavior of a trusted user with respect to one or more information assets stored on the enterprise data server, the data access attribute defined by a statistical function that receives a property value of a given data access of a trusted user, compares the property value of the given data access to corresponding property values of prior data accesses within a data access history, determines a frequency of occurrence of the property value in the data access history, and provides an indicator based on the frequency of occurrence of the property value indicating whether the property value represents an illegitimate access;
analyze the trusted user's given data access against the set of one or more policy filters by calculating the statistical functions of the data access attributes and determining an overall value for the expression of the at least one policy filter;
determine whether the trusted user's given data access is indicative of an illegitimate access based on the overall value for the expression as specified by a given policy filter in the set of policy filters; and
in response to the trusted user's given data access being indicative of an illegitimate access as specified by the given policy filter, take the given response specified by the given policy filter.
8 Assignments
0 Petitions
Abstract
The present invention provides a policy specification framework to enable an enterprise to specify a given insider attack using a holistic view of a given data access, as well as the means to specify and implement one or more intrusion mitigation methods in response to the detection of such an attack. The policy specification provides for the use of “anomaly” and “signature” attributes that capture sophisticated behavioral characteristics of illegitimate data access. When the attack occurs, a previously-defined administrator (or system-defined) mitigation response (e.g., verification, disconnect, de-provision, or the like) is then implemented.
58 Citations
17 Claims
1. A computer program product for protecting an enterprise data server against insider attack (independent claim 1, reproduced in full under "First Claim" above).
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9.
10. A computer-implemented method of protecting an enterprise information asset against insider attack, comprising:
specifying a policy filter that defines characteristics of an insider attack including illegitimate access that a trusted user may attempt to take with respect to an enterprise information asset stored on an enterprise data server, the policy filter including an expression with one or more data access attributes each associated with a behavior of a trusted user with respect to the enterprise information asset stored on the enterprise data server, the data access attribute defined by a statistical function that receives a property value of a given data access of a trusted user, compares the property value of the given data access to corresponding property values of prior data accesses within a data access history, determines a frequency of occurrence of the property value in the data access history, and provides an indicator based on the frequency of occurrence of the property value indicating whether the property value represents an illegitimate access;
monitoring a trusted user's data access with respect to the enterprise data server;
analyzing via a processor the data access against the policy filter by calculating the statistical functions of the data access attributes and determining an overall value for the expression of the policy filter;
determining via the processor whether the trusted user's data access is indicative of an illegitimate access based on the overall value for the expression as specified by the policy filter;
in response to the trusted user's data access being indicative of an illegitimate access as specified in the policy filter, taking via the processor a mitigation action or storing an audit event.
Dependent claims: 11, 12, 13, 14.
15. A system for protecting an enterprise information asset against insider attack, comprising:
a computer system including at least one processor configured to:
generate a display interface through which an authorized entity using a given policy specification language specifies characteristics of an insider attack including illegitimate access by a trusted user against the enterprise information asset stored on an enterprise data server, the insider attack defined by at least an expression with one or more data access attributes each associated with a behavior of a trusted user associated with the enterprise information asset stored on an enterprise data server, the data access attribute defined by a statistical function that receives a property value of a given data access of a trusted user, compares the property value of the given data access to corresponding property values of prior data accesses within a data access history, determines frequency of occurrence of the property value in the data access history, and provides an indicator based on the frequency of occurrence of the property value indicating whether the property value represents an illegitimate access;
determine whether a trusted user's given data access to an enterprise resource is indicative of an illegitimate access by calculating the statistical functions of the data access attributes and determining an overall value for the expression defining the insider attack; and
responsive to the trusted user's given data access being indicative of an illegitimate access, take a given mitigation action.
Dependent claims: 16.
17. A system comprising:
a processor configured to:
generate a display interface through which an authorized entity, using a given policy specification language, specifies a policy filter to detect an insider attack including illegitimate access by a trusted user by defining (a) a given action, with respect to an enterprise information asset stored on an enterprise data server, that a trusted user may attempt, the given action indicating an insider attack, and (b) a given response to the given action, the given response to be executed if the given action is detected;
monitor the trusted user's data access against the policy filter, the policy filter including an expression with one or more data access attributes each associated with a behavior of a trusted user with respect to the enterprise information asset stored on the enterprise data server, the data access attribute defined by a statistical function that receives a property value of a given data access of a trusted user, compares the property value of the given data access to corresponding property values of prior data accesses within a data access history, determines a frequency of occurrence of the property value in the data access history, and provides an indicator based on the frequency of occurrence of the property value indicating whether the property value represents an illegitimate access; and
analyze the trusted user's data access against the policy filter by calculating the statistical functions of the data access attributes and determining an overall value for the expression of the policy filter and determining whether the trusted user's data access indicates an illegitimate access based on the overall value of the expression as specified by the policy filter, and if the trusted user's data access indicates an illegitimate access as specified by the policy filter, responding with the given response specified by the policy filter.
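The detection mechanism the claims recite, as an added illustration that is not the patent's own code or implementation: a policy filter is an expression over "anomaly" attributes (each a statistical function that compares one property value of the current access with the same property in the trusted user's access history and turns its frequency of occurrence into an indicator) and "signature" attributes (fixed predicates on the access); the expression's overall value is compared with a threshold and mapped to the response the filter names (verify, disconnect, de-provision, audit). The class names, the two filters, their weights and thresholds, the response labels and the access log are all constructed assumptions, not values from the patent.

```python
"""Added example of a policy-filter engine in the style of the claims.
Everything here (names, thresholds, sample log) is an assumption for
illustration; it is not the patent's implementation."""
from collections import Counter
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# One data access is a set of property values: who, from where, which asset,
# when (bucketed), and how much was read.
Access = Dict[str, object]


@dataclass
class AnomalyAttribute:
    """Statistical attribute: 1 - frequency of this access's value of `prop`
    in the user's own history, so an unseen value scores 1.0 and a value seen
    every time scores 0.0. `min_history` avoids the cold-start failure mode
    where a brand-new user's first accesses all look anomalous."""
    prop: str
    min_history: int = 5

    def indicator(self, access: Access, history: List[Access]) -> float:
        if len(history) < self.min_history:
            return 0.0  # not enough evidence to call anything unusual
        counts = Counter(a[self.prop] for a in history)
        freq = counts[access[self.prop]] / len(history)
        return 1.0 - freq


@dataclass
class SignatureAttribute:
    """Signature attribute: a fixed predicate on the access itself."""
    predicate: Callable[[Access], bool]

    def indicator(self, access: Access, history: List[Access]) -> float:
        return 1.0 if self.predicate(access) else 0.0


@dataclass
class PolicyFilter:
    name: str
    attributes: Dict[str, object]                   # attribute name -> attribute
    expression: Callable[[Dict[str, float]], float]  # combines the indicators
    threshold: float
    response: str                                   # e.g. verify / disconnect / audit

    def evaluate(self, access: Access, history: List[Access]) -> float:
        values = {n: a.indicator(access, history) for n, a in self.attributes.items()}
        return self.expression(values)


class Monitor:
    """Keeps a per-user history and runs every access through all filters."""

    def __init__(self, filters: List[PolicyFilter]):
        self.filters = filters
        self.history: Dict[str, List[Access]] = {}

    def observe(self, access: Access) -> List[Tuple[str, float, str]]:
        hist = self.history.setdefault(str(access["user"]), [])
        triggered = []
        for f in self.filters:
            score = f.evaluate(access, hist)
            if score >= f.threshold:
                triggered.append((f.name, round(score, 3), f.response))
        hist.append(access)  # the access joins the history only after evaluation
        return triggered


def build_filters() -> List[PolicyFilter]:
    """Two constructed filters: a bulk read from an unusual context, and a
    plain unusual-source-host check with a softer response."""
    return [
        PolicyFilter(
            name="bulk-read-from-unusual-context",
            attributes={
                "src": AnomalyAttribute("src_host"),
                "asset": AnomalyAttribute("asset"),
                "hour": AnomalyAttribute("hour_bucket"),
                "bulk": SignatureAttribute(lambda a: a["rows"] > 10_000),
            },
            # mean of the anomaly indicators, doubled in weight when the bulk signature fires
            expression=lambda v: (v["src"] + v["asset"] + v["hour"]) / 3 * (0.5 + 0.5 * v["bulk"]),
            threshold=0.8,
            response="disconnect",
        ),
        PolicyFilter(
            name="unusual-source-host",
            attributes={"src": AnomalyAttribute("src_host")},
            expression=lambda v: v["src"],
            threshold=0.9,
            response="verify",
        ),
    ]


def sample_accesses() -> List[Access]:
    """Constructed access log: nine routine reads, then one off-pattern bulk read."""
    baseline = [
        {"user": "alice", "src_host": "ws-alice", "asset": "orders", "hour_bucket": "day", "rows": 100 + i}
        for i in range(9)
    ]
    suspicious = {"user": "alice", "src_host": "ws-unknown", "asset": "payroll",
                  "hour_bucket": "night", "rows": 50_000}
    return baseline + [suspicious]


def run_demo() -> List[Tuple[str, float, str]]:
    """Replays the sample log and returns every (filter, score, response) that fired."""
    monitor = Monitor(build_filters())
    alerts = []
    for access in sample_accesses():
        alerts.extend(monitor.observe(access))
    return alerts


if __name__ == "__main__":
    for name, score, response in run_demo():
        print(f"{name}: score={score} -> {response}")
```

Replaying the constructed log produces no alerts for the nine baseline reads (the first five fall under `min_history`, the rest match the history exactly) and two alerts for the final access, because every anomaly attribute returns 1.0 and the bulk signature fires. The engine only returns the response label; wiring it to an actual session disconnect, step-up verification or audit record is the enforcement side the claims leave to the deployment.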
Specification