DETECTING ANOMALOUS BEHAVIOR VIA USER AUTHENTICATION GRAPHS
4 Assignments
0 Petitions
Abstract
Significant and aggregate user authentication activity may be analyzed across a population of users and computers in one or more networks to differentiate between authorized users and intruders in a network, and/or to detect inappropriate behavior by otherwise authorized users. Dynamic graphs and graph models over user and computer authentication activity, including time-constrained models, may be used to profile and analyze user behavior in computer networks. More specifically, an edge-based breadth-first search of graphs may be used that enforces time constraints while keeping the computational complexity of a traditional breadth-first search.
28 Citations
20 Claims
1. A computer-implemented method, comprising:

determining, by a computing system, a set of reachable vertices and a respective distance to each of the reachable vertices from a starting vertex within a graph, wherein the set of reachable vertices represent other computers that a computer, represented by the starting vertex, has authenticated to during a period of time on behalf of its user; and outputting the set of reachable vertices and the respective distance to each of the vertices, by the computing system, as a Person's Authentication Subgraph (PAS) for the starting vertex of the graph.

Dependent claims: 2-12.

13. A computer-implemented method, comprising:

determining, by a computing system, that a computer or its user is potentially malicious by computing statistical measures to compare one or more attributes of a Person's Authentication Subgraph (PAS) based on user authentication events for the computer with one or more attributes indicative of normal user behavior; estimating, by the computing system, a statistical model for baseline behavior of the attributes; evaluating probabilities of observed attributes, by the computing system, under the baseline models; and outputting the PAS, by the computing system, for review by a security analyst to determine whether the PAS represents a compromised computer or malicious user when the PAS exceeds a statistical threshold.

Dependent claims: 14-15.

16. A computer-implemented method, comprising:

comparing, by a computing system, a plurality of Person's Authentication Subgraphs (PASs) for a computer over a series of sliding time windows; determining, by the computing system, based on a statistical comparison of the PASs, whether a deviation between an estimated statistical model and observed PAS attributes at a given time window exceeds an expected deviation for a user; and when the expected deviation for the user has been exceeded, outputting an identification of the computer, by the computing system, for review by a security analyst to determine whether the computer has been compromised or a malicious user is using the computer.

Dependent claims: 17-20.
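The abstract describes an edge-based breadth-first search that enforces time constraints, and claims 1 and 16 describe building a PAS (reachable computers with hop distances) and comparing PAS attributes across sliding windows against a baseline. The following is an added example written for this page, not the patent's implementation and not code from the assignee; it assumes events are (timestamp, source, target) tuples meaning "source authenticated to target at timestamp", picks PAS size as the attribute to baseline, and uses a Gaussian z-score with an assumed sigma floor (min_sigma) as the "statistical measure", since the claims leave both choices open. All event data is constructed.

```python
"""Time-constrained, edge-based BFS that builds a Person's Authentication
Subgraph (PAS) and compares its size across sliding windows.

Added illustration for this page; not the patent's implementation.  All
event data below is constructed.  Each event is (timestamp, source, target):
"source authenticated to target at timestamp".
"""
from collections import defaultdict, deque
from statistics import mean, pstdev


def time_constrained_bfs(events, start, window):
    """Map each computer reachable from `start` to its hop distance, using
    only chains of authentications whose timestamps are non-decreasing
    along the chain and fall inside window=(lo, hi).

    Edge-based: every event is expanded at most once, so after the
    per-source sort the cost is O(V + E), the same as a plain BFS.  A
    computer is revisited only when a later path arrives there *earlier*
    in time; that visit expands only the edges the first visit skipped.
    """
    lo, hi = window
    adj = defaultdict(list)
    for ts, src, dst in events:
        if lo <= ts <= hi:
            adj[src].append((ts, dst))
    for src in adj:
        adj[src].sort()
    dist = {start: 0}
    best_arrival = {start: lo}  # earliest time a valid chain puts us at a computer
    # queue entry: (computer, arrival time, previous best arrival, hop depth)
    queue = deque([(start, lo, hi + 1, 0)])
    while queue:
        u, t, prev_best, depth = queue.popleft()
        for ts, v in adj.get(u, ()):
            if ts < t:
                continue  # this authentication happened before we reached u
            if ts >= prev_best:
                break     # an earlier visit of u already expanded this edge
            if v not in dist:
                dist[v] = depth + 1  # BFS order: first sighting is the minimum hop count
            if ts < best_arrival.get(v, hi + 1):
                queue.append((v, ts, best_arrival.get(v, hi + 1), depth + 1))
                best_arrival[v] = ts
    return dist


def pas_attributes(dist):
    """Two attributes a baseline can be built on: reach and chain depth."""
    return {"size": len(dist) - 1, "max_depth": max(dist.values())}


def score_sliding_windows(events, start, windows, z_threshold=3.0, min_sigma=1.0):
    """For each window, model PAS size over the preceding windows as a
    Gaussian and report (window, size, z-score, flagged).  min_sigma is an
    assumed floor so a perfectly constant baseline still yields a finite
    score; the first two windows have no baseline and get z=None."""
    sizes = [pas_attributes(time_constrained_bfs(events, start, w))["size"]
             for w in windows]
    results = []
    for i, size in enumerate(sizes):
        history = sizes[:i]
        if len(history) < 2:
            results.append((windows[i], size, None, False))
            continue
        mu, sigma = mean(history), max(pstdev(history), min_sigma)
        z = round((size - mu) / sigma, 2)
        results.append((windows[i], size, z, abs(z) > z_threshold))
    return results


# Constructed events (minutes) showing why time order matters.
EVENTS = [
    (10, "WS-A", "FS-1"), (5, "FS-1", "MAIL-1"),      # MAIL-1 edge predates arrival at FS-1
    (20, "FS-1", "DB-1"), (30, "DB-1", "BACKUP-1"),
    (40, "WS-A", "FS-2"), (15, "FS-2", "DB-1"),       # too early to follow from FS-2
    (50, "FS-2", "PRINT-1"), (60, "WS-A", "JUMP-1"),
    (70, "JUMP-1", "ADMIN-1"),                        # 2 hops, but arrives at 70
    (12, "FS-1", "LOG-1"), (14, "LOG-1", "ADMIN-1"),  # 3 hops, arrives at 14 ...
    (50, "ADMIN-1", "ARCHIVE-1"),                     # ... which makes this edge usable
]

# Constructed daily activity (hours): four quiet days, then a fan-out on day 4.
def day_window(d):
    return (24 * d, 24 * d + 23)

DAILY_EVENTS = []
for d in range(4):
    DAILY_EVENTS += [(24 * d + 9, "WS-A", "FS-1"), (24 * d + 10, "FS-1", "DB-1")]
DAILY_EVENTS += [
    (105, "WS-A", "FS-1"), (106, "FS-1", "DB-1"), (107, "WS-A", "SRV-1"),
    (108, "SRV-1", "SRV-2"), (109, "SRV-2", "SRV-3"), (110, "WS-A", "SRV-4"),
    (111, "WS-A", "SRV-5"),
]

if __name__ == "__main__":
    pas = time_constrained_bfs(EVENTS, "WS-A", (0, 100))
    print("PAS for WS-A:", pas, pas_attributes(pas))  # MAIL-1 absent; ARCHIVE-1 at depth 4
    for row in score_sliding_windows(DAILY_EVENTS, "WS-A", [day_window(d) for d in range(5)]):
        print(row)
```

The revisit rule is the part that separates this from an ordinary BFS that marks each vertex once: in the sample, ADMIN-1 is first reached in two hops at time 70, but the three-hop chain through LOG-1 reaches it at time 14, and only that earlier arrival makes the ADMIN-1 to ARCHIVE-1 authentication at time 50 part of the PAS. A vertex-once search would silently drop ARCHIVE-1, which in a detection context means missing the tail of a lateral chain. The sliding-window scorer flags day 4 because the workstation's PAS grows from two computers to seven against a flat baseline; with real data the attribute set, the baseline model and the threshold are the analyst's tuning decisions, not fixed by the claims.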