INSIDER THREAT CORRELATION TOOL

US 20110184877A1
Filed: 01/26/2010
Published: 07/28/2011
Est. Priority Date: 01/26/2010
Status: Active Grant

First Claim

Patent Images

1. A computer-readable medium comprising computer-executable instructions that when executed by a processor perform a method comprising:

transmitting electronic signals configured to display a ranking of plurality of user accounts that represent a threat to an organization, wherein the ranking is determined by monitoring values of at least four controls for each of the plurality of user accounts over a first time period, wherein the controls are selected from the group consisting of;

a quantity of bandwidth utilized by a user account over a first network;

blocked transmissions by a user account over the first network;

blocked communication through a targeted communication application;

non-blocked communication through the targeted communication application that violates at least one predefined criterion;

an association of at least one security application with the user account, wherein if a at least one software application is associated with the user account, then;

monitoring illegal storage attempts; and

recording a filename associated with illegal storage attempts; and

determining if communications through the first network are transmitted or received through an unauthorized protocol;

comparing the values of the at least four controls over the first time period with values of the at least four controls over a second time period; and

transmitting electronic signals configured to display a ranking of plurality of user accounts.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods for calculating threat scores for individuals within an organization or domain are provided. Aspects of the invention relate to computer-implemented methods that form a predictive threat rating for user accounts. In one implementation, a first threat score representing a first time period may be calculated. The first threat score may be compared with aspects of the same user accounts for a second time period. Weighting schemes may be applied to certain activities, controls, and/or user accounts. Further aspects relate to apparatuses configured to execute methods for ranking individual user accounts. Certain embodiments may not block transmissions that violate predefine rules, however, indications of such improper transmission may be considered when constructing a threat rating. Blocked transmissions enforced upon a user account may also be received. Certain activity, such as accessing the internet, may be monitored for the presence of a security threat and/or an ethics threat.

139 Citations

21 Claims

1. A computer-readable medium comprising computer-executable instructions that when executed by a processor perform a method comprising:
- transmitting electronic signals configured to display a ranking of plurality of user accounts that represent a threat to an organization, wherein the ranking is determined by monitoring values of at least four controls for each of the plurality of user accounts over a first time period, wherein the controls are selected from the group consisting of;
  
  a quantity of bandwidth utilized by a user account over a first network;
  
  blocked transmissions by a user account over the first network;
  
  blocked communication through a targeted communication application;
  
  non-blocked communication through the targeted communication application that violates at least one predefined criterion;
  
  an association of at least one security application with the user account, wherein if a at least one software application is associated with the user account, then;
  
  monitoring illegal storage attempts; and
  
  recording a filename associated with illegal storage attempts; and
  
  determining if communications through the first network are transmitted or received through an unauthorized protocol;
  
  comparing the values of the at least four controls over the first time period with values of the at least four controls over a second time period; and
  
  transmitting electronic signals configured to display a ranking of plurality of user accounts.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. The computer-readable medium of claim 1, wherein the blocked transmissions by the user account over the first network are classified into a category selected from the group consisting of:
    - a security threat, an ethics threat, and combinations thereof.
  - 3. The computer-readable medium of claim 2, the computer-executable instructions further comprising:
    - receiving a user input selecting a graphical representation of the blocked communication through the first network; and
      
      displaying whether the blocked communication was a security threat, an ethics threat or combinations thereof.
  - 4. The computer-readable medium of claim 1, wherein an account weight has been applied to at least one user account displayed, wherein the account weight is assigned to the at least one user account, if the user account is within a category selected from the group consisting of:
    - granted access rights to a specific collection of data, exempt from having the at least one security application, the at least one security application is absent;
      
      access rights to at least one service has been deactivated, and combinations thereof.
  - 5. The computer-readable medium of claim 4, wherein the at least one user account are weighted according to the values set forth in Table 2.
  - 6. The computer-readable medium of claim 4, the instruction further comprising:
    - receiving a user input providing a new account weight to be applied to at least one of the plurality of user accounts; and
      
      re-ranking a plurality of accounts using the new account weight.
  - 7. The computer-readable medium of claim 2, the instruction further comprising:
    - receiving a user input requesting the re-ranking of the plurality of user accounts based upon one of the controls.
  - 8. The computer-readable medium of claim 4, the instructions further comprising:
    - receiving a user input selecting a user account from the plurality of user accounts; and
      
      displaying the user accounts ranking for a plurality of controls selected from the group consisting of;
      
      the quantity of bandwidth utilized by the user account over the first network, denied access attempts by the user account over the first network, blocked communications through the targeted communication application, non-blocked communications through the targeted communication application that violates at least one predefined criterion, the presence of at least one security application with the user account, communications through the first network is transmitted or received through an unauthorized protocol, and combinations thereof.
  - 9. The computer-readable medium of claim 1, wherein the first time period is less than about 3 days and the second time period is more than about 40 days.
  - 10. The computer-readable medium of claim 1, wherein a control weight has been applied to at least one control utilized in determining the threat rating, wherein the weight is assigned to the at least one user account if the user account is within a group selected from the groups consisting of:
    - a security threat, an ethics threat, blocked communication through the targeted communication application, communication through the targeted communication application meeting the predefined criterion, accessing the centralized store, an attempted illegal storage attempt, and combinations thereof.
  - 11. The computer-readable medium of claim 10, the instruction further comprising:
    - receiving a user input providing a new control weight to be applied to at least one of the plurality of controls; and
      
      re-ranking a plurality of accounts using the new control weight.
  - 12. The method of claim 10, further comprising:
    - determining that an activity of one of the controls occurred during a first time frame during either the first time period or the second time period; and
      
      applying a second weight to the activity that occurred during the time frame.
  - 13. The method of claim 10, further comprising:
    - further weighting a control if incidence of activity for that control is above a predetermined threshold.
  - 14. The method of claim 13, wherein the predetermined threshold is based upon, the user account'"'"'s average activity, average activity of other user accounts, or combinations thereof.
  - 15. The method of claim 10, wherein the activities that occurred during the first time period are weighted differently than the activities that occurred during the second time period.
  - 16. The method of claim 15, wherein the activities that occurred during the first time period and the second time period are weighted according to the values set forth in Table 2.

17. An apparatus comprising:
- a communications module configured to receive data from a plurality of applications, the data relating to values of at least four controls for each of the plurality of user accounts over a first time period, wherein the controls are selected from the group consisting of;
  
  a quantity of bandwidth utilized by a user account over a first network;
  
  blocked transmissions by a user account over the first network;
  
  blocked communication through a targeted communication application;
  
  non-blocked communication through the targeted communication application that violates at least one predefined criterion;
  
  determining if any communications through the first network is transmitted or received through an unauthorized protocol;
  
  an application detection module configured to determine an association of at least one security application with each of the user accounts; and
  
  a processor configured to calculate a predictive threat score for a plurality of user accounts that compares the values of the at least four controls over the first time period with values of the at least four controls over a second time period; and
- View Dependent Claims (18, 19, 20, 21)
- - 18. The apparatus of claim 17, wherein the processor is further configured to determine that an activity of one of the controls occurred during a first time frame during either the first time period or the second time period;
    - andapplying a second weight to the activity that occurred during the time frame.
  - 19. The apparatus of claim 17, further comprising:
    - further weighting a control if incidence of activity for that control is above a predetermined threshold.
  - 20. The apparatus of claim 19, wherein the predetermined threshold is based upon, the user account'"'"'s average activity, average activity of other user accounts, or combinations thereof.
  - 21. The apparatus of claim 17, wherein the activities that occurred during the first time period are weighted differently than the activities that occurred during the second time period.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Bank of America Corp.
Original Assignee
Bank of America Corp.
Inventors
McHugh, Brian, Metzger, Timothy C., Ramcharran, Ronald, Langsam, Peter J.

Granted Patent

US 9,038,187 B2
Time in Patent Office

Days
Field of Search
US Class Current

705/318
CPC Class Codes

G06F 21/50   Monitoring users, programs ...

G06F 21/51   at application loading time...

G06Q 10/10   Office automation; Time man...

G06Q 30/018   Certifying business or prod...

G06Q 30/0185   Product, service or busines...

INSIDER THREAT CORRELATION TOOL

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

139 Citations

21 Claims

Specification

Use Cases

Quick Links

Others

INSIDER THREAT CORRELATION TOOL

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

139 Citations

21 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others