Cyber-semantic account management system

US 9,686,305 B2
Filed: 11/20/2013
Issued: 06/20/2017
Est. Priority Date: 11/20/2012
Status: Active Grant

First Claim

Patent Images

1. A method for identifying anomalous behavior of an entity, the method comprising:

receiving raw data comprising recorded activity for the entity, wherein the recorded activity is associated with a first objective related to a first event from a first data source and a second objective related to a second event from a second data source, wherein the first objective is unrelated to the second objective and the first event is unrelated to the second event;

dynamically generating, by a computing device, an on demand behavior profile for the entity based on the raw data, wherein the behavior profile defines a pattern of behavior for the entity related to one or more transactions, and wherein generating the behavior profile comprises transforming the raw data into one or more relational database objects;

receiving comparison data;

determining whether the comparison data deviates from the pattern of behavior defined in the behavior profile, for a specific transaction; and

when the comparison data deviates from the pattern of behavior, identifying the comparison data as anomalous behavior.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems, methods, and apparatus for identifying anomalous behavior are provided. For example, a method may include receiving raw data, generating a behavior profile for the entity based on the raw data, receiving comparison data, determining whether the comparison data deviates from a pattern of behavior defined in the behavior profile, and identifying the comparison data as anomalous behavior when the comparison data deviates from the pattern of behavior. In one embodiment, the raw data includes recorded activity for the entity. In one embodiment, the behavior profile defines a pattern of behavior for the entity. In one embodiment, a countermeasure is performed upon identifying anomalous behavior. The countermeasure may include at least one of revoking the entity'"'"'s credentials, denying the entity access to a resource, shutting down access to a port, and denying access to the entity. The method may further include providing a report of the anomalous behavior.

10 Citations

View as Search Results

20 Claims

1. A method for identifying anomalous behavior of an entity, the method comprising:
- receiving raw data comprising recorded activity for the entity, wherein the recorded activity is associated with a first objective related to a first event from a first data source and a second objective related to a second event from a second data source, wherein the first objective is unrelated to the second objective and the first event is unrelated to the second event;
  
  dynamically generating, by a computing device, an on demand behavior profile for the entity based on the raw data, wherein the behavior profile defines a pattern of behavior for the entity related to one or more transactions, and wherein generating the behavior profile comprises transforming the raw data into one or more relational database objects;
  
  receiving comparison data;
  
  determining whether the comparison data deviates from the pattern of behavior defined in the behavior profile, for a specific transaction; and
  
  when the comparison data deviates from the pattern of behavior, identifying the comparison data as anomalous behavior.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, further comprising providing a report of the anomalous behavior.
  - 3. The method of claim 1, further comprising upon identifying anomalous behavior, performing a countermeasure.
  - 4. The method of claim 3, wherein the countermeasure comprises at least one of:
    - revoking the entity'"'"'s credentials;
      
      denying the entity access to a resource;
      
      shutting down access to a port; and
      
      denying access to the entity.
  - 5. The method of claim 1, wherein the raw data is weblog data, and wherein the weblog data comprises at least one of:
    - IP address information;
      
      browsing history;
      
      download data; and
      
      time information.
  - 6. The method of claim 1, wherein the raw data comprises at least one of:
    - web service endpoints;
      
      mission role data;
      
      system transactions; and
      
      resource access.
  - 7. The method of claim 1, wherein generating the behavior profile further comprises:
    - constructing the behavior profile using relational algebra.
  - 8. The method of claim 7, wherein generating the behavior profile further comprises normalizing data in the behavior profile.
  - 9. The method of claim 1, wherein the behavior profile is constructed for a specific date range.
  - 10. The method of claim 1, wherein determining whether the comparison data deviates from the pattern of behavior further comprises:
    - comparing the comparison data to the behavior profile; and
      
      identifying a first portion of the comparison data that does not exist in the behavior profile as anomalous behavior.
  - 11. The method of claim 1, wherein determining whether the comparison data deviates from the pattern of behavior is based upon statistical analysis, wherein portions of the comparison data that lie outside a standard deviation of the behavior profile are identified as anomalous behavior.

12. A computer storage device encoding computer executable instructions that, when executed by at least one processor, perform a method for identifying anomalous behavior of an entity, the method comprising:
- receiving raw data comprising recorded activity for the entity, wherein the recorded activity is associated with a first objective related to a first event from a first data source and a second objective related to a second event from a second data source, wherein the first objective is unrelated to the second objective and the first event is unrelated to the second event ;
  
  dynamically generating, by a computing device, an on demand behavior profile for the entity based on the raw data, wherein the behavior profile defines a pattern of behavior for the entity related to one or more transactions, and wherein generating the behavior profile comprises transforming the raw data into one or more relational database objects;
  
  receiving comparison data;
  
  comparing the comparison data to the behavior profile for a specific transaction; and
  
  identifying a first portion of the comparison data that does not exist in the behavior profile as anomalous behavior.
- View Dependent Claims (13, 14, 15, 16, 17)
- - 13. The computer storage device of claim 12, wherein comparing the comparison data to the behavior data further comprises performing a statistical analysis on the behavior profile, wherein portions of the comparison data that lie outside a standard deviation of the behavior profile are identified as anomalous behavior.
  - 14. The computer storage device of claim 12, wherein generating the behavior profile further comprises:
    - constructing the behavior profile using relational algebra.
  - 15. The computer storage device of claim 12, wherein the method further comprises providing a report of the anomalous behavior.
  - 16. The computer storage device of claim 12, wherein the method further comprises, upon identifying anomalous behavior, performing a countermeasure, wherein the countermeasure comprises at least one of:
    - revoking the entity'"'"'s credentials;
      
      denying the entity access to a resource;
      
      shutting down access to a port; and
      
      denying access to the entity.
  - 17. The computer storage device of claim 12, wherein the raw data is weblog data, and wherein the weblog data comprises at least one of:
    - IP address information;
      
      browsing history;
      
      download data; and
      
      time information.

18. A system comprising:
- a server comprising;
  
  at least one processor; and
  
  memory encoding computer executable instructions that, when executed by at least one processor, perform a method for identifying anomalous behavior of an entity, the method comprising;
  
  receiving raw data comprising past recorded activity for the entity, wherein the past recorded activity is associated with a first objective related to a first event from a first data source and a second objective related to a second event from a second data source, wherein the first objective is unrelated to the second objective and the first event is unrelated to the second event;
  
  dynamically generating an on demand behavior profile for the entity based on the raw data, the behavior profile defining a pattern of behavior for the entity related to one or more transactions, wherein generating the behavior profile comprises transforming the raw data into one or more relational database objects;
  
  receiving comparison data;
  
  comparing the comparison data to the behavior profile for a specific transaction;
  
  identifying a first portion of the comparison data that does not exist in the behavior profile as anomalous behavior; and
  
  generating a report of the anomalous behavior.
- View Dependent Claims (19, 20)
- - 19. The system of claim 18, wherein the method further comprises generating a cache table to store the behavior profile.
  - 20. The system of claim 18, further comprising:
    - a client in communication with the sever, wherein the client receives and displays the report.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Tautuk Incorporated
Original Assignee
Securboration, Inc.
Inventors
Stirtzinger, Anthony, Shapiro, Keith, Warhover, Brian, McQueary, Bruce
Primary Examiner(s)
LEMMA, SAMSON B

Application Number

US14/085,493
Publication Number

US 20140143873A1
Time in Patent Office

1,308 Days
Field of Search

726 23
US Class Current
CPC Class Codes

H04L 63/1408   by monitoring network traff...

H04L 63/1441   Countermeasures against mal...

H04W 12/12   Detection or prevention of ...

H04W 12/126   Anti-theft arrangements, e....

Cyber-semantic account management system

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

10 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

Cyber-semantic account management system

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

10 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others