Method and system for monitoring high risk users
Abstract
An approach for enabling the monitoring of high risk users is described. A high risk user (HRU) event management platform designates a user as a high risk user candidate and then initiates monitoring of activities of a computing device associated with identity information of the user. The HRU event management platform then collects data from the computing device and from one or more data sources according to one or more predetermined parameters specifying asset information. The data is correlated with the identity information of the user for confirming that the user is a high risk user.
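The flow summarized above (candidate designation, watch-list monitoring status, collection scoped by asset parameters, cross-referencing against high risk events, alert generation) can be sketched as follows. This is an added illustration, not code from the patent; the event types, asset names, user names, and the rule that only candidates in "monitored" status raise an alert are assumptions made for the example.

```python
from dataclasses import dataclass, field

# Constructed sample values; the patent names no concrete event types or assets.
HIGH_RISK_EVENTS = {"usb_mass_copy", "after_hours_db_export"}  # hypothetical
MONITORED_ASSETS = {"hr-db01", "laptop-4711"}                   # hypothetical

@dataclass
class WatchList:
    status: dict = field(default_factory=dict)  # user id -> monitoring status

    def designate(self, user):
        # New candidates enter the list with monitoring not yet started.
        self.status.setdefault(user, "not_monitored")

    def start_monitoring(self, user):
        if user not in self.status:
            raise KeyError(f"{user} is not a high risk user candidate")
        self.status[user] = "monitored"

def collect(raw_events, assets=MONITORED_ASSETS):
    """Keep only events from assets named by the predetermined parameters."""
    return [e for e in raw_events if e["asset"] in assets]

def correlate(events, watch_list, high_risk=HIGH_RISK_EVENTS):
    """Cross-reference events with high risk types, then compare to the watch list."""
    alerts = []
    for e in events:
        if e["type"] not in high_risk:
            continue  # not a high risk event or activity
        # Assumption: only candidates currently being monitored raise an alert.
        if watch_list.status.get(e["user"]) == "monitored":
            alerts.append({"alert": "high_risk_user_event", **e})
    return alerts

def demo():
    wl = WatchList()
    wl.designate("alice")
    wl.designate("bob")
    wl.start_monitoring("alice")  # bob stays "not_monitored"
    raw = [  # constructed events from a device and a second data source
        {"user": "alice", "asset": "laptop-4711", "type": "usb_mass_copy"},
        {"user": "alice", "asset": "laptop-4711", "type": "login"},
        {"user": "bob", "asset": "hr-db01", "type": "after_hours_db_export"},
        {"user": "alice", "asset": "kiosk-9", "type": "usb_mass_copy"},
        {"user": "carol", "asset": "hr-db01", "type": "after_hours_db_export"},
    ]
    return wl, correlate(collect(raw), wl)
```

Of the five constructed events, only the first produces an alert: the others are a non-high-risk type, a candidate not yet monitored, an out-of-scope asset, and a user absent from the watch list.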
18 Claims
1. A method comprising:
designating, by at least one processor, a user as a high risk user candidate;
placing the high risk user candidate on a watch list of high risk user candidates and designating, in the watch list, a monitoring status of the high risk user candidate as not being monitored;
after said designating the user, initiating monitoring of activities of a computing device associated with identity information of the user and changing, in the watch list, the monitoring status of the high risk user candidate as being monitored;
collecting event data from the computing device and from one or more data sources according to one or more predetermined parameters that specify asset information;
correlating the event data with one or more predetermined high risk events and by the identity information of the user for confirming that the user is a high risk user;
collecting one or more events from the computing device and the one or more data sources;
cross referencing the collected one or more events with specified high risk events or activities to determine whether the collected one or more events is a high risk event or activity;
upon determining the collected one or more events is a high risk event or activity, comparing the collected one or more events with the watch list; and
generating, based on the comparing, a high risk user event to output an alert.
Dependent claims: 2, 3, 4, 5, 6, 7
8. An apparatus comprising:
at least one processor; and
at least one memory including computer program code for one or more programs, the at least one memory and the computer program code configured to, with the at least one processor, cause the apparatus to perform at least the following,
designate a user as a high risk user candidate,
place the high risk user candidate on a watch list of high risk user candidates and designating, in the watch list, a monitoring status of the high risk user candidate as not being monitored,
after said designating the user, initiate monitoring of activities of a computing device associated with identity information of the user and change, in the watch list, the monitoring status of the high risk user candidate as being monitored,
collect event data from the computing device and from one or more data sources according to one or more predetermined parameters that specify asset information,
correlate the event data with one or more predetermined high risk events and by the identity information of the user for confirming that the user is a high risk user,
collect one or more events from the computing device and the one or more data sources;
cross reference the collected one or more events with specified high risk events or activities to determine whether the collected one or more events is a high risk event or activity;
upon determining the collected one or more events is a high risk event or activity, compare the collected one or more events with the watch list; and
generate, based on the comparison, a high risk user event to output an alert.
Dependent claims: 9, 10, 11, 12, 13, 14
15. A system comprising:
a high risk user management platform configured to receive, from a front end application, high risk user data that has been validated for availability for a particular user, wherein the platform is further configured to generate a list of one or more high risk users in response to the received high risk user data, the list indicating candidates for monitoring; and
a database coupled to the platform and configured to store the list and a monitor table that specifies correlated event data for the particular user that has previously been designated as a high risk user,
wherein the list includes a monitoring status of the candidates indicating whether or not each of the candidates is currently being monitored,
wherein the correlated event data is derived from monitored activities of a computing device associated with the particular user and one or more data sources other than the computing device, and
wherein the platform is further configured to extract, by at least one processor, a subset of the correlated event data to update a watch list based on events collected from the computing device and the one or more data sources, and that have been cross referenced with specified high risk activities to determine whether the events collected are high risk activities, and to correlate the subset of the correlated event data with one or more predetermined high risk events to confirm that the user is a high risk user.
Dependent claims: 16, 17, 18
Specification