System and method for detecting potential threats by monitoring user and system behavior associated with computer and network activity

US 9,117,076 B2
Filed: 03/14/2013
Issued: 08/25/2015
Est. Priority Date: 03/14/2012
Status: Active Grant

First Claim

Patent Images

1. A method for monitoring a data network and identifying potentially malicious or threatening cyber activity, comprising:

monitoring and collecting digital hidrosis data from at least one host system, wherein the digital hidrosis data comprises data associated with predetermined system and user-based behavioral indicators that provide information regarding a user'"'"'s behavior, wherein the predetermined system and user-based behavioral indicators comprise at least one indicator that is not associated with autonomous application-initiated activity;

comparing the digital hidrosis data with reference digital hidrosis data, wherein the reference digital hidrosis data defines normal values and/or a normal range of values for the predetermined system and user-based behavioral indicators that are indicative of non-malicious activity by a user; and

determining whether malicious or threatening cyber activity may be present based on the comparison between the digital hidrosis data and the reference digital hidrosis data.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method is provided to monitor user and system behavior associated with computer and network activity to determine deviations from normal behavior that represent a potential cyber threat or cyber malicious activity. The system and method uses a multi-factor behavioral and activity analysis approach to determine when a trusted insider might be exhibiting threatening behavior or when a user'"'"'s computer or network credentials have been compromised and are in use by a third-party. As a result, changes in insider behavior that could be indicative of malicious intent can be detected, or an external entity masquerading as a legitimate user can be detected.

34 Citations

View as Search Results

18 Claims

1. A method for monitoring a data network and identifying potentially malicious or threatening cyber activity, comprising:
- monitoring and collecting digital hidrosis data from at least one host system, wherein the digital hidrosis data comprises data associated with predetermined system and user-based behavioral indicators that provide information regarding a user'"'"'s behavior, wherein the predetermined system and user-based behavioral indicators comprise at least one indicator that is not associated with autonomous application-initiated activity;
  
  comparing the digital hidrosis data with reference digital hidrosis data, wherein the reference digital hidrosis data defines normal values and/or a normal range of values for the predetermined system and user-based behavioral indicators that are indicative of non-malicious activity by a user; and
  
  determining whether malicious or threatening cyber activity may be present based on the comparison between the digital hidrosis data and the reference digital hidrosis data.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, wherein a determination is made that malicious or threatening cyber activity may be present when a predetermined number and predetermined combination of system and user-based behavioral indicators exceed the normal values and/or normal range of values defined by the reference digital hidrosis data.
  - 3. The method of claim 1, further comprising generating a deviation report when it is determined that malicious or threatening cyber activity may be present.
  - 4. The method of claim 1, further comprising periodically defining new reference digital hidrosis data based on the digital hidrosis data collected by the at least one host system.
  - 5. The method of claim 1, wherein the predetermined system and user-based behavioral indicators comprise at least one of the following:
    - (a) whether an anomalous or unknown code has gained execution privileges on the at least one host system;
      
      (b) CPU utilization in the at least one host system;
      
      (c) activities exhibited by one or more applications running on the at least one host system that are associated with a user interfacing with the one or more applications;
      
      (d) timing of external connections made by the at least one host system;
      
      (e) performance of user interfaces used by the at least one host system;
      
      (f) the length of network sessions initiated by the at least one host system;
      
      (g) network activity initiated by a user;
      
      (h) system settings on the at least one host system;
      
      (i) hygiene profile of the at least one host system; and
      
      (j) data acquisition history of the at least one host system.
  - 6. The method of claim 1, wherein the at least one indicator that is not associated with autonomous application-initiated activity comprises at least one of the following:
    - (a) activities exhibited by one or more applications running on the at least one host system that are associated with a user interfacing with the one or more applications;
      
      (b) timing of external connections made by the at least one host system;
      
      (c) performance of user interfaces used by the at least one host system;
      
      (d) the length of network sessions initiated by the at least one host system;
      
      (e) network activity initiated by a user;
      
      (f) system settings on the at least one host system; and
      
      (g) data acquisition history of the at least one host system.

7. A system for monitoring a data network and identifying potentially malicious or threatening cyber activity, comprising:
- at least one host system, wherein each host system comprises a host processor and host memory; and
  
  a digital hidrosis monitor comprising a set of computer readable instructions stored in each host memory that are executable by each host processor to;
  
  monitor and collect digital hidrosis data from the host system, wherein the digital hidrosis data comprises data associated with predetermined system and user-based behavioral indicators that provide information regarding a user'"'"'s behavior, wherein the predetermined system and user-based behavioral indicators comprise at least one indicator that is not associated with autonomous application-initiated activity,compare the digital hidrosis data with reference digital hidrosis data stored in the memory, wherein the reference digital hidrosis data defines normal values and/or a normal range of values for the predetermined system and user-based behavioral indicators that are indicative of non-malicious activity by a user, anddetermine whether malicious or threatening cyber activity may be present based on the comparison between the digital hidrosis data and the reference digital hidrosis data.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The system of claim 7, wherein the host processor determines that malicious or threatening cyber activity may be present when a predetermined number and predetermined combination of system and user-based behavioral indicators exceed the normal values and/or normal range of values defined by the reference digital hidrosis data.
  - 9. The system of claim 7, wherein the at least one indicator that is not associated with autonomous application-initiated activity comprises at least one of the following:
    - (a) activities exhibited by one or more applications running on the at least one host system that are associated with a user interfacing with the one or more applications;
      
      (b) timing of external connections made by the at least one host system;
      
      (c) performance of user interfaces used by the at least one host system;
      
      (d) the length of network sessions initiated by the at least one host system;
      
      (e) network activity initiated by a user;
      
      (f) system settings on the at least one host system; and
      
      (g) data acquisition history of the at least one host system.
  - 10. The system of claim 7, wherein the predetermined system and user behavioral factors comprise at least one of the following:
    - (a) whether an anomalous or unknown code has gained execution privileges on the at least one host system;
      
      (b) CPU utilization in the at least one host system;
      
      (c) activities exhibited by one or more applications running on the at least one host system that are associated with a user interfacing with the one or more applications;
      
      (d) timing of external connections made by the at least one host system;
      
      (e) performance of user interfaces used by the at least one host system;
      
      (f) the length of network sessions initiated by the at least one host system;
      
      (g) network activity initiated by a user;
      
      (h) system settings on the at least one host system;
      
      (i) hygiene profile of the at least one host system; and
      
      (j) data acquisition history of the at least one host system.
  - 11. The system of claim 7, further comprising:
    - a server comprising a server processor and a server memory;
      
      a digital hidrosis engine comprising a set of computer readable instructions stored in the server memory that are executable by the server processor to;
      
      receive digital hidrosis data collected and sent by each host system,create new reference digital hidrosis data based on the received digital hidrosis data, andsend the new reference digital hidrosis data to each host system.
  - 12. The system of claim 11, wherein each host processor generates a deviation report and sends the deviation report to the server when the host processor determines that malicious or threatening cyber activity may be present.

13. A system for monitoring a data network and identifying potentially malicious or threatening cyber activity, comprising:
- at least one digital hidrosis monitor, wherein each digital hidrosis monitor;
  
  monitors and collects digital hidrosis data from a respective host system, wherein the digital hidrosis data comprises data associated with predetermined system and user-based behavioral indicators that provide information regarding a user'"'"'s behavior, wherein the predetermined system and user behavioral factors user-based behavioral indicators comprise at least one indicator that is not associated with autonomous application-initiated activity,compares the digital hidrosis data with reference digital hidrosis data, wherein the reference digital hidrosis data defines normal values and/or a normal range of values for the predetermined system and user-based behavioral indicators that are indicative of non-malicious activity by a user, anddetermines whether malicious or threatening cyber activity may be present based on the comparison between the digital hidrosis data and the reference digital hidrosis data.
- View Dependent Claims (14, 15, 16, 17, 18)
- - 14. The system of claim 13, wherein each digital hidrosis monitor determines that malicious or threatening cyber activity may be present when a predetermined number and predetermined combination of system and user behavioral factors user-based behavioral indicators exceed the normal values and/or normal range of values defined by the reference digital hidrosis data.
  - 15. The system of claim 13, wherein the at least one indicator that is not associated with autonomous application-initiated activity comprises at least one of the following:
    - (a) activities exhibited by one or more applications running on the at least one host system that are associated with a user interfacing with the one or more applications;
      
      (b) timing of external connections made by the at least one host system;
      
      (c) performance of user interfaces used by the at least one host system;
      
      (d) the length of network sessions initiated by the at least one host system;
      
      (e) network activity initiated by a user;
      
      (f) system settings on the at least one host system; and
      
      (g) data acquisition history of the at least one host system.
  - 16. The system of claim 13, wherein the predetermined system and user-based behavioral indicators comprise at least one of the following:
    - (a) whether an anomalous or unknown code has gained execution privileges on the at least one host system;
      
      (b) CPU utilization in the at least one host system;
      
      (c) activities exhibited by one or more applications running on the at least one host system that are associated with a user interfacing with the one or more applications;
      
      (d) timing of external connections made by the at least one host system;
      
      (e) performance of user interfaces used by the at least one host system;
      
      (f) the length of network sessions initiated by the at least one host system;
      
      (g) network activity initiated by a user;
      
      (h) system settings on the at least one host system;
      
      (i) hygiene profile of the at least one host system; and
      
      (j) data acquisition history of the at least one host system.
  - 17. The system of claim 13, further comprising:
    - a digital hidrosis engine, wherein the digital hidrosis engine;
      
      receives digital hidrosis data collected and sent by each digital hidrosis monitor,creates new reference digital hidrosis data based on the received digital hidrosis data, andsends the new reference digital hidrosis data to each digital hidrosis monitor.
  - 18. The system of claim 17, wherein each digital hidrosis monitor generates a deviation report and sends the deviation report to the digital hidrosis engine when the digital hidrosis monitor determines that malicious or threatening cyber activity may be present.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Wintermute LLC (Wintermute Trading Ltd.)
Original Assignee
Wintermute LLC (Wintermute Trading Ltd.)
Inventors
Devost, Matthew G.
Primary Examiner(s)
Lipman, Jacob

Application Number

US13/829,613
Publication Number

US 20130254885A1
Time in Patent Office

894 Days
Field of Search

726/23
US Class Current

1/1
CPC Class Codes

G06F 21/316 by observing the pattern of...

G06F 21/56 Computer malware detection ...

System and method for detecting potential threats by monitoring user and system behavior associated with computer and network activity

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

34 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for detecting potential threats by monitoring user and system behavior associated with computer and network activity

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

34 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links