Detecting behavioral patterns and anomalies using information usage data

US 7,774,363 B2
Filed: 10/30/2007
Issued: 08/10/2010
Est. Priority Date: 12/29/2005
Status: Active Grant

First Claim

Patent Images

1. A method of operating a system comprising:

providing a plurality of devices;

providing an activity database, stored at a server;

storing on a first device of the plurality of devices a first set of rules;

storing on a second device of the plurality of devices a second set of rules, wherein the second set of rules is different from the first set of rules;

upon a first operation requested by a first user at the first device of the plurality of devices, evaluating at the first device a first rule of the first set of rules stored at the first device;

upon a second operation requested by a second user at the second device of the plurality of devices, evaluating at the second device a second rule of the second set of rules stored at the second device;

at the server, collecting information usage data from the first and second devices in the activity database, wherein the information usage data comprises data associated with the first operation requested by the first user at the first device that caused evaluating at the first device the first rule of the first set of rules stored at the first device and data associated with the second operation requested by the second user at the second device that caused evaluating at the second device the second rule of the second set of rules stored at the second device;

at the server, analyzing the information usage data in the activity database to detect a plurality of conditions that occurred at either the first or second devices, or both, wherein the plurality of conditions considered during the analyzing comprise;

a first condition is detected when the first device or second device, or both, has attempted to access a unit of information more than X times in a Y rolling time period;

a second condition is detected when a username has connected to the system from a first location E at a first time T1, via the first device, and the username has connected to the system from a second location F at a second time T2, via the second device, and a distance between the first location E and the second location F divided by (T2-T1) is greater than Z; and

a third condition is detected when an aggregated usage time of a program by the first user rises above a U1 amount in a V1 time period;

when one or more of the plurality of conditions is detected, generating a notification of the one or more conditions detected;

before the evaluating at the first device a first rule of the first set of rules stored at the first device, loading a policy enforcer program in a memory of the first device of the plurality of devices,wherein the first operation requested by the first user at the first device is to be performed by a first application program executing at the first device, the first application program being different from the policy enforcer program, and executing the policy enforcer program on the first device performs the evaluating at the first device a first rule of the first set of rules stored at the first device;

after the evaluating at the first device a first rule of the first set of rules stored at the first device, permitting the first operation requested by the first user to occur;

detecting when at least one of the plurality of conditions has occurred at the first device;

altering the first rule of the first set of rules stored at the first device to obtain a third rule;

upon a third operation requested by the first user at the first device, using the policy enforcer program to perform evaluating of the third rule; and

after the using the policy enforcer program to perform evaluating of the third rule, not permitting the third operation requested by the first user, wherein the first and third operations are performed by the same first application program.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Activity data is analyzed or evaluated to detect behavioral patterns and anomalies. When a particular pattern or anomaly is detected, a system may send a notification or perform a particular task. This activity data may be collected in an information management system, which may be policy based. Notification may be by way e-mail, report, pop-up message, or system message. Some tasks to perform upon detection may include implementing a policy in the information management system, disallowing a user from connecting to the system, and restricting a user from being allowed to perform certain actions. To detect a pattern, activity data may be compared to a previously defined or generated activity profile.

149 Citations

View as Search Results

20 Claims

1. A method of operating a system comprising:
- providing a plurality of devices;
  
  providing an activity database, stored at a server;
  
  storing on a first device of the plurality of devices a first set of rules;
  
  storing on a second device of the plurality of devices a second set of rules, wherein the second set of rules is different from the first set of rules;
  
  upon a first operation requested by a first user at the first device of the plurality of devices, evaluating at the first device a first rule of the first set of rules stored at the first device;
  
  upon a second operation requested by a second user at the second device of the plurality of devices, evaluating at the second device a second rule of the second set of rules stored at the second device;
  
  at the server, collecting information usage data from the first and second devices in the activity database, wherein the information usage data comprises data associated with the first operation requested by the first user at the first device that caused evaluating at the first device the first rule of the first set of rules stored at the first device and data associated with the second operation requested by the second user at the second device that caused evaluating at the second device the second rule of the second set of rules stored at the second device;
  
  at the server, analyzing the information usage data in the activity database to detect a plurality of conditions that occurred at either the first or second devices, or both, wherein the plurality of conditions considered during the analyzing comprise;
  
  a first condition is detected when the first device or second device, or both, has attempted to access a unit of information more than X times in a Y rolling time period;
  
  a second condition is detected when a username has connected to the system from a first location E at a first time T1, via the first device, and the username has connected to the system from a second location F at a second time T2, via the second device, and a distance between the first location E and the second location F divided by (T2-T1) is greater than Z; and
  
  a third condition is detected when an aggregated usage time of a program by the first user rises above a U1 amount in a V1 time period;
  
  when one or more of the plurality of conditions is detected, generating a notification of the one or more conditions detected;
  
  before the evaluating at the first device a first rule of the first set of rules stored at the first device, loading a policy enforcer program in a memory of the first device of the plurality of devices,wherein the first operation requested by the first user at the first device is to be performed by a first application program executing at the first device, the first application program being different from the policy enforcer program, and executing the policy enforcer program on the first device performs the evaluating at the first device a first rule of the first set of rules stored at the first device;
  
  after the evaluating at the first device a first rule of the first set of rules stored at the first device, permitting the first operation requested by the first user to occur;
  
  detecting when at least one of the plurality of conditions has occurred at the first device;
  
  altering the first rule of the first set of rules stored at the first device to obtain a third rule;
  
  upon a third operation requested by the first user at the first device, using the policy enforcer program to perform evaluating of the third rule; and
  
  after the using the policy enforcer program to perform evaluating of the third rule, not permitting the third operation requested by the first user, wherein the first and third operations are performed by the same first application program.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 2. The method of claim 1 wherein the detecting when at least one of the plurality of conditions has occurred at the first device occurs before permitting the first operation requested by the first user to occur.
  - 3. The method of claim 1 wherein the first operation comprises at least one of sending an e-mail message, forwarding an e-mail message, attaching a file to an e-mail message, opening a file, saving a file, deleting a file, moving a file, changing a file attribute, cutting application data to a clipboard, pasting application data from a clipboard, editing a cell in a spreadsheet, changing a formula associated with a cell in a spreadsheet, creating a macro, or editing a script.
  - 4. The method of claim 1 wherein the information usage data comprises at least one of time, duration, a resource identifier, type of resource, resource attributes, file name, file path, file attribute, e-mail sender, e-mail recipient, e-mail attachment, user, user attribute, name of application program, application program version information, type of application program host name, IP address, type of computer, computer configuration, application program command, application program function, application program event, file operation, database operation, or any other application program or operating system event.
  - 5. The method in claim 1 wherein a fourth condition is detected when the first device or second device, or both, has attempted a cut-and-paste operation more than M times in an N time period.
  - 6. The method in claim 1 wherein the data collected comprises at least one of the time at which the first rule evaluation occurs, the outcome of evaluating the first rule, the event that triggered the first rule evaluation, a rule identifier indicating the first rule was evaluated, information about a resource associated with the first rule, information about the first user related to the first rule evaluation, information about an application program associated with the first rule evaluation, or information about the first device associated with the first rule evaluation.
  - 7. The method of claim 1 wherein during the evaluating at the first device a first rule of the first set of rules stored at the first device, the first device is disconnected from the server.
  - 8. The method of claim 1 wherein the generating a notification of the one or more conditions detected comprises adding an entry to a log.
  - 9. The method of claim 1 wherein the notification is at least one of an e-mail, pop-up message on a computer screen, and SNMP message.
  - 10. The method of claim 1 further comprising:
    - when the one or more of the plurality of conditions is detected, making a notification for an application program.
  - 11. The method of claim 1 further comprising:
    - when the one or more of the plurality of conditions is detected, producing a notification for a device other than the first device or the second device.
  - 12. The method of claim 1 wherein thealtering the first rule of the first set of rules stored at the first device to obtain a third rule comprises replacing the first rule with the third rule.
  - 13. The method of claim 1 wherein a fourth condition is detected when the first user logged on the first device has attempted to access a unit of information more than J times in a K time period.
  - 14. The method of claim 1 comprising:
    - sending information usage data from the first device to the server, wherein the information usage data is stored at the first device before the sending; and
      
      sending information usage data from the second device to the server, wherein the information usage data is stored at the second device before the sending.
  - 15. The method of claim 1 wherein a fourth condition is detected when a username has accessed information of the system from a first location G at a first time T3 and the username has accessed information of the system from a second location H at second time T4, and a distance between the first location G and the second location H divided by (T4-T3) is greater than P.
  - 16. The method of claim 1 comprising:
    - collecting external event data collected outside the system; and
      
      analyzing the information usage data and the external event data to detect a fourth condition.
  - 17. The method of claim 1 wherein the devices comprise at least one of a file server, network attached storage (NAS) device, virtual file server, file gateway, e-mail server, messaging server, collaboration server, document management system (DMS), content management system, digital rights management server, Web server, portal server, application server, database server, integration server, customer relation management (CRM) system, enterprise resource (ERP) planning system, supply chain management system, any file-based or nonfile document repositories, desktop computer, laptop computer, personal digital assistant (PDA), smart phone, thin clients, an instance of client operating environment running on a terminal server, a guest operating system running on a virtual machine, a server making information resource operation request (acting as a client in the context of the request), information kiosk, or any computing device and computing environment from which an information resource operation request originates.
  - 18. The method of claim 1 wherein the collecting information usage data comprises:
    - associating an interceptor program with an application program; and
      
      using the interceptor program, while the application program is executing, gathering information about operations of the application program.
  - 19. The method of claim 1 wherein the analyzing the information usage data in the activity database further comprises generating a report.
  - 20. The method of claim 1 wherein the plurality of conditions comprises at least one of information fraud, information misuse, operational inefficiency, potential improvement in workforce productivity, potential improvement in resource utilization, or abnormal or suspicious activity pattern.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Nextlabs
Original Assignee
Nextlabs
Inventors
Lim, Keng
Primary Examiner(s)
LeRoux; Etienne P
Assistant Examiner(s)
Shmatov; Alexey

Application Number

US11/928,875
Publication Number

US 20080071728A1
Time in Patent Office

1,015 Days
Field of Search

707/999.001, 707/781
US Class Current

707/781
CPC Class Codes

G06F 11/3006   where the computing system ...

G06F 16/122   using management policies b...

G06F 16/176   Support for shared access t...

G06F 16/93   Document management systems

G06F 16/958   Organisation or management ...

G06F 21/125   by manipulating the program...

G06F 21/316   by observing the pattern of...

G06F 21/604   Tools and structures for ma...

G06F 21/6218   to a system of files or obj...

G06F 2216/03   Data mining

G06F 2221/032   Protect output to user by s...

G06F 3/0601   Interfaces specially adapte...

G06Q 10/06   Resources, workflows, human...

G06Q 10/10   Office automation; Time man...

H04L 41/0893   Assignment of logical group...

H04L 51/234   for tracking messages

H04L 63/0263   Rule management

H04L 63/0272   Virtual private networks

H04L 63/10   for controlling access to d...

H04L 63/101   Access control lists [ACL]

H04L 63/102 : Entity profiles

H04L 63/1425 : Traffic logging, e.g. anoma...

H04L 63/20 : for managing network securi...

H04L 67/303 : Terminal profiles

H04L 67/535 : Tracking the activity of th...

H04L 67/60 : Scheduling or organising th...

Y10S 707/922 : Communications

View All

Detecting behavioral patterns and anomalies using information usage data

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

149 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Detecting behavioral patterns and anomalies using information usage data

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

149 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links