Systems and methods for detecting security threats based on user profiles

US 9,401,925 B1
Filed: 09/12/2013
Issued: 07/26/2016
Est. Priority Date: 09/12/2013
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for detecting security threats based on user profiles, at least a portion of the method being performed by a computing device comprising at least one processor, the method comprising:

identifying behavior by a user on a computing system that is potentially indicative of a security threat by identifying at least one of;

use of an administrative tool that causes remote execution on other computing systems;

execution of a network command that allows attackers to identify at least one of domain controllers and accounts with domain administrator credentials;

identifying a profile for the user that estimates a level of the user'"'"'s technical sophistication at least in part by;

accessing a history of behavior by the user;

matching the user, by analyzing the history of behavior, to a group of non-administrators having a lower level of technical sophistication than a group of administrators;

comparing the identified behavior of the user with the estimated level of the user'"'"'s technical sophistication;

determining that the identified behavior of the user indicates a security threat at least in part by determining that the identified behavior is inconsistent with the estimated level of the user'"'"'s technical sophistication associated with the group of non-administrators.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computer-implemented method for detecting security threats based on user profiles may include 1) identifying behavior on a computing system that is potentially indicative of a security threat, 2) identifying a user profile for a user of the computing system that estimates a level of the user'"'"'s technical sophistication, 3) comparing the identified behavior with the estimated level of the user'"'"'s technical sophistication, and 4) determining whether the identified behavior indicates a security threat based at least in part on the comparison of the identified behavior with the estimated level of the user'"'"'s technical sophistication. Various other methods, systems, and computer-readable media are also disclosed.

100 Citations

View as Search Results

20 Claims

1. A computer-implemented method for detecting security threats based on user profiles, at least a portion of the method being performed by a computing device comprising at least one processor, the method comprising:
- identifying behavior by a user on a computing system that is potentially indicative of a security threat by identifying at least one of;
  
  use of an administrative tool that causes remote execution on other computing systems;
  
  execution of a network command that allows attackers to identify at least one of domain controllers and accounts with domain administrator credentials;
  
  identifying a profile for the user that estimates a level of the user'"'"'s technical sophistication at least in part by;
  
  accessing a history of behavior by the user;
  
  matching the user, by analyzing the history of behavior, to a group of non-administrators having a lower level of technical sophistication than a group of administrators;
  
  comparing the identified behavior of the user with the estimated level of the user'"'"'s technical sophistication;
  
  determining that the identified behavior of the user indicates a security threat at least in part by determining that the identified behavior is inconsistent with the estimated level of the user'"'"'s technical sophistication associated with the group of non-administrators.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The computer-implemented method of claim 1, wherein identifying behavior by the user on the computing system that is potentially indicative of a security threat comprises identifying:
    - execution of the network command that allows attackers to identify at least one of domain controllers and accounts with domain administrator credentials.
  - 3. The computer-implemented method of claim 1, further comprising identifying an additional profile for an additional user that estimates the level of the additional user'"'"'s technical sophistication at least in part by adjusting the additional profile for the additional user.
  - 4. The computer-implemented method of claim 3, wherein adjusting the additional profile for the additional user comprises increasing the estimated level of the additional user'"'"'s technical sophistication based on use of a command line interface.
  - 5. The computer-implemented method of claim 3, wherein adjusting the additional profile for the additional user comprises increasing the estimated level of the additional user'"'"'s technical sophistication based on use of system administrative tools.
  - 6. The computer-implemented method of claim 3, wherein adjusting the additional profile for the additional user comprises increasing the estimated level of the additional user'"'"'s technical sophistication based on presence of at least one of:
    - development tools;
      
      scripting tools.
  - 7. The computer-implemented method of claim 3, wherein adjusting the additional profile for the additional user comprises increasing the estimated level of the additional user'"'"'s technical sophistication based on a ratio of time spent within a web browser to time spent within other user-installed applications.
  - 8. The computer-implemented method of claim 1, further comprising determining that an additional identified behavior of an additional user does not indicate a security threat.
  - 9. The computer-implemented method of claim 8, wherein determining that the additional identified behavior of the additional user does not indicate a security threat comprises determining that the additional user was physically present at an additional computing system during the additional identified behavior.
  - 10. The computer-implemented method of claim 8, wherein determining that the additional identified behavior of the additional user does not indicate a security threat comprises determining that the additional user witnessed changes made by the additional identified behavior.
  - 11. The computer-implemented method of claim 8, wherein determining that the additional identified behavior of the additional user does not indicate a security threat comprises determining that behavior similar to the additional identified behavior of the additional user occurred on other network computing systems during a same period of time as the additional identified behavior of the additional user.
  - 12. The computer-implemented method of claim 8, wherein determining that the additional identified behavior of the additional user does not indicate a security threat comprises identifying a false positive.

13. A system for detecting security threats based on user profiles, the system comprising:
- an identification module, stored in a memory, that identifies;
  
  behavior by a user on a computing system that is potentially indicative of a security threat by identifying at least one of;
  
  use of an administrative tool that causes remote execution on other computing systems;
  
  execution of a network command that allows attackers to identify at least one of domain controllers and accounts with domain administrator credentials;
  
  a profile for the user that estimates a level of the user'"'"'s technical sophistication at least in part by;
  
  accessing a history of behavior by the user;
  
  matching the user, by analyzing the history of behavior, to a group of non-administrators having a lower level of technical sophistication than a group of administrators;
  
  a comparing module, stored in the memory, that compares the identified behavior of the user with the estimated level of the user'"'"'s technical sophistication;
  
  a determination module, stored in the memory, that determines that the identified behavior of the user indicates a security threat at least in part by determining that the identified behavior is inconsistent with the estimated level of the user'"'"'s technical sophistication associated with the group of non-administrators;
  
  at least one physical processor that is coupled to the memory and that is configured to execute the identification module, the comparing module, and the determination module.
- View Dependent Claims (14, 15, 16, 17, 18, 19)
- - 14. The system of claim 13, wherein the identification module identifies behavior by the user on the computing system that is potentially indicative of a security threat by identifying:
    - execution of a network command that allows attackers to identify at least one of domain controllers and accounts with domain administrator credentials.
  - 15. The system of claim 13, wherein the identification module identifies an additional profile for an additional user that estimates the level of the additional user'"'"'s technical sophistication by adjusting the additional profile for the additional user.
  - 16. The system of claim 15, wherein the identification module adjusts the additional profile for the additional user by increasing the estimated level of the additional user'"'"'s technical sophistication based on use of a command line interface.
  - 17. The system of claim 15, wherein the identification module adjusts the additional profile for the additional user by increasing the estimated level of the additional user'"'"'s technical sophistication based on use of system administrative tools.
  - 18. The system of claim 15, wherein the identification module adjusts the additional profile for the additional user by increasing the estimated level of the additional user'"'"'s technical sophistication based on presence of at least one of:
    - development tools;
      
      scripting tools.
  - 19. The system of claim 15, wherein the identification module adjusts the additional profile for the additional user by increasing the estimated level of the additional user'"'"'s technical sophistication based on a ratio of time spent within a web browser to time spent within other user-installed applications.

20. A non-transitory computer-readable-storage medium comprising one or more computer-readable instructions that, when executed by at least one processor of a computing device, cause the computing device to:
- identify behavior by a user on a computing system that is potentially indicative of a security threat by identifying at least one of;
  
  use of an administrative tool that causes remote execution on other computing systems;
  
  execution of a network command that allows attackers to identify at least one of domain controllers and accounts with domain administrator credentials;
  
  identify a profile for the user that estimates a level of the user'"'"'s technical sophistication at least in part by;
  
  accessing a history of behavior by the user;
  
  matching the user, by analyzing the history of behavior, to a group of non-administrators having a lower level of technical sophistication than a group of administrators;
  
  compare the identified behavior of the user with the estimated level of the user'"'"'s technical sophistication;
  
  determine that the identified behavior of the user indicates a security threat at least in part by determining that the identified behavior is inconsistent with the estimated level of the user'"'"'s technical sophistication associated with the group of non-administrators.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Gen Digital Inc.
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Guo, Fanglu, Bhatkar, Sandeep, Roundy, Kevin
Primary Examiner(s)
Pyzocha, Michael

Application Number

US14/024,636
Time in Patent Office

1,048 Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/552   involving long-term monitor...

G06F 21/56   Computer malware detection ...

H04L 63/1416   Event detection, e.g. attac...

Systems and methods for detecting security threats based on user profiles

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

100 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

Systems and methods for detecting security threats based on user profiles

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

100 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others