System and method for insider threat detection
First Claim
1. A system for detecting insider threats in a network, the system comprising:
- one or more processors and a memory, the memory having executable instructions encoded thereon such that upon execution of the instructions the one or more processors perform operations of:
- receiving data from the network relevant to network activity;
- extracting observable actions from the data relevant to a mission;
- combining the observable actions to provide contextual cues and reasoning results;
- detecting potential insider threats through analyzing the observable actions and reasoning results;
- generating, based on the observable actions and reasoning results, proposed security policy updates to force insiders into using more observable actions;
- wherein in receiving the data from the network, the data is one or more data types selected from a group consisting of network packet headers, access log files, communications, and output of other security measures, or any combination thereof; and
- wherein in extracting observable actions, hierarchical random graphs (HRGs) are used to cluster the data into normal patterns of activity and Bayesian Probabilistic Tensor Decomposition (BPTD) is used to extract the observable actions from the patterns of activity.
1 Assignment
0 Petitions
Abstract
Described is a system for detecting insider threats in a network. In detecting the insider threat, the system receives data from the network relevant to network activity and extracts observable actions from the data relevant to a mission. The observable actions are combined to provide contextual cues and reasoning results. Based on the observable actions and reasoning results, security policy updates are proposed to force insiders into using more observable actions. Finally, the system detects potential insider threats through analyzing the observable actions and reasoning results.
155 Citations
12 Claims
Claim 1 is reproduced above under First Claim; claims 2, 3 and 4 depend on it.

5. A computer program product for detecting insider threats in a network, the computer program product comprising computer-readable instructions stored on a non-transitory computer-readable medium that are executable by a computer having a processor for causing the processor to perform operations of:
- receiving data from the network relevant to network activity;
- extracting observable actions from the data relevant to a mission;
- combining the observable actions to provide contextual cues and reasoning results;
- detecting potential insider threats through analyzing the observable actions and reasoning results;
- generating, based on the observable actions and reasoning results, proposed security policy updates to force insiders into using more observable actions;
- wherein in receiving the data from the network, the data is one or more data types selected from a group consisting of network packet headers, access log files, communications, and output of other security measures, or any combination thereof; and
- wherein in extracting observable actions, hierarchical random graphs (HRGs) are used to cluster the data into normal patterns of activity and Bayesian Probabilistic Tensor Decomposition (BPTD) is used to extract the observable actions from the patterns of activity.

Claims 6, 7 and 8 depend on claim 5.

9. A computer implemented method for detecting insider threats in a network, the method comprising an act of causing one or more processors to execute instructions encoded on a non-transitory computer-readable medium, such that upon execution of the instructions, the one or more processors perform operations of:
- receiving data from the network relevant to network activity;
- extracting observable actions from the data relevant to a mission;
- combining the observable actions to provide contextual cues and reasoning results;
- detecting potential insider threats through analyzing the observable actions and reasoning results;
- generating, based on the observable actions and reasoning results, proposed security policy updates to force insiders into using more observable actions;
- wherein in receiving the data from the network, the data is one or more data types selected from a group consisting of network packet headers, access log files, communications, and output of other security measures, or any combination thereof; and
- wherein in extracting observable actions, hierarchical random graphs (HRGs) are used to cluster the data into normal patterns of activity and Bayesian Probabilistic Tensor Decomposition (BPTD) is used to extract the observable actions from the patterns of activity.

Claims 10, 11 and 12 depend on claim 9.