Method of and system for enterprise information asset protection through insider attack specification, monitoring and mitigation
First Claim
Patent Images
1. Apparatus for protecting an enterprise data server against insider attack, comprising:
- at least one processor;
code executable on a processor for generating a display interface through which an authorized entity using a given policy specification language specifies an insider attack, wherein the given policy specification language enables the authorized entity to specify at least policy filter that is associated with a given enterprise data server type and defines (a) a given action that a trusted user may attempt to take with respect to a given enterprise information asset stored on a given enterprise data server, and (b) a given response that is to be taken upon detection of the given action;
code executable on a processor to monitor a trusted user'"'"'s given data access against a set of one or more policy filters;
code executable by a processor to analyze the trusted user'"'"'s given data access against the set of one or more policy filters;
code executable by a processor to determine whether the trusted user'"'"'s given data access is indicative of a given action as specified by a given policy filter in the set of policy filters; and
code executable by a processor if the trusted user'"'"'s given data access is indicative of a given action as specified by the given policy filter for taking the given response specified by the policy filter.
8 Assignments
0 Petitions
Accused Products
Abstract
The present invention provides a policy specification framework to enable an enterprise to specify a given insider attack using a holistic view of a given data access, as well as the means to specify and implement one or more intrusion mitigation methods in response to the detection of such an attack. The policy specification provides for the use of“anomaly” and “signature” attributes that capture sophisticated behavioral characteristics of illegitimate data access. When the attack occurs, a previously-defined administrator (or system-defined) mitigation response (e.g., verification, disconnect, de-provision, or the like) is then implemented.
135 Citations
15 Claims
-
1. Apparatus for protecting an enterprise data server against insider attack, comprising:
-
at least one processor;
code executable on a processor for generating a display interface through which an authorized entity using a given policy specification language specifies an insider attack, wherein the given policy specification language enables the authorized entity to specify at least policy filter that is associated with a given enterprise data server type and defines (a) a given action that a trusted user may attempt to take with respect to a given enterprise information asset stored on a given enterprise data server, and (b) a given response that is to be taken upon detection of the given action;
code executable on a processor to monitor a trusted user'"'"'s given data access against a set of one or more policy filters;
code executable by a processor to analyze the trusted user'"'"'s given data access against the set of one or more policy filters;
code executable by a processor to determine whether the trusted user'"'"'s given data access is indicative of a given action as specified by a given policy filter in the set of policy filters; and
code executable by a processor if the trusted user'"'"'s given data access is indicative of a given action as specified by the given policy filter for taking the given response specified by the policy filter. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
-
-
9. A method of protecting an enterprise information asset against insider attack, comprising:
-
specifying a policy filter that defines a given action that a trusted user may attempt to take with respect to a given enterprise information asset stored on a given enterprise data server;
monitoring a trusted user'"'"'s given data access with respect to the given enterprise data server;
analyzing the given data access against the policy filter;
determining whether the trusted user'"'"'s given data access is indicative of the given action as specified by the policy filter;
if the trusted user'"'"'s given data access is indicative of the given action as specified in the policy filter, taking a given action. - View Dependent Claims (10, 11, 12, 13, 14)
-
-
15. A system for protecting an enterprise information asset against insider attack, comprising:
-
at least one or more processors;
code executing on a given processor for generating a display interface through which an authorized entity using a given policy specification language specifies an insider attack;
code executing on a given processor that determines whether a trusted user'"'"'s given data access to an enterprise resource is indicative of the insider attack; and
code executing on a given processor and responsive to the insider attack for taking a given mitigation action.
-
Specification
-
- Resources
Litigation Campaign Assessment
Thank you for your request. You will receive a custom alert email when the Litigation Campaign Assessment is available.
×
-
Current AssigneeIBM Technology Corporation (International Business Machines Corporation)
-
Original AssigneeIBM International Group BV (International Business Machines Corporation)
-
InventorsMoghe, Pratyush
-
Granted Patent
-
Time in Patent OfficeDays
-
Field of Search
-
US Class Current713/182
-
CPC Class CodesG06F 21/316 by observing the pattern of...G06F 21/552 involving long-term monitor...G06F 2221/2101 Auditing as a secondary aspectG06F 2221/2115 Third partyH04L 63/1441 Countermeasures against mal...
