Systems and methods for anomaly-based detection of compromised IT administration accounts

US 9,485,271 B1
Filed: 03/11/2014
Issued: 11/01/2016
Est. Priority Date: 03/11/2014
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for anomaly-based detection of compromised information technology (IT) administration accounts, at least a portion of the method being performed by a computing device comprising at least one processor, the method comprising:

establishing a set of permissible IT administration tasks for an IT administration account by statically establishing a predefined white list of tasks that are not indicative of suspicious activities on an IT administration account, wherein establishing the predefined white list of tasks comprises defining, for one or more permissible IT administration tasks in the set of permissible IT administration tasks, at least one of;

a time of day the task is permissible;

a location where the task is permissible; and

a first type of computing device permitted to perform the task;

monitoring the IT administration account for activities outside the set of permissible IT administration tasks;

detecting a suspicious activity by identifying an activity that is outside the set of permissible IT administration tasks and therefore indicative of the IT administration account being compromised; and

in response to detecting the suspicious activity, performing, by a security action module on the computing device that is programmed to respond to the suspicious activity, a security action that comprises locking out the IT administration account at a second type of computing device while still granting access to the IT administration account on the first type of computing device.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computer-implemented method for anomaly-based detection of compromised information technology (IT) administration accounts may (1) include establishing a set of permissible IT administration tasks for an IT administration account, (2) monitoring the IT administration account for activities outside the set of permissible IT administration tasks, (3) detecting a suspicious activity by identifying an activity that is outside the set of permissible IT administration tasks and therefore indicative of the IT administration account being compromised, and (4) in response to detecting the suspicious activity, performing a security action with respect to the potentially compromised IT administration account. Various other methods, systems, and computer-readable media are also disclosed.

Citations

20 Claims

1. A computer-implemented method for anomaly-based detection of compromised information technology (IT) administration accounts, at least a portion of the method being performed by a computing device comprising at least one processor, the method comprising:
- establishing a set of permissible IT administration tasks for an IT administration account by statically establishing a predefined white list of tasks that are not indicative of suspicious activities on an IT administration account, wherein establishing the predefined white list of tasks comprises defining, for one or more permissible IT administration tasks in the set of permissible IT administration tasks, at least one of;
  
  a time of day the task is permissible;
  
  a location where the task is permissible; and
  
  a first type of computing device permitted to perform the task;
  
  monitoring the IT administration account for activities outside the set of permissible IT administration tasks;
  
  detecting a suspicious activity by identifying an activity that is outside the set of permissible IT administration tasks and therefore indicative of the IT administration account being compromised; and
  
  in response to detecting the suspicious activity, performing, by a security action module on the computing device that is programmed to respond to the suspicious activity, a security action that comprises locking out the IT administration account at a second type of computing device while still granting access to the IT administration account on the first type of computing device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The computer-implemented method of claim 1, wherein:
    - the IT administration account includes a domain administrator account;
      
      the predefined white list of tasks includes at least one of;
      
      managing domain credentials; and
      
      creating and/or modifying domain accounts.
  - 3. The computer-implemented method of claim 1, wherein:
    - the IT administration account includes a local administrator account;
      
      the predefined white list of tasks includes at least one of;
      
      installing software; and
      
      creating and/or modifying local accounts.
  - 4. The computer-implemented method of claim 1, wherein establishing the predefined white list of tasks comprises:
    - determining suspicious activities on the IT administration account that can compromise the IT administration account; and
      
      excluding the suspicious activities from the set of permissible IT administration tasks for the IT administration account.
  - 5. The computer-implemented method of claim 1, wherein:
    - the first type of computing device comprises an administrator computing device; and
      
      the second type of computing device comprises a non-administrator computing device.
  - 6. The computer-implemented method of claim 1, wherein:
    - establishing the predefined white list of tasks comprises categorizing tasks by the types of computing devices used by the IT administrator;
      
      categorizing tasks by the types of computing devices used by the IT administrator comprises categorizing the first type of computing device as an administrator computing device used for administrative tasks and categorizing the second type of computing device as a non-administrator computing device used for non-administrative tasks.
  - 7. The computer-implemented method of claim 1, wherein monitoring the IT administration account, detecting the suspicious activity, and/or performing the security action comprises:
    - performing the security action prior to executing the activities that can potentially compromise the IT administration account.
  - 8. The computer-implemented method of claim 1, wherein:
    - the IT administration account includes at least one of;
      
      a local administrator account, where the set of permissible IT administration tasks includes tasks for managing an endpoint device; and
      
      a domain administrator account, where the set of permissible IT administration tasks includes tasks for;
      
      managing a website; and
      
      managing a network.
  - 9. The computer-implemented method of claim 1, wherein the set of permissible IT administration tasks performed using the IT administration account differs from other activities performed using a personal user account.
  - 10. The computer-implemented method of claim 1, further comprising:
    - retrieving a non-administrator user account credential for a user of the IT administration account;
      
      retrieving an IT administration account credential for the user of the IT administration account;
      
      comparing a credential hash of the non-administrator user account credential with a credential hash of the IT administration account credential;
      
      determining the credential hash of the non-administrator user account credential and the credential hash of the IT administration account credential are the same; and
      
      in response to the determination that the credential hashes of the non-administrator user account credential and the IT administration account credential are the same, performing a security action prompting a change in the non-administrator user account credential or the IT administration account credential so the account credentials are different to protect the IT administration account.
  - 11. The computer-implemented method of claim 1, wherein the activity that is outside the set of permissible IT administration tasks further comprises at least one of:
    - accessing, copying, and/or downloading source-code;
      
      reading an email;
      
      composing a document;
      
      accessing the Internet;
      
      remote accessing another computing device from a non-administrator computing device;
      
      creating a temporary account and/or a temporary user account;
      
      raising and/or changing a privilege level of another user;
      
      clearing an event log; and
      
      resetting passwords of other users.
  - 12. The computer-implemented method of claim 1, wherein:
    - the IT administration account includes at least one of;
      
      a network administrator account, a system administrator account, a database administrator account, and/or a backup administrator account; and
      
      the predefined white list of tasks includes at least one of;
      
      modifying new user accounts, creating new user accounts, host administration, network administration, maintaining network resources, and/or hosting a website.

13. A system for anomaly-based detection of compromised information technology (IT) administration accounts, the system comprising:
- an establishing module, stored in memory, that establishes a set of permissible IT administration tasks for an IT administration account by statically establishing a predefined white list of tasks that are not indicative of suspicious activities on an IT administration account, wherein establishing the predefined white list of tasks comprises defining, for one or more permissible IT administration tasks in the set of permissible IT administration tasks, at least one of;
  
  a time of day the task is permissible;
  
  a location where the task is permissible; and
  
  a first type of computing device permitted to perform the task;
  
  a monitoring module, stored in memory, that monitors the IT administration account for activities outside the set of permissible IT administration tasks;
  
  a detection module, stored in memory, that detects a suspicious activity by identifying an activity that is outside the set of permissible IT administration tasks and therefore indicative of the IT administration account being compromised;
  
  a security action module, stored in memory, that in response to detecting the suspicious activity, performs a security action that comprises locking out the IT administration account at a second type of computing device while still granting access to the IT administration account on the first type of computing device; and
  
  at least one physical processor that executes the establishing module, the monitoring module, the detection module, and the security action module.
- View Dependent Claims (14, 15, 16, 17, 18, 19)
- - 14. The system of claim 13, wherein:
    - the IT administration account includes a domain administrator account;
      
      the predefined white list of tasks includes at least one of;
      
      managing domain credentials; and
      
      creating and/or modifying domain accounts.
  - 15. The system of claim 13, wherein:
    - the IT administration account includes a local administrator account;
      
      the predefined white list of tasks includes at least one of;
      
      installing software; and
      
      creating and/or modifying local accounts.
  - 16. The system of claim 13, wherein the establishing module establishes the predefined white list of tasks for the IT administration account by categorizing tasks by the types of computing devices used by an IT administrator.
  - 17. The system of claim 13, wherein the set of permissible IT administration tasks performed using the IT administration account differs from other activities performed using a personal user account.
  - 18. The system of claim 13, wherein the security action module performs a security action by:
    - retrieving a non-administrator user account credential for a user of the IT administration account;
      
      retrieving an IT administration account credential for the user of the IT administration account;
      
      comparing a credential hash of the non-administrator user account credential with a credential hash of the IT administration account credential;
      
      determining the credential hash of the non-administrator user account credential and the credential hash of the IT administration account credential are the same; and
      
      in response to the determination that the credential hashes of the non-administrator user account credential and the IT administration account credential are the same, performing a security action prompting a change in the non-administrator user account credential or the IT administration account credential so the account credentials are different to protect the IT administration account.
  - 19. The system of claim 13, wherein the activity that is outside the set of permissible IT administration tasks further comprises at least one of:
    - accessing, copying, or downloading source-code;
      
      reading an email;
      
      composing a document;
      
      accessing the Internet;
      
      remote accessing another computing device from a non-administrator computing device;
      
      creating a temporary account and/or a temporary user account;
      
      raising and/or changing a privilege level of another user;
      
      clearing an event log; and
      
      resetting passwords of other users.

20. A non-transitory computer-readable medium comprising one or more computer-executable instructions that, when executed by at least one processor of a computing device, cause the computing device to:
- establish a set of permissible information technology (IT) administration tasks for an IT administration account by statically establishing a predefined white list of tasks that are not indicative of suspicious activities on an IT administration account, wherein establishing the predefined white list of tasks comprises defining, for one or more permissible IT administration tasks in the set of permissible IT administration tasks, at least one of;
  
  a time of day the task is permissible;
  
  a location where the task is permissible; and
  
  a first type of computing device permitted to perform the task;
  
  monitor the IT administration account for activities outside the set of permissible IT administration tasks;
  
  detect a suspicious activity by identifying an activity that is outside the set of permissible IT administration tasks and therefore indicative of the IT administration account being compromised; and
  
  in response to detecting the suspicious activity, perform a security action that comprises locking out the IT administration account at a second type of computing device while still granting access to the IT administration account on the first type of computing device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Roundy, Kevin, Bhatkar, Sandeep, Guo, Fanglu
Primary Examiner(s)
Thiaw, Catherine

Application Number

US14/205,335
Time in Patent Office

966 Days
Field of Search

726 5- 7, 726/23, 726/25
US Class Current

1/1
CPC Class Codes

H04L 63/1441 Countermeasures against mal...

Systems and methods for anomaly-based detection of compromised IT administration accounts

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for anomaly-based detection of compromised IT administration accounts

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links