System, method, and computer program product for detecting and assessing security risks in a network
2 Assignments
0 Petitions
Abstract
The present disclosure is directed to a system, method, and computer program for detecting and assessing security risks in an enterprise's computer network. A behavior model is built for a user in the network based on the user's interactions with the network, wherein a behavior model for a user indicates client device(s), server(s), and resources used by the user. The user's behavior during a period of time is compared to the user's behavior model. A risk assessment is calculated for the period of time based at least in part on the comparison between the user's behavior and the user's behavior model, wherein any one of certain anomalies between the user's behavior and the user's behavior model increase the risk assessment.
135 Citations
29 Claims
1. A method, performed by one or more computer devices, for detecting and assessing security risks in an enterprise's computer network, the method comprising:
building a behavior model for a user based on the user's interactions with the network, wherein the behavior model indicates client device(s), server(s), application(s), and data used by the user and includes the user's geo-location logon patterns;
comparing a plurality of user events in the network to the user's behavior model, including comparing a client device used, server(s) accessed, any application(s) accessed, and any data accessed in the user events to the user's behavior model and determining whether a geo-location from which the user logged in is consistent with the geo-location patterns in the user's behavior model, wherein building the behavior model and comparing the user events include tracking user movement across devices in the network including monitoring for a user account switch in moving from one device to another;
determining, based at least in part on a comparison between the user events and the user's behavior model, whether the user events satisfy one or more of a plurality of rules that define types of anomalies that increase a risk assessment, wherein each rule is associated with points for a risk assessment score;
calculating the risk assessment score for the plurality of user events; and
determining whether the plurality of user events satisfies criteria for an alert, wherein the criteria includes a risk assessment score that exceeds a threshold, wherein:
in response to the plurality of user events satisfying the criteria for an alert, displaying an alert in an administrative interface, and in response to the plurality of user events not satisfying the criteria for an alert, updating the user's behavior model with session data.
Dependent claims: 2-12.
13. A non-transitory computer-readable medium comprising a computer program, that, when executed by a computer system, enables the computer system to perform the following method for detecting and assessing security risks in an enterprise's computer network, the method comprising:
building a behavior model for a user based on the user's interactions with the network, wherein the behavior model indicates client device(s), server(s), application(s), and data used by the user and includes the user's geo-location logon patterns;
comparing a plurality of user events in the network to the user's behavior model, including comparing a client device used, server(s) accessed, any application(s) accessed, and any data accessed in the user events to the user's behavior model and determining whether a geo-location from which the user logged in is consistent with the geo-location patterns in the user's behavior model, wherein building the behavior model and comparing the user events include tracking user movement across devices in the network including monitoring for a user account switch in moving from one device to another;
determining, based at least in part on a comparison between the user events and the user's behavior model, whether the user events satisfy one or more of a plurality of rules that define types of anomalies that increase a risk assessment, wherein each rule is associated with points for a risk assessment score;
calculating the risk assessment score for the plurality of user events; and
determining whether the plurality of user events satisfies criteria for an alert, wherein the criteria includes a risk assessment score that exceeds a threshold, wherein:
in response to the user logon session plurality of user events satisfying the criteria for an alert, displaying an alert in an administrative interface, and in response to the plurality of user events not satisfying the criteria for an alert, updating the user's behavior model with session data.
Dependent claims: 14-24.
25. A computer system for detecting and assessing security risks in an enterprise's computer network, the system comprising:
one or more processors;
one or more memory units coupled to the one or more processors, wherein the one or more memory units store instructions that, when executed by the one or more processors, cause the system to perform the operations of:
building a behavior model for a user based on the user's interactions with the network, wherein the behavior model indicates client device(s), server(s), application(s), and data used by the user and includes the user's geo-location logon patterns;
comparing a plurality of user events in the network to the user's behavior model, including comparing a client device used, server(s) accessed, any application(s) accessed, and any data accessed in the user events to the user's behavior model and determining whether a geo-location from which the user logged in is consistent with the geo-location patterns in the user's behavior model, wherein building the behavior model and comparing the user events include tracking user movement across devices in the network including monitoring for a user account switch in moving from one device to another;
determining, based at least in part on a comparison between the user events and the user's behavior model, whether the user events satisfy one or more of a plurality of rules that define types of anomalies that increase a risk assessment, wherein each rule is associated with points for a risk assessment score;
calculating the risk assessment score for the plurality of user events; and
determining whether the plurality of user events satisfies criteria for an alert, wherein the criteria includes a risk assessment score that exceeds a threshold, wherein:
in response to the plurality of user events satisfying the criteria for an alert, displaying an alert in an administrative interface, and in response to the plurality of user events not satisfying the criteria for an alert, updating the user's behavior model with session data.
Dependent claims: 26-29.
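The following Python is an added illustration of the method recited in independent claims 1, 13 and 25 (and summarized in the abstract); it is not code from the patent or its assignee. It builds a per-user behavior model of client devices, servers, applications, data and logon geo-locations, checks a session's events against that model with one rule per anomaly type, sums per-rule points into a risk score, raises an alert when the score exceeds a threshold, and otherwise learns the session into the model. The event field names, the rule weights, the threshold and the sample sessions are all constructed assumptions (the claims say each rule carries points but fix no values), and the claims' geo-location "patterns" are reduced here to set membership of previously seen logon locations.

```python
"""Rule-based user risk scoring in the style of the claims above.

Added example, not the patent's or its assignee's code. Field names, rule
weights, the threshold and the sample sessions are all constructed here.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

Event = Dict[str, str]  # one observed user event; key names are assumed


@dataclass
class BehaviorModel:
    """Per-user baseline: assets and logon geo-locations seen so far."""
    devices: Set[str] = field(default_factory=set)
    servers: Set[str] = field(default_factory=set)
    applications: Set[str] = field(default_factory=set)
    data: Set[str] = field(default_factory=set)
    geo_locations: Set[str] = field(default_factory=set)


# (event key, model attribute, rule name): a value absent from the model
# is an anomaly of that rule type.
_FIELD_RULES = [
    ("device", "devices", "new_device"),
    ("server", "servers", "new_server"),
    ("app", "applications", "new_application"),
    ("data", "data", "new_data"),
    ("geo", "geo_locations", "new_geo"),  # logon geo reduced to set membership
]

# Hypothetical points per rule; the claims assign points but fix no values.
RULE_POINTS = {
    "new_device": 10, "new_server": 15, "new_application": 5,
    "new_data": 20, "new_geo": 25, "account_switch": 30,
}
ALERT_THRESHOLD = 50  # assumed value


def update_model(model: BehaviorModel, events: List[Event]) -> None:
    """Absorb a session's devices, servers, apps, data and geo into the baseline."""
    for ev in events:
        for key, attr, _ in _FIELD_RULES:
            if ev.get(key):
                getattr(model, attr).add(ev[key])


def build_model(history: List[Event]) -> BehaviorModel:
    """Build the user's behavior model from previously observed events."""
    model = BehaviorModel()
    update_model(model, history)
    return model


def evaluate_rules(model: BehaviorModel, events: List[Event]) -> List[Tuple[str, str]]:
    """Return (rule, offending value) pairs for every anomaly in the session."""
    hits = set()
    for ev in events:
        for key, attr, rule in _FIELD_RULES:
            value = ev.get(key)
            if value and value not in getattr(model, attr):
                hits.add((rule, value))
    # Movement across devices: flag when the account changes along with the device.
    for prev, cur in zip(events, events[1:]):
        if cur.get("device") != prev.get("device") and cur.get("account") != prev.get("account"):
            hits.add(("account_switch", f"{prev.get('account')}->{cur.get('account')}"))
    return sorted(hits)


def risk_score(hits: List[Tuple[str, str]]) -> int:
    """Each rule contributes its points once per session, however many events hit it."""
    return sum(RULE_POINTS[rule] for rule in {rule for rule, _ in hits})


def assess_session(model: BehaviorModel, events: List[Event]) -> Tuple[int, List[Tuple[str, str]], bool]:
    """Score a session; alert above the threshold, otherwise learn the session into the model."""
    hits = evaluate_rules(model, events)
    score = risk_score(hits)
    alerted = score > ALERT_THRESHOLD
    if not alerted:
        update_model(model, events)
    return score, hits, alerted


# Constructed sample data for user "alice".
HISTORY: List[Event] = [
    {"account": "alice", "device": "ws-alice", "server": "files-01", "app": "smb", "data": "/finance/q1", "geo": "US-CA"},
    {"account": "alice", "device": "ws-alice", "server": "mail-01", "app": "owa", "data": "mailbox", "geo": "US-CA"},
]
BENIGN_SESSION: List[Event] = [  # one never-seen application, nothing else unusual
    {"account": "alice", "device": "ws-alice", "server": "files-01", "app": "vpn", "data": "/finance/q1", "geo": "US-CA"},
]
SUSPICIOUS_SESSION: List[Event] = [  # unusual logon geo, then an account switch onto a new host
    {"account": "alice", "device": "ws-alice", "server": "files-01", "app": "smb", "data": "/finance/q1", "geo": "RO-B"},
    {"account": "svc_backup", "device": "jump-07", "server": "db-02", "app": "ssh", "data": "/var/lib/pg", "geo": "RO-B"},
]

if __name__ == "__main__":
    model = build_model(HISTORY)
    for name, session in (("benign", BENIGN_SESSION), ("suspicious", SUSPICIOUS_SESSION)):
        score, hits, alerted = assess_session(model, session)
        print(f"{name}: score={score} alert={alerted} hits={hits}")
```

With these weights the benign session scores 5 (no alert, and `vpn` is learned into the model), while the suspicious session scores 105 and alerts without touching the model. Two design points worth noting: each rule counts once per session so a burst of events against one new server does not inflate the score, and because the model learns only from sessions that did not alert, anomalies that stay under the threshold are absorbed into the baseline over time, so a deployment would want to watch for that kind of slow baseline drift.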
Specification