Method and system for detecting unauthorized access to and use of network resources

US 9,876,804 B2
Filed: 10/20/2013
Issued: 01/23/2018
Est. Priority Date: 10/20/2013
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method performed by a computer system for detecting an unauthorized use of network resources, comprising:

using at least one hardware processor of a server connected to a network for executing a code, the code comprising code instructions for;

receiving action data indicating use of an account for performing an activity associated with a target resource accessible by the account over said network;

obtaining, over said network from an account management system, credential retrieval data documenting credential retrieval actions to retrieve credentials for using said network resources;

determining, from said credential retrieval data, an absence of a providing of credentials to said account by said account management system in response to a credential retrieval request from said account and prior to said use of said account for performing said activity; and

in response to said determining said absence of said providing of credentials by said account management system to said account, automatically limiting use of said target resource by said account.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and systems are disclosed for detecting unauthorized actions associated with network resources, the actions including access to the resource and activity associated with the resource. The unauthorized actions are detected by analyzing action data of a client action associated with the network resource against credential retrieval data including records of authorized actions and/or procedures for performing an action associated with the network resource.

Citations

18 Claims

1. A computer-implemented method performed by a computer system for detecting an unauthorized use of network resources, comprising:
- using at least one hardware processor of a server connected to a network for executing a code, the code comprising code instructions for;
  
  receiving action data indicating use of an account for performing an activity associated with a target resource accessible by the account over said network;
  
  obtaining, over said network from an account management system, credential retrieval data documenting credential retrieval actions to retrieve credentials for using said network resources;
  
  determining, from said credential retrieval data, an absence of a providing of credentials to said account by said account management system in response to a credential retrieval request from said account and prior to said use of said account for performing said activity; and
  
  in response to said determining said absence of said providing of credentials by said account management system to said account, automatically limiting use of said target resource by said account.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1, wherein the action data is received over the network.
  - 3. The method of claim 1, further comprising, in response to determining a presence of a providing of credentials by said account management system to said account, authorizing said activity.
  - 4. The method of claim 1, further comprising providing a notification to one or more machines indicating an unauthorized use of said account when said absence of said providing of credentials by said account management system to said account is determined.
  - 5. The method of claim 1, further comprising controlling access to the target resource.
  - 6. The method of claim 1, further comprising controlling the activity associated with the target resource.
  - 7. The method of claim 6, wherein said absence of said providing of said credentials by said account management system to said account is indicative of an authorization status of said activity associated with said target resource.
  - 8. The method of claim 6, wherein the activity includes a privileged use of the target resource by a non-privileged user process.
  - 9. The method of claim 1, wherein the account is a privileged account.
  - 10. The method of claim 9, wherein said privileged account is managed by said account management system.
  - 11. The method of claim 1, wherein the target resource is selected from the group consisting of:
    - servers, computers, computer systems, computer devices, mobile devices, network devices, databases, computer components, computer modules, machines, engines, software and applications.
  - 12. The method of claim 1, wherein said credential retrieval data includes at least one of:
    - records documenting historical credential retrieval actions,records documenting historical certificate or password requests,records documenting historical requests to perform actions associated with the target resource, andactivity logs of credential requests.

13. A computer system for detecting an unauthorized use of network resources, comprising:
- a non-transient storage medium storing code instructions; and
  
  a hardware processor coupled to said storage medium and configured to execute said stored code, the code comprising code instructions for;
  
  receiving action data indicating use of an account for performing an activity associated with a target resource accessible by the account over a network;
  
  obtaining, over said network from an account management system, credential retrieval data documenting credential retrieval actions to retrieve credentials for using said network resources;
  
  determining, from said credential retrieval data, an absence of a providing of credentials to said account by said account management system in response to a credential retrieval request from said account and prior to said use of said account for performing said activity; and
  
  in response to said determining said absence of said providing of credentials by said account management system to said account, automatically limiting use of said target resource by said account.
- View Dependent Claims (14, 15, 16, 17)
- - 14. The computer system of claim 13, wherein the hardware processor is adapted to execute said code for:
    - authorizing the activity when a presence of said providing of credentials by said account management system to said account is determined.
  - 15. The computer system of claim 13, wherein the hardware processor is adapted to execute said code for:
    - controlling the use of the account by not authorizing the activity when said absence of said providing of credentials by said account management system to said account is determined.
  - 16. The computer system of claim 15, wherein, when said absence of said providing of credentials by said account management system to said account is determined, said hardware processor is adapted to execute said code for at least one of:
    - changing the operation of the target resource; and
      
      informing a computerized module, configured for sending alerts of unauthorized activity to locations internal and external to the computer system, to send at least one alert of said unauthorized activity associated with the target resource.
  - 17. The computer system of claim 13, wherein said credential retrieval data includes at least one of:
    - records documenting historical credential retrieval actions,records documenting historical certificate or password requests,records documenting historical requests to perform actions associated with the target resource, andactivity logs of credential requests.

18. A computer usable non-transitory storage medium having a computer program embodied thereon for causing a programmed system to determine an unauthorized use of network resources by performing the following steps when such program is executed on the system, the steps comprising:
- receiving action data indicating use of an account for performing an activity associated with a target resource accessible by the account over a network;
  
  obtaining, over said network from an account management system, credential retrieval data documenting credential retrieval actions to retrieve credentials for using said network resources;
  
  determining, from said credential retrieval data, an absence of a providing of credentials to said account by said account management system in response to a credential retrieval request from said account and prior to said use of said account for performing said activity; and
  
  in response to said determining said absence of said providing of credentials by said account management system to said account, automatically limiting use of said target resource by said account.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cyber-Ark Software Limited (CyberArk Software Ltd.)
Original Assignee
Cyber-Ark Software Limited (CyberArk Software Ltd.)
Inventors
Dulkin, Andrey, Sade, Yair, Adar, Roy
Primary Examiner(s)
Davis, Zachary A

Application Number

US14/058,254
Publication Number

US 20150113600A1
Time in Patent Office

1,556 Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/102   Entity profiles

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1466   Active attacks involving in...

Method and system for detecting unauthorized access to and use of network resources

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for detecting unauthorized access to and use of network resources

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links