Continuous monitoring of computer user and computer activities

US 9,047,464 B2
Filed: 03/15/2013
Issued: 06/02/2015
Est. Priority Date: 04/11/2011
Status: Expired due to Fees

First Claim

Patent Images

1. A method for securing a computer device, the method comprising:

receiving, by a security server, interaction data for a user interfacing with the computer device while the user is authenticated for accessing at least one computer resource, the interaction data including keyboard inputs, images taken of the user during the access and screen captures taken periodically;

performing optical character recognition (OCR) to identify text in the screen captures;

extracting semantic data from the interaction data and from the text in the screen captures, the semantic data identifying user activities associated with the interaction data;

generating a schema based on the extracted semantic data, the schema including tags that are descriptive of at least one of the identified user activity and the associated interaction data;

analyzing the schema based on a model to identify security threats associated with the user activities;

creating an alarm when non-conforming behavior for at least one user activity is detected, the alarm including a binding of the one or more user activities, one or more tags, keyboard inputs, and screen captures associated with the one or more user activities; and

sending a command from the security server to terminate access to the at least one computer resource in response to the alarm, wherein operations of the method are executed by a processor.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods, systems, and computer programs are presented for securing a computer device. One method includes an operation for capturing interaction data for a user interfacing with the computer device, the interaction data including keyboard inputs and screen captures taken periodically. Further, the method includes operations for extracting semantic meaning of the interaction data, and generating a schema, based on the extracted semantic meaning, to create meaningful tags for the interaction data. The schema is analyzed based on a model in order to identify security threats, and an alarm is created when non-conforming behavior for the model is detected.

Citations

18 Claims

1. A method for securing a computer device, the method comprising:
- receiving, by a security server, interaction data for a user interfacing with the computer device while the user is authenticated for accessing at least one computer resource, the interaction data including keyboard inputs, images taken of the user during the access and screen captures taken periodically;
  
  performing optical character recognition (OCR) to identify text in the screen captures;
  
  extracting semantic data from the interaction data and from the text in the screen captures, the semantic data identifying user activities associated with the interaction data;
  
  generating a schema based on the extracted semantic data, the schema including tags that are descriptive of at least one of the identified user activity and the associated interaction data;
  
  analyzing the schema based on a model to identify security threats associated with the user activities;
  
  creating an alarm when non-conforming behavior for at least one user activity is detected, the alarm including a binding of the one or more user activities, one or more tags, keyboard inputs, and screen captures associated with the one or more user activities; and
  
  sending a command from the security server to terminate access to the at least one computer resource in response to the alarm, wherein operations of the method are executed by a processor.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method as recited in claim 1, further including:
    - providing an interface for receiving parameters associated with the model, the parameters identifying non-conforming behavior for the model.
  - 3. The method as recited in claim 2, further including:
    - refining the model by analyzing computer use during a predetermined period of time.
  - 4. The method as recited in claim 2, wherein the interface includes a definition of exceptions for the creating of alarms for one or more exception behaviors.
  - 5. The method as recited in claim 1, wherein analyzing the schema further includes:
    - identifying a non-conforming behavior based on the model and a time of the non-conforming behavior.
  - 6. The method as recited in claim 1, further including:
    - providing a search interface for viewing the interaction data and identification of non-conforming behavior, the search interface including an option to select one or more of the tags, wherein results from a search include one or more bindings of the one or more user activities, one or more tags, keyboard inputs, and screen captures associated with the one or more user activities.
  - 7. The method as recited in claim 1, wherein the interaction data further includes one or more of a mouse input, an audio input, a biometric signal for the user, a geographic location of the user, a name of an active application used by the user, an operation to save data to an external device, an operation to print, a cut-and-paste of data for inclusion in an email or an attachment of a file being emailed, or computer device type including operating system, Basic Input/Output System (BIOS) version, time and date.
  - 8. The method as recited in claim 1, wherein the screen captures are performed periodically with a time interval between screen captures in a range from 1/30 of a second to 10 seconds, wherein the time interval between screen captures is decreased when a user operation for access to an external storage device or when the user performs a cut-and-paste operation.
  - 9. The method as recited in claim 1, further including:
    - performing continuous authentication of the user based on the images taken of the user while interacting with the computer device.

10. A computer device comprising:
- a memory;
  
  a processor;
  
  an interface to an image capture device for receiving images of a user while accessing the computer device; and
  
  a keyboard for receiving keyboard inputs, wherein the memory includes a computer program that, when executed by the processor, performs a method, the method comprising;
  
  authenticate the user on a security server for accessing at least one computer resource;
  
  perform optical character recognition (OCR) to identify text in screen captures;
  
  extracting semantic data from the text in the screen captures and from interaction data that includes the screen captures, images of the user and the keyboard inputs, the semantic data identifying user activities associated with the interaction data;
  
  generating a schema based on the extracted semantic data, the schema including tags that are descriptive of at least one of the identified user activity and the associated interaction data;
  
  analyzing the schema based on a defined model to identify security threats associated with the user activities;
  
  creating an alarm when a security threat is identified, the alarm including a binding of the one or more user activities, one or more tags, keyboard inputs, and screen captures associated with the one or more user activities; and
  
  sending a command to the security server to terminate access to the at least one computer resource in response to the alarm.

11. A computer program embedded in a non-transitory computer-readable storage medium, when executed by one or more processors, for securing a computer device, the computer program comprising:
- program instructions for receiving, by a security server, interaction data for a user interfacing with the computer device while the user is authenticated for accessing at least one computer resource, the interaction data including keyboard inputs, images taken of the user during the access and screen captures taken periodically;
  
  program instructions for performing optical character recognition (OCR) to identify text in the screen captures;
  
  program instructions for extracting semantic data from the interaction data and from the text in the screen captures, the semantic data identifying user activities associated with the interaction data;
  
  program instructions for generating a schema based on the extracted semantic data, the schema including tags that are descriptive of at least one of the identified user activity and the associated interaction data;
  
  program instructions for analyzing the schema based on a model to identify security threats associated with the user activities;
  
  program instructions for creating an alarm when non-conforming behavior for at least one user activity is detected, the alarm including a binding of the one or more user activities, one or more tags, keyboard inputs, and screen captures associated with the one or more user activities; and
  
  sending a command from the security server to terminate access to the at least one computer resource in response to the alarm.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18)
- - 12. The computer program as recited in claim 11, further including:
    - program instructions for providing a search interface for viewing the interaction data and identification of non-conforming behavior.
  - 13. The computer program as recited in claim 12, further including:
    - program instructions for providing search results after a search request, wherein the search results include associated user activities, time snapshots having an image of the user, associated keyboard inputs, and an associated screen capture.
  - 14. The computer program as recited in claim 11, wherein analyzing the schema includes generating a security score based on the model and the interaction data.
  - 15. The computer program as recited in claim 11, further including:
    - program instructions for providing an interface for receiving parameters associated with the model, the parameters identifying non-conforming behavior for the model.
  - 16. The computer program as recited in claim 15, further including:
    - program instructions for refining the model by analyzing computer use during a predetermined period of time.
  - 17. The computer program as recited in claim 15, wherein the interface includes a definition of exceptions for creating the alarm for one or more exception behaviors.
  - 18. The computer program as recited in claim 11, wherein analyzing the schema further includes:
    - program instructions for identifying a non-conforming behavior based on the model and a time of the non-conforming behavior.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
NSS Lab Works LLC
Original Assignee
NSS Lab Works LLC
Inventors
Sambamurthy, Namakkal S., Krishnan, Parthasarathy
Primary Examiner(s)
Schwartz, Darren B

Application Number

US13/844,274
Publication Number

US 20140283059A1
Time in Patent Office

809 Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/55 Detecting local intrusion o...

G06F 21/552 involving long-term monitor...

Continuous monitoring of computer user and computer activities

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Continuous monitoring of computer user and computer activities

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links