Systems and methods for detecting security threats based on user profiles
First Claim
1. A computer-implemented method for detecting security threats based on user profiles, at least a portion of the method being performed by a computing device comprising at least one processor, the method comprising:
- identifying behavior by a user on a computing system that is potentially indicative of a security threat by identifying at least one of:
  - use of an administrative tool that causes remote execution on other computing systems;
  - execution of a network command that allows attackers to identify at least one of domain controllers and accounts with domain administrator credentials;
- identifying a profile for the user that estimates a level of the user's technical sophistication at least in part by:
  - accessing a history of behavior by the user;
  - matching the user, by analyzing the history of behavior, to a group of non-administrators having a lower level of technical sophistication than a group of administrators;
- comparing the identified behavior of the user with the estimated level of the user's technical sophistication;
- determining that the identified behavior of the user indicates a security threat at least in part by determining that the identified behavior is inconsistent with the estimated level of the user's technical sophistication associated with the group of non-administrators.
Abstract
A computer-implemented method for detecting security threats based on user profiles may include 1) identifying behavior on a computing system that is potentially indicative of a security threat, 2) identifying a user profile for a user of the computing system that estimates a level of the user's technical sophistication, 3) comparing the identified behavior with the estimated level of the user's technical sophistication, and 4) determining whether the identified behavior indicates a security threat based at least in part on the comparison of the identified behavior with the estimated level of the user's technical sophistication. Various other methods, systems, and computer-readable media are also disclosed.
20 Claims
1. A computer-implemented method for detecting security threats based on user profiles, at least a portion of the method being performed by a computing device comprising at least one processor, the method comprising:
- identifying behavior by a user on a computing system that is potentially indicative of a security threat by identifying at least one of:
  - use of an administrative tool that causes remote execution on other computing systems;
  - execution of a network command that allows attackers to identify at least one of domain controllers and accounts with domain administrator credentials;
- identifying a profile for the user that estimates a level of the user's technical sophistication at least in part by:
  - accessing a history of behavior by the user;
  - matching the user, by analyzing the history of behavior, to a group of non-administrators having a lower level of technical sophistication than a group of administrators;
- comparing the identified behavior of the user with the estimated level of the user's technical sophistication;
- determining that the identified behavior of the user indicates a security threat at least in part by determining that the identified behavior is inconsistent with the estimated level of the user's technical sophistication associated with the group of non-administrators.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12.
13. A system for detecting security threats based on user profiles, the system comprising:
- an identification module, stored in a memory, that identifies:
  - behavior by a user on a computing system that is potentially indicative of a security threat by identifying at least one of:
    - use of an administrative tool that causes remote execution on other computing systems;
    - execution of a network command that allows attackers to identify at least one of domain controllers and accounts with domain administrator credentials;
  - a profile for the user that estimates a level of the user's technical sophistication at least in part by:
    - accessing a history of behavior by the user;
    - matching the user, by analyzing the history of behavior, to a group of non-administrators having a lower level of technical sophistication than a group of administrators;
- a comparing module, stored in the memory, that compares the identified behavior of the user with the estimated level of the user's technical sophistication;
- a determination module, stored in the memory, that determines that the identified behavior of the user indicates a security threat at least in part by determining that the identified behavior is inconsistent with the estimated level of the user's technical sophistication associated with the group of non-administrators;
- at least one physical processor that is coupled to the memory and that is configured to execute the identification module, the comparing module, and the determination module.
Dependent claims: 14, 15, 16, 17, 18, 19.
20. A non-transitory computer-readable-storage medium comprising one or more computer-readable instructions that, when executed by at least one processor of a computing device, cause the computing device to:
- identify behavior by a user on a computing system that is potentially indicative of a security threat by identifying at least one of:
  - use of an administrative tool that causes remote execution on other computing systems;
  - execution of a network command that allows attackers to identify at least one of domain controllers and accounts with domain administrator credentials;
- identify a profile for the user that estimates a level of the user's technical sophistication at least in part by:
  - accessing a history of behavior by the user;
  - matching the user, by analyzing the history of behavior, to a group of non-administrators having a lower level of technical sophistication than a group of administrators;
- compare the identified behavior of the user with the estimated level of the user's technical sophistication;
- determine that the identified behavior of the user indicates a security threat at least in part by determining that the identified behavior is inconsistent with the estimated level of the user's technical sophistication associated with the group of non-administrators.
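As an added illustration of the method claimed above and summarized in the abstract (example code, not code from the patent or its assignee), the following Python sketches the claim as a detection rule: a user's history places them in the administrator or non-administrator group, and a monitored behavior is flagged only when it is inconsistent with that group. The behavior category labels, the ratio-based grouping heuristic and the history events are all constructed assumptions.

```python
from collections import Counter

# Behavior categories the claims single out as potentially indicative of a threat.
# The labels are assumed; a real sensor would map concrete tool and command names onto them.
SUSPICIOUS = {"remote_exec_admin_tool", "domain_controller_enum"}

# Categories that, across a user's history, indicate administrator-level sophistication (assumed).
ADMIN_INDICATORS = SUSPICIOUS | {"script_execution", "service_restart", "group_policy_edit"}

# Constructed behavior history: (user, behavior category) events, oldest first.
HISTORY = [
    ("alice", "console_login"), ("alice", "office_document_open"),
    ("alice", "web_browsing"), ("alice", "email_client"),
    ("bob", "console_login"), ("bob", "script_execution"),
    ("bob", "remote_exec_admin_tool"), ("bob", "service_restart"),
    ("bob", "domain_controller_enum"), ("bob", "group_policy_edit"),
]


def build_profile(history, user, admin_threshold=0.3):
    """Estimate technical sophistication from past behavior and match the user to one of
    the two groups in the claims. A user with no history lands in the lower group: there is
    no evidence of sophistication, so an admin-style action from them still deserves a look."""
    counts = Counter(cat for u, cat in history if u == user)
    total = sum(counts.values())
    if total == 0:
        return "non-administrators"
    admin_ratio = sum(counts[c] for c in ADMIN_INDICATORS) / total
    return "administrators" if admin_ratio >= admin_threshold else "non-administrators"


def assess(history, user, observed):
    """The claimed method end to end: identify the behavior, profile the user,
    compare the two, and decide whether the behavior indicates a threat."""
    result = {"user": user, "behavior": observed, "group": None, "threat": False}
    if observed not in SUSPICIOUS:          # step 1: not a monitored behavior
        return result
    result["group"] = build_profile(history, user)      # step 2
    # steps 3-4: the behavior is inconsistent with a non-administrator profile;
    # the same behavior from an administrator is consistent and is not flagged by this rule.
    result["threat"] = result["group"] == "non-administrators"
    return result


if __name__ == "__main__":
    for user, action in [("alice", "remote_exec_admin_tool"), ("bob", "remote_exec_admin_tool"),
                         ("carol", "domain_controller_enum"), ("alice", "web_browsing")]:
        print(assess(HISTORY, user, action))
```

The threshold and the category mapping are the pieces a deployment would tune; the profile should also be built from history recorded before the observed event, or a user can "earn" the administrator group with the very actions under review.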
Specification