System, method, and computer program product for detecting and assessing security risks in a network

US 9,798,883 B1
Filed: 10/06/2014
Issued: 10/24/2017
Est. Priority Date: 10/06/2014
Status: Active Grant

First Claim

Patent Images

1. A method, performed by one or more computer devices, for detecting and assessing security risks in an enterprise'"'"'s computer network, the method comprising:

building a behavior model for a user based on the user'"'"'s interactions with the network, wherein the behavior model indicates client device(s), server(s), application(s), and data used by the user and includes the user'"'"'s geo-location logon patterns;

comparing a plurality of user events in the network to the user'"'"'s behavior model, including comparing a client device used, server(s) accessed, any application(s) accessed, and any data accessed in the user events to the user'"'"'s behavior model and determining whether a geo-location from which the user logged in is consistent with the geo-location patterns in the user'"'"'s behavior model, wherein building the behavior model and comparing the user events include tracking user movement across devices in the network including monitoring for a user account switch in moving from one device to another;

determining, based at least in part on a comparison between the user events and the user'"'"'s behavior model, whether the user events satisfy one or more of a plurality of rules that define types of anomalies that increase a risk assessment, wherein each rule is associated with points for a risk assessment score;

calculating the risk assessment score for the plurality of user events; and

determining whether the plurality of user events satisfies criteria for an alert, wherein the criteria includes a risk assessment score that exceeds a threshold, wherein;

in response to the plurality of user events satisfying the criteria for an alert, displaying an alert in an administrative interface, andin response to the plurality of user events not satisfying the criteria for an alert, updating the user'"'"'s behavior model with session data.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present disclosure is directed to a system, method, and computer program for detecting and assessing security risks in an enterprise'"'"'s computer network. A behavior model is built for a user in the network based on the user'"'"'s interactions with the network, wherein a behavior model for a user indicates client device(s), server(s), and resources used by the user. The user'"'"'s behavior during a period of time is compared to the user'"'"'s behavior model. A risk assessment is calculated for the period of time based at least in part on the comparison between the user'"'"'s behavior and the user'"'"'s behavior model, wherein any one of certain anomalies between the user'"'"'s behavior and the user'"'"'s behavior model increase the risk assessment.

135 Citations

29 Claims

1. A method, performed by one or more computer devices, for detecting and assessing security risks in an enterprise'"'"'s computer network, the method comprising:
- building a behavior model for a user based on the user'"'"'s interactions with the network, wherein the behavior model indicates client device(s), server(s), application(s), and data used by the user and includes the user'"'"'s geo-location logon patterns;
  
  comparing a plurality of user events in the network to the user'"'"'s behavior model, including comparing a client device used, server(s) accessed, any application(s) accessed, and any data accessed in the user events to the user'"'"'s behavior model and determining whether a geo-location from which the user logged in is consistent with the geo-location patterns in the user'"'"'s behavior model, wherein building the behavior model and comparing the user events include tracking user movement across devices in the network including monitoring for a user account switch in moving from one device to another;
  
  determining, based at least in part on a comparison between the user events and the user'"'"'s behavior model, whether the user events satisfy one or more of a plurality of rules that define types of anomalies that increase a risk assessment, wherein each rule is associated with points for a risk assessment score;
  
  calculating the risk assessment score for the plurality of user events; and
  
  determining whether the plurality of user events satisfies criteria for an alert, wherein the criteria includes a risk assessment score that exceeds a threshold, wherein;
  
  in response to the plurality of user events satisfying the criteria for an alert, displaying an alert in an administrative interface, andin response to the plurality of user events not satisfying the criteria for an alert, updating the user'"'"'s behavior model with session data.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1, wherein the user'"'"'s behavior model includes the user'"'"'s time logon patterns and comparing the plurality of user events to the user'"'"'s behavior model also includes determining whether the user events are occurring or occurred at a time consistent with the time patterns in the user'"'"'s behavior model.
  - 3. The method of claim 1, wherein one or more of the following are factored into the risk assessment:
    - the user'"'"'s access authorization level in the system, a value of the data accessed, and threat intelligence.
  - 4. The method of claim 1, wherein, in response to the plurality of user events satisfying the criteria for an alert, displaying a timeline for the plurality of user events in an administrative interface, wherein the timeline illustrates when user events that satisfied one or more of the rules occurred and, for each of said events, a summary of the rule(s) satisfied by the event.
  - 5. The method of claim 1, further comprising:
    - displaying a timeline for a plurality of user events in an administrative interface, wherein the timeline illustrates any events that satisfied one or more of the rules and, for each of said events, the time that the event occurred and a summary of the rule(s) satisfied by the event.
  - 6. The method of claim 1, wherein calculating the risk assessment score comprises associating a sub-total risk score with each of certain anomalies in the user events and aggregating all sub-total risk scores to calculate the risk assessment score for the plurality of user events.
  - 7. The method of claim 6, wherein the system stores rules that define types of anomalies associated with a positive risk score.
  - 8. The method of claim 7, wherein the system also stores one or more rules that define types of behavior associated with a negative risk score.
  - 9. The method of claim 1, wherein the plurality of user events is during a user logon session, wherein a user logon session begins at the user'"'"'s logon to the network and ends at the user'"'"'s subsequent logout of the network or a specified period of inactivity by the user.
  - 10. The method of claim 9, wherein the user events are identified from raw data logs, wherein enhanced events logs are created from the raw data logs by adding additional context information related to the user events, wherein the enhanced event logs are grouped by user logon session to track user actions during a user logon session, and wherein the enhanced event logs are used to build user behavior models.
  - 11. The method of claim 10, wherein the additional context information comprises one or more of the following:
    - additional user information, additional client device information, additional server information, and additional information about accessed data.
  - 12. The method of claim 9, wherein an alert is displayed if the user logon session meets at least one of the following criteria:
    - (i) the user logon session is a current session and the risk assessment score exceeds a threshold for a specified duration and (ii) the user logon session has ended and the final risk assessment score is above a threshold.

13. A non-transitory computer-readable medium comprising a computer program, that, when executed by a computer system, enables the computer system to perform the following method for detecting and assessing security risks in an enterprise'"'"'s computer network, the method comprising:
- building a behavior model for a user based on the user'"'"'s interactions with the network, wherein the behavior model indicates client device(s), server(s), application(s), and data used by the user and includes the user'"'"'s geo-location logon patterns;
  
  comparing a plurality of user events in the network to the user'"'"'s behavior model, including comparing a client device used, server(s) accessed, any application(s) accessed, and any data accessed in the user events to the user'"'"'s behavior model and determining whether a geo-location from which the user logged in is consistent with the geo-location patterns in the user'"'"'s behavior model, wherein building the behavior model and comparing the user events include tracking user movement across devices in the network including monitoring for a user account switch in moving from one device to another;
  
  determining, based at least in part on a comparison between the user events and the user'"'"'s behavior model, whether the user events satisfy one or more of a plurality of rules that define types of anomalies that increase a risk assessment, wherein each rule is associated with points for a risk assessment score;
  
  calculating the risk assessment score for the plurality of user events; and
  
  determining whether the plurality of user events satisfies criteria for an alert, wherein the criteria includes a risk assessment score that exceeds a threshold, wherein;
  
  in response to the user logon session plurality of user events satisfying the criteria for an alert, displaying an alert in an administrative interface, andin response to the plurality of user events not satisfying the criteria for an alert, updating the user'"'"'s behavior model with session data.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24)
- - 14. The non-transitory computer-readable medium of claim 13, wherein the user'"'"'s behavior model includes the user'"'"'s time logon patterns and comparing the plurality of user events to the user'"'"'s behavior model also includes determining whether the user events are occurring or occurred at a time consistent with the time patterns in the user'"'"'s behavior model.
  - 15. The non-transitory computer-readable medium of claim 13, wherein one or more of the following are factored into the risk assessment:
    - the user'"'"'s access authorization level in the system, a value of the data accessed, and threat intelligence.
  - 16. The non-transitory computer-readable medium of claim 13, wherein, in response to the plurality of user events satisfying the criteria for an alert, displaying a timeline for the plurality of user events in an administrative interface, wherein the timeline illustrates when user events that satisfied one or more of the rules occurred and, for each of said events, a summary of the rule(s) satisfied by the event.
  - 17. The non-transitory computer-readable medium of claim 13, further comprising:
    - displaying a timeline for a plurality of user events in an administrative interface, wherein the timeline shows the events that occurred, wherein, for any user events that satisfied one or more of the rules, the timeline includes a summary of the rule(s) satisfied by the event.
  - 18. The non-transitory computer-readable medium of claim 13, wherein calculating the risk assessment score comprises associating a sub-total risk score with each of certain anomalies in the user events and aggregating all sub-total risk scores to calculate the risk assessment score for the plurality of user events.
  - 19. The non-transitory computer-readable medium of claim 18, wherein the system stores rules that define types of anomalies associated with a positive risk score.
  - 20. The non-transitory computer-readable medium of claim 19, wherein the system also stores one or more rules that define types of behavior associated with a negative risk score.
  - 21. The non-transitory computer-readable medium of claim 13, wherein the plurality of user events is during a user logon session, wherein a user logon session begins at the user'"'"'s logon to the network and ends at the user'"'"'s subsequent logout of the network or a specified period of inactivity by the user.
  - 22. The non-transitory computer-readable medium of claim 21, wherein the user events are identified from raw data logs, wherein enhanced events logs are created from the raw data logs by adding additional context information related to the user events, wherein the enhanced event logs are grouped by user logon session to track user actions during a user logon session, and wherein the enhanced event logs are used to build user behavior models.
  - 23. The non-transitory computer-readable medium of claim 22, wherein the additional context information comprises one or more of the following:
    - additional user information, additional client device information, additional server information, and additional information about accessed data.
  - 24. The non-transitory computer-readable medium of claim 21, wherein an alert is displayed if the user logon session meets at least one of the following criteria:
    - (i) the user logon session is a current session and the risk assessment score exceeds a threshold for a specified duration and (ii) the user logon session has ended and the final risk assessment score is above a threshold.

25. A computer system for detecting and assessing security risks in an enterprise'"'"'s computer network, the system comprising:
- one or more processors;
  
  one or more memory units coupled to the one or more processors, wherein the one or more memory units store instructions that, when executed by the one or more processors, cause the system to perform the operations of;
  
  building a behavior model for a user based on the user'"'"'s interactions with the network, wherein the behavior model indicates client device(s), server(s), application(s), and data used by the user and includes the user'"'"'s geo-location logon patterns;
  
  comparing a plurality of user events in the network to the user'"'"'s behavior model, including comparing a client device used, server(s) accessed, any application(s) accessed, and any data accessed in the user events to the user'"'"'s behavior model and determining whether a geo-location from which the user logged in is consistent with the geo-location patterns in the user'"'"'s behavior model, wherein building the behavior model and comparing the user events include tracking user movement across devices in the network including monitoring for a user account switch in moving from one device to another;
  
  determining, based at least in part on a comparison between the user events and the user'"'"'s behavior model, whether the user events satisfy one or more of a plurality of rules that define types of anomalies that increase a risk assessment, wherein each rule is associated with points for a risk assessment score;
  
  calculating the risk assessment score for the plurality of user events; and
  
  determining whether the plurality of user events satisfies criteria for an alert, wherein the criteria includes a risk assessment score that exceeds a threshold, wherein;
  
  in response to the plurality of user events satisfying the criteria for an alert, displaying an alert in an administrative interface, andin response to the plurality of user events not satisfying the criteria for an alert, updating the user'"'"'s behavior model with session data.
- View Dependent Claims (26, 27, 28, 29)
- - 26. The system of claim 25, wherein, in response to the plurality of user events satisfying the criteria for an alert, displaying a timeline for the plurality of user events in an administrative interface, wherein the timeline illustrates when user events that satisfied one or more of the rules occurred and, for each of said events, a summary of the rule(s) satisfied by the event.
  - 27. The system of claim 25, further comprising:
    - displaying a timeline for a plurality of user events in an administrative interface, wherein the timeline illustrates any user events that satisfied one or more of the rules and, for each of said events, the time that the event occurred and a summary of the rule(s) satisfied by the event.
  - 28. The system of claim 25, wherein the plurality of user events is during a user logon session, wherein a user logon session begins at the user'"'"'s logon to the network and ends at the user'"'"'s subsequent logout of the network or a specified period of inactivity by the user.
  - 29. The computer system of claim 28, wherein an alert is displayed if the user logon session meets at least one of the following criteria:
    - (i) the user logon session is a current session and the risk assessment score exceeds a threshold for a specified duration and (ii) the user logon session has ended and the final risk assessment score is above a threshold.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Exabeam, Inc.
Original Assignee
Exabeam, Inc.
Inventors
Gil, Sylvain, Mihovilovic, Domingo, Polak, Nir, Stensmo, Magnus, Yip, Sing
Primary Examiner(s)
Harriman, Dant Shaifer

Application Number

US14/507,585
Time in Patent Office

1,114 Days
Field of Search

726 22
US Class Current
CPC Class Codes

G06F 21/577   Assessing vulnerabilities a...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1433   Vulnerability analysis

System, method, and computer program product for detecting and assessing security risks in a network

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

135 Citations

29 Claims

Specification

Solutions

Use Cases

Quick Links

System, method, and computer program product for detecting and assessing security risks in a network

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

135 Citations

29 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links