Insider threat correlation tool

US 9,038,187 B2
Filed: 01/26/2010
Issued: 05/19/2015
Est. Priority Date: 01/26/2010
Status: Active Grant

First Claim

Patent Images

1. A non-transitory computer-readable medium storing computer-executable instructions that when executed by a processor cause the processor to perform:

calculating a ranking of a plurality of user accounts within an organization that represent a threat to the organization, wherein the ranking is determined by a predictive threat score for each user account of the plurality of user accounts, wherein the predictive threat score is based on a comparison of a first set of values of at least four controls that are monitored over a first time period to a second set of values of the at least four controls that are monitored over a second time period, and wherein the values of the first set of values and the second set of values for each user account are selected from the group consisting of;

a value corresponding to a quantity of bandwidth utilized by the user account over a network;

a value corresponding to a number of blocked transmissions by the user account over the network;

a value corresponding to a number of blocked communications through a targeted communication application, the targeted communication application allowing a first user to communicate directly with another individual;

a value corresponding to a number of non-blocked communications through the targeted communication application that violate at least one predefined criterion;

a value indicating whether at least one security application is associated with the user account;

a value indicating an illegal storage attempt; and

a value indicating whether a communication has been transmitted or received through the network via an unauthorized protocol;

wherein monitoring the at least four controls further includes;

assigning, by the processor, a zero value to an activity characteristic unless it is determined that an activity level of a first user account is over a first threshold level above an average of the plurality of user accounts for a same time period and a first integer to the activity characteristic if it is determined that the activity level of the first user account is over the first threshold level above an average of the plurality of user accounts for the same time period; and

transmitting electronic signals configured to display the ranking of the plurality of user accounts.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods for calculating threat scores for individuals within an organization or domain are provided. Aspects of the invention relate to computer-implemented methods that form a predictive threat rating for user accounts. In one implementation, a first threat score representing a first time period may be calculated. The first threat score may be compared with aspects of the same user accounts for a second time period. Weighting schemes may be applied to certain activities, controls, and/or user accounts. Further aspects relate to apparatuses configured to execute methods for ranking individual user accounts. Certain embodiments may not block transmissions that violate predefine rules, however, indications of such improper transmission may be considered when constructing a threat rating. Blocked transmissions enforced upon a user account may also be received. Certain activity, such as accessing the internet, may be monitored for the presence of a security threat and/or an ethics threat.

121 Citations

21 Claims

1. A non-transitory computer-readable medium storing computer-executable instructions that when executed by a processor cause the processor to perform:
- calculating a ranking of a plurality of user accounts within an organization that represent a threat to the organization, wherein the ranking is determined by a predictive threat score for each user account of the plurality of user accounts, wherein the predictive threat score is based on a comparison of a first set of values of at least four controls that are monitored over a first time period to a second set of values of the at least four controls that are monitored over a second time period, and wherein the values of the first set of values and the second set of values for each user account are selected from the group consisting of;
  
  a value corresponding to a quantity of bandwidth utilized by the user account over a network;
  
  a value corresponding to a number of blocked transmissions by the user account over the network;
  
  a value corresponding to a number of blocked communications through a targeted communication application, the targeted communication application allowing a first user to communicate directly with another individual;
  
  a value corresponding to a number of non-blocked communications through the targeted communication application that violate at least one predefined criterion;
  
  a value indicating whether at least one security application is associated with the user account;
  
  a value indicating an illegal storage attempt; and
  
  a value indicating whether a communication has been transmitted or received through the network via an unauthorized protocol;
  
  wherein monitoring the at least four controls further includes;
  
  assigning, by the processor, a zero value to an activity characteristic unless it is determined that an activity level of a first user account is over a first threshold level above an average of the plurality of user accounts for a same time period and a first integer to the activity characteristic if it is determined that the activity level of the first user account is over the first threshold level above an average of the plurality of user accounts for the same time period; and
  
  transmitting electronic signals configured to display the ranking of the plurality of user accounts.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. The non-transitory computer-readable medium of claim 1, wherein the blocked transmissions by the user account over the network are classified into a category selected from the group consisting of:
    - a security threat, an ethics threat, and combinations thereof.
  - 3. The non-transitory computer-readable medium of claim 2, the computer-executable instructions further comprising:
    - receiving a user input selecting a graphical representation of the blocked communication through the network; and
      
      displaying whether the blocked communication was a security threat, an ethics threat or combinations thereof.
  - 4. The non-transitory computer-readable medium of claim 2, the instruction further comprising:
    - receiving a user input requesting the re-ranking of the plurality of user accounts based upon one of the values the predictive threat score is based on.
  - 5. The non-transitory computer-readable medium of claim 1, wherein an account weight has been applied to at least one user account displayed, wherein the account weight is assigned to the at least one user account, if the user account is within a category selected from the group consisting of:
    - granted access rights to a specific collection of data, exempt from having the at least one security application, the at least one security application is absent;
      
      access rights to at least one service has been deactivated, and combinations thereof.
  - 6. The non-transitory computer-readable medium of claim 5, wherein the at least one user account are weighted according to the weights set forth in Table 2.
  - 7. The non-transitory computer-readable medium of claim 5, the instruction further comprising:
    - receiving a user input providing a new account weight to be applied to at least one of the plurality of user accounts; and
      
      re-ranking a plurality of accounts using the new account weight.
  - 8. The non-transitory computer-readable medium of claim 5, the instructions further comprising:
    - receiving a user input selecting a user account from the plurality of user accounts; and
      
      displaying the ranking for a plurality of values selected from the group consisting of;
      
      a value corresponding to the quantity of bandwidth utilized by the user account over the network, a value corresponding to a number of denied access attempts by the user account over the network, a value corresponding to a number of blocked communications through the targeted communication application, a value corresponding to a number of non-blocked communications through the targeted communication application that violate at least one predefined criterion, a value indicating whether at least one security application is associated with the user account, a value indicating whether communications through the network are transmitted or received via an unauthorized protocol, and combinations thereof.
  - 9. The non-transitory computer-readable medium of claim 1, wherein the first time period is less than about 3 days and the second time period is more than about 40 days.
  - 10. The non-transitory computer-readable medium of claim 1, wherein a value weight has been applied to at least one value utilized in determining the predictive threat score, wherein the value weight is assigned to the at least one user account if the user account is within a group selected from the groups consisting of:
    - a security threat, an ethics threat, blocked communication through the targeted communication application, communication through the targeted communication application meeting the predefined criterion, accessing the centralized store, an attempted illegal storage attempt, and combinations thereof.
  - 11. The non-transitory computer-readable medium of claim 10, the instruction further comprising:
    - receiving a user input providing a new value weight to be applied to at least one of the values; and
      
      re-ranking a plurality of accounts using the new value weight.
  - 12. The non-transitory computer-readable medium of claim 10, further comprising:
    - determining that an activity associated with one of the values occurred during a time frame of either the first time period or the second time period; and
      
      applying a second value weight to the activity that occurred during the time frame.
  - 13. The non-transitory computer-readable medium of claim 10, further comprising:
    - further weighting one of the values if incidence of activity associated with the value is above a predetermined threshold.
  - 14. The non-transitory computer-readable medium of claim 13, wherein the predetermined threshold is based upon, an average activity of one of the user accounts of the plurality of user accounts, an average activity of at least one of the other user accounts of the plurality of user accounts, or combinations thereof.
  - 15. The non-transitory computer-readable medium of claim 10, wherein the activities that occurred during the first time period are weighted differently than the activities that occurred during the second time period.
  - 16. The non-transitory computer-readable medium of claim 15, wherein the activities that occurred during the first time period and the second time period are weighted according to the weights set forth in Table 2.

17. An apparatus comprising:
- a communications module configured to receive data from a plurality of applications, the data relating to a first set of values of at least four controls and a second set of values of the at least four controls associated with each user account of a plurality of user accounts within an organization, wherein the first set of values are monitored over a first time period and the second set of values are monitored over a second time period, and wherein the values of the first set of values and the second set of values for each user account are selected from the group consisting of;
  
  a value corresponding to a quantity of bandwidth utilized by the user account over a network;
  
  a value corresponding to a number of blocked transmissions by the user account over the network;
  
  a value corresponding to a number of blocked communications through a targeted communication application, the targeted communication application allowing a first user to communicate directly with another individual;
  
  a value corresponding to a number of non-blocked communications through the targeted communication application that violate at least one predefined criterion;
  
  a value indicating whether a communication has been transmitted or received through the network via an unauthorized protocol;
  
  an application detection module configured to determine whether at least one security application is associated with at least one of the user accounts; and
  
  a processor connected to a memory and configured to respectively calculate a predictive threat score for each user account of the plurality of user accounts based on a comparison of the first set of values to the second of values that are respectively associated with each user account of the plurality of user accounts,wherein monitoring the at least four controls further includes;
  
  assigning, by the processor, a zero value to an activity characteristic unless it is determined that an activity level of a first user account is over a first threshold level above an average of the plurality of user accounts for a same time period and a first integer to the activity characteristic if it is determined that the activity level of the first user account is over the first threshold level above an average of the plurality of user accounts for the same time period; and
  
  transmit electronic signals configured to display the calculated predictive treat score for each user account of the plurality of user accounts.
- View Dependent Claims (18, 19, 20, 21)
- - 18. The apparatus of claim 17, wherein the processor is further configured to determine that an activity associated with one of the values occurred during a time frame of either the first time period or the second time period;
    - and applying a value weight to the activity that occurred during the time frame.
  - 19. The apparatus of claim 17, further comprising:
    - further weighting one of the values if incidence of activity associated with the value is above a predetermined threshold.
  - 20. The apparatus of claim 19, wherein the predetermined threshold is based upon, an average activity of one of the user accounts of the plurality of user accounts, an average activity of at least one of the other user accounts of the plurality of user accounts, or combinations thereof.
  - 21. The apparatus of claim 17, wherein the activities that occurred during the first time period are weighted differently than the activities that occurred during the second time period.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Bank of America Corp.
Original Assignee
Bank of America Corp.
Inventors
McHugh, Brian, Ramcharran, Ronald, Langsam, Peter J., Metzger, Timothy C., Antilley, Dan P., Deats, Jonathan W.
Primary Examiner(s)
Patel, Ashok
Assistant Examiner(s)
GRACIA, GARY S

Application Number

US12/694,075
Publication Number

US 20110184877A1
Time in Patent Office

1,939 Days
Field of Search

726/22
US Class Current

726/25
CPC Class Codes

G06F 21/50   Monitoring users, programs ...

G06F 21/51   at application loading time...

G06Q 10/10   Office automation; Time man...

G06Q 30/018   Certifying business or prod...

G06Q 30/0185   Product, service or busines...

Insider threat correlation tool

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

121 Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Insider threat correlation tool

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

121 Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links