Insider threat correlation tool

US 8,799,462 B2
Filed: 01/08/2013
Issued: 08/05/2014
Est. Priority Date: 01/26/2010
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method comprising:

calculating, by a computing device having a processor, a threat score for a plurality of user accounts having access to a first network and at least a portion of the user accounts having access to a second network that comprises a centralized store of electronic data, comprising, for each user account determining, by the computing device, an overall threat score (f_overall), where

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods for calculating threat scores for individuals within an organization or domain are provided. Aspects of the invention relate to computer-implemented methods that form a predictive threat rating for user accounts. In one implementation, a first threat score representing a first time period may be calculated. The first threat score may be compared with aspects of the same user accounts for a second time period. Weighting schemes may be applied to certain activities, controls, and/or user accounts. Further aspects relate to apparatuses configured to execute methods for ranking individual user accounts. Certain embodiments may not block transmissions that violate predefine rules, however, indications of such improper transmission may be considered when constructing a threat rating. Blocked transmissions enforced upon a user account may also be received. Certain activity, such as accessing the internet, may be monitored for the presence of a security threat and/or an ethics threat.

109 Citations

18 Claims

1. A computer-implemented method comprising:
- calculating, by a computing device having a processor, a threat score for a plurality of user accounts having access to a first network and at least a portion of the user accounts having access to a second network that comprises a centralized store of electronic data, comprising, for each user account determining, by the computing device, an overall threat score (f_overall), where
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, wherein spike_xis assigned, by the computing device, the first integer when the first threshold level of spike_xis about 40% greater than the average of the same user account during the second time period.
  - 3. The method of claim 1, wherein the aboveavg_xis assigned, by the computing device, the first integer when the first threshold level of aboveavg_xis above about 30% greater than the activity of the plurality of user accounts for the same time period.
  - 4. The method of claim 1, wherein the offhours_xis assigned, by the computing device, the first integer when the activity level is detected about 6 hours before or after the average start or end time for that user account.
  - 5. The method of claim 1, wherein activities of the plurality of activities are selected from the group consisting of:
    - a security threat, an ethics threat, blocked transmission through the targeted communication application, transmission through the targeted communication application meeting the predefined criterion, attempted access of the centralized store, an attempted illegal storage attempt, and combinations thereof.
  - 6. The method of claim 1, wherein f_personis calculated, by the computing device, according to:

7. One or more non-transitory computer-readable media comprising computer-executable instructions that, when executed by a processor, cause the processor to:
- calculate a threat score for a plurality of user accounts having access to a first network and at least a portion of the user accounts having access to a second network that comprises a centralized store of electronic data, comprising, for each user account determining an overall threat score (f_overall), where
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The one or more non-transitory computer-readable media of claim 7, further including instructions that, when executed, cause the processor to assign spike_xthe first integer when the first threshold level of spike_xis about 40% greater than the average of the same user account during the second time period.
  - 9. The one or more non-transitory computer-readable media of claim 7, further including instructions that, when executed, cause the processor to assign aboveavg_xthe first integer when the first threshold level of aboveavg_xis above about 30% greater than the activity of the plurality of user accounts for the same time period.
  - 10. The one or more non-transitory computer-readable media of claim 7, further including instructions that, when executed, cause the processor to assign offhours_xthe first integer when the activity level is detected about 6 hours before or after the average start or end time for that user account.
  - 11. The one or more non-transitory computer-readable media of claim 7, wherein activities of the plurality of activities are selected from the group consisting of:
    - a security threat, an ethics threat, blocked transmission through the targeted communication application, transmission through the targeted communication application meeting the predefined criterion, attempted access of the centralized store, an attempted illegal storage attempt, and combinations thereof.
  - 12. The one or more non-transitory computer-readable media of claim 7, further including instructions that, when executed, cause f_personto be calculated according to:

13. An apparatus, comprising:
- a processor;
  
  memory storing computer-readable instructions that, when executed, cause the apparatus to;
  
  calculate a threat score for a plurality of user accounts having access to a first network and at least a portion of the user accounts having access to a second network that comprises a centralized store of electronic data, comprising, for each user account determining an overall threat score (f_overall), where
- View Dependent Claims (14, 15, 16, 17, 18)
- - 14. The apparatus of claim 13, further including instructions that, when executed, cause the apparatus to assign spike_xthe first integer when the first threshold level of spike_xis about 40% greater than the average of the same user account during the second time period.
  - 15. The apparatus of claim 13, further including instructions that, when executed, cause the apparatus to assign aboveavg_xthe first integer when the first threshold level of aboveavg_xis above about 30% greater than the activity of the plurality of user accounts for the same time period.
  - 16. The apparatus of claim 13, further including instructions that, when executed, cause the apparatus to assign offhours_xthe first integer when the activity level is detected about 6 hours before or after the average start or end time for that user account.
  - 17. The apparatus of claim 13, wherein activities of the plurality of activities are selected from the group consisting of:
    - a security threat, an ethics threat, blocked transmission through the targeted communication application, transmission through the targeted communication application meeting the predefined criterion, attempted access of the centralized store, an attempted illegal storage attempt, and combinations thereof.
  - 18. The apparatus of claim 13, further including instructions that, when executed, cause f_personto be calculated according to:

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Bank of America Corp.
Original Assignee
Bank of America Corp.
Inventors
McHugh, Brian, Ramcharran, Ronald, Langsam, Peter J., Metzger, Timothy C., Antilley, Dan P., Deats, Jonathan W.
Primary Examiner(s)
Osman, Ramy M

Application Number

US13/736,594
Publication Number

US 20130125239A1
Time in Patent Office

574 Days
Field of Search

709/203, 709/223, 709/224, 726 22- 24
US Class Current

709/224
CPC Class Codes

G06F 21/577   Assessing vulnerabilities a...

G06F 2221/2101   Auditing as a secondary aspect

G06F 2221/2115   Third party

G06F 2221/2117   User registration

H04L 63/14   for detecting or protecting...

H04L 63/20   for managing network securi...

Insider threat correlation tool

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

109 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Insider threat correlation tool

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

109 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links