Modeling user working time using authentication events within an enterprise network

US 9,338,187 B1
Filed: 12/23/2013
Issued: 05/10/2016
Est. Priority Date: 11/12/2013
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

processing multiple items of log data derived from one or more data sources associated with an enterprise network, wherein said multiple items of log data pertain to multiple instances of activity within the enterprise network over a specified period of time attributed to a given device, and wherein said processing comprises normalizing said multiple items of log data by normalizing a timestamp associated with each respective one of the multiple items of log data to a common time zone via application of a correction function to the timestamp associated with each respective one of the multiple items of log data;

creating a model based on said multiple items of processed log data, wherein said model comprises a temporal pattern of activity within the enterprise network associated with the given device;

generating an alert upon detecting an instance of activity within the enterprise network associated with the given device that is (i) inconsistent with the temporal pattern of the model and (ii) in violation of one or more security parameters;

assigning a risk score to the alert based on one or more risk factors, wherein each respective one of the one or more risk factors has a discrete weight applied thereto;

prioritizing the alert over one or more additional alerts based on the risk score; and

outputting the alert and the one or more additional alerts sequentially in an order matching said prioritizing;

wherein said processing, said creating, said generating, said assigning, said prioritizing, and said outputting are carried out by at least one computing device.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods, apparatus and articles of manufacture for modeling user working time using authentication events within an enterprise network are provided herein. A method includes collecting multiple instances of activity within an enterprise network over a specified period of time, wherein said multiple instances of activity are attributed to a given device; creating a model based on said collected instances of activity, wherein said model comprises a temporal pattern of activity within the enterprise network associated with the given device; and generating an alert upon detecting an instance of activity within the enterprise network associated with the given device that is (i) inconsistent with the temporal pattern of the model and (ii) in violation of one or more security parameters.

Citations

20 Claims

1. A method comprising:
- processing multiple items of log data derived from one or more data sources associated with an enterprise network, wherein said multiple items of log data pertain to multiple instances of activity within the enterprise network over a specified period of time attributed to a given device, and wherein said processing comprises normalizing said multiple items of log data by normalizing a timestamp associated with each respective one of the multiple items of log data to a common time zone via application of a correction function to the timestamp associated with each respective one of the multiple items of log data;
  
  creating a model based on said multiple items of processed log data, wherein said model comprises a temporal pattern of activity within the enterprise network associated with the given device;
  
  generating an alert upon detecting an instance of activity within the enterprise network associated with the given device that is (i) inconsistent with the temporal pattern of the model and (ii) in violation of one or more security parameters;
  
  assigning a risk score to the alert based on one or more risk factors, wherein each respective one of the one or more risk factors has a discrete weight applied thereto;
  
  prioritizing the alert over one or more additional alerts based on the risk score; and
  
  outputting the alert and the one or more additional alerts sequentially in an order matching said prioritizing;
  
  wherein said processing, said creating, said generating, said assigning, said prioritizing, and said outputting are carried out by at least one computing device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1, wherein said processing comprises collecting each authentication event involving the given device within the enterprise network over the specified period of time.
  - 3. The method of claim 1, wherein said specified period of time comprises multiple days.
  - 4. The method of claim 1, wherein said creating the model comprises representing a temporal distribution of activity associated with the given device via a vector expressing a probability that the given device is carrying out an instance of activity during a specified temporal interval.
  - 5. The method of claim 4, wherein said generating an alert comprises generating an alert for every temporal interval in which the given device is carrying out an instance of activity, but for which the probability that the given device is carrying out an instance of activity as expressed by the vector is lower than a certain threshold.
  - 6. The method of claim 1, further comprising:
    - updating the model upon collection of additional instances of activity within the enterprise network attributed to the given device.
  - 7. The method of claim 1, wherein said one or more security parameters comprises one or more enterprise policies.
  - 8. The method of claim 1, wherein said one or more security parameters comprises contacting one or more blacklisted websites.
  - 9. The method of claim 1, wherein said one or more security parameters comprises accessing one or more sensitive enterprise resources.
  - 10. The method of claim 1, further comprising establishing a mapping between each internet protocol (IP) address associated with each respective one of the multiple items of log data and a unique identifier for the given device.
  - 11. The method of claim 1, wherein the enterprise network comprises a geographically distributed enterprise network.
  - 12. The method of claim 1, wherein said one or more risk factors comprise at least one of (i) the length of a detected instance of activity, (ii) the number of connections made during a detected instance of activity, and (iii) the amount of data sent and/or received during a detected instance of activity.

13. An article of manufacture comprising a non-transitory processor-readable storage medium having processor-readable instructions tangibly embodied thereon which, when implemented, cause a processor to carry out steps comprising:
- processing multiple items of log data derived from one or more data sources associated with an enterprise network, wherein said multiple items of log data pertain to multiple instances of activity within the enterprise network over a specified period of time attributed to a given device, and wherein said processing comprises normalizing said multiple items of log data by normalizing a timestamp associated with each respective one of the multiple items of log data to a common time zone via application of a correction function to the timestamp associated with each respective one of the multiple items of log data;
  
  creating a model based on said multiple items of processed log data, wherein said model comprises a temporal pattern of activity within the enterprise network associated with the given device;
  
  generating an alert upon detecting an instance of activity within the enterprise network associated with the given device that is (i) inconsistent with the temporal pattern of the model and (ii) in violation of one or more security parameters;
  
  assigning a risk score to the alert based on one or more risk factors, wherein each respective one of the one or more risk factors has a discrete weight applied thereto;
  
  prioritizing the alert over one or more additional alerts based on the risk score; and
  
  outputting the alert and the one or more additional alerts sequentially in an order matching said prioritizing.

14. An apparatus comprising:
- a memory; and
  
  at least one processor coupled to the memory and configured to;
  
  process multiple items of log data derived from one or more data sources associated with an enterprise network, wherein said multiple items of log data pertain to multiple instances of activity within the enterprise network over a specified period of time attributed to a given device, and wherein said processing comprises normalizing said multiple items of log data by normalizing a timestamp associated with each respective one of the multiple items of log data to a common time zone via application of a correction function to the timestamp associated with each respective one of the multiple items of log data;
  
  create a model based on said multiple items of processed log data, wherein said model comprises a temporal pattern of activity within the enterprise network associated with the given device;
  
  generate an alert upon detecting an instance of activity within the enterprise network associated with the given device that is (i) inconsistent with the temporal pattern of the model and (ii) in violation of one or more security parameters;
  
  assign a risk score to the alert based on one or more risk factors, wherein each respective one of the one or more risk factors has a discrete weight applied thereto;
  
  prioritize the alert over one or more additional alerts based on the risk score; and
  
  output the alert and the one or more additional alerts sequentially in an order matching said prioritizing.

15. A method comprising:
- processing multiple items of log data derived from one or more data sources associated with an enterprise network, wherein said multiple items of log data pertain to multiple instances of activity within the enterprise network over a specified temporal training period attributed to a given device associated with the user, and wherein said processing comprises normalizing said multiple items of log data by normalizing a timestamp associated with each respective one of the multiple items of log data to a common time zone via application of a correction function to the timestamp associated with each respective one of the multiple items of log data;
  
  creating a model based on (i) said multiple items of processed log data and (ii) one or more items of enterprise-related information pertaining to the user, wherein said model comprises a temporal pattern of activity within the enterprise network associated with the given device;
  
  generating an alert upon detecting each of multiple instances of activity within the enterprise network associated with the given device that is (i) inconsistent with the temporal pattern of the model and (ii) in violation of one or more security parameters;
  
  assigning a risk score to each of the multiple alerts based on one or more risk factors, wherein each respective one of the one or more risk factors has a discrete weight applied thereto;
  
  prioritizing the multiple alerts based on the assigned risk scores; and
  
  outputting the multiple alerts sequentially in an order matching said prioritizing.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The method of claim 15, further comprising:
    - updating the model upon collection of additional instances of activity within the enterprise network attributed to the given device.
  - 17. The method of claim 15, wherein said one or more risk factors comprise the length of a detected instance of activity.
  - 18. The method of claim 15, wherein said one or more risk factors comprise the number of connections made during a detected instance of activity.
  - 19. The method of claim 15, wherein said one or more risk factors comprise the amount of data sent and/or received during a detected instance of activity.
  - 20. The method of claim 15, wherein the enterprise network comprises a geographically distributed enterprise network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Emc IP Holding Company LLC (Dell Technologies Inc.)
Original Assignee
EMC Corporation (Dell Technologies Inc.)
Inventors
Oprea, Alina, Yen, Ting-Fang
Primary Examiner(s)
Ho, Dao

Application Number

US14/139,019
Time in Patent Office

869 Days
Field of Search

726/22, 713/168
US Class Current

1/1
CPC Class Codes

G06F 21/316   by observing the pattern of...

H04L 63/1408   by monitoring network traff...

H04L 63/20   for managing network securi...

Modeling user working time using authentication events within an enterprise network

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Modeling user working time using authentication events within an enterprise network

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links