Identifying changes in use of user credentials

US 10,686,829 B2
Filed: 09/04/2017
Issued: 06/16/2020
Est. Priority Date: 09/05/2016
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

extracting, from initial data transmitted on a data network comprising a set of resources accessed by a set of training users, a plurality of events, each of the events comprising a given training user accessing a given resource at a given time;

creating a set of first records, each first record comprising a sub-group of the extracted events of a single training user;

creating a set of second records, each second record including events of at least two different training users;

assigning safe labels to the first records suspicious labels to the second records;

performing, by a processor, an analysis to fit, to the first and the second records and their respective labels, a model for predicting the label for a given record;

filtering, using the model, subsequent data transmitted on the data network to identify, in the subsequent data, sequences of events predicted to be labeled suspicious by the model; and

upon detecting a given sequence of events predicted as suspicious by the model, generating an alert,wherein filtering the subsequent data comprises extracting, from the data transmitted on the data network between a set of resources accessed by a set of production users, a plurality of additional events, and creating respective sequences of the additional events for the production users,wherein using the model comprises applying the model to the sequences of the additional events, andwherein when the model classifies a given sequence of events as suspicious, generating an alert or sending a message on a user interface device for one production user associated with the given sequence of events.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method including extracting, from initial data transmitted on a network, multiple events, each of the events including a user accessing a resource. First and second sets of records are created, each first set record including a sub-group of the events of a user, each second set record including a sub-group of the events of a multiple users during respective sub-periods of a training period. Safe labels are assigned to the first set records and suspicious labels are assigned to the second set records. An analysis fits, to the first and the second set records and their respective labels, a model for predicting the label for a given record. The model filters subsequent network data to identify, in the subsequent data, sequences of events predicted to be labeled suspicious by the model, and upon detecting a given sequence of events predicted as suspicious by the model, an alert is generated.

106 Citations

12 Claims

1. A method, comprising:
- extracting, from initial data transmitted on a data network comprising a set of resources accessed by a set of training users, a plurality of events, each of the events comprising a given training user accessing a given resource at a given time;
  
  creating a set of first records, each first record comprising a sub-group of the extracted events of a single training user;
  
  creating a set of second records, each second record including events of at least two different training users;
  
  assigning safe labels to the first records suspicious labels to the second records;
  
  performing, by a processor, an analysis to fit, to the first and the second records and their respective labels, a model for predicting the label for a given record;
  
  filtering, using the model, subsequent data transmitted on the data network to identify, in the subsequent data, sequences of events predicted to be labeled suspicious by the model; and
  
  upon detecting a given sequence of events predicted as suspicious by the model, generating an alert,wherein filtering the subsequent data comprises extracting, from the data transmitted on the data network between a set of resources accessed by a set of production users, a plurality of additional events, and creating respective sequences of the additional events for the production users,wherein using the model comprises applying the model to the sequences of the additional events, andwherein when the model classifies a given sequence of events as suspicious, generating an alert or sending a message on a user interface device for one production user associated with the given sequence of events.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method according to claim 1, wherein the analysis comprises a machine learning algorithm.
  - 3. The method according to claim 1, wherein a given resource comprises a server.
  - 4. The method according to claim 1, wherein the data network comprises a workstation comprising a log, wherein a given training user is logged into the workstation, wherein the log comprising actions performed by the resource for a given training user, and wherein the data comprises the log.
  - 5. The method according to claim 1, wherein the data network comprises a workstation, wherein a given training user is logged into the workstation, and where in the extracted data comprises data packets transmitted between the workstation and the resources.
  - 6. The method according to claim 1, wherein creating the second records comprises creating a record including the events of a first training user at times up to a specified time and the events of a second user of times subsequent to the specified time.

7. An apparatus, comprising:
- a memory; and
  
  a hardware processor configured;
  
  to extract, from initial data transmitted on a data network comprising a set of resources accessed by a set of training users, a plurality of events, each of the events comprising a given training user accessing a given resource at a given time,to create a set of first records, each first record comprising a sub-group of the extracted events of a single training user;
  
  to create a set of second records, each second record including events of at least two different training users;
  
  to assign safe labels to the first records suspicious labels to the second records;
  
  to perform an analysis to fit, to the first and the second records and their respective labels, a model for predicting the label for a given record,to filter, using the model, subsequent data transmitted on the data network to identify, in the subsequent data, sequences of events predicted to be labeled suspicious by the model, andupon detecting a given sequence of events predicted as suspicious by the model, to generate an alert,wherein the processor is configured to filter the subsequent data by extracting, from the data transmitted on the data network between a set of resources accessed by a set of production users, a plurality of additional events, and creating respective sequences of the additional events for the production users,wherein the processor is configured to use the model by applying the model to the sequences of the additional events, andwherein when the model classifies a given sequence of events as suspicious, the processor generates an alert or sends a message on a user interface device for one production user associated with the given sequence of events.
- View Dependent Claims (8, 9, 10, 11)
- - 8. The apparatus according to claim 7, wherein the analysis comprises a machine learning algorithm.
  - 9. The apparatus according to claim 7, wherein a given resource comprises a server.
  - 10. The apparatus according to claim 7, wherein the data network comprises a workstation comprising a log, wherein a given training user is logged into the workstation, wherein the log comprising actions performed by the server for a given training user, and wherein the data comprises the log.
  - 11. The apparatus according to claim 7, wherein the data network comprises a workstation, wherein a given training user is logged into the workstation, and where in the extracted data comprises data packets transmitted between the workstation and the resources.

12. A computer software product, the product comprising a non-transitory computer-readable medium, in which program instructions are stored, which instructions, when read by a computer, cause the computer:
- to extract, from initial data transmitted on a data network comprising a set of resources accessed by a set of training users, a plurality of events, each of the events comprising a given training user accessing a given resource at a given time;
  
  to create a set of first records, each first record comprising a sub-group of the extracted events of a single training user;
  
  to create a set of second records, each second record including events of at least two different training users;
  
  to assign safe labels to the first records suspicious labels to the second records;
  
  to perform an analysis to fit, to the first and the second records and their respective labels, a model for predicting the label for a given record;
  
  to filter, using the model, subsequent data transmitted on the data network to identify, in the subsequent data, sequences of events predicted to be labeled suspicious by the model; and
  
  upon detecting a given sequence of events predicted as suspicious by the model, to generate an alert,wherein the filtering of the subsequent data includes extracting, from the data transmitted on the data network between a set of resources accessed by a set of production users, a plurality of additional events, and creating respective sequences of the additional events for the production users,wherein the instructions cause the computer to use the model by applying the model to the sequences of the additional events, andwherein when the model classifies a given sequence of events as suspicious, the computer generates an alert or sends a message on a user interface device for one production user associated with the given sequence of events.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Palo Alto Networks (UK) Ltd. (Palo Alto Networks Incorporated)
Original Assignee
Palo Alto Networks (UK) Ltd. (Palo Alto Networks Incorporated)
Inventors
Amit, Idan, Firstenberg, Eyal, Allon, Jonathan, Neuman, Yaron
Primary Examiner(s)
Gracia, Gary S

Application Number

US15/694,891
Publication Number

US 20180069893A1
Time in Patent Office

1,016 Days
Field of Search

726 23, 713194, 706 12, 706 58
US Class Current
CPC Class Codes

G06F 21/552   involving long-term monitor...

G06F 21/554   involving event detection a...

G06N 20/00   Machine learning

G06N 5/04   Inference or reasoning models

H04L 63/0245   Filtering by information in...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1441   Countermeasures against mal...

Identifying changes in use of user credentials

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

106 Citations

12 Claims

Specification

Solutions

Use Cases

Quick Links

Identifying changes in use of user credentials

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

106 Citations

12 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links