User behavioral risk assessment

US 9,635,047 B2
Filed: 05/27/2015
Issued: 04/25/2017
Est. Priority Date: 10/18/2011
Status: Active Grant

First Claim

Patent Images

1. At least one non-transitory machine accessible storage medium having instructions stored thereon, the instructions when executed on a machine, cause the machine to:

receive, at a computing device, first rule data corresponding to a first set of rules maintained at a remote risk assessment engine, wherein the first set of rules is associated with a particular user;

use the first rule data to monitor user activity on the computing device during a first session;

detect a particular activity performed by the particular user on the computing device during the first session;

determine, based on the first rule data, that the particular activity qualifies as a first potential violation;

send a first report to the risk assessment engine identifying the first potential violation detected at the computing device, wherein the first report identifies the particular user;

generate behavioral tendency data describing behavioral tendencies of the particular user detected by a behavior monitor executing on the computing device;

send the behavioral tendency data to the risk assessment engine to apply to a behavior profile of the particular user maintained by the risk assessment engine;

receive an indication from the risk assessment engine, responsive to the first report, that the first potential violation is a violation; and

perform a remediation action at the particular computing device based on the indication.

View all claims

11 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A particular activity performed by a particular user of a computing device is identified, for instance, by an agent installed on the computing device. It is determined that the particular activity qualifies as a particular use violation in a plurality of pre-defined use violations. A behavioral risk score for the particular score for the user is determined based at least in part on the determination that the particular activity of the particular user qualifies as a particular use violation. Determining that the particular activity qualifies as a particular use violation can include determining that the particular activity violates a particular rule or event trigger corresponding to a particular pre-defined use violation.

63 Citations

View as Search Results

19 Claims

1. At least one non-transitory machine accessible storage medium having instructions stored thereon, the instructions when executed on a machine, cause the machine to:
- receive, at a computing device, first rule data corresponding to a first set of rules maintained at a remote risk assessment engine, wherein the first set of rules is associated with a particular user;
  
  use the first rule data to monitor user activity on the computing device during a first session;
  
  detect a particular activity performed by the particular user on the computing device during the first session;
  
  determine, based on the first rule data, that the particular activity qualifies as a first potential violation;
  
  send a first report to the risk assessment engine identifying the first potential violation detected at the computing device, wherein the first report identifies the particular user;
  
  generate behavioral tendency data describing behavioral tendencies of the particular user detected by a behavior monitor executing on the computing device;
  
  send the behavioral tendency data to the risk assessment engine to apply to a behavior profile of the particular user maintained by the risk assessment engine;
  
  receive an indication from the risk assessment engine, responsive to the first report, that the first potential violation is a violation; and
  
  perform a remediation action at the particular computing device based on the indication.
- View Dependent Claims (4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17)
- - 4. The storage medium of claim 1, wherein the first rule data is stored locally at the computing device together with at least second rule data corresponding to a second set of rules associated with a second user.
  - 5. The storage medium of claim 4, wherein the particular activity is not determined to be a potential violation when the second rule data is applied at the computing device.
  - 6. The storage medium of claim 4, wherein the instructions when executed further cause the machine to:
    - identify that a second user uses the computing device during a second session;
      
      use the second rule data to monitor user activity on the computing device during the second session;
      
      detect, at the computing device, the particular activity performed by the second user on the computing device during the second session;
      
      determine, based on the second rule data, that the particular activity performed by the second user comprises a second potential violation;
      
      send a second report to the risk assessment engine identifying the second potential violation detected at the computing device; and
      
      receive an indication from the risk assessment engine, responsive to the second report, that the second potential violation is not a violation.
  - 7. The storage medium of claim 4, wherein the instructions when executed further cause the machine to:
    - identify that a second user uses the computing device during a second session;
      
      use the second rule data to monitor user activity on the computing device during the second session;
      
      detect, at the computing device, the particular activity performed by the second user on the computing device during the second session; and
      
      determine, based on the second rule data, that the particular activity performed by the second user does not comprise a second potential violation.
  - 8. The storage medium of claim 1, wherein the first set of rules is generated at the risk assessment engine based on the behavior profile.
  - 9. The storage medium of claim 8, wherein the first set of rules is modified based on the first report.
  - 10. The storage medium of claim 1, wherein the report describes context information related to the particular activity.
  - 11. The storage medium of claim 10, wherein the context information describes another activity performed by the user at the computing device during the first session.
  - 12. The storage medium of claim 1, wherein the first rule data is used by a software-implemented agent installed on the computing device and the agent determines that the particular activity performed by the first user comprises the first potential violation.
  - 13. The storage medium of claim 12, wherein the agent communicates directly with the risk assessment engine.
  - 14. The storage medium of claim 12, wherein the indication of the violation triggers a countermeasure to be applied at the computing device.
  - 15. The storage medium of claim 14, wherein the countermeasure is deployed, at least in part, using the agent.
  - 16. The storage medium of claim 14, wherein the indication comprises instructions for use by the agent in deploying the countermeasure.
  - 17. The storage medium of claim 1, wherein the report includes an indication that the particular activity was performed by the first user.

2. A method comprising:
- receiving, at a computing device, rule data corresponding to a set of rules maintained at a remote risk assessment engine, wherein the set of rules is associated with a particular user;
  
  using the rule data to monitor user activity on the computing device during a first session;
  
  detecting, at the computing device, a particular activity performed by the particular user on a computing device during the first session;
  
  determining, based on the rule data, that the particular activity qualifies as a potential violation;
  
  sending a report to the risk assessment engine identifying the potential violation detected at the computing device, wherein the first report identifies the particular user;
  
  generating behavioral tendency data describing behavioral tendencies of the particular user detected by a behavior monitor executing on the computing device;
  
  sending the behavioral tendency data to the risk assessment engine to apply to a behavior profile of the particular user maintained by the risk assessment engine;
  
  receiving an indication from the risk assessment engine, responsive to the report, that the potential violation is a violation; and
  
  performing a remediation action at the particular computing device based on the indication.

3. A system comprising:
- at least one processor device;
  
  at least one memory element; and
  
  a user behavioral risk agent installed on a particular computing device, wherein the user behavioral risk agent is executable to;
  
  receive, at a computing device, rule data corresponding to a set of rules maintained at a remote risk assessment engine, wherein the set of rules is associated with a particular user, and the rule data abstracts rules in the set of rules;
  
  use the rule data to monitor user activity on the computing device for violations of the rule data during a particular session;
  
  detect, at the particular computing device, a particular activity performed by the particular user on the particular computing device during the particular session;
  
  determine, based on the rule data, that the particular activity qualifies as a potential violation;
  
  send a report to the risk assessment engine identifying the potential violation detected at the computing device;
  
  generate behavioral tendency data describing behavioral tendencies of the particular user detected by a behavior monitor executing on the computing device;
  
  send the behavioral tendency data to the risk assessment engine to apply to a behavior profile maintained by the risk assessment engine;
  
  receive an indication from the risk assessment engine, responsive to the report, that the potential violation is a violation, wherein the indication is based at least in part on whether the potential violation deviates from the behavior profile; and
  
  perform a remediation action at the particular computing device based on the indication.
- View Dependent Claims (18, 19)
- - 18. The system of claim 3, wherein the rule data comprises first rule data, and the first rule data is stored in the memory together with second rule data corresponding to a second set of rules associated with a second user.
  - 19. The system of claim 3, wherein the system further comprises the risk assessment engine, and the risk assessment engine is executable to:
    - receive reports from a plurality of computing devices reporting respective potential violations determined at the computing devices;
      
      determine whether the potential violations qualify as one of a plurality of defined use violations; and
      
      determine a behavioral risk score for the first user.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Musarubra US LLC (Musarubra US SellCo LLC)
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
Moyle, Michael Mason, Basavapatna, Prasanna Ganapathi, Schrecker, Sven
Primary Examiner(s)
SHOLEMAN, ABU S

Application Number

US14/723,192
Publication Number

US 20150334129A1
Time in Patent Office

699 Days
Field of Search

726 1, 726 2, 726 22, 726 23, 726 28
US Class Current
CPC Class Codes

G06F 21/552   involving long-term monitor...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1433   Vulnerability analysis

H04L 63/1441   Countermeasures against mal...

H04L 63/20   for managing network securi...

User behavioral risk assessment

First Claim

11 Assignments

0 Petitions

Accused Products

Abstract

63 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

User behavioral risk assessment

First Claim

11 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

63 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links