Context-aware network-based malicious activity warning systems

US 10,728,262 B1
Filed: 10/27/2017
Issued: 07/28/2020
Est. Priority Date: 12/21/2016
Status: Active Grant

First Claim

Patent Images

1. A computing system configured to generate an alert related to malicious activity on an audited computing system, the computing system comprising:

a computer readable storage medium having program instructions embodied therewith; and

one or more processors configured to execute the program instructions to cause the one or more processors to;

receive entity activity information associated with an activity of an entity performed on an audited computing system, wherein the entity activity information comprises a plurality of indicators of potentially malicious activity;

access contextual information associated with the entity;

select, based at least in part on the contextual information associated with the entity, a set of weights, from a plurality of sets of weights, to apply to the plurality of indicators of potentially malicious activity;

combine the set of weights and the plurality of indicators to generate a risk score, wherein the risk score indicates a probability that the entity activity information is indicative of malicious activity of the entity on the audited computing system; and

in response to the risk score satisfying a threshold value, generate an alert.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computer system is configured to generate alerts related to malicious activity on an audited computing system. The computing system is provided with instructions to receive activity information associated with activity of an entity performed in an audited computing network, access contextual information associated with the entity, determine, based on the contextual information, a set of weights associated with the activity information and combine the weight and the entity activity information to generate a risk score. In response to the risk score satisfying a threshold value, the computer system may generate an alert, and, in response to receiving a user input associated with the alert, update the set of weights. In certain embodiments, the updated weights may be used for determining the risk score of future alerts.

340 Citations

20 Claims

1. A computing system configured to generate an alert related to malicious activity on an audited computing system, the computing system comprising:
- a computer readable storage medium having program instructions embodied therewith; and
  
  one or more processors configured to execute the program instructions to cause the one or more processors to;
  
  receive entity activity information associated with an activity of an entity performed on an audited computing system, wherein the entity activity information comprises a plurality of indicators of potentially malicious activity;
  
  access contextual information associated with the entity;
  
  select, based at least in part on the contextual information associated with the entity, a set of weights, from a plurality of sets of weights, to apply to the plurality of indicators of potentially malicious activity;
  
  combine the set of weights and the plurality of indicators to generate a risk score, wherein the risk score indicates a probability that the entity activity information is indicative of malicious activity of the entity on the audited computing system; and
  
  in response to the risk score satisfying a threshold value, generate an alert.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The computing system of claim 1, wherein the contextual information comprises organizational roles, wherein the plurality of sets of weights are associated with different organizational roles, and wherein the one or more processors are configured to execute the program instructions to further cause the one or more processors to:
    - in response to receiving an input associated with the alert, update the set of weights.
  - 3. The computing system of claim 1, wherein the one or more processors are configured to execute the program instructions to further cause the one or more processors to:
    - in response to the risk score not satisfying the threshold value, randomly determine whether or not to generate the alert for presentation to a user.
  - 4. The computing system of claim 1, wherein the one or more processors are configured to execute the program instructions to further cause the one or more processors to:
    - generate user interface data configured to be rendered as a user interface including at least;
      
      an indication of the alert,a historic comparison comprising information about one or more similar prior alerts, anda graphical representation of the activity of the entity.
  - 5. The computing system of claim 4, wherein the one or more processors are configured to execute the program instructions to further cause the one or more processors to:
    - provide a first view of the user interface presenting a plurality of alerts, wherein the first view comprises, for each alert in the plurality of alerts, a first graphical representation of the activity of the entity related to the alert;
      
      receive a selection of a selected alert from the plurality of alerts; and
      
      provide a second view of the user interface including additional information related to the selected alert, wherein the second view of the user interface includes a second graphical representation of the activity of the entity related to the selected alert,wherein the second graphical representation represents similar data as the first graphical representation and the second graphical representation is larger in size than the first graphical representation.
  - 6. The computing system of claim 4, wherein the one or more processors are configured to execute the program instructions to further cause the one or more processors to:
    - configure the user interface to present a plurality of alerts, wherein the plurality of alerts are sorted according to respective associated risk scores.
  - 7. The computing system of claim 1, wherein different weights from the set of weights are applied to different corresponding indicators of the plurality of indicators.
  - 8. The computing system of claim 1, wherein the one or more processors are configured to execute the program instructions to further cause the one or more processors to:
    - store the plurality of sets of weights in a two-dimensional table, extending along a plurality of rows and a plurality of columns, wherein each row in the plurality of rows corresponds to an indicator, and wherein each column in the plurality of columns corresponds to a context of the entity.
  - 9. The computing system of claim 1, wherein the one or more processors are configured to execute the program instructions to further cause the one or more processors to:
    - receive a comment from an auditor corresponding to the alert;
      
      store the comment in association with the alert; and
      
      provide the comment when providing the alert for display in a user interface.
  - 10. The computing system of claim 1, wherein the contextual information comprises as least one of:
    - a role of the entity in an organization, a department associated with the entity, an indication whether the entity has been found to previously have engaged in a malicious activity, an indication whether the entity'"'"'s department has been found to previously have engaged in a malicious activity, an access history of the entity, an indication of an association of the entity with a competitor, an indication whether the entity has unsuccessfully attempted to access a computer resource of the organization, a policy violation of the entity, or an indication of whether the entity is allowed to access a particularly sensitive information.
  - 11. The computing system of claim 1, wherein the alert comprises information that at least partly indicates the contextual information that contributed to the risk score satisfying the threshold value.
  - 12. The computing system of claim 1, wherein the entity activity information comprises at least one of:
    - email logs, print logs, proxy logs, Data Loss Prevention logs, operating system logs, web server logs, database server logs, voice over IP server logs, firewall logs, wireless access point logs, or intrusion detection system logs.
  - 13. The computing system of claim 1, wherein the one or more processors are configured to execute the program instructions to further cause the one or more processors to:
    - update the weights of the set of weights for a future alert based on an auditor'"'"'s response to the alert.
  - 14. The computing system of claim 1, wherein the one or more processors are configured to execute the program instructions to further cause the one or more processors to:
    - receive an input in response to the alert; and
      
      based on the input, perform at least one of;
      
      present the alert to a supervisor, mark the alert as dismissed and update the weights for a future alert, or mark the alert as dismissed without updating the weights for a future alert.
  - 15. The computing system of claim 1, wherein the one or more processors are configured to execute the program instructions to further cause the one or more processors to:
    - receive information related to a prior alert related to the entity;
      
      determine whether a prior activity related to the prior alert is similar to a suspicious activity;
      
      determine whether the prior activity has been determined to not be malicious; and
      
      if the prior activity has been determined not to be malicious, modify the set of weights so as to reduce one or more weights in the set of weights that correspond to the suspicious activity that is similar the prior activity.

16. A method of generating an alert related to malicious activity on an audited computer system, the method comprising:
- receiving entity activity information associated with an activity of an entity performed on an audited computing system, wherein the entity activity information comprises a plurality of indicators of potentially malicious activity;
  
  accessing contextual information associated with the entity;
  
  selecting, based at least in part on the contextual information associated with the entity, a set of weights, from a plurality of sets of weights, to apply to the plurality of indicators of potentially malicious activity;
  
  combining the set of weights and the plurality of indicators to generate a risk score, wherein the risk score indicates a probability that the entity activity information is indicative of malicious activity of the entity on the audited computing system; and
  
  in response to the risk score satisfying a threshold value, generating an alert.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The method of claim 16, further comprising:
    - in response to receiving an input associated with the alert, update the set of weights, wherein the contextual information comprises organizational roles, and wherein the plurality of sets of weights are associated with different organizational roles.
  - 18. The method of claim 16, further comprising:
    - in response to the risk score not satisfying the threshold value, randomly determining whether or not to generate the alert for presentation to a user.
  - 19. The method of claim 16, further comprising:
    - generating user interface data configured to be rendered as a user interface including at least;
      
      an indication of the alert,a historic comparison comprising information about one or more similar prior alerts, anda graphical representation of the activity of the entity.
  - 20. The method of claim 19, further comprising:
    - providing a first view of the user interface presenting a plurality of alerts, wherein the first view comprises, for each alert in the plurality of alerts, a first graphical representation of the activity of the entity related to the alert;
      
      receiving a selection of a selected alert from the plurality of alerts; and
      
      providing a second view of the user interface including additional information related to the selected alert, wherein the second view of the user interface includes a second graphical representation of the activity of the entity related to the selected alert,wherein the second graphical representation represents similar data as the first graphical representation and the second graphical representation is larger in size than the first graphical representation.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Palantir Technologies Incorporated
Original Assignee
Palantir Technologies Incorporated
Inventors
Vaswani, Akash, Sinha, Asavari, Punukollu, Gautam, McLain, Kyle, Yu, Vivian
Primary Examiner(s)
To, Baotran N

Application Number

US15/796,529
Time in Patent Office

1,005 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/554   involving event detection a...

G06F 21/62   Protecting access to data v...

G06F 3/0482   Interaction with lists of s...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1433   Vulnerability analysis

Context-aware network-based malicious activity warning systems

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

340 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Context-aware network-based malicious activity warning systems

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

340 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links