Privileged analytics system

US 9,712,548 B2
Filed: 10/27/2014
Issued: 07/18/2017
Est. Priority Date: 10/27/2013
Status: Active Grant

First Claim

Patent Images

1. A computer implemented method for managing a parallel profiling paradigm for a common network entity in a network, comprising:

using at least one hardware processor of at least one server for;

building, based on analysis of actions documented in an input data and associated with a network entity in a computer network, a first entity behavioral profile for said network entity, said first entity behavioral profile reflects first metrics associated with behavioral characteristics of said network entity;

monitoring additional actions in additional input data to identify one or more anomalies from said first entity behavioral profile;

using said one or more anomalies as a regular sample for building at least one second entity behavioral profile for said network entity;

wherein said first entity behavioral profile and said at least one second entity behavior profile are representations of expected behaviors of the network entity, said at least one second entity behavioral profile reflects second metrics associated with said behavioral characteristics of said network entity, wherein said first metrics and said second metrics are different from one another and said behavioral characteristics comprise at least two members of a group consisting of;

time of day or time of week of network events of by said network entity,access distribution of said network entity,distribution of originating internet protocol (IP) addresses of said network entity,a rate of access to a target by said network entity,a rate of input by of said network entity,a geographical location of said network entity, andtype of network events initiated by of said network entity;

managing said first entity behavioral profile and said at least one second entity behavioral profile in parallel for analysis of further additional actions of said network entity in said computer network;

calculating, according to at least one of;

said first entity behavioral profile and said second entity behavioral profile, a leading entity behavioral profile for said network entity; and

using said leading entity behavioral profile for a detection of further anomalies in said further additional actions of said network entity in said computer network.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computer-implemented method for determining whether a computer network is compromised by unauthorized activity on the computer network. The computer-implemented method comprises identifying a behavioral anomaly of an entity on the computer network, classifying the anomaly as a system event based on an assigned score for the anomaly being at least at a predetermined score threshold, updating an incident based on at least one common parameter between the system event and other system events which comprise the incident, each system event of the incident including an assigned score from when the event was an anomaly, updating a system status based on at least the incident, and assigning a system status score to the system status, and, determining whether the system status score is at least at a predetermined threshold system status score indicating that the computer network may be compromised.

78 Citations

View as Search Results

16 Claims

1. A computer implemented method for managing a parallel profiling paradigm for a common network entity in a network, comprising:
- using at least one hardware processor of at least one server for;
  
  building, based on analysis of actions documented in an input data and associated with a network entity in a computer network, a first entity behavioral profile for said network entity, said first entity behavioral profile reflects first metrics associated with behavioral characteristics of said network entity;
  
  monitoring additional actions in additional input data to identify one or more anomalies from said first entity behavioral profile;
  
  using said one or more anomalies as a regular sample for building at least one second entity behavioral profile for said network entity;
  
  wherein said first entity behavioral profile and said at least one second entity behavior profile are representations of expected behaviors of the network entity, said at least one second entity behavioral profile reflects second metrics associated with said behavioral characteristics of said network entity, wherein said first metrics and said second metrics are different from one another and said behavioral characteristics comprise at least two members of a group consisting of;
  
  time of day or time of week of network events of by said network entity,access distribution of said network entity,distribution of originating internet protocol (IP) addresses of said network entity,a rate of access to a target by said network entity,a rate of input by of said network entity,a geographical location of said network entity, andtype of network events initiated by of said network entity;
  
  managing said first entity behavioral profile and said at least one second entity behavioral profile in parallel for analysis of further additional actions of said network entity in said computer network;
  
  calculating, according to at least one of;
  
  said first entity behavioral profile and said second entity behavioral profile, a leading entity behavioral profile for said network entity; and
  
  using said leading entity behavioral profile for a detection of further anomalies in said further additional actions of said network entity in said computer network.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The computer-implemented method of claim 1, additionally comprising, obtaining user feedback obtained through an interface, wherein said detection is further based on said obtained user feedback.
  - 3. The computer-implemented method of claim 1, further comprising calculating a system status score of said computer network indicative whether said computer network is compromised.
  - 4. The computer-implemented method of claim 1, wherein said network entity is a member of a group consisting of:
    - a human user, an application, a client machine, a device, an account and a command.
  - 5. The computer implemented method of claim 1, wherein said building said first entity behavioral profile is performed before said building said at least second entity behavioral profile.
  - 6. The computer implemented method of claim 1, wherein said building said first entity behavioral profile is performed in parallel to said building said at least second entity behavioral profile.
  - 7. The computer implemented method of claim 1, wherein said leading entity behavioral profile is a member of a group consisting of:
    - said second entity behavioral profile and a combination of said first entity behavioral profile and said second entity behavioral profile.
  - 8. The computer implemented method of claim 1, wherein said one or more anomalies are identifiedbased on a deviation of said analyzed additional input data from said first entity behavioral profile.
  - 9. The computer implemented method of claim 1, further comprising upon receiving additional input data that is different from said first input data and from said second input data, updating, based on analysis of said additional input data, at least one of said first entity behavioral profile and said second entity behavioral profile.
  - 10. Computer implemented method of claim 9, further comprising updating said leading entity behavioral profile based on said updating said at least one of said first entity behavioral profile and said second entity behavioral profile.
  - 11. The computer-implemented method of claim 1, wherein said using comprises issuing an alert indicative of said further anomalies based on said detection.

12. A computer system for managing a parallel profiling paradigm for a common network entity comprising:
- at least one non-transitory computer readable storage medium having program instructions embodied therewith;
  
  at least a processor configured to execute said program instructions, said program instructions comprising;
  
  code instructions for building, based on analysis of actions documented in an input data and associated with a network entity in a computer network, a first entity behavioral profile for said network entity, said first entity behavioral profile reflects first metrics associated with behavioral characteristics of said network entity;
  
  code instructions for monitoring additional actions in additional input data to identify one or more anomalies from said first entity behavioral profile;
  
  code instructions for using said one or more anomalies as a regular sample for building at least one second entity behavioral profile for said network entity, said at least one second entity behavioral profile reflects second metrics associated with said behavioral characteristics of said network entity, wherein said first metrics and said second metrics are different from one another and said behavioral characteristics comprise at least two members of a group consisting of;
  
  time of day or time of week of network events of by said network entity,access distribution of said network entity,distribution of originating internet protocol (IP) addresses of said network entity,a rate of access to a target by said network entity,a rate of input by of said network entity,a geographical location of said network entity, andtype of network events initiated by of said network entity;
  
  code instructions for managing said first entity behavioral profile and said at least one second entity behavioral profile in parallel for detection of one or more further anomalies in further additional actions of said network entity in said computer network; and
  
  code instructions for calculating, according to at least one of;
  
  said first entity behavioral profile and said second entity behavioral profile, a leading entity behavioral profile for said network entity; and
  
  code instructions for using said leading entity behavioral profile for a detection of further anomalies in said further additional actions of said network entity in said computer network;
  
  wherein said first entity behavioral profile and said at least one second entity behavior profile are representation of expected behaviors of the network entity.

13. A computer program product for managing a parallel profiling paradigm for a common network entity, the computer program product comprising a non-transitory computer readable storage medium having program instructions embodied therewith, the program instructions executable by a processor to cause one or more servers to:
- building, based on analysis of actions documented in an input data and associated with a network entity in a computer network, a first entity behavioral profile for said network entity, said first entity behavioral profile reflects first metrics associated with behavioral characteristics of said network entity;
  
  monitor additional actions in additional input data to identify one or more anomalies from said first entity behavioral profile;
  
  use said one or more anomalies as a regular sample for building at least one second entity behavioral profile for said network entity, said at least one second entity behavioral profile reflects second metrics associated with said behavioral characteristics of said network entity, wherein said first metrics and said second metrics are different from one another and said behavioral characteristics comprise at least two members of a group consisting of;
  
  time of day or time of week of network events of by said network entity,access distribution of said network entity,distribution of originating internet protocol (IP) addresses of said network entity,a rate of access to a target by said network entity,a rate of input by of said network entity,a geographical location of said network entity, andtype of network events initiated by of said network entity;
  
  manage said first entity behavioral profile and said at least one second entity behavioral profile in parallel for detection of one or more further anomalies in further additional actions of said network entity in said computer network; and
  
  calculate, according to at least one of;
  
  said first entity behavioral profile and said second entity behavioral profile a leading entity behavioral profile for said network entity; and
  
  use said leading entity behavioral profile for a detection of further anomalies in said further additional actions of said network entity in said computer network;
  
  wherein said first entity behavioral profile and said at least one second entity behavior profile are representation of expected behaviors of the network entity.
- View Dependent Claims (14, 15, 16)
- - 14. The computer program product of claim 13, wherein said program instructions are adapted to cause the one or more servers to determine whether said computer network is compromised based on said farther anomalies based on user feedback obtained through an interface.
  - 15. The computer program product of claim 13, wherein said program instructions are adapted to cause the one or more servers to calculate a system status score of said computer network indicative whether said computer network is compromised.
  - 16. The computer program product of claim 13, wherein said network entity is a member of a group consisting of:
    - a human user, an application, a client machine, a device, an account and a command.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cyber-Ark Software Limited (CyberArk Software Ltd.)
Original Assignee
Cyber-Ark Software Limited (CyberArk Software Ltd.)
Inventors
Shmueli, Aviram, Weiss, Assaf, Dulkin, Andrey, Sade, Yair
Primary Examiner(s)
Arani, Taghi
Assistant Examiner(s)
VU, PHY ANH TRAN

Application Number

US14/524,145
Publication Number

US 20150121518A1
Time in Patent Office

995 Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/1425 Traffic logging, e.g. anoma...

Privileged analytics system

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

78 Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

Privileged analytics system

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

78 Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links