Context-aware cybersecurity training systems, apparatuses, and methods

US 9,870,715 B2
Filed: 01/30/2017
Issued: 01/16/2018
Est. Priority Date: 04/08/2011
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for assessing cybersecurity training needs, comprising:

by a sensor, sensing data corresponding to at least one action performed by a user with respect to a user computing device; and

by a computer system comprising a processor, executing computer-readable programming instructions that cause the computer system to;

access a data storage device that stores a training needs model,map the sensed data to the training needs model to determine whether the sensed data corresponds to a pattern associated with a threat scenario in the training needs model,in response to determining that the sensed data corresponds to a pattern associated with a threat scenario in the training needs model, identify a cybersecurity threat scenario for which the user is at risk, anduse the training needs model to estimate susceptibility of the user to the cybersecurity threat scenario for which the user is at risk.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system assesses the susceptibility of an electronic device user to a cybersecurity threat by sensing a user action with respect to the electronic device. The system maps the sensed data to a training needs model to determine whether the sensed data corresponds to a pattern associated with a threat scenario in the training needs model. When the system determines that the sensed data corresponds to a pattern associated with a threat scenario in the training needs model, identify a cybersecurity threat scenario for which the user is at risk, and use the training needs model to estimate susceptibility of the user to the cybersecurity threat scenario.

209 Citations

30 Claims

1. A computer-implemented method for assessing cybersecurity training needs, comprising:
- by a sensor, sensing data corresponding to at least one action performed by a user with respect to a user computing device; and
  
  by a computer system comprising a processor, executing computer-readable programming instructions that cause the computer system to;
  
  access a data storage device that stores a training needs model,map the sensed data to the training needs model to determine whether the sensed data corresponds to a pattern associated with a threat scenario in the training needs model,in response to determining that the sensed data corresponds to a pattern associated with a threat scenario in the training needs model, identify a cybersecurity threat scenario for which the user is at risk, anduse the training needs model to estimate susceptibility of the user to the cybersecurity threat scenario for which the user is at risk.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The method of claim 1 further comprising, by the computer system, executing additional programming instructions that cause the system to:
    - access a collection of available cybersecurity training actions;
      
      based on the sensed data, the training needs model and the cybersecurity threat scenario, select a cybersecurity training action from the collection of available cybersecurity training actions; and
      
      cause the selected cybersecurity training action to be delivered to the user.
  - 3. The method of claim 1, further comprising:
    - directing a mock attack to the user computing device; and
      
      wherein the action comprises a response to the mock attack.
  - 4. The method of claim 1, wherein mapping the sensed data to the training needs model to determine whether the sensed data corresponds to a pattern associated with a threat scenario in the training needs model comprises determining whether the user repeated a particular action at least a threshold number of times.
  - 5. The method of claim 1, further comprising:
    - determining that the pattern or the estimated susceptibility satisfies a rule to implement a training intervention;
      
      selecting a cybersecurity training action that corresponds to one or more actions of the user, or to the user computing device; and
      
      causing the user computing device to present the cybersecurity training action to the user.
  - 6. The method of claim 1, wherein:
    - the sensed data comprises data corresponding to the user opening an attachment to a message;
      
      the given pattern comprises equaling or exceeding a frequency threshold; and
      
      the threat scenario comprises opening a malicious attachment or falling for a phishing email.
  - 7. The method of claim 1, wherein:
    - the sensed data comprises data corresponding to the user requesting a blacklisted website;
      
      the given pattern comprises equaling or exceeding a frequency threshold; and
      
      the threat scenario comprises falling for a phishing email.
  - 8. The method of claim 1, wherein:
    - the sensed data comprises data corresponding to the user posting on or spending time accessing a social networking site;
      
      the given pattern comprises equaling or exceeding a frequency threshold; and
      
      the threat scenario comprises disclosing sensitive information.
  - 9. The method of claim 1, wherein:
    - the sensed data comprises data corresponding to the user inserting a USB into the user computing device;
      
      the given pattern comprises equaling or exceeding a frequency threshold; and
      
      the threat scenario comprises downloading malware from a malicious USB device.
  - 10. The method of claim 1, wherein:
    - the sensed data comprises data corresponding to the user downloading an app;
      
      the given pattern comprises equaling or exceeding a frequency threshold; and
      
      the threat scenario comprises downloading a malicious app.
  - 11. The method of claim 1, wherein:
    - the sensed data comprises data corresponding to the user connecting to an unsecured wireless access point;
      
      the given pattern comprises equaling or exceeding a frequency threshold; and
      
      the threat scenario comprises connecting to a rogue wireless service.
  - 12. The method of claim 1, further comprising:
    - by a configuration sensor, detecting one or more hardware or software settings of the user computing device; and
      
      also using the one or more settings to identify the cybersecurity threat scenario for which the user is at risk.
  - 13. The method of claim 1, wherein:
    - the sensed data comprises data corresponding to the user connecting a memory device to the user computing device, opening a mock malicious file stored on a memory device, or downloading software; and
      
      the threat scenario involves installing malware.
  - 14. The method of claim 1, wherein the sensed data comprises at least one of the following:
    - perimeter security data, Mobile Device Management (MDM) data or Data Leakage Prevention (DLP) data.
  - 15. The method of claim 1, wherein:
    - the sensed data comprises or more of the following additional sensed data types;
      
      files in a directory of downloaded files,location data,data from a password vulnerability sensor indicating how often the user changes a password or the strength of the password,data from a social networking sensor that crawls social networking sites and estimates a level of social networking activities in which the user engages,data from a dangerous program sensor that inspects the code of software on one or more electronic devices operated by the user,incoming and outgoing data flows from the user computing device, orbehavioral characteristics associated with software running on the user computing device; and
      
      the method also comprises mapping the one or more additional sensed data types to the training needs model when determining whether the sensed data corresponds to a pattern associated with a threat scenario in the training needs model.

16. A system for assessing cybersecurity training needs, comprising:
- a sensor that is configured to sense data corresponding to at least one action performed by a user with respect to a user computing device;
  
  a data storage device that stores a training needs model;
  
  a processor; and
  
  a computer-readable non-transitory memory containing programming instructions that are configured to cause the processor to;
  
  map the sensed data to the training needs model to determine whether the sensed data corresponds to a pattern associated with a threat scenario in the training needs model,in response to determining that the sensed data corresponds to a pattern associated with a threat scenario in the training needs model, identify a cybersecurity threat scenario for which the user is at risk, anduse the training needs model to estimate susceptibility of the user to the cybersecurity threat scenario for which the user is at risk.
- View Dependent Claims (17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30)
- - 17. The system of claim 16 further comprising:
    - a memory containing a collection of available cybersecurity training actions; and
      
      additional programming instructions that are configured cause the processor to;
      
      access the collection of available cybersecurity training actions,based on the sensed data, the training needs model and the cybersecurity threat scenario, select a training action from the collection of available cybersecurity training actions, andcause the selected cybersecurity training action to be delivered to the user.
  - 18. The system of claim 16, further comprising:
    - additional programming instructions that are configured cause the processor to direct a mock attack to the user computing device, andwherein the action comprises a response to the mock attack.
  - 19. The system of claim 16, wherein the instructions to map the sensed data to the training needs model to determine whether the sensed data corresponds to a pattern associated with a threat scenario in the training needs model comprise instructions to determine whether the user repeated a particular action at least a threshold number of times.
  - 20. The system of claim 16, further comprising additional programming instructions that are configured cause the processor to:
    - determine that the pattern or the estimated susceptibility satisfies a rule to implement a training intervention;
      
      select a cybersecurity training action that corresponds to one or more actions of the user, or to the user computing device; and
      
      cause the user computing device to present the cybersecurity training action to the user.
  - 21. The system of claim 16, wherein:
    - the sensed data comprises data corresponding to the user using the user computing device to open an attachment to a message;
      
      the given pattern comprises equaling or exceeding a frequency threshold; and
      
      the threat scenario comprises opening a malicious attachment or falling for a phishing email.
  - 22. The system of claim 16, wherein:
    - the sensed data comprises data corresponding to the user using the user computing device to request a blacklisted website;
      
      the given pattern comprises equaling or exceeding a frequency threshold; and
      
      the threat scenario comprises falling for a phishing email.
  - 23. The system of claim 16, wherein:
    - the sensed data comprises data corresponding to the user using the user computing device to post on or spend time accessing a social networking site;
      
      the given pattern comprises equaling or exceeding a frequency threshold; and
      
      the threat scenario comprises disclosing sensitive information.
  - 24. The system of claim 16, wherein:
    - the sensed data comprises data corresponding to the user inserting a USB into the user computing device;
      
      the given pattern comprises equaling or exceeding a frequency threshold; and
      
      the threat scenario comprises downloading malware from a malicious USB device.
  - 25. The system of claim 16, wherein:
    - the sensed data comprises data corresponding to the user downloading an app to the user computing device;
      
      the given pattern comprises equaling or exceeding a frequency threshold; and
      
      the threat scenario comprises downloading a malicious app.
  - 26. The system of claim 16, wherein:
    - the sensed data comprises data corresponding to the user connecting the user computing device to an unsecured wireless access point;
      
      the given pattern comprises equaling or exceeding a frequency threshold; and
      
      the threat scenario comprises connecting to a rogue wireless service.
  - 27. The system of claim 16, further comprising:
    - a configuration sensor configured to detect one or more hardware or software settings of the user computing device; and
      
      additional programming instructions configured to also use the one or more settings when identifying the cybersecurity threat scenario for which the user is at risk.
  - 28. The system of claim 16, wherein:
    - the sensed data comprises data corresponding to the user connecting a memory device to the user computing device, opening a mock malicious file stored on a memory device, or downloading software to the user computing device; and
      
      the threat scenario involves delivery of malware.
  - 29. The system of claim 16, wherein the sensor comprises:
    - a firewall system;
      
      a Mobile Device Management (MDM) client;
      
      ora Data Leakage Prevention (DLP) application.
  - 30. The system of claim 16, wherein:
    - the sensed data comprises or more of the following additional sensed data types;
      
      files in a directory of downloaded files of the user computing device,location data for the user computing device,data from a password vulnerability sensor indicating how often the user changes a password for the user computing device or the strength of the password,data from a social networking sensor that crawls social networking sites and estimates a level of social networking activities in which the user engages,data from a dangerous program sensor that inspects the code of software on the user computing device,incoming and outgoing data flows from the user computing device, orbehavioral characteristics associated with software running on the user computing device; and
      
      the method also comprises mapping the one or more additional sensed data types to the training needs model when determining whether the sensed data corresponds to a pattern associated with a threat scenario in the training needs model.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Proofpoint Incorporated
Original Assignee
Wombat Security Technologies, Inc (Proofpoint Incorporated)
Inventors
Sadeh-Koniecpol, Norman, Wescoe, Kurt, Brubaker, Jason, Hong, Jason
Primary Examiner(s)
Gishnock, Nikolai A

Application Number

US15/418,867
Publication Number

US 20170140663A1
Time in Patent Office

351 Days
Field of Search

726 11, 726 22, 726 23, 726 26
US Class Current
CPC Class Codes

A63F 13/80   Special adaptations for exe...

G06F 21/55   Detecting local intrusion o...

G06F 21/552   involving long-term monitor...

G06F 21/554   involving event detection a...

G06F 21/56   Computer malware detection ...

G06F 21/562   Static detection

G06F 21/563   by source code analysis

G06F 21/564   by virus signature recognition

G06F 21/565   by checking file integrity

G06F 21/566   Dynamic detection, i.e. det...

G06F 21/567   using dedicated hardware

G09B 19/00   Teaching not covered by oth...

G09B 19/0053   Computers, e.g. programming

G09B 5/00   Electrically-operated educa...

G09B 5/065   Combinations of audio and v...

G09B 7/02   of the type wherein the stu...

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1433   Vulnerability analysis

H04L 63/1441 : Countermeasures against mal...

H04L 63/145 : the attack involving the pr...

H04L 63/1458 : Denial of Service

H04L 63/1466 : Active attacks involving in...

H04L 63/1475 : Passive attacks, e.g. eaves...

H04L 63/1483 : service impersonation, e.g....

H04L 63/1491 : using deception as counterm...

View All

Context-aware cybersecurity training systems, apparatuses, and methods

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

209 Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

Context-aware cybersecurity training systems, apparatuses, and methods

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

209 Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links