Systems and methods for contextual and cross application threat detection and prediction in cloud applications

US 10,063,654 B2
Filed: 06/24/2015
Issued: 08/28/2018
Est. Priority Date: 12/13/2013
Status: Active Grant

First Claim

Patent Images

1. A method, implemented by a computer system of a network security system, for detecting threat activity related to a cloud application, comprising:

receiving, from a service provider system, activity data corresponding to one or more actions performed during use of the cloud application by a user account with the cloud application, wherein the service provider system hosts the cloud application, wherein the user account is one of a set of user accounts associated with a tenant account provided by the service provider system for a tenant, wherein the set of user accounts enables one or more users associated with the tenant to access the cloud application;

receiving, from a system that is different from the service provider system, contextual data associated with a user associated with the user account;

generating a profile for the user using the activity data and the contextual data, wherein the profile is associated with the user account;

determining a measure of anomalous activity using the profile;

determining one or more security controls of the service provider system, wherein the one or more security controls are used by the service provider system to configure access to the cloud application;

determining one or more instructions to send to the service provider system, wherein the one or more instructions are based on the measure of anomalous activity; and

sending the one or more instructions to the service provider system, wherein the one or more instructions cause at least one security control from the one or more security controls to be changed, and wherein the access to the cloud application when the user account is used to access the cloud application is modified due to the change to the at least one security control.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods for contextual and cross application threat detection in cloud applications in accordance with embodiments of the invention are disclosed. In one embodiment, a method for detecting threat activity in a cloud application using past activity data from cloud applications includes receiving activity data concerning actions performed by a user account associated with a user within a monitored cloud application, receiving external contextual data about the user that does not concern actions performed using the user account within the monitored cloud application, where the external contextual data is retrieved from outside of the monitored cloud application, deriving a baseline user profile using the activity data and external contextual data and associating the baseline user profile with the user account, and determining the likelihood of anomalous activity using the baseline user profile.

60 Citations

View as Search Results

28 Claims

1. A method, implemented by a computer system of a network security system, for detecting threat activity related to a cloud application, comprising:
- receiving, from a service provider system, activity data corresponding to one or more actions performed during use of the cloud application by a user account with the cloud application, wherein the service provider system hosts the cloud application, wherein the user account is one of a set of user accounts associated with a tenant account provided by the service provider system for a tenant, wherein the set of user accounts enables one or more users associated with the tenant to access the cloud application;
  
  receiving, from a system that is different from the service provider system, contextual data associated with a user associated with the user account;
  
  generating a profile for the user using the activity data and the contextual data, wherein the profile is associated with the user account;
  
  determining a measure of anomalous activity using the profile;
  
  determining one or more security controls of the service provider system, wherein the one or more security controls are used by the service provider system to configure access to the cloud application;
  
  determining one or more instructions to send to the service provider system, wherein the one or more instructions are based on the measure of anomalous activity; and
  
  sending the one or more instructions to the service provider system, wherein the one or more instructions cause at least one security control from the one or more security controls to be changed, and wherein the access to the cloud application when the user account is used to access the cloud application is modified due to the change to the at least one security control.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The method of claim 1, wherein the activity data includes a count of unique Internet Protocol (IP) addresses used by the user account per day.
  - 3. The method of claim 1, wherein the activity data includes one or more time differences corresponding to a use of different IP addresses by the user account.
  - 4. The method of claim 1, further comprising:
    - deriving, using the activity data, a baseline profile associated with the user account, wherein the measure of anomalous activity is determined by comparing the profile to the baseline profile.
  - 5. The method of claim 1, wherein the profile includes a list of IP addresses and valid geolocations associated with the IP addresses.
  - 6. The method of claim 5, further comprising:
    - based on the measure of anomalous activity, determining a threat related to use of the cloud application when activity occurs from a geolocation that is not on the list of IP addresses and valid geolocations associated with the IP addresses.
  - 7. The method of claim 1, wherein the profile is derived from activity data collected over a time period, wherein the time period is one of a first time period from eight weeks prior to four weeks prior to a target date, a second time period from four weeks prior to one week prior to the target date, or a third time period from one week prior to the target date.
  - 8. The method of claim 7, further comprising:
    - calculating a risk score for the user, wherein the risk score is based on the profile; and
      
      generating a ranking of a plurality of users of the cloud application based upon the risk score.
  - 9. The method of claim 8, wherein the risk score for the user is used to prioritize threat remediation actions associated with the cloud application, wherein prioritization enables the tenant to remediate most severe issues first.
  - 10. The method of claim 1, wherein the activity data includes a number of login failures associated with the user account.
  - 11. The method of claim 1, wherein the activity data includes a count of login failures greater than a predetermined threshold.
  - 12. The method of claim 1, wherein the activity data includes a count of number of downloads greater than a predetermined threshold.
  - 13. The method of claim 1, wherein the contextual data includes travel plans for the user.
  - 14. The method of claim 1, wherein the contextual data includes credit card transactions by the user.

15. A system for detecting threat activity related to a cloud application, the system comprising:
- a processor; and
  
  memory coupled to and readable by the processor, the memory including one or more instructions that, when executed by the processor, cause the processor to;
  
  receive, from a service provider system, activity data corresponding to one or more actions performed during use of the cloud application by a user account with the cloud application, wherein the service provider system hosts the cloud application, wherein the user account is one of a set of user accounts associated with a tenant account provided by the service provider system for a tenant, wherein the set of user accounts enables one or more users associated with the tenant to access the cloud application;
  
  receive, from a system that is different from the service provider system, contextual data associated with a user associated with the user account;
  
  generate a profile for the user using the activity data and the contextual data, wherein the profile is associated with the user account;
  
  determine a measure of anomalous activity using the profile;
  
  determine one or more security controls of the service provider system, wherein the one or more security controls are used by the service provider system to configure access to the cloud application;
  
  determine one or more instructions to send to the service provider system, wherein the one or more instructions are based on the measure of anomalous activity; and
  
  send the one or more instructions to the service provider system, wherein the one or more instructions cause at least one security control from the one or more security controls to be changed, and wherein the access to the cloud application when the user account is used to access the cloud application is modified due to the change to the at least one security control.
- View Dependent Claims (16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28)
- - 16. The system of claim 15, wherein the activity data includes a count of unique Internet Protocol (IP) addresses used by the user account per day.
  - 17. The system of claim 15, wherein the activity data includes one or more time differences corresponding to a use of different IP addresses by the user account.
  - 18. The system of claim 15, wherein the one or more instructions further include instructions that, when executed by the processor, cause the processor to:
    - derive, using the activity data, a baseline profile associated with the user account, wherein the measure of anomalous activity is determined by comparing the profile to the baseline profile.
  - 19. The system of claim 15, wherein the profile includes a list of IP addresses and valid geolocations associated with the IP addresses.
  - 20. The system of claim 19, wherein the one or more instructions further include instructions that, when executed by the processor, cause the processor to:
    - based on the measure of anomalous activity, determine a threat related to use of the cloud application when activity occurs from a geolocation that is not on the list of IP addresses and valid geolocations associated with the IP addresses.
  - 21. The system of claim 15, wherein the profile is derived from activity data collected over a time period, wherein the time period is one of a first time period from eight weeks prior to four weeks prior to a target date, a second time period from four weeks prior to one week prior to the target date, or a third time period from one week prior to the target date.
  - 22. The system of claim 21, wherein the one or more instructions further include instructions that, when executed by the processor, cause the processor to:
    - calculate a risk score for the user, wherein the risk score based on the profile; and
      
      generate a ranking of a plurality of users of the cloud application based upon the risk score.
  - 23. The system of claim 22, wherein the risk score for the user is used to prioritize threat remediation actions associated with the cloud application, wherein prioritization enables the tenant to remediate most severe issues first.
  - 24. The system of claim 15, wherein the activity data includes a number of login failures associated with the user account.
  - 25. The system of claim 15, wherein the activity data includes a count of login failures greater than a predetermined threshold.
  - 26. The system of claim 15, wherein the activity data includes a count of number of downloads greater than a predetermined threshold.
  - 27. The system of claim 15, wherein the contextual data includes travel plans for the user.
  - 28. The system of claim 15, wherein the contextual data includes credit card transactions by the user.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle International Corporation (Oracle Corporation)
Original Assignee
Oracle International Corporation (Oracle Corporation)
Inventors
Kirti, Ganesh, Biswas, Kamalendu, Gurumurthy, Prakash, Alomari, Raja S., Perera, Sumedha Nalin
Primary Examiner(s)
Thiaw, Catherine
Assistant Examiner(s)
Johnson, Carlton

Application Number

US14/749,522
Publication Number

US 20150319185A1
Time in Patent Office

1,161 Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/107   wherein the security polici...

H04L 63/108   when the policy decisions a...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1433   Vulnerability analysis

H04L 67/10   in which an application is ...

H04L 67/306   User profiles

H04L 67/535   Tracking the activity of th...

H04W 12/67   Risk-dependent, e.g. select...

Systems and methods for contextual and cross application threat detection and prediction in cloud applications

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

60 Citations

28 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for contextual and cross application threat detection and prediction in cloud applications

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

60 Citations

28 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links