Method and system for monitoring high risk users

US 9,129,257 B2
Filed: 12/20/2010
Issued: 09/08/2015
Est. Priority Date: 12/20/2010
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

designating, by at least one processor, a user as a high risk user candidate;

placing the high risk user candidate on a watch list of high risk user candidates and designating, in the watch list, a monitoring status of the high risk user candidate as not being monitored;

after said designating the user, initiating monitoring of activities of a computing device associated with identity information of the user and changing, in the watch list, the monitoring status of the high risk usercandidate as being monitored;

collecting event data from the computing device and from one or more data sources according to one or more predetermined parameters that specify asset information;

correlating the event data with one or more predetermined high risk events and by the identity information of the user for confirming that the user is a high risk user;

collecting one or more events from the computing device and the one or more data sources;

cross referencing the collected one or more events with specified high risk events or activities to determine whether the collected one or more events is a high risk event or activity;

upon determining the collected one or more events is a high risk event or activity, comparing the collected one or more events with the watch list; and

generating, based on the comparing, a high risk user event to output an alert.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An approach for enabling the monitoring of high risk users is described. A high risk user (HRU) event management platform designates a user as a high risk user candidate and then initiates monitoring of activities of a computing device associated with identity information of the user. The HRU event management platform then collects data from the computing device and from one or more data sources according to one or more predetermined parameters specifying asset information. The data is correlated with the identity information of the user for confirming that the user is a high risk user.

Citations

18 Claims

1. A method comprising:
- designating, by at least one processor, a user as a high risk user candidate;
  
  placing the high risk user candidate on a watch list of high risk user candidates and designating, in the watch list, a monitoring status of the high risk user candidate as not being monitored;
  
  after said designating the user, initiating monitoring of activities of a computing device associated with identity information of the user and changing, in the watch list, the monitoring status of the high risk usercandidate as being monitored;
  
  collecting event data from the computing device and from one or more data sources according to one or more predetermined parameters that specify asset information;
  
  correlating the event data with one or more predetermined high risk events and by the identity information of the user for confirming that the user is a high risk user;
  
  collecting one or more events from the computing device and the one or more data sources;
  
  cross referencing the collected one or more events with specified high risk events or activities to determine whether the collected one or more events is a high risk event or activity;
  
  upon determining the collected one or more events is a high risk event or activity, comparing the collected one or more events with the watch list; and
  
  generating, based on the comparing, a high risk user event to output an alert.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. A method according to claim 1, further comprising:
    - retrieving asset information and identity information for the user for determining the high risk user candidacy of the user; and
      
      extracting one or more data pairs relating the asset information or the identity information to a user identifier value.
  - 3. A method according to claim 2, further comprising:
    - exporting data that is correlated with the identity information to generate the watch list specifying the user.
  - 4. A method according to claim 1, wherein the computing device is configured to access resources of a network associated with an organization, and the user has an employee-employer relationship with the organization.
  - 5. A method according to claim 1, further comprising:
    - creating an entry for a high risk user list that specifies one or more high risk user candidates,wherein the entry includes the identity information and timing information for the monitoring of the activities.
  - 6. A method according to claim 1, further comprising:
    - determining a host name associated with the computing device, a media access control address associated with the computing device, and a network address associated with the computing device; and
      
      generating a high risk monitor list to indicate that the activities of the computing device are to be monitored, wherein the high risk monitor list includes the identity information, the host name, the media access control address, and the network address; and
      
      extracting a subset of the correlated event data based on the high risk monitor list.
  - 7. A method according to claim 6, further comprising:
    - comparing the extracted subset with events associated with the computing device and the one or more data sources; and
      
      updating a watch list based on the comparison.

8. An apparatus comprising:
- at least one processor; and
  
  at least one memory including computer program code for one or more programs,the at least one memory and the computer program code configured to, with the at least one processor, cause the apparatus to perform at least the following,designate a user as a high risk user candidate,place the high risk user candidate on a watch list of high risk user candidates and designating, in the watch list, a monitoring status of the high risk user candidate as not being monitored,after said designating the user, initiate monitoring of activities of a computing device associated with identity information of the user and change, in the watch list, the monitoring status of the high risk user candidate as being monitored,collect event data from the computing device and from one or more data sources according to one or more predetermined parameters that specify asset information,correlate the event data with one or more predetermined high risk events and by the identity information of the user for confirming that the user is a high risk user,collect one or more events from the computing device and the one or more data sources;
  
  cross reference the collected one or more events with specified high risk events or activities to determine whether the collected one or more events is a high risk event or activity;
  
  upon determining the collected one or more events is a high risk event or activity, compare the collected one or more events with the watch list; and
  
  generate, based on the comparison, a high risk user event to output an alert.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. An apparatus according to claim 8, wherein the apparatus is further caused to:
    - retrieve asset information and identity information for the user for determining the high risk user candidacy of the user; and
      
      extract one or more data pairs relating the asset information or the identity information to a user identifier value.
  - 10. An apparatus according to claim 9, wherein the apparatus is further caused to:
    - export data that is correlated with the identity information to generate the watch list specifying the user.
  - 11. An apparatus according to claim 8, wherein the computing device is configured to access resource of a network associated with an organization, and the user has an employee-employer relationship with the organization.
  - 12. An apparatus according to claim 8, wherein the apparatus is further caused to:
    - create an entry for a high risk user list that specifies one or more high risk user candidates,wherein the entry includes the identity information and timing information for the monitoring of the activities.
  - 13. An apparatus according to claim 8, wherein the apparatus is further caused to:
    - determine a host name associated with the computing device, a media access control address associated with the computing device, and a network address associated with the computing device; and
      
      generate a high risk monitor list to indicate that the activities of the computing device are to be monitored, wherein the high risk monitor list includes the identity information, the host name, the media access control address, and the network address; and
      
      extract a subset of the correlated event data based on the high risk monitor list.
  - 14. An apparatus according to claim 13, wherein the apparatus is further caused to:
    - compare the extracted subset with events associated with the computing device and the one or more data sources; and
      
      update a watch list based on the comparison.

15. A system comprising:
- a high risk user management platform configured to receive, from a front end application, high risk user data that has been validated for availability for a particular user, wherein the platform is further configured to generate a list of one or more high risk users in response to the received high risk user data, the list indicating candidates for monitoring; and
  
  a database coupled to the platform and configured to store the list and a monitor table that specifies correlated event data for the particular user that has previously been designated as a high risk user,wherein the list includes a monitoring status of the candidates indicating whether or not each of the candidates is currently being monitored,wherein the correlated event data is derived from monitored activities of a computing device associated with the particular user and one or more data sources other than the computing device, andwherein the platform is further configured to extract, by at least one processor, a subset of the correlated event data to update a watch list based on events collected from the computing device and the one or more data sources, and that have been cross referenced with specified high risk activities to determine whether the events collected are high risk activities, and to correlate the subset of the correlated event data with one or more predetermined high risk events to confirm that the user is a high risk user.
- View Dependent Claims (16, 17, 18)
- - 16. A system according to claim 15, wherein the front end application is configured to retrieve asset information and identity information for the particular user for determining candidacy of the particular user to be included on the list, and extract one or more data pairs relating the asset information or the identity information to a user identifier value.
  - 17. A system according to claim 15, wherein the platform is further configured to create an entry for the list, wherein the entry includes the identity information and timing information for the monitored activities.
  - 18. A system according to claim 15, wherein the platform is further configured to generate a high risk monitor list to indicate that the activities of the computing device is to be monitored, wherein the high risk monitor list includes the identity information, host name, media access control address, and network address.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Verizon Patent and Licensing Incorporated (Verizon Communications Inc.)
Original Assignee
Verizon Patent and Licensing Incorporated (Verizon Communications Inc.)
Inventors
Saunders, Donald E., Newhouse, Jeremy D.
Primary Examiner(s)
McNally, Michael S
Assistant Examiner(s)
DOLLY, KENDALL LYNN

Application Number

US12/972,727
Publication Number

US 20120158454A1
Time in Patent Office

1,723 Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/00   Security arrangements for p...

G06F 21/50   Monitoring users, programs ...

G06F 21/60   Protecting data

G06Q 10/0635   Risk analysis of enterprise...

G06Q 10/10   Office automation; Time man...

Method and system for monitoring high risk users

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for monitoring high risk users

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links