SYSTEMS AND METHODS FOR EVALUATION OF EVENTS BASED ON A REFERENCE BASELINE ACCORDING TO TEMPORAL POSITION IN A SEQUENCE OF EVENTS

US 20140165140A1
Filed: 10/20/2011
Published: 06/12/2014
Est. Priority Date: 09/09/2011
Status: Active Grant

First Claim

Patent Images

1. A method for evaluation of events, the method comprising:

generating, by a computing device, a user-specific reference baseline comprising a set of temporally-ordered sequences of events;

receiving an event of a sequence of events in a current session;

determining whether the event at least partially matches the reference baseline using an attribute of the event and based on a temporal position of the event within the sequence of events in the current session; and

analyzing a condition of a rule based on the determination of whether the event least partially matches the reference baseline.

View all claims

12 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods for evaluation of events are provided. A user-specific reference baseline comprising a set of temporally-ordered sequences of events. An event of a sequence of events in a current session is received. A determination is made as to whether the event at least partially matches the reference baseline using an attribute of the event and a temporal position of the event within the sequence of events in the current session.

60 Citations

View as Search Results

15 Claims

1. A method for evaluation of events, the method comprising:
- generating, by a computing device, a user-specific reference baseline comprising a set of temporally-ordered sequences of events;
  
  receiving an event of a sequence of events in a current session;
  
  determining whether the event at least partially matches the reference baseline using an attribute of the event and based on a temporal position of the event within the sequence of events in the current session; and
  
  analyzing a condition of a rule based on the determination of whether the event least partially matches the reference baseline.
- View Dependent Claims (2, 3, 4, 7, 8)
- - 2. The method of claim 1, wherein the reference baseline further comprises timing data associated with each sequence in the set of temporally-ordered sequences of events, wherein each sequence in the set is a distinctive pattern of historical events associated with the user.
  - 3. The method of claim 1, wherein determining whether the event least partially matches the reference baseline comprises:
    - identifying the user-specific reference baseline among plurality of reference baselines based on a user identifier associated with the received event;
      
      selecting an event in a sequence of the reference baseline having the temporal position as the temporal position of the received event;
      
      comparing the attribute of the received event to a same attribute of the event in the reference baseline, wherein the attribute of the received event is an event type.
  - 4. The method of claim 3, wherein determining whether the event at least partially matches the reference baseline further comprises determining whether the attribute of the received event is within a deviation threshold specified in the condition of the rule.
  - 7. The method of claim 1, wherein determining whether the received event at least partially matches the reference baseline comprises:
    - tracking a time gap between a time of occurrence of the received event and a time of occurrence of a previously received event of the sequence of events in the current session;
      
      comparing the time gap to timing data of the reference baseline.
  - 8. The method of claim 1, wherein each sequence in the set of temporally-ordered sequences of events is associated with timing data, and wherein the timing data includes statistics generated using a time of occurrence of events in a raw baseline.

5. The method of claim, wherein at least one sequence in the set of temporally-ordered sequences of events is flagged as being either normal user behavior or anomalous user behavior.
- View Dependent Claims (6)
- - 6. The method of claim 5, wherein analyzing the condition of the rule comprises:
    - determining the rule condition is “
      
      false”
      
      if the event matches the at least one sequence which is flagged as normal user behavior; and
      
      determining the rule condition is “
      
      true”
      
      if the event matches the at least one sequence which is flagged as anomalous user behavior.

9. A system for evaluation of events, the system comprising:
- a processor; and
  
  a memory coupled to the processor, the memory configured to store a data list including a plurality of user-specific reference baselines;
  
  wherein the processor is configured to;
  
  generate a first user-specific reference baseline of the plurality of user-specific reference baselines, the first user-specific reference baseline comprising a set of temporally-ordered sequences of events;
  
  receive an event of a sequence of events in a current session;
  
  determine whether the event at least partially matches the reference baseline using an attribute of the event and based on a temporal position of the event within the sequence of events in the current session;
  
  analyze a condition of a rule based on the determination of whether the event at least partially matches the reference baseline; and
  
  generate a correlation event.
- View Dependent Claims (10, 11, 12, 13)
- - 10. The system of claim 9, wherein the reference baseline further comprises timing data associated with each sequence in the set of temporally-ordered sequences of events, wherein each sequence in the set is a distinctive pattern of historical events associated with the user.
  - 11. The system of claim 9, wherein the processor is configured to determine whether the event at least partially matches the reference baseline by:
    - identifying the user-specific reference baseline among a plurality of reference baselines based on a user identifier associated with the received event;
      
      selecting an event in a sequence of the reference baseline having the same temporal position as the temporal position of the received event;
      
      comparing the attribute of the received event to a same attribute of the event in the reference baseline, wherein the attribute of the received event is an event type.
  - 12. The system of claim 11, wherein the processor is configured to determine whether the event at least partially matches the reference baseline by:
    - determining whether the attribute of the received event is within a deviation threshold specified in the condition of the rule.
  - 13. The system of claim 9, wherein at least one sequence in the set of temporally-ordered sequences of events is flagged as being either normal user behavior or anomalous user behavior

14. A non-transitory computer-readable medium storing a plurality of instructions to control a data processor to evaluate events, the plurality of instructions comprising instructions that cause the data processor to:
- generate a first user-specific reference baseline of the plurality of user-specific reference baselines, the first reference baseline comprising a set of temporally-ordered sequences of transactional events, wherein each event is a part of a financial transaction;
  
  receive a transactional event of a sequence of transactional events in a current session;
  
  determine whether the transactional event at least partially matches the reference baseline using an attribute of the transactional event and based on a temporal position of the transactional event within the sequence of transactional events in the current session;
  
  analyze a condition of a rule based on the determination of whether the transactional event at least partially matches the reference baseline; and
  
  correlate the transactional event with a security-related event.
- View Dependent Claims (15)
- - 15. The non-transitory computer-readable medium of claim 14, wherein the instructions that cause the data processor to determine whether the event at least partially matches the reference baseline comprise instructions that cause the data processor to:
    - identify the user-specific reference baseline among a plurality of reference baselines based on a user identifier associated with the received event;
      
      select an event in a sequence of the reference baseline having the same temporal position as the temporal position of the received event;
      
      compare the attribute of the received event to a same attribute of the event in the reference baseline, wherein the attribute of the received event is an event type.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Micro Focus LLC (Open Text Corporation)
Original Assignee
entIT Software LLC (Open Text Corporation)
Inventors
Singla, Anurag, Block, Robert

Granted Patent

US 9,646,155 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/1
CPC Class Codes

G06F 11/3006   where the computing system ...

G06F 11/3072   where the reporting involve...

G06F 21/55   Detecting local intrusion o...

G06F 21/552   involving long-term monitor...

G06F 21/554   involving event detection a...

G06F 2221/2107   File encryption

G06F 2221/2125   Just-in-time application of...

G06F 2221/2151   Time stamp

H04L 43/067   using time frame reporting

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

SYSTEMS AND METHODS FOR EVALUATION OF EVENTS BASED ON A REFERENCE BASELINE ACCORDING TO TEMPORAL POSITION IN A SEQUENCE OF EVENTS

First Claim

12 Assignments

0 Petitions

Accused Products

Abstract

60 Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

SYSTEMS AND METHODS FOR EVALUATION OF EVENTS BASED ON A REFERENCE BASELINE ACCORDING TO TEMPORAL POSITION IN A SEQUENCE OF EVENTS

First Claim

12 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

60 Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links