Behavioral engine for identifying anomalous data access patterns
First Claim
1. A method comprising:
receiving, from a data loss prevention (DLP) agent running on an endpoint device, data access records by a processing device executing a DLP server;
determining, by the processing device, a data access behavior pattern for at least one of a file or a directory based on the data access records, wherein the data access behavior pattern is user independent;
receiving, by the processing device, a confirmation request from the DLP agent that has blocked an access event for at least one of the file or directory on a local storage device of the endpoint device on which the DLP agent runs, the confirmation request comprising a new data access record associated with the blocked access event;
identifying deviation from the data access behavior pattern based on the new data access record;
determining, based on the data access behavior pattern and the new data access record, a risk rating indicating a risk that the access event represents malicious activity;
responsive to determining that the deviation is below a threshold, sending a confirmation message to the DLP agent, the confirmation message comprising an instruction to permit the access event for at least one of the file or the directory on the local storage device of the endpoint device; and
responsive to determining that the deviation exceeds the threshold, generating an alert indicating that data access activity for at least one of the file or the directory has deviated from the data access behavior pattern, wherein the alert comprises the risk rating.
Abstract
A computing device receives data access records and determines a user data access behavior pattern for a user based on the data access records. The computing device receives new data access records and identifies any deviation from the user data access behavior pattern based on the new data access records. Upon identifying deviation from the user data access behavior pattern, the computing device generates an alert indicating that the user has deviated from the user data access behavior pattern.
18 Claims
7. A non-transitory computer readable medium including instructions that, when executed by a processing device executing a data loss prevention (DLP) server, cause the processing device to perform operations comprising:
receiving data access records from a DLP agent running on an endpoint device;
determining, by the processing device, a data access behavior pattern for at least one of a file or a directory based on the data access records, wherein the data access behavior pattern is user independent;
receiving, by the processing device, a confirmation request from the DLP agent that has blocked an access event for at least one of the file or directory on a local storage device of the endpoint device on which the DLP agent runs, the confirmation request comprising a new data access record associated with the blocked access event;
identifying, by the processing device, deviation from the data access behavior pattern based on the new data access record;
determining, based on the data access behavior pattern and the new data access record, a risk rating indicating a risk that the access event represents malicious activity;
responsive to determining that the deviation is below a threshold, sending a confirmation message to the DLP agent, the confirmation message comprising an instruction to permit the access event for at least one of the file or the directory on the local storage device of the endpoint; and
responsive to determining that the deviation exceeds the threshold, generating, by the processing device, an alert indicating that data access activity for at least one of the file or the directory has deviated from the data access behavior pattern, wherein the alert comprises the risk rating.
(Dependent claims: 8, 9, 10, 11, 12)
13. A system comprising:
a memory to store instructions for a behavior detector; and
a processing device coupled to the memory to execute the instructions, wherein the processing device is configured to:
receive data access records from a data loss prevention (DLP) agent running on an endpoint device;
determine a data access behavior pattern for at least one of a file or a directory based on the data access records, wherein the data access behavior pattern is user independent;
receive a confirmation request from the DLP agent that has blocked an access event for at least one of the file or directory on a local storage device of the endpoint device on which the DLP agent runs, the confirmation request comprising a new data access record associated with the blocked access event;
identify deviation from the data access behavior pattern based on the new data access record;
determine, based on the data access behavior pattern and the new data access record, a risk rating indicating a risk that the access event represents malicious activity;
responsive to a determination that the deviation is below a threshold, send a confirmation message to the DLP agent, the confirmation message comprising an instruction to permit the access event for at least one of the file or the directory on the local storage device of the endpoint device; and
responsive to a determination that the deviation exceeds the threshold, generate an alert indicating that data access activity for at least one of the file or the directory has deviated from the data access behavior pattern, wherein the alert comprises the risk rating.
(Dependent claims: 14, 15, 16, 17, 18)
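The claims above describe one server-side procedure: build a user-independent behavior pattern per file or directory from agent-reported records, then answer a confirmation request for a blocked access with either a permit instruction or an alert that carries a risk rating. The following Python sketch is an added example of that procedure; it is not the patent's or any product's code, and the record field names, the three features, the Laplace-smoothed deviation score and the per-operation risk weights are all assumptions.

```python
from collections import Counter, defaultdict
# Constructed sample access records in the shape a DLP agent might report them
# (field names are an assumption; the claims do not fix a record schema).
BASELINE_RECORDS = [
    {"path": "/data/finance/q3.xlsx", "user": "alice", "op": "read",  "proc": "excel.exe", "hour": 10},
    {"path": "/data/finance/q3.xlsx", "user": "bob",   "op": "read",  "proc": "excel.exe", "hour": 11},
    {"path": "/data/finance/q3.xlsx", "user": "alice", "op": "write", "proc": "excel.exe", "hour": 14},
    {"path": "/data/finance/q3.xlsx", "user": "carol", "op": "read",  "proc": "excel.exe", "hour": 9},
    {"path": "/data/finance/q3.xlsx", "user": "bob",   "op": "read",  "proc": "excel.exe", "hour": 15},
    {"path": "/data/finance/q3.xlsx", "user": "dave",  "op": "read",  "proc": "excel.exe", "hour": 10},
]
OP_RISK = {"read": 0.2, "write": 0.4, "copy": 0.8, "delete": 1.0}  # assumed per-operation risk

def features(record):
    """How the path is touched; 'user' is left out so the pattern is user independent."""
    return {"op": record["op"], "proc": record["proc"], "shift": record["hour"] // 6}

def build_patterns(records):
    """One behavior pattern per file or directory: per-feature value counts plus a total."""
    patterns = defaultdict(lambda: {"n": 0, "counts": defaultdict(Counter)})
    for r in records:
        p = patterns[r["path"]]
        p["n"] += 1
        for name, value in features(r).items():
            p["counts"][name][value] += 1
    return patterns

def deviation(pattern, record):
    """0.0 = exactly like the baseline, 1.0 = nothing about the access was seen for this path."""
    if pattern is None:  # the server holds no history for this path at all
        return 1.0
    scores = []
    for name, value in features(record).items():
        counter = pattern["counts"][name]
        # Laplace smoothing: an unseen value lowers the frequency without making it zero
        freq = (counter[value] + 1) / (pattern["n"] + len(counter) + 1)
        scores.append(1.0 - freq)
    return sum(scores) / len(scores)

def risk_rating(dev, record):
    """Risk rating 0..100: mostly the deviation, nudged by how destructive the operation is."""
    return round(100 * (0.8 * dev + 0.2 * OP_RISK.get(record["op"], 0.5)), 1)

def handle_confirmation_request(patterns, new_record, threshold=0.5):
    """Answer a request for an access the agent already blocked: permit below threshold, else alert."""
    dev = deviation(patterns.get(new_record["path"]), new_record)
    reply = {"path": new_record["path"], "deviation": round(dev, 3), "risk_rating": risk_rating(dev, new_record)}
    if dev < threshold:
        return {"action": "permit", **reply}
    return {"action": "alert", "message": "data access deviated from the path's behavior pattern", **reply}
```

In a real deployment a permitted record would also be fed back into the pattern so the baseline tracks legitimate change, and the threshold would be tuned per data class rather than fixed at 0.5.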