Method and system for controlling context-aware cybersecurity training

US 9,373,267 B2
Filed: 03/17/2014
Issued: 06/21/2016
Est. Priority Date: 04/08/2011
Status: Active Grant

First Claim

Patent Images

1. A cybersecurity training system, comprising:

one or more data storage devices that store;

at least one cybersecurity training intervention, anda training needs model;

an electronic device comprising one or more sensors that sense data relating to behavior or activity of at least one user of the electronic device, wherein the one or more sensors comprise one or more of the following;

a USB device sensor configured to detect when a USB drive has been connected to the electronic device,a Wi-Fi sensor configured to detect a Wi-Fi access point to which the electronic device is connected, ora Wi-Fi sensor configured to detect whether the at least one user has attempted to connect the electronic device to a mock rogue Wi-Fi access point;

an analysis host computer comprising a computer-readable memory portion holding programming instructions that, when executed, instruct one or more processors of the analysis host computer to implement a policy manager that;

receives the sensed data from the electronic device via a communications network;

analyzes the sensed data by applying the training needs model to the sensed data to determine whether the at least one user may be at risk for a threat scenario, andidentifies, from the at least one cybersecurity training intervention, a set of one or more policy manager-identified cybersecurity training interventions that are relevant to the threat scenario;

a computer-readable memory portion holding programming instructions that, when executed, instruct one or more processors to implement a system administrator interface that displays the set of one or more policy manager-identified cybersecurity training interventions and receives a selection of an intervention in the set via the system administrator interface; and

a computer-readable memory portion holding programming instructions that, when executed, instruct one or more processors to generate a command to deliver the selected cybersecurity training intervention to an electronic device for presentation to the at least one user.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A context-aware training system senses a user action that may expose the user to a threat, such as a cybersecurity threat. The system selects a training action from a collection of available training actions and causes the training action to be delivered to the user or a group of users. The system includes an administrator interface that enables an administrator to select, customize and/or assign constraints to the training action that will be delivered to the user(s).

167 Citations

28 Claims

1. A cybersecurity training system, comprising:
- one or more data storage devices that store;
  
  at least one cybersecurity training intervention, anda training needs model;
  
  an electronic device comprising one or more sensors that sense data relating to behavior or activity of at least one user of the electronic device, wherein the one or more sensors comprise one or more of the following;
  
  a USB device sensor configured to detect when a USB drive has been connected to the electronic device,a Wi-Fi sensor configured to detect a Wi-Fi access point to which the electronic device is connected, ora Wi-Fi sensor configured to detect whether the at least one user has attempted to connect the electronic device to a mock rogue Wi-Fi access point;
  
  an analysis host computer comprising a computer-readable memory portion holding programming instructions that, when executed, instruct one or more processors of the analysis host computer to implement a policy manager that;
  
  receives the sensed data from the electronic device via a communications network;
  
  analyzes the sensed data by applying the training needs model to the sensed data to determine whether the at least one user may be at risk for a threat scenario, andidentifies, from the at least one cybersecurity training intervention, a set of one or more policy manager-identified cybersecurity training interventions that are relevant to the threat scenario;
  
  a computer-readable memory portion holding programming instructions that, when executed, instruct one or more processors to implement a system administrator interface that displays the set of one or more policy manager-identified cybersecurity training interventions and receives a selection of an intervention in the set via the system administrator interface; and
  
  a computer-readable memory portion holding programming instructions that, when executed, instruct one or more processors to generate a command to deliver the selected cybersecurity training intervention to an electronic device for presentation to the at least one user.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The system of claim 1, wherein the instructions that implement the system administrator interface also comprise instructions to receive a customization of the selected cybersecurity training intervention via the system administrator interface.
  - 3. The system of claim 1, wherein the instructions that implement the system administrator interface also comprise instructions to display parameters of the training needs model, and receive a customization of the training needs model via the system administrator interface.
  - 4. The system of claim 1, wherein the instructions that implement the system administrator interface also comprise instructions to display logic of the policy manager, and receive a configuration of the policy manager via the system administrator interface.
  - 5. The system of claim 1, wherein the instructions that implement the system administrator interface also comprise instructions to display analysis results from the policy manager and receive a manipulation of the analysis results-via the system administrator interface.
  - 6. The system of claim 1, wherein:
    - the instructions to implement the system administrator interface also comprise instructions to;
      
      display, via the system administrator interface, statistics for a plurality of additional users, andreceive, via the system administrator interface, a selected group of the additional users; and
      
      the system further comprises a computer-readable memory portion holding programming instructions that, when executed, instruct one or more processors to generate a command to deliver the selected cybersecurity training intervention to the selected group of the additional users.
  - 7. The system of claim 1, wherein:
    - the threat scenario comprises an SMS attack threat scenario; and
      
      the instructions to implement a system administrator interface that receives a customization for the selected cybersecurity training intervention comprise instructions to;
      
      display, via the system administrator interface, a plurality of SMS attack templates,receive, via the system administrator interface, a selection of one of the displayed SMS attack templates, andapply the customization to the selected template so that the customization comprises one or more of any of the following;
      
      automatic insertion of the user'"'"'s name in the administrator-selected template;
      
      a selected start time or end time for the selected cybersecurity training intervention;
      
      information obtained from a social network or public profile that is relevant to the user;
      
      link selected via the system administrator interface;
      
      oran SMS message edited via the system administrator interface.
  - 8. The system of claim 1, wherein:
    - the threat scenario comprises use of a malicious memory device; and
      
      the instructions to implement the system administrator interface that receives a customization for the selected training intervention comprise instructions to;
      
      display, via the system administrator interface, a plurality of mock malicious memory device attack templates,receive, via the system administrator interface, a selection of one of the displayed mock malicious memory device attack templates, andapply the customization to the selected template so that the customization comprises a selection of mock malware to include on at least one memory device that will be used in the training intervention.
  - 9. The system of claim 8, wherein the instructions to implement the system administrator interface that receives a customization of the selected training intervention also comprise instructions to receive any the following:
    - one or more locations at which the devices are to be delivered;
      
      ora selection of mock malware to include on the devices.
  - 10. The system of claim 2, wherein:
    - the instructions to implement the system administrator interface also comprise instructions to;
      
      display, via the system administrator interface, identification information for a plurality of additional users,receive, via the system administrator interface, a selected group of the additional users, andreceive the customization such that different mock attacks are provided to various members of the selected group; and
      
      the system further comprises a computer-readable memory portion holding programming instructions that, when executed, instruct one or more processors to generate a command to deliver the selected cybersecurity training intervention with the customization to the selected group of additional users.
  - 11. The system of claim 1, wherein:
    - the instructions to implement the system administrator interface also comprise instructions to implement a user interface portion that enables receipt of a selection of;
      
      one or more scheduling constraints for the selected training intervention, andone or more additional users to whom the selected training intervention will be delivered; and
      
      the system further comprises a computer-readable memory portion holding programming instructions that, when executed, instruct one or more processors to generate a command to deliver the selected cybersecurity training intervention to the additional users in accordance with the scheduling constraints.

12. A method of providing an administrator interface for a cybersecurity training system, comprising:
- maintaining, on one or more data storage devices, one or more training interventions and a training needs model;
  
  by one or more sensors of an electronic device, sensing data relating to behavior or activity of at least one user of the electronic device, wherein the one or more sensors comprise one or more of the following;
  
  a USB device sensor configured to detect when a USB drive has been connected to the electronic device,a Wi-Fi sensor configured to detect a Wi-Fi access point to which the electronic device is connected, ora Wi-Fi sensor configured to detect whether the at least one user has attempted to connect the electronic device to a mock rogue Wi-Fi access point; and
  
  by a processor of an analysis host computer;
  
  receiving the sensed data from the one or more sensors via a communication network,applying the training needs model to the received data to determine whether the at least one user may be at risk of a threat scenario,identifying one or more of the training interventions that are relevant to the threat scenario,displaying, via the system administrator interface, the identified one or more training interventions,receiving, via the system administrator interface, a selection of a displayed cybersecurity training intervention, andgenerating a command to deliver the selected cybersecurity training intervention to an electronic device for output to the at least one user.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20, 21)
- - 13. The method of claim 12, further comprising, by the processor:
    - receiving, via the system administrator interface, a customization for the selected training intervention; and
      
      when generating the command to deliver the selected training intervention to the user, generating a command to deliver the customization of the selected training intervention.
  - 14. The method of claim 12, further comprising, by the processor, causing the system administrator interface to perform one or more of the following:
    - display parameters of the training needs model, and receive a customization of the training needs model via the system administrator interface;
      
      display logic of the policy manager, and receive a configuration of the policy manager via the system administrator interface;
      
      ordisplay an output of data from the policy manager and receive a manipulation of the output data via the system administrator interface.
  - 15. The method of claim 12, further comprising, by the processor:
    - causing the system administrator interface to;
      
      display, via the system administrator interface, statistics for a plurality of additional users, andreceive, via the system administrator interface, a selected group of the additional users; and
      
      generating a command to deliver the selected training intervention to the selected group of the additional users.
  - 16. The method of claim 15, further comprising, by the processor, causing the system administrator interface to display the statistics so that the statistics are presented, sorted and/or compiled according to criteria that are selected via the system administrator interface.
  - 17. The method of claim 12, wherein:
    - the threat scenario comprises an SMS attack threat scenario; and
      
      receiving the customization for the selected training intervention comprises;
      
      displaying, via the system administrator interface, a plurality of SMS attack templates,receiving, via the system administrator interface, a selection of one of the displayed SMS attack templates, andapplying the customization to the selected template so that the customization comprises one or more of any of the following;
      
      automatic insertion of the at least one user'"'"'s name in the template;
      
      a selected start time or end time for the administrator-selected training intervention;
      
      information obtained from a social network or public profile that is relevant to the at least one user;
      
      oran SMS message edited via the system administrator interface.
  - 18. The method of claim 12, wherein:
    - the threat scenario comprises use of a malicious memory device; and
      
      receiving the customization for the selected training intervention comprises;
      
      displaying, via the system administrator interface, a plurality of mock malicious memory device attack training templates,receiving, via the system administrator interface, a selection of one of the displayed mock malicious memory device attack training templates, andapplying the customization to the selected template so that the customization comprises a selection of mock malware to include on one or more memory devices that will be used in the training intervention.
  - 19. The method of claim 12, wherein receiving the customization for the selected training intervention also comprises receiving one or more of any the following:
    - one or more locations at which the one or more devices are to be delivered, ora selection of mock malware to include on the devices.
  - 20. The method of claim 12, further comprising:
    - displaying, via the system administrator interface, identification information for a plurality of additional users;
      
      receiving, via the system administrator interface, a selected group of the additional users;
      
      receiving the customization such that different mock attacks are provided to various members of the selected group; and
      
      generating a command to deliver the selected training intervention with the customization to the selected group of the additional users.
  - 21. The method of claim 12, further comprising implementing a portion of the system administrator interface that enables receipt of a selection of:
    - one or more scheduling constraints for the selected training intervention; and
      
      one or more additional users to whom the selected training intervention will be delivered;
      
      wherein the instructions also include instructions to generate a command to deliver the selected cybersecurity training intervention to the electronic device in accordance with the scheduling constraints.

22. A method of providing an administrator interface for a cybersecurity training system, comprising:
- maintaining, on one or more data storage devices, at least one cybersecurity training intervention;
  
  by one or more sensors of an electronic device, receiving data relating to behavior or activity of at least one user of the electronic device, wherein the one or more sensors comprise one or more of the following;
  
  a USB device sensor configured to detect when a USB drive has been connected to the electronic device,a Wi-Fi sensor configured to detect a Wi-Fi access point to which the electronic device is connected, ora Wi-Fi sensor configured to detect whether the at least one user has attempted to connect the electronic device to a mock rogue Wi-Fi access point; and
  
  by a processor of an analysis host computer; and
  
  by a processor of an analysis host computer;
  
  receiving the data from the electronic device via a communication network,applying a training needs model to the received data to determine whether the at least one user may be at risk for a threat scenario,displaying, via a system administrator interface, a representation of a measurement of whether the at least one user may be at risk for the threat scenario,identifying one or more of the cybersecurity training interventions that are relevant to the threat scenario,displaying, via the system administrator interface, the identified one or more cybersecurity training interventions,receiving, via the system administrator interface, a selection of one of the displayed cybersecurity training interventions,receiving a customization for the selected cybersecurity training intervention, andgenerating a command to deliver the selected cybersecurity training intervention with the customization to an electronic device for presentation to the at least one user.
- View Dependent Claims (23, 24)
- - 23. The method of claim 22, further comprising:
    - displaying, via the system administrator interface, identification information for a plurality of additional users;
      
      receiving, via the system administrator interface, a selected group of the additional users; and
      
      generating a command to deliver the selected cybersecurity training intervention with the customization to the selected group of the additional users.
  - 24. The method of claim 22, further comprising implementing a user interface portion of the system administrator interface that enables receipt of a selection of:
    - one or more scheduling constraints for the selected cybersecurity training intervention; and
      
      an identification of one or more additional users to whom the selected cybersecurity training intervention will be delivered;
      
      wherein the instructions also include instructions to generate a command to deliver the selected cybersecurity training intervention with the customization to the additional users in accordance with the scheduling constraints.

25. A cybersecurity training system, comprising:
- one or more data storage devices that store;
  
  at least one training intervention, anda training needs model;
  
  an electronic device comprising one or more sensors that sense data relating to behavior or activity of at least one user of the electronic device, wherein the one or more sensors comprise one or more of the following;
  
  a USB device sensor configured to detect when a USB drive has been connected to the electronic device,a Wi-Fi sensor configured to detect a Wi-Fi access point to which the electronic device is connected, ora Wi-Fi sensor configured to detect whether the at least one user has attempted to connect the electronic device to a mock rogue Wi-Fi access point;
  
  an analysis host computer comprising one or more processors and a computer-readable memory portion holding programming instructions that, when executed, instruct the one or more processors of the analysis host computer to implement a policy manager that;
  
  receives the sensed data from the electronic device via a communication network, andanalyzes the sensed data relating to at least one user by applying the training needs model to the sensed data to determine whether the at least one user may be at risk for a threat scenario; and
  
  a computer-readable memory portion holding programming instructions that, when executed, instruct one or more processors to implement a system administrator interface that is configured to perform at least one of the following actions;
  
  display parameters of the training needs model and receive a customization of the training needs model via the system administrator interface, ordisplay logic of the policy manager and receive a configuration of the logic the system administrator interface;
  
  wherein the system is also configured to, upon completion of at least one of the actions of the system administrator interface;
  
  select one or more of the training interventions that are relevant to the threat scenario, andgenerate a command to deliver the selected training intervention to an electronic device for presentation to the at least one user.
- View Dependent Claims (26, 27, 28)
- - 26. The system of claim 25, wherein the system administrator interface is also configured to perform at least one of the following actions:
    - display the one or more selected training interventions and allow the administrator to select a subset to be delivered;
      
      orreceive, via the system administrator interface, a customization of one of the training interventions to be delivered.
  - 27. The system of claim 25, wherein:
    - the instructions to implement the system administrator interface also comprise instructions to;
      
      display, via the system administrator interface, statistics for a plurality of additional users, andreceive, via the system administrator interface, a selected group of the additional users; and
      
      the instructions to generate the command also comprise instructions to generate a command to deliver the selected training intervention to the selected group of the additional users.
  - 28. The system of claim 27, wherein the instructions to implement the system administrator interface also comprise instructions to display the statistics so that the administrator can have the statistics presented, sorted and/or compiled according to selected criteria.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Proofpoint Incorporated
Original Assignee
Wombat Security Technologies, Inc (Proofpoint Incorporated)
Inventors
Sadeh-Koniecpol, Norman, Wescoe, Kurt, Brubaker, Jason, Hong, Jason
Primary Examiner(s)
Gishnock, Nikolai A

Application Number

US14/215,981
Publication Number

US 20140199663A1
Time in Patent Office

827 Days
Field of Search

726/11, 726/22, 726/23, 726/24, 726/25
US Class Current

1/1
CPC Class Codes

G06F 21/55   Detecting local intrusion o...

G06F 21/552   involving long-term monitor...

G06F 21/554   involving event detection a...

G06F 21/56   Computer malware detection ...

G06F 21/562   Static detection

G06F 21/563   by source code analysis

G06F 21/564   by virus signature recognition

G06F 21/565   by checking file integrity

G06F 21/566   Dynamic detection, i.e. det...

G06F 21/567   using dedicated hardware

G09B 19/00   Teaching not covered by oth...

G09B 5/00   Electrically-operated educa...

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1433   Vulnerability analysis

H04L 63/1441   Countermeasures against mal...

H04L 63/145   the attack involving the pr...

H04L 63/1458   Denial of Service

H04L 63/1466   Active attacks involving in...

H04L 63/1475 : Passive attacks, e.g. eaves...

H04L 63/1483 : service impersonation, e.g....

H04L 63/1491 : using deception as counterm...

View All

Method and system for controlling context-aware cybersecurity training

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

167 Citations

28 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for controlling context-aware cybersecurity training

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

167 Citations

28 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links