Identifying suspicious user logins in enterprise networks

US 9,231,962 B1
Filed: 12/23/2013
Issued: 01/05/2016
Est. Priority Date: 11/12/2013
Status: Active Grant

First Claim

Patent Images

1. A method comprising steps of:

processing log data derived from one or more data sources associated with an enterprise network, wherein the enterprise network comprises multiple hosts;

generating a set of profiles, wherein the set comprises profiles corresponding to respective ones of multiple users and profiles corresponding to respective ones of the multiple hosts, wherein each profile comprises historical login information derived from said log data;

creating a graph based on said set of profiles, wherein said graph comprises (i) nodes representing said multiple users and said multiple hosts within the enterprise network, (ii) edges representing login instances linking together user-host pairs, and (iii) one or more communities identified among the nodes, wherein each community corresponds to a group of one or more users and one or more hosts that exhibit at least a specified level of interaction;

analyzing a login instance within the enterprise network against the graph;

identifying the login instance as inconsistent with the historical login information based on said graph; and

outputting said identification of the inconsistent login instance;

wherein said steps are carried out by at least one computing device.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods, apparatus and articles of manufacture for identifying suspicious user logins in enterprise networks are provided herein. A method includes processing log data derived from one or more data sources associated with an enterprise network, wherein the enterprise network comprises multiple hosts; generating a set of profiles, wherein the set comprises a profile corresponding to each of multiple users and a profile corresponding to each of the multiple hosts, wherein each profile comprises one or more login patterns based on historical login information derived from said log data; and analyzing a login instance within the enterprise network against the set of profiles.

77 Citations

View as Search Results

20 Claims

1. A method comprising steps of:
- processing log data derived from one or more data sources associated with an enterprise network, wherein the enterprise network comprises multiple hosts;
  
  generating a set of profiles, wherein the set comprises profiles corresponding to respective ones of multiple users and profiles corresponding to respective ones of the multiple hosts, wherein each profile comprises historical login information derived from said log data;
  
  creating a graph based on said set of profiles, wherein said graph comprises (i) nodes representing said multiple users and said multiple hosts within the enterprise network, (ii) edges representing login instances linking together user-host pairs, and (iii) one or more communities identified among the nodes, wherein each community corresponds to a group of one or more users and one or more hosts that exhibit at least a specified level of interaction;
  
  analyzing a login instance within the enterprise network against the graph;
  
  identifying the login instance as inconsistent with the historical login information based on said graph; and
  
  outputting said identification of the inconsistent login instance;
  
  wherein said steps are carried out by at least one computing device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. The method of claim 1, further comprising:
    - computing a score for each user and each host associated with the inconsistent login instance, wherein said score captures a degree of inconsistency corresponding to the inconsistent login instance.
  - 3. The method of claim 2, wherein said computing comprises computing the score for each user and each host using one or more weights.
  - 4. The method of claim 1, further comprising:
    - applying a graph partitioning algorithm to the graph.
  - 5. The method of claim 1, wherein said processing comprises normalizing said log data.
  - 6. The method of claim 5, wherein said normalizing comprises normalizing a timestamp associated with each item of said log data into a common time zone.
  - 7. The method of claim 5, wherein said normalizing comprises establishing a mapping between each internet protocol (IP) address associated with said log data and a unique identifier for each of said multiple hosts.
  - 8. The method of claim 1, wherein said one or more data sources comprises a dynamic host configuration protocol server.
  - 9. The method of claim 1, wherein said one or more data sources comprises a domain controller.
  - 10. The method of claim 1, wherein said one or more data sources comprises a virtual private network server.
  - 11. The method of claim 1, wherein said one or more data sources comprises a web proxy.
  - 12. The method of claim 1, wherein said one or more data sources comprises enterprise malware.
  - 13. The method of claim 1, wherein a profile corresponding to a given one of the multiple users comprises:
    - a list of one or more of the multiple hosts onto which the given user successfully logged in;
      
      the number of times that the given user logged on to each of the one or more hosts; and
      
      a timestamp corresponding to the first login instance and the last login instance for the given user and each of the one or more hosts.
  - 14. The method of claim 13, further comprising:
    - removing a given host from the profile after the given user has not logged in to the given host for a specified amount of time.
  - 15. The method of claim 1, further comprising:
    - updating the set of profiles upon the processing of additional log data.
  - 16. The method of claim 1, wherein said generating comprises generating the set of profiles for the multiple users and the multiple hosts based on authentication attempts within the enterprise network observed over a specified period of time.

17. An article of manufacture comprising a non-transitory processor-readable storage medium having processor-readable instructions tangibly embodied thereon which, when implemented, cause a processor to carry out steps comprising:
- processing log data derived from one or more data sources associated with an enterprise network, wherein the enterprise network comprises multiple hosts;
  
  generating a set of profiles, wherein the set comprises profiles corresponding to respective ones of multiple users and profiles corresponding to respective ones of the multiple hosts, wherein each profile comprises historical login information derived from said log data;
  
  creating a graph based on said set of profiles, wherein said graph comprises (i) nodes representing said multiple users and said multiple hosts within the enterprise network, (ii) edges representing login instances linking together user-host pairs, and (iii) one or more communities identified among the nodes, wherein each community corresponds to a group of one or more users and one or more hosts that exhibit at least a specified level of interaction;
  
  analyzing a login instance within the enterprise network against the graph;
  
  identifying the login instance as inconsistent with the historical login information based on said graph; and
  
  outputting said identification of the inconsistent login instance.
- View Dependent Claims (18, 19)
- - 18. The article of manufacture of claim 17, wherein the steps further comprise:
    - computing a score for each user and each host associated with the inconsistent login instance, wherein said score captures a degree of inconsistency corresponding to the inconsistent login instance.
  - 19. The article of manufacture of claim 18, wherein said computing comprises computing the score for each user and each host using one or more weights.

20. An apparatus comprising:
- a memory; and
  
  at least one processor coupled to the memory; and
  
  a plurality of modules executing on the at least one processor, wherein the plurality of modules comprise;
  
  a normalization module configured to process log data derived from one or more data sources associated with an enterprise network, wherein the enterprise network comprises multiple hosts;
  
  a behavioral profiler module configured to generate a set of profiles, wherein the set comprises profiles corresponding to respective ones of multiple users and profiles corresponding to respective ones of the multiple hosts, wherein each profile comprises historical login information derived from said log data;
  
  an analysis module configured to;
  
  create a graph based on said set of profiles, wherein said graph comprises (i) nodes representing said multiple users and said multiple hosts within the enterprise network, (ii) edges representing login instances linking together user-host pairs, and (iii) one or more communities identified among the nodes, wherein each community corresponds to a group of one or more users and one or more hosts that exhibit at least a specified level of interaction;
  
  analyze a login instance within the enterprise network against the graph;
  
  identify the login instance as inconsistent with the historical login information based on said graph; and
  
  output said identification of the inconsistent login instance.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Emc IP Holding Company LLC (Dell Technologies Inc.)
Original Assignee
EMC Corporation (Dell Technologies Inc.)
Inventors
Yen, Ting-Fang, Oprea, Alina
Primary Examiner(s)
Ho, Dao

Application Number

US14/138,961
Time in Patent Office

743 Days
Field of Search

726/25
US Class Current

1/1
CPC Class Codes

G06F 21/316   by observing the pattern of...

G06F 21/552   involving long-term monitor...

H04L 63/08   for authentication of entit...

H04L 63/1408   by monitoring network traff...

H04L 63/1425   Traffic logging, e.g. anoma...

Identifying suspicious user logins in enterprise networks

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

77 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Identifying suspicious user logins in enterprise networks

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

77 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links