Systems and methods for anomaly-based detection of compromised IT administration accounts
First Claim
1. A computer-implemented method for anomaly-based detection of compromised information technology (IT) administration accounts, at least a portion of the method being performed by a computing device comprising at least one processor, the method comprising:
establishing a set of permissible IT administration tasks for an IT administration account by statically establishing a predefined white list of tasks that are not indicative of suspicious activities on an IT administration account, wherein establishing the predefined white list of tasks comprises defining, for one or more permissible IT administration tasks in the set of permissible IT administration tasks, at least one of:
a time of day the task is permissible;
a location where the task is permissible; and
a first type of computing device permitted to perform the task;
monitoring the IT administration account for activities outside the set of permissible IT administration tasks;
detecting a suspicious activity by identifying an activity that is outside the set of permissible IT administration tasks and therefore indicative of the IT administration account being compromised; and
in response to detecting the suspicious activity, performing, by a security action module on the computing device that is programmed to respond to the suspicious activity, a security action that comprises locking out the IT administration account at a second type of computing device while still granting access to the IT administration account on the first type of computing device.
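The following Python models the method of claim 1 as an added illustration; it is not code from the patent or its assignee. A static white list records, per task, the permissible time-of-day window, locations and device type; a monitor flags any activity that matches no rule; and the security action locks the account out of every device type not on its white list (the "second type") while the white-listed device type (the "first type") keeps access. Account, task and device-type names are constructed sample data.

```python
from collections import namedtuple
from dataclasses import dataclass

# Constructed sample data: the account, task and device-type names are assumptions, not from the patent.
ALL_DEVICE_TYPES = frozenset({"admin-workstation", "laptop", "mobile"})

@dataclass(frozen=True)
class PermittedTask:
    task: str
    hours: tuple = None          # ("HH:MM", "HH:MM") window in which the task is permissible
    locations: frozenset = None  # locations where the task is permissible
    device_types: frozenset = None  # device types permitted to perform the task
# One observed activity on an administration account (zero-padded HH:MM compares correctly as text).
Activity = namedtuple("Activity", "account task at location device_type")

WHITE_LIST = {"admin-alice": [
    PermittedTask("reset_password", ("08:00", "18:00"), frozenset({"HQ"}), frozenset({"admin-workstation"})),
    PermittedTask("read_audit_log"),  # unconstrained: permissible at any time, place or device
]}

class AdminAccountMonitor:
    def __init__(self, white_list):
        self.white_list = white_list  # account -> list of PermittedTask (the static white list)
        self.locked = {}              # account -> device types the account is locked out of

    def is_permitted(self, act):
        """An activity is permissible if some white-list rule for the account satisfies every constraint."""
        for rule in self.white_list.get(act.account, ()):
            if rule.task != act.task:
                continue
            if rule.hours and not (rule.hours[0] <= act.at <= rule.hours[1]):
                continue
            if rule.locations and act.location not in rule.locations:
                continue
            if rule.device_types and act.device_type not in rule.device_types:
                continue
            return True
        return False

    def observe(self, act):
        """Detection and security action: an activity outside the white list locks the account
        out of every device type not white-listed for it, while white-listed types stay usable."""
        if self.is_permitted(act):
            return "permitted"
        allowed = {d for r in self.white_list.get(act.account, ()) if r.device_types for d in r.device_types}
        self.locked[act.account] = set(ALL_DEVICE_TYPES - allowed)
        return "suspicious"
    def access_granted(self, account, device_type):
        return device_type not in self.locked.get(account, set())
```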
Abstract
A computer-implemented method for anomaly-based detection of compromised information technology (IT) administration accounts may (1) include establishing a set of permissible IT administration tasks for an IT administration account, (2) monitoring the IT administration account for activities outside the set of permissible IT administration tasks, (3) detecting a suspicious activity by identifying an activity that is outside the set of permissible IT administration tasks and therefore indicative of the IT administration account being compromised, and (4) in response to detecting the suspicious activity, performing a security action with respect to the potentially compromised IT administration account. Various other methods, systems, and computer-readable media are also disclosed.
20 Claims
1. As set out above under First Claim. Dependent claims: 2 through 12.
13. A system for anomaly-based detection of compromised information technology (IT) administration accounts, the system comprising:
an establishing module, stored in memory, that establishes a set of permissible IT administration tasks for an IT administration account by statically establishing a predefined white list of tasks that are not indicative of suspicious activities on an IT administration account, wherein establishing the predefined white list of tasks comprises defining, for one or more permissible IT administration tasks in the set of permissible IT administration tasks, at least one of:
a time of day the task is permissible;
a location where the task is permissible; and
a first type of computing device permitted to perform the task;
a monitoring module, stored in memory, that monitors the IT administration account for activities outside the set of permissible IT administration tasks;
a detection module, stored in memory, that detects a suspicious activity by identifying an activity that is outside the set of permissible IT administration tasks and therefore indicative of the IT administration account being compromised;
a security action module, stored in memory, that in response to detecting the suspicious activity, performs a security action that comprises locking out the IT administration account at a second type of computing device while still granting access to the IT administration account on the first type of computing device; and
at least one physical processor that executes the establishing module, the monitoring module, the detection module, and the security action module.
Dependent claims: 14 through 19.
20. A non-transitory computer-readable medium comprising one or more computer-executable instructions that, when executed by at least one processor of a computing device, cause the computing device to:
establish a set of permissible information technology (IT) administration tasks for an IT administration account by statically establishing a predefined white list of tasks that are not indicative of suspicious activities on an IT administration account, wherein establishing the predefined white list of tasks comprises defining, for one or more permissible IT administration tasks in the set of permissible IT administration tasks, at least one of:
a time of day the task is permissible;
a location where the task is permissible; and
a first type of computing device permitted to perform the task;
monitor the IT administration account for activities outside the set of permissible IT administration tasks;
detect a suspicious activity by identifying an activity that is outside the set of permissible IT administration tasks and therefore indicative of the IT administration account being compromised; and
in response to detecting the suspicious activity, perform a security action that comprises locking out the IT administration account at a second type of computing device while still granting access to the IT administration account on the first type of computing device.