Context-aware network-based malicious activity warning systems
First Claim
1. A computing system configured to generate an alert related to malicious activity on an audited computing system, the computing system comprising:
a computer readable storage medium having program instructions embodied therewith; and
one or more processors configured to execute the program instructions to cause the one or more processors to:
receive entity activity information associated with an activity of an entity performed on an audited computing system, wherein the entity activity information comprises a plurality of indicators of potentially malicious activity;
access contextual information associated with the entity;
select, based at least in part on the contextual information associated with the entity, a set of weights, from a plurality of sets of weights, to apply to the plurality of indicators of potentially malicious activity;
combine the set of weights and the plurality of indicators to generate a risk score, wherein the risk score indicates a probability that the entity activity information is indicative of malicious activity of the entity on the audited computing system; and
in response to the risk score satisfying a threshold value, generate an alert.
Abstract
A computer system is configured to generate alerts related to malicious activity on an audited computing system. The computing system is provided with instructions to receive activity information associated with activity of an entity performed in an audited computing network, access contextual information associated with the entity, determine, based on the contextual information, a set of weights associated with the activity information and combine the weight and the entity activity information to generate a risk score. In response to the risk score satisfying a threshold value, the computer system may generate an alert, and, in response to receiving a user input associated with the alert, update the set of weights. In certain embodiments, the updated weights may be used for determining the risk score of future alerts.
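As an added illustration (not code from the patent or its assignee), the following Python sketch walks through the loop the abstract and claim 1 describe: a weight set is selected from the entity's contextual information, the indicators are combined under those weights into a score in [0, 1], an alert is raised when the score satisfies the threshold, and an analyst's disposition of the alert updates the selected weight set for future scoring. The indicator names, weight values, the admin/non-admin context rule and the additive feedback rule are all constructed assumptions.

```python
from copy import deepcopy
from typing import Dict, Optional

# Constructed weight sets, one per entity context (names and values are assumptions).
WEIGHT_SETS = {
    "privileged_admin": {"off_hours_login": 0.1, "new_device": 0.1, "bulk_export": 0.6, "failed_logins": 0.2},
    "standard_user":    {"off_hours_login": 0.5, "new_device": 0.4, "bulk_export": 0.5, "failed_logins": 0.2},
}

class ContextAwareScorer:
    def __init__(self, weight_sets: Dict[str, Dict[str, float]], threshold: float, lr: float = 0.1):
        self.weight_sets = deepcopy(weight_sets)  # copied so feedback never mutates the caller's table
        self.threshold = threshold
        self.lr = lr  # step applied to a weight when an analyst confirms or dismisses an alert

    @staticmethod
    def context_key(context: dict) -> str:
        """Map the entity's contextual information to one of the weight sets (constructed rule)."""
        return "privileged_admin" if context.get("role") == "admin" else "standard_user"

    def score(self, indicators: Dict[str, float], context: dict) -> float:
        """Weighted mean of indicator values (each in [0, 1]) under the selected weights."""
        w = self.weight_sets[self.context_key(context)]
        return sum(w[n] * indicators.get(n, 0.0) for n in w) / sum(w.values())

    def evaluate(self, indicators: Dict[str, float], context: dict) -> Optional[dict]:
        """Return an alert record when the score satisfies the threshold, otherwise None."""
        s = self.score(indicators, context)
        if s < self.threshold:
            return None
        return {"entity": context["entity"], "context": self.context_key(context),
                "score": round(s, 4), "indicators": dict(indicators)}

    def feedback(self, alert: dict, confirmed_malicious: bool) -> Dict[str, float]:
        """Raise the fired indicators' weights if confirmed, lower them if dismissed; only this context changes."""
        w = self.weight_sets[alert["context"]]
        sign = 1.0 if confirmed_malicious else -1.0
        for name, value in alert["indicators"].items():
            if name in w and value > 0:
                w[name] = min(1.0, max(0.05, w[name] + sign * self.lr * value))  # keep weights bounded
        return dict(w)

def run_demo() -> dict:
    """Same activity for two entities: only the non-admin context alerts, and a dismissal suppresses the repeat."""
    scorer = ContextAwareScorer(WEIGHT_SETS, threshold=0.55)
    activity = {"off_hours_login": 1.0, "new_device": 1.0}  # constructed entity activity indicators
    admin_alert = scorer.evaluate(activity, {"entity": "svc-admin-01", "role": "admin"})
    user_alert = scorer.evaluate(activity, {"entity": "jdoe", "role": "analyst"})
    scorer.feedback(user_alert, confirmed_malicious=False)  # analyst dismisses the alert as benign
    repeat_alert = scorer.evaluate(activity, {"entity": "jdoe", "role": "analyst"})
    return {"admin_alert": admin_alert, "user_alert": user_alert, "after_feedback": repeat_alert}
```

Because the score is normalised by the sum of the selected weights, lowering one indicator's weight also shifts the relative weight of the others, so the effect of feedback should be checked against the full indicator set rather than the dismissed indicators alone.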
20 Claims
1. A computing system configured to generate an alert related to malicious activity on an audited computing system, the computing system comprising:
a computer readable storage medium having program instructions embodied therewith; and
one or more processors configured to execute the program instructions to cause the one or more processors to:
receive entity activity information associated with an activity of an entity performed on an audited computing system, wherein the entity activity information comprises a plurality of indicators of potentially malicious activity;
access contextual information associated with the entity;
select, based at least in part on the contextual information associated with the entity, a set of weights, from a plurality of sets of weights, to apply to the plurality of indicators of potentially malicious activity;
combine the set of weights and the plurality of indicators to generate a risk score, wherein the risk score indicates a probability that the entity activity information is indicative of malicious activity of the entity on the audited computing system; and
in response to the risk score satisfying a threshold value, generate an alert.
Dependent claims: 2 to 15.

16. A method of generating an alert related to malicious activity on an audited computer system, the method comprising:
receiving entity activity information associated with an activity of an entity performed on an audited computing system, wherein the entity activity information comprises a plurality of indicators of potentially malicious activity;
accessing contextual information associated with the entity;
selecting, based at least in part on the contextual information associated with the entity, a set of weights, from a plurality of sets of weights, to apply to the plurality of indicators of potentially malicious activity;
combining the set of weights and the plurality of indicators to generate a risk score, wherein the risk score indicates a probability that the entity activity information is indicative of malicious activity of the entity on the audited computing system; and
in response to the risk score satisfying a threshold value, generating an alert.
Dependent claims: 17 to 20.
Specification