System and method for insider threat detection

US 9,043,905 B1
Filed: 10/02/2013
Issued: 05/26/2015
Est. Priority Date: 01/23/2012
Status: Active Grant

First Claim

Patent Images

1. A system for detecting insider threats in a network, the system comprising:

one or more processors and a memory, the memory having executable instructions encoded thereon such that upon execution of the instructions the one or more processors perform operations of;

receiving data from the network relevant to network activity;

extracting observable actions from the data relevant to a mission;

combining the observable actions to provide contextual cues and reasoning results;

detecting potential insider threats through analyzing the observable actions and reasoning results;

generating, based on the observable actions and reasoning results, proposed security policy updates to force insiders into using more observable actions;

wherein in receiving the data from the network, the data is one or more data types selected from a group consisting of network packet headers, access log files, communications, and output of other security measures, or any combination thereof; and

wherein in extracting observable actions, hierarchical random graphs (HRGs) are used to cluster the data into normal patterns of activity and Bayesian Probabilistic Tensor decomposition (BPTD) is used to extract the observable actions from the patterns of activity.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Described is a system for detecting insider threats in a network. In detecting the insider threat, the system receives data from the network relevant to network activity and extracts observable actions from the data relevant to a mission. The observable actions are combined to provide contextual cues and reasoning results. Based on the observable actions and reasoning results, proposed security policy updates are proposed to force insiders into using more observable actions. Finally, the system detects potential insider threats through analyzing the observable actions and reasoning results.

155 Citations

12 Claims

1. A system for detecting insider threats in a network, the system comprising:
- one or more processors and a memory, the memory having executable instructions encoded thereon such that upon execution of the instructions the one or more processors perform operations of;
  
  receiving data from the network relevant to network activity;
  
  extracting observable actions from the data relevant to a mission;
  
  combining the observable actions to provide contextual cues and reasoning results;
  
  detecting potential insider threats through analyzing the observable actions and reasoning results;
  
  generating, based on the observable actions and reasoning results, proposed security policy updates to force insiders into using more observable actions;
  
  wherein in receiving the data from the network, the data is one or more data types selected from a group consisting of network packet headers, access log files, communications, and output of other security measures, or any combination thereof; and
  
  wherein in extracting observable actions, hierarchical random graphs (HRGs) are used to cluster the data into normal patterns of activity and Bayesian Probabilistic Tensor decomposition (BPTD) is used to extract the observable actions from the patterns of activity.
- View Dependent Claims (2, 3, 4)
- - 2. The system as set forth in claim 1, wherein in combining the observable actions to provide contextual cues and reasoning results, the system uses dynamic Bayesian networks.
  - 3. The system as set forth in claim 2, wherein in generating proposed security policy updates, the system uses game theoretic techniques to model interactions between potential insiders and current security policies to generate the proposed security policy updates.
  - 4. The system as set forth in claim 2, wherein in detecting potential insider threats, the system uses Spectral Early Warning Signals to detect transitions between normal usage and exfiltration usage.

5. A computer program product for detecting insider threats in a network, the computer program product comprising computer-readable instructions stored on a non-transitory computer-readable medium that are executable by a computer having a processor for causing the processor to perform operations of:
- receiving data from the network relevant to network activity;
  
  extracting observable actions from the data relevant to a mission;
  
  combining the observable actions to provide contextual cues and reasoning results;
  
  detecting potential insider threats through analyzing the observable actions and reasoning results;
  
  generating, based on the observable actions and reasoning results, proposed security policy updates to force insiders into using more observable actions;
  
  wherein in receiving the data from the network, the data is one or more data types selected from a group consisting of network packet headers, access log files, communications, and output of other security measures, or any combination thereof, andwherein in extracting observable actions, hierarchical random graphs (HRGs) are used to cluster the data into normal patterns of activity and Bayesian Probabilistic Tensor decomposition (BPTD) is used to extract the observable actions from the patterns of activity.
- View Dependent Claims (6, 7, 8)
- - 6. The computer program product as set forth in claim 5, wherein in combining the observable actions to provide contextual cues and reasoning results, dynamic Bayesian networks are used.
  - 7. The computer program product as set forth in claim 6, wherein in generating proposed security policy updates, game theoretic techniques are used to model interactions between potential insiders and current security policies to generate the proposed security policy updates.
  - 8. The computer program product as set forth in claim 6, wherein in detecting potential insider threats, Spectral Early Warning Signals are used to detect transitions between normal usage and exfiltration usage.

9. A computer implemented method for detecting insider threats in a network, the method comprising an act of causing one or more processors to execute instructions encoded on a non-transitory computer-readable medium, such that upon execution of the instructions, the one or more processors perform operations of:
- receiving data from the network relevant to network activity;
  
  extracting observable actions from the data relevant to a mission;
  
  combining the observable actions to provide contextual cues and reasoning results;
  
  detecting potential insider threats through analyzing the observable actions and reasoning results;
  
  generating based on the observable actions and reasoning results proposed security policy updates to force insiders into using more observable actions;
  
  wherein in receiving the data from the network, the data is one or more data types selected from a group consisting of network packet headers, access log files, communications, and output of other security measures, or any combination thereof; and
  
  wherein in extracting observable actions, hierarchical random graphs (HRGs) are used to cluster the data into normal patterns of activity and Bayesian Probabilistic Tensor decomposition (BPTD) is used to extract the observable actions from the patterns of activity.
- View Dependent Claims (10, 11, 12)
- - 10. The method as set forth in claim 9, wherein in combining the observable actions to provide contextual cues and reasoning results, dynamic Bayesian networks are used.
  - 11. The method as set forth in claim 10, wherein in generating proposed security policy updates, game theoretic techniques are used to model interactions between potential insiders and current security policies to generate the proposed security policy updates.
  - 12. The method as set forth in claim 10, wherein in detecting potential insider threats, Spectral Early Warning Signals are used to detect transitions between normal usage and exfiltration usage.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
HRL Laboratories LLC (The Boeing Co.)
Original Assignee
HRL Laboratories LLC (The Boeing Co.)
Inventors
Allen, David L., Lu, Tsai-Ching, Tressler, Eric P., Moon, Hankyu
Primary Examiner(s)
Kim, Tae
Assistant Examiner(s)
TENG, LOUIS C

Application Number

US14/044,793
Time in Patent Office

601 Days
Field of Search

726/22, 726/23, 726/25
US Class Current

726/22
CPC Class Codes

G06F 21/552   involving long-term monitor...

G06F 21/577   Assessing vulnerabilities a...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1441   Countermeasures against mal...

H04L 63/20   for managing network securi...

System and method for insider threat detection

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

155 Citations

12 Claims

Specification

Use Cases

Quick Links

Others

System and method for insider threat detection

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

155 Citations

12 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others