Behavioral engine for identifying anomalous data access patterns

US 9,275,065 B1
Filed: 07/26/2011
Issued: 03/01/2016
Est. Priority Date: 12/14/2010
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving, from a data loss prevention (DLP) agent running on an endpoint device, data access records by a processing device executing a DLP server;

determining, by the processing device, a data access behavior pattern for at least one of a file or a directory based on the data access records, wherein the data access behavior pattern is user independent;

receiving, by the processing device, a confirmation request from the DLP agent that has blocked an access event for at least one of the file or directory on a local storage device of the endpoint device on which the DLP agent runs, the confirmation request comprising a new data access record associated with the blocked access event;

identifying deviation from the data access behavior pattern based on the new data access record;

determining, based on the data access behavior pattern and the new data access record, a risk rating indicating a risk that the access event represents malicious activity;

responsive to determining that the deviation is below a threshold, sending a confirmation message to the DLP agent, the confirmation message comprising an instruction to permit the access event for at least one of the file or the directory on the local storage device of the endpoint device; and

responsive to determining that the deviation exceeds the threshold, generating an alert indicating that data access activity for at least one of the file or the directory has deviated from the data access behavior pattern, wherein the alert comprises the risk rating.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computing device receives data access records and determines a user data access behavior pattern for a user based on the data access records. The computing device receives new data access records and identifies any deviation from the user data access behavior pattern based on the new data access records. Upon identifying deviation from the user data access behavior pattern, the computing device generates an alert indicating that the user has deviated from the user data access behavior pattern.

51 Citations

View as Search Results

18 Claims

1. A method comprising:
- receiving, from a data loss prevention (DLP) agent running on an endpoint device, data access records by a processing device executing a DLP server;
  
  determining, by the processing device, a data access behavior pattern for at least one of a file or a directory based on the data access records, wherein the data access behavior pattern is user independent;
  
  receiving, by the processing device, a confirmation request from the DLP agent that has blocked an access event for at least one of the file or directory on a local storage device of the endpoint device on which the DLP agent runs, the confirmation request comprising a new data access record associated with the blocked access event;
  
  identifying deviation from the data access behavior pattern based on the new data access record;
  
  determining, based on the data access behavior pattern and the new data access record, a risk rating indicating a risk that the access event represents malicious activity;
  
  responsive to determining that the deviation is below a threshold, sending a confirmation message to the DLP agent, the confirmation message comprising an instruction to permit the access event for at least one of the file or the directory on the local storage device of the endpoint device; and
  
  responsive to determining that the deviation exceeds the threshold, generating an alert indicating that data access activity for at least one of the file or the directory has deviated from the data access behavior pattern, wherein the alert comprises the risk rating.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, wherein determining the data access behavior pattern comprises:
    - computing at least one of an average or a median of data access activity for at least one of the file or the directory based on the data access records; and
      
      computing an activity threshold for at least one of the file or the directory based on at least one of the average or the median of the data access activity.
  - 3. The method of claim 2, wherein identifying the deviation from the data access behavior pattern comprises:
    - determining, from the new data access record, whether new data access activity for at least one of the file or the directory exceeds the activity threshold.
  - 4. The method of claim 1, wherein the new data access record is for a new day, and wherein determining the data access behavior pattern comprises:
    - computing a weekly average data access count over a time period based on the data access records;
      
      computing a standard deviation of the data access count; and
      
      using the standard deviation and the weekly average data access count to set an activity threshold.
  - 5. The method of claim 4, wherein identifying deviation from the data access behavior pattern comprises:
    - determining a data access count for the new day from the new data access record and one or more additional new data access records;
      
      determining data access counts for six previous days from the data access records;
      
      combining the data access count for the new day to the data access counts for the six previous days to determine a current week'"'"'s data access count; and
      
      identifying that the current week'"'"'s data access count exceeds the activity threshold.
  - 6. The method of claim 1, wherein the DLP agent is hosted by a storage server.

7. A non-transitory computer readable medium including instructions that, when executed by a processing device executing a data loss prevention (DLP) server, cause the processing device to perform operations comprising:
- receiving data access records from a DLP agent running on an endpoint device;
  
  determining, by the processing device, a data access behavior pattern for at least one of a file or a directory based on the data access records, wherein the data access behavior pattern is user independent;
  
  receiving, by the processing device, a confirmation request from the DLP agent that has blocked an access event for at least one of the file or directory on a local storage device of the endpoint device on which the DLP agent runs, the confirmation request comprising a new data access record associated with the blocked access event;
  
  identifying, by the processing device, deviation from the data access behavior pattern based on the new data access record;
  
  determining, based on the data access behavior pattern and the new data access record, a risk rating indicating a risk that the access event represents malicious activity;
  
  responsive to determining that the deviation is below a threshold, sending a confirmation message to the DLP agent, the confirmation message comprising an instruction to permit the access event for at least one of the file or the directory on the local storage device of the endpoint; and
  
  responsive to determining that the deviation exceeds the threshold, generating, by the processing device, an alert indicating that data access activity for at least one of the file or the directory has deviated from the data access behavior pattern, wherein the alert comprises the risk rating.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The non-transitory computer readable medium of claim 7, wherein determining the data access behavior pattern comprises:
    - computing at least one of an average or a median of data access activity for at least one of the file or the directory based on the data access records; and
      
      computing an activity threshold for at least one of the file or the directory based on at least one of the average or the median of the data access activity.
  - 9. The non-transitory computer readable medium of claim 8, wherein identifying the deviation from the data access behavior pattern comprises:
    - determining, from the new data access record, whether new data access activity for at least one of the file or the directory exceeds the activity threshold.
  - 10. The non-transitory computer readable medium of claim 7, wherein the new data access record is for a new day, and wherein determining the data access behavior pattern comprises:
    - computing a weekly average data access count over a time period based on the data access records;
      
      computing a standard deviation of the data access count; and
      
      using the standard deviation and the weekly average data access count to set an activity threshold.
  - 11. The non-transitory computer readable medium of claim 10, wherein identifying deviation from the data access behavior pattern comprises:
    - determining a data access count for the new day from the new data access record and one or more additional new data access records;
      
      determining data access counts for six previous days from the data access records;
      
      combining the data access count for the new day to the data access counts for the six previous days to determine a current week'"'"'s data access count; and
      
      identifying that the current week'"'"'s data access count exceeds the activity threshold.
  - 12. The non-transitory computer readable medium of claim 7, wherein the DLP agent is hosted by a storage server.

13. A system comprising:
- a memory to store instructions for a behavior detector; and
  
  a processing device coupled to the memory to execute the instructions, wherein the processing device is configured to;
  
  receive data access records from a data loss prevention (DLP) agent running on an endpoint device;
  
  determine a data access behavior pattern for at least one of a file or a directory based on the data access records, wherein the data access behavior pattern is user independent;
  
  receive a confirmation request from the DLP agent that has blocked an access event for at least one of the file or directory on a local storage device of the endpoint device on which the DLP agent runs, the confirmation request comprising a new data access record associated with the blocked access event;
  
  identify deviation from the data access behavior pattern based on the new data access record;
  
  determine, based on the data access behavior pattern and the new data access record, a risk rating indicating a risk that the access event represents malicious activity;
  
  responsive to a determination that the deviation is below a threshold, send a confirmation message to the DLP agent, the confirmation message comprising an instruction to permit the access event for at least one of the file or the directory on the local storage device of the endpoint device; and
  
  responsive to a determination that the deviation exceeds the threshold, generate an alert indicating that data access activity for at least one of the file or the directory has deviated from the data access behavior pattern, wherein the alert comprises the risk rating.
- View Dependent Claims (14, 15, 16, 17, 18)
- - 14. The system of claim 13, wherein determining the data access behavior pattern comprises:
    - computing at least one of an average or a median of data access activity for at least one of the file or the directory based on the data access records; and
      
      computing an activity threshold for at least one of the file or the directory based on at least one of the average or the median of the data access activity.
  - 15. The system of claim 14, wherein identifying the deviation from the data access behavior pattern comprises:
    - determining, from the new data access record, whether new data access activity for at least one of the file or the directory exceeds the activity threshold.
  - 16. The system of claim 13, wherein the new data access record is for a new day, and wherein determining the data access behavior pattern comprises:
    - computing a weekly average data access count over a time period based on the data access records;
      
      computing a standard deviation of the data access count; and
      
      using the standard deviation and the weekly average data access count to set an activity threshold.
  - 17. The system of claim 16, wherein identifying deviation from the data access behavior pattern comprises:
    - determining a data access count for the new day from the new data access record and one or more additional data access records;
      
      determining data access counts for six previous days from the data access records;
      
      combining the data access count for the new day to the data access counts for the six previous days to determine a current week'"'"'s data access count; and
      
      identifying that the current week'"'"'s data access count exceeds the activity threshold.
  - 18. The system of claim 13, wherein the DLP agent is hosted by a storage server.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Ganesh, Anantharaman, Banerjee, Anindya, Nanda, Bijayalaxmi
Primary Examiner(s)
Mackes, Kris

Application Number

US13/191,201
Time in Patent Office

1,680 Days
Field of Search

707/781
US Class Current

1/1
CPC Class Codes

G06F 16/122   using management policies b...

G06F 16/168   Details of user interfaces ...

G06F 16/1734   Details of monitoring file ...

G06F 21/556   involving covert channels, ...

G06F 21/577   Assessing vulnerabilities a...

G06F 21/604   Tools and structures for ma...

G06F 21/6245   Protecting personal data, e...

G06F 2221/034   Test or assess a computer o...

G06F 2221/2101   Auditing as a secondary aspect

G06N 5/025   Extracting rules from data

H04L 41/0604   using filtering, e.g. reduc...

H04L 63/20   for managing network securi...

Behavioral engine for identifying anomalous data access patterns

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

51 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Behavioral engine for identifying anomalous data access patterns

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

51 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links