Anomalous network monitoring, user behavior detection and database system

US 10,129,282 B2
Filed: 12/30/2016
Issued: 11/13/2018
Est. Priority Date: 08/19/2015
Status: Active Grant

First Claim

Patent Images

1. A computerized method performed by one or more computer systems, the method comprising:

accessing network access logs associated with a plurality of network accessible systems, the network access logs being generated in response to network actions associated with a plurality of user accounts, the user accounts each associated with, in the network access logs, one or more IP addresses of corresponding user devices;

determining, based at least on the network access logs, information indicative of user accounts exhibiting high-risk behavior, the information including, for each of one or more user accounts, a transition from the user account to a subsequent user account associated with a different user, the transition being associated with escalated user privileges, wherein the user account transitions are determined based, at least in part, on monitoring IP addresses indicated in the network access logs; and

providing, for presentation in an interactive user interface, information describing a set of user accounts and corresponding determined information, wherein the interactive user interface is configured to receive user actions associated with preventing an attack on one or more networks, wherein the user actions comprise one or more of selecting specific user accounts for more detailed information or generating information to be presented to specific user accounts.

View all claims

8 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods, systems, and apparatus, including computer programs encoded on computer storage media, for network monitoring, user account compromise determination, and user behavior database system. The system monitors network actions of user accounts including user account access across multitudes of network accessible systems, determines user account transitions, and determines different types of high-risk user behavior indicative of compromise. Network actions can be obtained from generated information by the network accessible systems, and correlated across additional data sets including contextual ones. User interfaces are generated describing network actions of user accounts, and are configured for user interaction, which cause generation of updated user interfaces and access to electronic data sources to determine information relevant to the user interaction.

156 Citations

20 Claims

1. A computerized method performed by one or more computer systems, the method comprising:
- accessing network access logs associated with a plurality of network accessible systems, the network access logs being generated in response to network actions associated with a plurality of user accounts, the user accounts each associated with, in the network access logs, one or more IP addresses of corresponding user devices;
  
  determining, based at least on the network access logs, information indicative of user accounts exhibiting high-risk behavior, the information including, for each of one or more user accounts, a transition from the user account to a subsequent user account associated with a different user, the transition being associated with escalated user privileges, wherein the user account transitions are determined based, at least in part, on monitoring IP addresses indicated in the network access logs; and
  
  providing, for presentation in an interactive user interface, information describing a set of user accounts and corresponding determined information, wherein the interactive user interface is configured to receive user actions associated with preventing an attack on one or more networks, wherein the user actions comprise one or more of selecting specific user accounts for more detailed information or generating information to be presented to specific user accounts.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The computerized method of claim 1, wherein the determined information indicative of a particular user account exhibiting high-risk behavior comprises one or more of information indicating network accessible systems not normally used by the particular user account to access the one or more networks, likelihoods associated with a single user being able to access the particular user account from different locations within threshold periods of times, information associated with traversing the network accessible systems, or information indicating risks and/or abnormalities associated with geographic locations from which the particular user account was used.
  - 3. The computerized method of claim 2, wherein determining information indicative of the particular user account exhibiting high-risk behavior is based, at least in part, on historical user behavior of the particular user account.
  - 4. The computerized method of claim 1, wherein the network access logs comprise virtual private network (VPN) logs, Active Directory (AD) logs, firewall logs, user account access records, system logs, and wherein the network accessible systems comprise server systems, domain controllers, computers, laptops, checkout systems, point of sale systems, firewalls, VPN servers.
  - 5. The computerized method of claim 1, further comprising:
    - receiving, from a user device presenting the interactive user interface, a request to receive information specific to a particular user account of the set of user accounts, the request identifying a particular time period;
      
      obtaining data describing network actions of the particular user account during the particular time period; and
      
      determining updated information indicative of the particular user account exhibiting high-risk behavior, thereby enabling comparisons based on time period.
  - 6. The computerized method of claim 1, wherein the interactive user interface:
    - presents summary information associated with the set of user accounts, the summary information;
      
      identifying transitions initiating from user accounts of the set of user accounts to respective subsequent user accounts, andidentifying whether each transition is associated with escalated user privileged; and
      
      enables user actions associated with preventing an attack.
  - 7. The computerized method of claim 6, wherein the interactive user interface presents information identifying that a first user account and a subsequent user account identified by a particular transition are user accounts of a same user.
  - 8. The computerized method of claim 6, further comprising:
    - receiving, from a user device presenting the interactive user interface, a selection of a particular user account of the set of user accounts; and
      
      updating the interactive user interface, such that the interactive user interface presents a visual representation of a graph illustrating transitions from (1) particular user account to subsequent user accounts, and/or (2) transitions from the subsequent user accounts to additional subsequent user accounts.
  - 9. The computerized method of claim 1, further comprising:
    - causing activation of an application executing on a particular user device, the application being triggered to present information describing the set of user accounts, such that time-sensitive information is presented to a user of the particular user device.

10. A system comprising one or more computer systems and one or more computer storage media storing instructions that when executed by the one or more computer systems cause the one or more computer systems to perform operations comprising:
- accessing network access logs associated with a plurality of network accessible systems, the network access logs indicating network actions associated with a plurality of user accounts, the user accounts each associated with, in the network access logs, one or more IP addresses of corresponding user devices;
  
  determining, based at least on the network access logs, information indicative of user accounts exhibiting high-risk behavior, the information including, for each of one or more user accounts, a transition from the user account to a subsequent user account associated with a different user, the transition being associated with escalated user privileges, wherein the user account transitions are determined based, at least in part, on monitoring IP addresses indicated in the network access logs; and
  
  providing, for presentation in an interactive user interface, information describing a set of user accounts and corresponding determined information, wherein the interactive user interface is configured to receive user actions associated with preventing an attack on one or more networks, wherein the user actions comprise one or more of selecting specific user accounts for more detailed information or generating information to be presented to specific user accounts.
- View Dependent Claims (11, 12, 13, 14, 15, 16)
- - 11. The system of claim 10, wherein the determined information indicative of a particular user account exhibiting high-risk behavior comprises one or more of information indicating network accessible systems not normally used by the particular user account to access the one or more networks, likelihoods associated with a single user being able to access the particular user account from different locations within threshold periods of times, information associated with traversing the network accessible systems, or information indicating risks and/or abnormalities associated with geographic locations from which the particular user account was used.
  - 12. The system of claim 11, wherein determining information indicative of the particular user account exhibiting high-risk behavior is based, at least in part, on historical user behavior of the particular user account.
  - 13. The system of claim 10, wherein the operations further comprise:
    - receiving, from a user device presenting the interactive user interface, a request to receive information specific to a particular user account of the set of user accounts, the request identifying a particular time period;
      
      obtaining data describing network actions of the particular user account during the particular time period; and
      
      determining updated information indicative of the particular user account exhibiting high-risk behavior, thereby enabling comparisons based on time period.
  - 14. The system of claim 10, wherein the interactive user interface:
    - presents summary information associated with the set of user accounts, the summary information;
      
      identifying transitions initiating from user accounts of the set of user accounts to respective subsequent user accounts, andidentifying whether each transition is associated with escalated user privileged; and
      
      enables user actions associated with preventing an attack.
  - 15. The system of claim 14, wherein the interactive user interface presents information identifying that a first user account and a subsequent user account identified by a particular transition are user accounts of a same user.
  - 16. The system of claim 15, wherein the operations further comprise:
    - receiving, from a user device presenting the interactive user interface, a selection of a particular user account of the set of user accounts; and
      
      updating the interactive user interface, such that the interactive user interface presents a visual representation of a graph illustrating transitions from (1) particular user account to subsequent user accounts, and/or (2) transitions from the subsequent user accounts to additional subsequent user accounts.

17. Non-transitory computer storage media storing instructions that when executed one or more computer systems cause the one or more computer systems to perform operations comprising:
- accessing network access logs associated with a plurality of network accessible systems, the network access logs indicating network actions associated with a plurality of user accounts, the user accounts each associated with, in the network access logs, one or more IP addresses of corresponding user devices;
  
  determining, based at least on the network access logs, information indicative of user accounts exhibiting high-risk behavior, the information including, for each of one or more user accounts, a transition from the user account to a subsequent user account associated with a different user, the transition being associated with escalated user privileges, wherein the user account transitions are determined based, at least in part, on monitoring IP addresses indicated in the network access logs; and
  
  providing, for presentation in an interactive user interface, information describing a set of user accounts and corresponding determined information, wherein the interactive user interface is configured to receive user actions associated with preventing an attack on one or more networks, wherein the user actions comprise one or more of selecting specific user accounts for more detailed information or generating information to be presented to specific user accounts.
- View Dependent Claims (18, 19, 20)
- - 18. The non-transitory computer storage of claim 17, wherein the determined information indicative of a particular user account exhibiting high-risk behavior comprises one or more of information indicating network accessible systems not normally used by the particular user account to access the one or more networks, likelihoods associated with a single user being able to access the particular user account from different locations within threshold periods of times, information associated with traversing the network accessible systems, or information indicating risks and/or abnormalities associated with geographic locations from which the particular user account was used.
  - 19. The non-transitory computer storage of claim 17, wherein the interactive user interface:
    - presents summary information associated with the set of user accounts, the summary information;
      
      identifying transitions initiating from user accounts of the set of user accounts to respective subsequent user accounts, andidentifying whether each transition is associated with escalated user privileged; and
      
      enables user actions associated with preventing an attack.
  - 20. The non-transitory computer storage of claim 19, wherein the operations further comprise:
    - receiving, from a user device presenting the interactive user interface, a selection of a particular user account of the set of user accounts; and
      
      updating the interactive user interface, such that the interactive user interface presents a visual representation of a graph illustrating transitions from (1) particular user account to subsequent user accounts, and/or (2) transitions from the subsequent user accounts to additional subsequent user accounts.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Palantir Technologies Incorporated
Original Assignee
Palantir Technologies Incorporated
Inventors
Jones, Samuel, Yousaf, Timothy, Dennison, Drew, Lakshmanan, Vivek, Staehle, Joseph, Kremin, Samuel, Kesin, Maxim, Heroux, Taylor
Primary Examiner(s)
Mehedi, Morshed
Assistant Examiner(s)
Almamun, Abdullah

Application Number

US15/395,483
Publication Number

US 20170111381A1
Time in Patent Office

683 Days
Field of Search

726 25, 705 51, 713189
US Class Current
CPC Class Codes

G06F 21/552   involving long-term monitor...

G06F 21/554   involving event detection a...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1433   Vulnerability analysis

H04L 67/306   User profiles

Anomalous network monitoring, user behavior detection and database system

First Claim

8 Assignments

0 Petitions

Accused Products

Abstract

156 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Anomalous network monitoring, user behavior detection and database system

First Claim

8 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

156 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links