User profile definition and management

US 10,447,718 B2
Filed: 05/14/2018
Issued: 10/15/2019
Est. Priority Date: 05/15/2017
Status: Active Grant

First Claim

Patent Images

1. A computer-implementable method for performing a security analysis operation within a security environment, comprising:

monitoring electronically-observable user behavior about a particular entity;

maintaining a state about the particular entity, the state representing a context of a particular event;

converting the electronically-observable user behavior into electronic information representing the electronically-observable user behavior;

generating a user behavior profile based upon the electronic information representing the electronically-observable user behavior, the user behavior profile comprising a collection of information that describes the particular entity, the collection of information comprising at least one of a user profile attribute, a user behavior factor and a user mindset factor;

generating a mindset profile for the particular entity, the mindset profile representing aspects of the particular entity that are inferred based upon the electronically-observable user behavior, the mindset profile being generated using a combination of the user behavior profile and the state;

performing a security analysis operation via a security analytics system, the security analysis operation analyzing the event using the state of the entity, the mindset profile and the user behavior profile, the analyzing determining whether the electronically-observable user behavior about the particular entity does not correspond to known good behavior, the security analysis operation determining that the particular entity represents a security threat to an organization associated with the security analytics system when the electronically-observable user behavior about the particular entity does not correspond to known good behavior; and

,performing an enforcement operation when the electronically-observable user behavior about the particular entity does not correspond to known good behavior.

View all claims

8 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method, system and computer-usable medium for performing a security analysis operation within a security environment, comprising: monitoring electronically-observable user behavior about a particular entity; maintaining a state about the particular entity, the state representing a context of a particular event; converting the electronically-observable user behavior into electronic information representing the electronically-observable user behavior; generating a user behavior profile based upon the electronic information representing the electronically-observable user behavior; and, analyzing the event using the state of the entity and the user behavior profile.

149 Citations

20 Claims

1. A computer-implementable method for performing a security analysis operation within a security environment, comprising:
- monitoring electronically-observable user behavior about a particular entity;
  
  maintaining a state about the particular entity, the state representing a context of a particular event;
  
  converting the electronically-observable user behavior into electronic information representing the electronically-observable user behavior;
  
  generating a user behavior profile based upon the electronic information representing the electronically-observable user behavior, the user behavior profile comprising a collection of information that describes the particular entity, the collection of information comprising at least one of a user profile attribute, a user behavior factor and a user mindset factor;
  
  generating a mindset profile for the particular entity, the mindset profile representing aspects of the particular entity that are inferred based upon the electronically-observable user behavior, the mindset profile being generated using a combination of the user behavior profile and the state;
  
  performing a security analysis operation via a security analytics system, the security analysis operation analyzing the event using the state of the entity, the mindset profile and the user behavior profile, the analyzing determining whether the electronically-observable user behavior about the particular entity does not correspond to known good behavior, the security analysis operation determining that the particular entity represents a security threat to an organization associated with the security analytics system when the electronically-observable user behavior about the particular entity does not correspond to known good behavior; and
  
  ,performing an enforcement operation when the electronically-observable user behavior about the particular entity does not correspond to known good behavior.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, further comprising:
    - associating the mindset profile within the user behavior profile.
  - 3. The method of claim 1, further comprising:
    - associating a higher-level meaning with the event based upon the analyzing.
  - 4. The method of claim 1, wherein:
    - the analyzing calculates how anomalous the event is.
  - 5. The method of claim 1, wherein:
    - the monitoring electronically-observable user behavior comprises monitoring a plurality of points of observability, at least some of the plurality of points of observability corresponding to respective layers of user interaction; and
      
      ,each of the plurality of points of observability is converted into respective electronic information representing respective points of observability.
  - 6. The method of claim 5, wherein:
    - the plurality of points of observability comprise an action based point of observability, an activity based point of observability and a behavior based point of observability.
  - 7. The method of claim 5, wherein:
    - the plurality of points of observability observer user behavior within at least one of a physical domain and a cyberspace environment.
  - 8. The method of claim 1, wherein:
    - the user behavior profile comprises a multi-faceted user behavior profile comprising a plurality of facets, each of the plurality of facets corresponding to at least one of a user authentication factor, a user identification factor and a user behavior factor.
  - 9. The method of claim 1, further comprising:
    - identifying certain electronically-observable user behavior used for generating the user behavior profile as known good behavior;
      
      determining whether additional electronically-observable user behavior do not correspond to the known good behavior; and
      
      ,performing an enforcement operation when additional electronically-observable user behavior do not correspond to the known good behavior.
  - 10. The method of claim 8, further comprising:
    - monitoring an information technology environment using the user behavior profile;
      
      performing an enforcement operation if a user interaction with the information technology environment does not correspond to interactions based upon the user behavior profile.

11. A system comprising:
- a processor;
  
  a data bus coupled to the processor; and
  
  a non-transitory, computer-readable storage medium embodying computer program code for generating a user behavior profile, the non-transitory, computer-readable storage medium being coupled to the data bus, the computer program code interacting with a plurality of computer operations and comprising instructions executable by the processor and configured for;
  
  monitoring electronically-observable user behavior about a particular entity;
  
  maintaining a state about the particular entity, the state representing a context of a particular event;
  
  converting the electronically-observable user behavior into electronic information representing the electronically-observable user behavior;
  
  generating a user behavior profile based upon the electronic information representing the electronically-observable user behavior, the user behavior profile comprising a collection of information that describes the particular entity, the collection of information comprising at least one of a user profile attribute, a user behavior factor and a user mindset factor;
  
  generating a mindset profile for the particular entity, the mindset profile representing aspects of the particular entity that are inferred based upon the electronically-observable user behavior, the mindset profile being generated using a combination of the user behavior profile and the state;
  
  performing a security analysis operation via a security analytics system, the security analysis operation analyzing the event using the state of the entity, the mindset profile and the user behavior profile, the analyzing determining whether the electronically-observable user behavior about the particular entity does not correspond to known good behavior, the security analysis operation determining that the particular entity represents a security threat to an organization associated with the security analytics system when the electronically-observable user behavior about the particular entity does not correspond to known good behavior; and
  
  ,performing an enforcement operation when the electronically-observable user behavior about the particular entity does not correspond to known good behavior.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The system of claim 11, wherein the instructions executable by the processor are further configured for:
    - associating the mindset profile within the user behavior profile.
  - 13. The system of claim 11, wherein:
    - associating a higher-level meaning with the event based upon the analyzing.
  - 14. The system of claim 11, wherein:
    - the analyzing calculates how anomalous the event is.
  - 15. The system of claim 11, wherein:
    - the monitoring electronically-observable user behavior comprises monitoring a plurality of points of observability, at least some of the plurality of points of observability corresponding to respective layers of user interaction; and
      
      ,each of the plurality of points of observability is converted into respective electronic information representing respective points of observability.
  - 16. The system of claim 15, wherein:
    - the plurality of points of observability comprise an action based point of observability, an activity based point of observability and a behavior based point of observability.
  - 17. The system of claim 15, wherein:
    - the plurality of points of observability observer user behavior within at least one of a physical domain and a cyberspace environment.
  - 18. The system of claim 11, wherein:
    - the user behavior profile comprises a multi-faceted user behavior profile comprising a plurality of facets, each of the plurality of facets corresponding to at least one of a user authentication factor, a user identification factor and a user behavior factor.
  - 19. The system of claim 18, wherein the instructions executable by the processor are further configured for:
    - identifying certain electronically-observable user behavior used for generating the user behavior profile as known good behavior;
      
      determining whether additional electronically-observable user behavior do not correspond to the known good behavior; and
      
      ,performing an enforcement operation when additional electronically-observable user behavior do not correspond to the known good behavior.
  - 20. The system of claim 18, wherein the instructions executable by the processor are further configured for:
    - monitoring an information technology environment using the plurality of user behavior profiles;
      
      performing an enforcement operation if a user interaction with the information technology environment does not correspond to interactions based upon at least one of the plurality of user behavior profiles.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Forcepoint LLC
Original Assignee
Forcepoint LLC
Inventors
Ford, Richard Anthony
Primary Examiner(s)
Schwartz, Darren B

Application Number

US15/979,023
Publication Number

US 20180332063A1
Time in Patent Office

519 Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1441   Countermeasures against mal...

H04L 67/10   in which an application is ...

H04L 67/306   User profiles

H04L 67/535   Tracking the activity of th...

User profile definition and management

First Claim

8 Assignments

0 Petitions

Accused Products

Abstract

149 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

User profile definition and management

First Claim

8 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

149 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links