User behavioral risk assessment
Abstract
A particular activity performed by a particular user of a computing device is identified, for instance, by an agent installed on the computing device. It is determined that the particular activity qualifies as a particular use violation in a plurality of pre-defined use violations. A behavioral risk score for the particular user is determined based at least in part on the determination that the particular activity of the particular user qualifies as a particular use violation. Determining that the particular activity qualifies as a particular use violation can include determining that the particular activity violates a particular rule or event trigger corresponding to a particular pre-defined use violation.
19 Claims
1. At least one non-transitory machine accessible storage medium having instructions stored thereon, the instructions when executed on a machine, cause the machine to:
- receive, at a computing device, first rule data corresponding to a first set of rules maintained at a remote risk assessment engine, wherein the first set of rules is associated with a particular user;
- use the first rule data to monitor user activity on the computing device during a first session;
- detect a particular activity performed by the particular user on the computing device during the first session;
- determine, based on the first rule data, that the particular activity qualifies as a first potential violation;
- send a first report to the risk assessment engine identifying the first potential violation detected at the computing device, wherein the first report identifies the particular user;
- generate behavioral tendency data describing behavioral tendencies of the particular user detected by a behavior monitor executing on the computing device;
- send the behavioral tendency data to the risk assessment engine to apply to a behavior profile of the particular user maintained by the risk assessment engine;
- receive an indication from the risk assessment engine, responsive to the first report, that the first potential violation is a violation; and
- perform a remediation action at the particular computing device based on the indication.

Dependent claims: 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17

2. A method comprising:
- receiving, at a computing device, rule data corresponding to a set of rules maintained at a remote risk assessment engine, wherein the set of rules is associated with a particular user;
- using the rule data to monitor user activity on the computing device during a first session;
- detecting, at the computing device, a particular activity performed by the particular user on a computing device during the first session;
- determining, based on the rule data, that the particular activity qualifies as a potential violation;
- sending a report to the risk assessment engine identifying the potential violation detected at the computing device, wherein the first report identifies the particular user;
- generating behavioral tendency data describing behavioral tendencies of the particular user detected by a behavior monitor executing on the computing device;
- sending the behavioral tendency data to the risk assessment engine to apply to a behavior profile of the particular user maintained by the risk assessment engine;
- receiving an indication from the risk assessment engine, responsive to the report, that the potential violation is a violation; and
- performing a remediation action at the particular computing device based on the indication.

3. A system comprising:
- at least one processor device;
- at least one memory element; and
- a user behavioral risk agent installed on a particular computing device, wherein the user behavioral risk agent is executable to:
  - receive, at a computing device, rule data corresponding to a set of rules maintained at a remote risk assessment engine, wherein the set of rules is associated with a particular user, and the rule data abstracts rules in the set of rules;
  - use the rule data to monitor user activity on the computing device for violations of the rule data during a particular session;
  - detect, at the particular computing device, a particular activity performed by the particular user on the particular computing device during the particular session;
  - determine, based on the rule data, that the particular activity qualifies as a potential violation;
  - send a report to the risk assessment engine identifying the potential violation detected at the computing device;
  - generate behavioral tendency data describing behavioral tendencies of the particular user detected by a behavior monitor executing on the computing device;
  - send the behavioral tendency data to the risk assessment engine to apply to a behavior profile maintained by the risk assessment engine;
  - receive an indication from the risk assessment engine, responsive to the report, that the potential violation is a violation, wherein the indication is based at least in part on whether the potential violation deviates from the behavior profile; and
  - perform a remediation action at the particular computing device based on the indication.

Dependent claims: 18, 19

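The agent and engine exchange recited in claim 3, as an added Python example that is not taken from the patent. The rule fields, the 5% rarity threshold used as the deviation test, the "block" remediation and every class and function name are assumptions made for illustration.

```python
from collections import Counter

# Constructed illustration: rule fields, the 5% rarity threshold and all
# names are assumptions; the claims fix no rule format or deviation test.
RARE_SHARE = 0.05

class RiskEngine:
    def __init__(self, rules, profiles):
        self.rules = rules          # user -> full rules, kept at the engine
        self.profiles = profiles    # user -> Counter of observed activity kinds

    def rule_data_for(self, user):
        # Abstracted rule data: only the fields the agent needs to match locally.
        return [{"id": r["id"], "kind": r["kind"], "max_mb": r["max_mb"]}
                for r in self.rules.get(user, [])]

    def apply_tendencies(self, user, tendencies):
        self.profiles.setdefault(user, Counter()).update(tendencies)

    def assess(self, report):
        # Confirm the potential violation only if it deviates from the profile.
        # A user with no profile has share 0.0, so the report is confirmed.
        profile = self.profiles.get(report["user"], Counter())
        total = sum(profile.values())
        share = profile[report["kind"]] / total if total else 0.0
        return {"rule_id": report["rule_id"], "violation": share < RARE_SHARE}

class Agent:
    def __init__(self, user, engine):
        self.user, self.engine, self.blocked = user, engine, set()

    def run_session(self, events):
        rule_data = self.engine.rule_data_for(self.user)
        reports = [{"user": self.user, "rule_id": r["id"], "kind": e["kind"]}
                   for e in events for r in rule_data
                   if e["kind"] == r["kind"] and e["mb"] > r["max_mb"]]
        tendencies = Counter(e["kind"] for e in events)   # behavior monitor output
        self.engine.apply_tendencies(self.user, tendencies)
        confirmed = [rep for rep in reports if self.engine.assess(rep)["violation"]]
        self.blocked.update(rep["kind"] for rep in confirmed)  # remediation
        return reports, confirmed

def demo():
    # Constructed sample data: the same session for two users with different profiles.
    rule = {"id": "R1", "kind": "usb_copy", "max_mb": 100, "note": "engine-only"}
    engine = RiskEngine(
        rules={"alice": [rule], "bob": [rule]},
        profiles={"alice": Counter(email=120, web=300),
                  "bob": Counter(usb_copy=40, email=60)})
    events = [{"kind": "email", "mb": 2}, {"kind": "usb_copy", "mb": 500}]
    return {u: Agent(u, engine).run_session(events) for u in ("alice", "bob")}
```

Both users trip rule R1 locally, but only the user whose profile makes the activity unusual receives a confirming indication and the remediation.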
Specification