System and method for detecting potential threats by monitoring user and system behavior associated with computer and network activity
Abstract
A system and method is provided to monitor user and system behavior associated with computer and network activity to determine deviations from normal behavior that represent a potential cyber threat or cyber malicious activity. The system and method uses a multi-factor behavioral and activity analysis approach to determine when a trusted insider might be exhibiting threatening behavior or when a user's computer or network credentials have been compromised and are in use by a third party. As a result, changes in insider behavior that could be indicative of malicious intent can be detected, or an external entity masquerading as a legitimate user can be detected.
34 Citations
18 Claims
1. A method for monitoring a data network and identifying potentially malicious or threatening cyber activity, comprising:
- monitoring and collecting digital hidrosis data from at least one host system, wherein the digital hidrosis data comprises data associated with predetermined system and user-based behavioral indicators that provide information regarding a user's behavior, wherein the predetermined system and user-based behavioral indicators comprise at least one indicator that is not associated with autonomous application-initiated activity;
- comparing the digital hidrosis data with reference digital hidrosis data, wherein the reference digital hidrosis data defines normal values and/or a normal range of values for the predetermined system and user-based behavioral indicators that are indicative of non-malicious activity by a user; and
- determining whether malicious or threatening cyber activity may be present based on the comparison between the digital hidrosis data and the reference digital hidrosis data.
Dependent claims: 2, 3, 4, 5, 6
7. A system for monitoring a data network and identifying potentially malicious or threatening cyber activity, comprising:
- at least one host system, wherein each host system comprises a host processor and host memory; and
- a digital hidrosis monitor comprising a set of computer readable instructions stored in each host memory that are executable by each host processor to:
  - monitor and collect digital hidrosis data from the host system, wherein the digital hidrosis data comprises data associated with predetermined system and user-based behavioral indicators that provide information regarding a user's behavior, wherein the predetermined system and user-based behavioral indicators comprise at least one indicator that is not associated with autonomous application-initiated activity,
  - compare the digital hidrosis data with reference digital hidrosis data stored in the memory, wherein the reference digital hidrosis data defines normal values and/or a normal range of values for the predetermined system and user-based behavioral indicators that are indicative of non-malicious activity by a user, and
  - determine whether malicious or threatening cyber activity may be present based on the comparison between the digital hidrosis data and the reference digital hidrosis data.
Dependent claims: 8, 9, 10, 11, 12
13. A system for monitoring a data network and identifying potentially malicious or threatening cyber activity, comprising:
- at least one digital hidrosis monitor, wherein each digital hidrosis monitor:
  - monitors and collects digital hidrosis data from a respective host system, wherein the digital hidrosis data comprises data associated with predetermined system and user-based behavioral indicators that provide information regarding a user's behavior, wherein the predetermined system and user-based behavioral indicators comprise at least one indicator that is not associated with autonomous application-initiated activity,
  - compares the digital hidrosis data with reference digital hidrosis data, wherein the reference digital hidrosis data defines normal values and/or a normal range of values for the predetermined system and user-based behavioral indicators that are indicative of non-malicious activity by a user, and
  - determines whether malicious or threatening cyber activity may be present based on the comparison between the digital hidrosis data and the reference digital hidrosis data.
Dependent claims: 14, 15, 16, 17, 18
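One way the claimed comparison could be carried out, as an added Python example that is not the patent's own code: a per-user reference range is derived from prior sessions, and a new session is flagged only when several indicators leave their ranges, reflecting the multi-factor analysis described in the abstract. The indicator names, the session samples and the thresholds are all constructed for this illustration.

```python
from statistics import mean, stdev

# Constructed reference window: five prior sessions of one user. Every
# indicator here reflects user-driven activity (no autonomous, application-
# initiated activity), matching the claim's requirement.
REFERENCE_SESSIONS = [
    {"login_hour": 9, "typing_cpm": 220, "files_opened": 14, "hosts_contacted": 3},
    {"login_hour": 8, "typing_cpm": 235, "files_opened": 11, "hosts_contacted": 2},
    {"login_hour": 9, "typing_cpm": 210, "files_opened": 17, "hosts_contacted": 4},
    {"login_hour": 10, "typing_cpm": 228, "files_opened": 12, "hosts_contacted": 3},
    {"login_hour": 9, "typing_cpm": 215, "files_opened": 15, "hosts_contacted": 3},
]


def build_reference(sessions, k=3.0, min_sigma=0.5):
    """Derive the reference data: a normal range (mean +/- k*stdev) per indicator.

    min_sigma stops a baseline built from identical samples from collapsing to
    a single point, which would otherwise flag every future session.
    """
    reference = {}
    for name in sessions[0]:
        values = [s[name] for s in sessions]
        mu, sigma = mean(values), max(stdev(values), min_sigma)
        reference[name] = (mu - k * sigma, mu + k * sigma)
    return reference


def score_session(session, reference, min_deviations=2):
    """Compare one session with the reference ranges.

    Returns (flagged, deviating_indicators). A session is flagged only when at
    least min_deviations indicators leave their normal range, so a single odd
    reading does not raise an alert on its own.
    """
    deviating = [name for name, (low, high) in reference.items()
                 if not low <= session[name] <= high]
    return len(deviating) >= min_deviations, deviating


if __name__ == "__main__":
    ref = build_reference(REFERENCE_SESSIONS)
    # Constructed: credentials used at 03:00 with an unfamiliar typing cadence
    # and bulk file access, the pattern of a third party using stolen credentials.
    suspect = {"login_hour": 3, "typing_cpm": 90, "files_opened": 140, "hosts_contacted": 25}
    print(score_session(suspect, ref))
```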
Specification