Security threat detection associated with security events and an actor category model
First Claim
1. A method of determining a security threat comprising:
storing security events associated with network devices;
storing an actor category model including a plurality of levels arranged in a hierarchy, wherein each level is associated with a subcategory for a category of the actor category model, wherein the actor category model comprises an attribute for users, and the actor category model comprises parent-child relationships between the plurality of levels, and child levels inherit rules from their parent levels;
correlating security events with the actor category model, wherein the correlating of the security events with the actor category model includes identifying a user for each security event;
determining the actor category model is applicable to the user for each security event and any of the security events associated with the user by matching the attribute for users in the actor category model with a user attribute of the user in a user data model; and
identifying a level in the actor category model associated with the user for each security event; and
determining, by at least one processor, whether the security threat exists based on the correlating, wherein the determining of whether the security threat exists based on the correlating includes determining a security rule for the identified level; and
determining whether the security threat exists by applying the security rule.
Abstract
Security events associated with network devices and an actor category model are stored (501, 503). The actor category model includes levels arranged in a hierarchy and each level is associated with a subcategory for a category of the model. Security events are correlated with the actor category model (505), and a determination of whether a security threat exists is performed based on the correlating (506).
17 Claims
1. A method of determining a security threat comprising:
storing security events associated with network devices;
storing an actor category model including a plurality of levels arranged in a hierarchy, wherein each level is associated with a subcategory for a category of the actor category model, wherein the actor category model comprises an attribute for users, and the actor category model comprises parent-child relationships between the plurality of levels, and child levels inherit rules from their parent levels;
correlating security events with the actor category model, wherein the correlating of the security events with the actor category model includes identifying a user for each security event;
determining the actor category model is applicable to the user for each security event and any of the security events associated with the user by matching the attribute for users in the actor category model with a user attribute of the user in a user data model; and
identifying a level in the actor category model associated with the user for each security event; and
determining, by at least one processor, whether the security threat exists based on the correlating, wherein the determining of whether the security threat exists based on the correlating includes determining a security rule for the identified level; and
determining whether the security threat exists by applying the security rule.
(Dependent claims 2, 3, 4, 5, 6 and 7 not shown.)
8. A threat detection system comprising:
a non-transitory data storage that stores security events associated with network devices, and an actor category model including a plurality of levels arranged in a hierarchy and each level is associated with a subcategory for a category of the actor category model, wherein the actor category model comprises an attribute for users, and the actor category model comprises parent-child relationships between the plurality of levels, and child levels inherit rules from their parent levels; and
at least one physical processor that correlates security events with the actor category model, wherein to correlate the security events the at least one processor:
identifies a user for each security event;
determines the actor category model is applicable to the user for each security event and any of the security events associated with the user by matching the attribute for users in the actor category model with a user attribute of the user in a user data model;
identifies a level in the actor category model associated with the user for each security event; and
determines whether a security threat exists based on the correlating, wherein to determine whether the security threat exists, the at least one processor:
determines a security rule for the identified level; and
applies the security rule to determine whether the security threat exists.
(Dependent claims 9, 10, 11, 12, 13 and 14 not shown.)
15. A non-transitory computer readable medium storing machine readable instructions that when executed by a physical processor cause the physical processor to:
store security events associated with network devices;
store an actor category model including a plurality of levels arranged in a hierarchy and each level is associated with a subcategory for a category of the model;
correlate security events with the actor category model, wherein to correlate the security events the at least one processor is to identify a user for each security event, determine the actor category model is applicable to the user for each security event and any of the security events associated with the user by matching the attribute for users in the actor category model with a user attribute of the user in a user data model, and identify a level in the actor category model associated with the user for each security event, wherein to identify the user for each security event, the processor determines an application associated with the security event, identifies an authenticator that provisions user accounts for the application, determines an account ID associated with the security event, and determines the user based on the authenticator and the account ID; and
determine whether the security threat exists based on the correlating, wherein to determine whether the security threat exists, the at least one processor is to select a security rule for the identified level from a plurality of security rules, and determine whether the security threat exists by applying the selected security rule.
(Dependent claims 16 and 17 not shown.)
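The claims above describe one detection flow: resolve each event to a user through the application's authenticator and the account ID (claim 15), place the user at the deepest matching level of a hierarchical actor category model whose child levels inherit and may override parent rules (claims 1 and 8), then apply that level's effective rules to the user's events. The following is an added, self-contained illustration of that flow written for this page; it is not code from the patent or its assignee. The model (a "workforce" category with "finance" and "finance-contractor" sub-levels), the users, the authenticator mapping, the rules and the events are all constructed assumptions, as are the function and field names.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

Event = dict
Rule = Callable[[List[Event]], bool]  # returns True when a user's events indicate a threat


@dataclass
class Level:
    """One level of the actor category model (assumed structure, not the patent's)."""
    name: str
    match: Dict[str, str]                       # user attributes that place a user at this level
    rules: Dict[str, Rule] = field(default_factory=dict)
    children: List["Level"] = field(default_factory=list)
    parent: Optional["Level"] = None

    def add_child(self, child: "Level") -> "Level":
        child.parent = self
        self.children.append(child)
        return child

    def effective_rules(self) -> Dict[str, Rule]:
        # Child levels inherit parent rules; a child rule with the same name overrides it.
        inherited = self.parent.effective_rules() if self.parent else {}
        return {**inherited, **self.rules}


def identify_level(root: Level, user_attrs: Dict[str, str]) -> Optional[Level]:
    """Walk from the root to the deepest level whose attributes the user matches."""
    if not all(user_attrs.get(k) == v for k, v in root.match.items()):
        return None
    for child in root.children:
        deeper = identify_level(child, user_attrs)
        if deeper is not None:
            return deeper
    return root


def resolve_user(event: Event, app_to_authenticator: Dict[str, str], accounts: Dict) -> Optional[str]:
    """Application -> authenticator, then (authenticator, account ID) -> user, as in claim 15."""
    authenticator = app_to_authenticator.get(event["app"])
    if authenticator is None:
        return None                              # unknown application: event cannot be attributed
    return accounts.get((authenticator, event["account_id"]))


def detect_threats(events, root, users, app_to_authenticator, accounts):
    """Correlate events with users, pick each user's level, apply the level's effective rules."""
    by_user = defaultdict(list)
    for ev in events:
        user_id = resolve_user(ev, app_to_authenticator, accounts)
        if user_id is not None:
            by_user[user_id].append(ev)
    findings = {}
    for user_id, user_events in by_user.items():
        level = identify_level(root, users[user_id])
        if level is None:
            continue                             # model not applicable to this user
        fired = sorted(name for name, rule in level.effective_rules().items() if rule(user_events))
        if fired:
            findings[user_id] = (level.name, fired)
    return findings


def failed_logins_over(limit: int) -> Rule:
    return lambda evs: sum(1 for e in evs if e["type"] == "login_failure") > limit


def accessed_app(app: str) -> Rule:
    return lambda evs: any(e["app"] == app and e["type"] == "login_success" for e in evs)


# Constructed actor category model: category "workforce", sub-levels by user attribute.
ROOT = Level("workforce", {}, {"brute_force": failed_logins_over(5)})
FINANCE = ROOT.add_child(Level("finance", {"department": "finance"},
                               {"brute_force": failed_logins_over(2)}))      # tighter override
CONTRACTOR = FINANCE.add_child(Level("finance-contractor", {"employment": "contractor"},
                                     {"payroll_access": accessed_app("payroll")}))

USERS = {  # constructed user data model
    "u1": {"department": "finance", "employment": "employee"},
    "u2": {"department": "finance", "employment": "contractor"},
    "u3": {"department": "engineering", "employment": "employee"},
}
APP_TO_AUTHENTICATOR = {"payroll": "corp-ad", "git": "github-sso"}   # which authenticator provisions each app
ACCOUNTS = {("corp-ad", "alice"): "u1", ("corp-ad", "bob"): "u2",
            ("github-sso", "bob-ctr"): "u2", ("github-sso", "carol"): "u3"}

EVENTS = [  # constructed security events
    {"app": "payroll", "account_id": "alice", "type": "login_failure"},
    {"app": "payroll", "account_id": "alice", "type": "login_failure"},
    {"app": "payroll", "account_id": "alice", "type": "login_failure"},   # 3 > 2: finance override fires
    {"app": "payroll", "account_id": "bob", "type": "login_success"},     # contractor reaching payroll
    {"app": "git", "account_id": "bob-ctr", "type": "login_failure"},     # same user via a second authenticator
    {"app": "git", "account_id": "carol", "type": "login_failure"},
    {"app": "git", "account_id": "carol", "type": "login_failure"},
    {"app": "git", "account_id": "carol", "type": "login_failure"},       # 3 <= 5: root rule stays quiet
    {"app": "vpn", "account_id": "ghost", "type": "login_failure"},       # no authenticator known: dropped
]

if __name__ == "__main__":
    for user_id, (level_name, rules) in detect_threats(EVENTS, ROOT, USERS, APP_TO_AUTHENTICATOR, ACCOUNTS).items():
        print(user_id, level_name, rules)
```

Two points worth noting when applying this pattern. First, the two accounts "bob" and "bob-ctr" collapse onto one user only because the (authenticator, account ID) index is consulted before correlation, which is what lets the rule see the user's activity across applications. Second, the finance level's lower brute-force threshold replaces the inherited one rather than adding a second rule with the same name, so a level's effective rule set is always a single, predictable dictionary.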