METHODS, SYSTEMS, AND MEDIA FOR MASQUERADE ATTACK DETECTION BY MONITORING COMPUTER USER BEHAVIOR
First Claim
1. A method for detecting masquerade attacks, the method comprising:
- monitoring a first plurality of user actions and access of decoy information in a computing environment;
generating a user intent model for a category that includes at least one of the first plurality of user actions;
monitoring a second plurality of user actions;
comparing the second plurality of user actions with the user intent model by determining deviation from the generated user intent model;
identifying whether the second plurality of user actions is a masquerade attack based at least in part on the comparison; and
generating an alert in response to identifying that the second plurality of user actions is the masquerade attack and in response to determining that the second plurality of user actions includes accessing the decoy information in the computing environment.
1 Assignment
0 Petitions
Accused Products
Abstract
Methods, systems, and media for masquerade attack detection by monitoring computer user behavior are provided. In accordance with some embodiments, a method for detecting masquerade attacks is provided, the method comprising: monitoring a first plurality of user actions and access of decoy information in a computing environment; generating a user intent model for a category that includes at least one of the first plurality of user actions; monitoring a second plurality of user actions; comparing the second plurality of user actions with the user intent model by determining deviation from the generated user intent model; identifying whether the second plurality of user actions is a masquerade attack based at least in part on the comparison; and generating an alert in response to identifying that the second plurality of user actions is the masquerade attack and in response to determining that the second plurality of user actions includes accessing the decoy information in the computing environment.
307 Citations
36 Claims
-
1. A method for detecting masquerade attacks, the method comprising:
-
monitoring a first plurality of user actions and access of decoy information in a computing environment; generating a user intent model for a category that includes at least one of the first plurality of user actions; monitoring a second plurality of user actions; comparing the second plurality of user actions with the user intent model by determining deviation from the generated user intent model; identifying whether the second plurality of user actions is a masquerade attack based at least in part on the comparison; and generating an alert in response to identifying that the second plurality of user actions is the masquerade attack and in response to determining that the second plurality of user actions includes accessing the decoy information in the computing environment. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
-
-
13. A system for detecting masquerade attacks, the system comprising:
-
a processor that; monitors a first plurality of user actions and access of decoy information in a computing environment; generates a user intent model for a category that includes at least one of the first plurality of user actions; monitors a second plurality of user actions; compares the second plurality of user actions with the user intent model by determining deviation from the generated user intent model; identifies whether the second plurality of user actions is a masquerade attack based at least in part on the comparison; and generates an alert in response to identifying that the second plurality of user actions is the masquerade attack and in response to determining that the second plurality of user actions includes accessing the decoy information in the computing environment. - View Dependent Claims (14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24)
-
-
25. A non-transitory computer-readable medium containing computer-executable instructions that, when executed by a processor, cause the processor to perform a method for detecting masquerade attacks, the method comprising:
-
monitoring a first plurality of user actions and access of decoy information in a computing environment; generating a user intent model for a category that includes at least one of the first plurality of user actions; monitoring a second plurality of user actions; comparing the second plurality of user actions with the user intent model by determining deviation from the generated user intent model; identifying whether the second plurality of user actions is a masquerade attack based at least in part on the comparison; and generating an alert in response to identifying that the second plurality of user actions is the masquerade attack and in response to determining that the second plurality of user actions includes accessing the decoy information in the computing environment. - View Dependent Claims (26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36)
-
Specification