Modeling user working time using authentication events within an enterprise network
First Claim
1. A method comprising:
processing multiple items of log data derived from one or more data sources associated with an enterprise network, wherein said multiple items of log data pertain to multiple instances of activity within the enterprise network over a specified period of time attributed to a given device, and wherein said processing comprises normalizing said multiple items of log data by normalizing a timestamp associated with each respective one of the multiple items of log data to a common time zone via application of a correction function to the timestamp associated with each respective one of the multiple items of log data;
creating a model based on said multiple items of processed log data, wherein said model comprises a temporal pattern of activity within the enterprise network associated with the given device;
generating an alert upon detecting an instance of activity within the enterprise network associated with the given device that is (i) inconsistent with the temporal pattern of the model and (ii) in violation of one or more security parameters;
assigning a risk score to the alert based on one or more risk factors, wherein each respective one of the one or more risk factors has a discrete weight applied thereto;
prioritizing the alert over one or more additional alerts based on the risk score; and
outputting the alert and the one or more additional alerts sequentially in an order matching said prioritizing;
wherein said processing, said creating, said generating, said assigning, said prioritizing, and said outputting are carried out by at least one computing device.
Abstract
Methods, apparatus and articles of manufacture for modeling user working time using authentication events within an enterprise network are provided herein. A method includes collecting multiple instances of activity within an enterprise network over a specified period of time, wherein said multiple instances of activity are attributed to a given device; creating a model based on said collected instances of activity, wherein said model comprises a temporal pattern of activity within the enterprise network associated with the given device; and generating an alert upon detecting an instance of activity within the enterprise network associated with the given device that is (i) inconsistent with the temporal pattern of the model and (ii) in violation of one or more security parameters.
20 Claims
1. (Independent method claim; text reproduced in full under First Claim above. Dependent claims 2 through 12 are not shown on this page.)
13. An article of manufacture comprising a non-transitory processor-readable storage medium having processor-readable instructions tangibly embodied thereon which, when implemented, cause a processor to carry out steps comprising:
processing multiple items of log data derived from one or more data sources associated with an enterprise network, wherein said multiple items of log data pertain to multiple instances of activity within the enterprise network over a specified period of time attributed to a given device, and wherein said processing comprises normalizing said multiple items of log data by normalizing a timestamp associated with each respective one of the multiple items of log data to a common time zone via application of a correction function to the timestamp associated with each respective one of the multiple items of log data;
creating a model based on said multiple items of processed log data, wherein said model comprises a temporal pattern of activity within the enterprise network associated with the given device;
generating an alert upon detecting an instance of activity within the enterprise network associated with the given device that is (i) inconsistent with the temporal pattern of the model and (ii) in violation of one or more security parameters;
assigning a risk score to the alert based on one or more risk factors, wherein each respective one of the one or more risk factors has a discrete weight applied thereto;
prioritizing the alert over one or more additional alerts based on the risk score; and
outputting the alert and the one or more additional alerts sequentially in an order matching said prioritizing.
14. An apparatus comprising:
a memory; and
at least one processor coupled to the memory and configured to:
process multiple items of log data derived from one or more data sources associated with an enterprise network, wherein said multiple items of log data pertain to multiple instances of activity within the enterprise network over a specified period of time attributed to a given device, and wherein said processing comprises normalizing said multiple items of log data by normalizing a timestamp associated with each respective one of the multiple items of log data to a common time zone via application of a correction function to the timestamp associated with each respective one of the multiple items of log data;
create a model based on said multiple items of processed log data, wherein said model comprises a temporal pattern of activity within the enterprise network associated with the given device;
generate an alert upon detecting an instance of activity within the enterprise network associated with the given device that is (i) inconsistent with the temporal pattern of the model and (ii) in violation of one or more security parameters;
assign a risk score to the alert based on one or more risk factors, wherein each respective one of the one or more risk factors has a discrete weight applied thereto;
prioritize the alert over one or more additional alerts based on the risk score; and
output the alert and the one or more additional alerts sequentially in an order matching said prioritizing.
15. A method comprising:
processing multiple items of log data derived from one or more data sources associated with an enterprise network, wherein said multiple items of log data pertain to multiple instances of activity within the enterprise network over a specified temporal training period attributed to a given device associated with the user, and wherein said processing comprises normalizing said multiple items of log data by normalizing a timestamp associated with each respective one of the multiple items of log data to a common time zone via application of a correction function to the timestamp associated with each respective one of the multiple items of log data;
creating a model based on (i) said multiple items of processed log data and (ii) one or more items of enterprise-related information pertaining to the user, wherein said model comprises a temporal pattern of activity within the enterprise network associated with the given device;
generating an alert upon detecting each of multiple instances of activity within the enterprise network associated with the given device that is (i) inconsistent with the temporal pattern of the model and (ii) in violation of one or more security parameters;
assigning a risk score to each of the multiple alerts based on one or more risk factors, wherein each respective one of the one or more risk factors has a discrete weight applied thereto;
prioritizing the multiple alerts based on the assigned risk scores; and
outputting the multiple alerts sequentially in an order matching said prioritizing.
(Dependent claims 16 through 20 are not shown on this page.)
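The following Python sketch is an added illustration of the pipeline the claims describe (timestamp correction to a common zone, a per-device temporal pattern, alerting only on activity that is both outside the pattern and in violation of a security parameter, weighted risk scoring, and prioritized output); it is not code from the patent or its assignee. The device name, data sources, per-source offset table, security parameters, risk-factor weights, the optional declared working hours (standing in for claim 15's enterprise-related information) and all log records are constructed assumptions chosen to exercise each step.

```python
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed correction table: naive timestamps from each source are read in that
# source's local offset and converted to UTC. Offsets are illustrative only.
SOURCE_OFFSETS = {
    "vpn": timedelta(hours=2),      # constructed: VPN concentrator logs site-local time (UTC+2)
    "winauth": timedelta(hours=0),  # constructed: domain controller logs in UTC
    "badge": timedelta(hours=-5),   # constructed: badge system logs HQ-local time (UTC-5)
}

# Discrete weight per risk factor (constructed values, not taken from the patent).
RISK_WEIGHTS = {
    "outside_pattern": 20,   # present on every alert by construction
    "auth_failure": 15,
    "privileged": 30,
    "far_from_pattern": 10,  # >= 3 hours from the nearest modelled active hour
    "unseen_source": 20,     # data source never seen for this device in training
}


@dataclass(frozen=True)
class Event:
    device: str
    ts_utc: datetime
    source: str
    outcome: str      # "success" or "failure"
    privileged: bool


def normalize(raw: dict) -> Event:
    """Correction function: parse the source timestamp, attach the source's
    offset when the timestamp carries none, and express the result in UTC."""
    ts = datetime.fromisoformat(raw["ts"])
    if ts.tzinfo is None:
        ts = ts.replace(tzinfo=timezone(SOURCE_OFFSETS[raw["source"]]))
    return Event(raw["device"], ts.astimezone(timezone.utc), raw["source"],
                 raw["outcome"], raw["privileged"])


@dataclass
class TemporalModel:
    active_hours: frozenset[int]  # UTC hours inside the device's usual working window
    sources: frozenset[str]       # data sources seen during training


def build_model(events: list[Event], min_count: int = 2,
                declared_hours: tuple[int, ...] = ()) -> TemporalModel:
    """Temporal pattern for one device: the contiguous UTC window from the earliest to
    the latest hour seen at least `min_count` times, widened by any declared hours."""
    counts = Counter(ev.ts_utc.hour for ev in events)
    busy = {h for h, n in counts.items() if n >= min_count} | set(declared_hours)
    window = frozenset(range(min(busy), max(busy) + 1)) if busy else frozenset()
    return TemporalModel(window, frozenset(ev.source for ev in events))


def hours_from_pattern(hour: int, model: TemporalModel) -> int:
    """Circular distance (0-12) from `hour` to the nearest modelled active hour."""
    if not model.active_hours:
        return 12
    return min(min(abs(hour - a), 24 - abs(hour - a)) for a in model.active_hours)


def policy_violations(ev: Event) -> list[str]:
    """Constructed security parameters: failed logons and privileged use over VPN."""
    found = []
    if ev.outcome == "failure":
        found.append("auth_failure")
    if ev.privileged and ev.source == "vpn":
        found.append("privileged_over_vpn")
    return found


@dataclass
class Alert:
    event: Event
    violations: list[str]
    factors: list[str]
    score: int


def evaluate(ev: Event, model: TemporalModel) -> Alert | None:
    """Alert only when the event is BOTH outside the temporal pattern AND violates a
    security parameter; the score is the sum of the weights of the present factors."""
    dist = hours_from_pattern(ev.ts_utc.hour, model)
    violations = policy_violations(ev)
    if dist == 0 or not violations:
        return None
    factors = ["outside_pattern"]
    if ev.outcome == "failure":
        factors.append("auth_failure")
    if ev.privileged:
        factors.append("privileged")
    if dist >= 3:
        factors.append("far_from_pattern")
    if ev.source not in model.sources:
        factors.append("unseen_source")
    return Alert(ev, violations, factors, sum(RISK_WEIGHTS[f] for f in factors))


def prioritize(raw_training: list[dict], raw_new: list[dict], **model_kw) -> list[Alert]:
    """Whole pipeline for one device: normalize, model, alert, score, order by score."""
    model = build_model([normalize(r) for r in raw_training], **model_kw)
    alerts = [a for a in (evaluate(normalize(r), model) for r in raw_new) if a]
    return sorted(alerts, key=lambda a: (-a.score, a.event.ts_utc))


def raw(source: str, ts: str, outcome: str = "success", privileged: bool = False) -> dict:
    return {"device": "wks-042", "source": source, "ts": ts,
            "outcome": outcome, "privileged": privileged}


# Constructed training week (Mon-Fri); the user works roughly 08:00-17:00 at UTC+2.
TRAINING = []
for day in range(4, 9):
    d = f"2024-03-{day:02d}"
    TRAINING += [raw("vpn", f"{d}T08:05:00"),                 # 06:05 UTC after correction
                 raw("winauth", f"{d}T07:30:00+00:00"),
                 raw("winauth", f"{d}T11:45:00+00:00"),
                 raw("badge", f"{d}T09:50:00")]                # 14:50 UTC after correction

# Constructed detection-period events.
NEW = [raw("vpn", "2024-03-11T08:10:00"),                       # in pattern: no alert
       raw("winauth", "2024-03-11T02:40:00+00:00"),             # off-hours but no violation
       raw("winauth", "2024-03-11T03:15:00+00:00", "failure"),  # off-hours failed logon
       raw("vpn", "2024-03-12T01:20:00", privileged=True),      # 23:20 UTC, privileged over VPN
       raw("ssh", "2024-03-12T16:05:00+00:00", "failure")]      # unseen source, after hours

if __name__ == "__main__":
    for a in prioritize(TRAINING, NEW):
        print(a.score, a.event.ts_utc.isoformat(), a.event.source, a.factors, a.violations)
```

Two design points worth noting: the 02:40 success is deliberately not alerted, because the claims require both a pattern deviation and a security-parameter violation, which keeps a lone early login from paging an analyst; and the correction step is applied before modelling, so a VPN record stamped in site-local time and a badge record stamped in HQ time land in the same UTC working window rather than appearing as two shifted patterns.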