Insider threat correlation tool

US 8,800,034 B2
Filed: 11/17/2011
Issued: 08/05/2014
Est. Priority Date: 01/26/2010
Status: Active Grant

First Claim

Patent Images

1. A non-transitory computer-readable medium comprising computer-executable instructions that when executed by a processor perform a method comprising:

for each of a plurality of users, calculating a baseline activity score, comprising;

determining values of controls for electronic transmissions associated with the user over a first time period, wherein the controls comprise;

a bandwidth control relating to a quantity of bandwidth associated with the user over a first network during the first time period;

a blocked transmission control relating to blocked transmissions associated with the user over the first network during the first time period;

a non-blocked transmission control relating to non-blocked transmissions associated with the user over the first network during the first time period that violate at least one predefined criterion; and

calculating the baseline activity score based upon the values of the controls over the first time period;

for each of a plurality of users, calculating a second activity score, including;

determining values of the controls for electronic transmissions associated with a second time period; and

calculating a second activity score based upon the values of the controls over the second time period; and

for each of a plurality of users, calculating a predictive threat score, including;

comparing the baseline activity score with the second activity score,wherein both of the baseline activity score and the second activity score each include sub-scores and the comparing of the baseline activity score with the second activity score includes;

comparing a sub-score of the baseline activity score with a sub-score of the second activity score.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods for calculating threat scores for individuals within an organization or domain are provided. Aspects of the invention relate to computer-implemented methods that form a predictive threat rating for user accounts. In one implementation, a first threat score representing a first time period may be calculated. The first threat score may be compared with aspects of the same user accounts for a second time period. Weighting schemes may be applied to certain activities, controls, and/or user accounts. Further aspects relate to apparatuses configured to execute methods for ranking individual user accounts. Certain embodiments may not block transmissions that violate predefine rules, however, indications of such improper transmission may be considered when constructing a threat rating. Blocked transmissions enforced upon a user account may also be received. Certain activity, such as accessing the internet, may be monitored for the presence of a security threat and/or an ethics threat.

141 Citations

10 Claims

1. A non-transitory computer-readable medium comprising computer-executable instructions that when executed by a processor perform a method comprising:
- for each of a plurality of users, calculating a baseline activity score, comprising;
  
  determining values of controls for electronic transmissions associated with the user over a first time period, wherein the controls comprise;
  
  a bandwidth control relating to a quantity of bandwidth associated with the user over a first network during the first time period;
  
  a blocked transmission control relating to blocked transmissions associated with the user over the first network during the first time period;
  
  a non-blocked transmission control relating to non-blocked transmissions associated with the user over the first network during the first time period that violate at least one predefined criterion; and
  
  calculating the baseline activity score based upon the values of the controls over the first time period;
  
  for each of a plurality of users, calculating a second activity score, including;
  
  determining values of the controls for electronic transmissions associated with a second time period; and
  
  calculating a second activity score based upon the values of the controls over the second time period; and
  
  for each of a plurality of users, calculating a predictive threat score, including;
  
  comparing the baseline activity score with the second activity score,wherein both of the baseline activity score and the second activity score each include sub-scores and the comparing of the baseline activity score with the second activity score includes;
  
  comparing a sub-score of the baseline activity score with a sub-score of the second activity score.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The computer-readable medium of claim 1, wherein at least one sub-score of each of the baseline activity score and the second activity score is a control sub-score based upon one of the controls.
  - 3. The computer-readable medium of claim 2, wherein there are a plurality of sub-scores and each of the sub-scores are control sub-scores.
  - 4. The computer-readable medium of claim 2, wherein the computer readable medium further comprises instructions that when executed by a processor perform:
    - comparing a control sub-score of the baseline activity score against the same control sub-score of the second activity score to determine if a threshold variance exists; and
      
      weighting the sub-score upon determining that the threshold various exists.
  - 5. The computer-readable medium of claim 2, wherein the computer readable medium further comprises instructions that when executed by a processor perform:
    - weighting at least one sub-score of a first user upon determining that the user is in the group consisting of;
      
      granted access rights to a specific collection of data, exempt from having at least one software application, the at least one software application is absent;
      
      access rights to at least one service that has been deactivated, and combinations thereof.

6. A non-transitory computer-readable medium comprising computer-executable instructions that when executed by a processor perform a method comprising:
- for each of a plurality of users, calculating a baseline activity score, comprising;
  
  determining values of controls for electronic transmissions associated with the user over a first time period, wherein the controls comprise;
  
  a bandwidth control relating to a quantity of bandwidth associated with the user over a first network during the first time period;
  
  a blocked transmission control relating to blocked transmissions associated with the user over the first network during the first time period;
  
  a non-blocked transmission control relating to non-blocked transmissions associated with the user over the first network during the first time period that violate at least one predefined criterion; and
  
  calculating the baseline activity score based upon the values of the controls over the first time period;
  
  for each of a plurality of users, calculating a second activity score, including;
  
  determining values of the controls for electronic transmissions associated with a second time period; and
  
  calculating a second activity score based upon the values of the controls over the second time period; and
  
  for each of a plurality of users, calculating a predictive threat score, including;
  
  comparing the baseline activity score with the second activity score;
  
  categorizing at least one transmission associated with a first user into a category of a plurality of categories comprising;
  
  a security threat, an ethics threat, and combinations thereof; and
  
  weighting transmissions categorized in the security threat category according to a first weight.
- View Dependent Claims (7, 8, 9, 10)
- - 7. The computer-readable medium of claim 6, wherein the computer readable medium further comprises instructions that when executed by a processor perform:
    - weighting transmissions categorized in the security threat category according to a second weight.
  - 8. The computer-readable medium of claim 6, wherein each time period consists of a plurality of discrete time frames;
    - andwherein the computer readable medium further comprises instructions that when executed by a processor perform;
      
      applying a first activity weight to at least one activity if the at least one activity occurred during a first time frame of the respective time period.
  - 9. The computer-readable medium of claim 8, wherein the computer readable medium further comprises instructions that when executed by a processor perform:
    - applying a second activity weight to at least one activity selected from the group consisting of;
      
      a security threat, an ethics threat, blocked communication of a targeted communication application, communication through the targeted communication application meeting the predefined criterion, an access attempt of the centralized store, an attempted illegal storage attempt, and combinations thereof.
  - 10. The computer-readable medium of claim 8, wherein the first time frame comprises a portion of time selected from a predefined quantity of time before the user is scheduled to utilize a network resource, a predefined quantity of time before or after an average time point the user is active on a network and combinations thereof.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Bank of America Corp.
Original Assignee
Bank of America Corp.
Inventors
McHugh, Brian, Ramcharran, Ronald, Langsam, Peter J., Metzger, Timothy C., Antilley, Dan P., Deats, Jonathan W.
Primary Examiner(s)
LEMMA, SAMSON B

Application Number

US13/298,594
Publication Number

US 20120066763A1
Time in Patent Office

992 Days
Field of Search

726/22, 726/23, 726/24, 726/25, 726/26
US Class Current

726/22
CPC Class Codes

G06F 21/577   Assessing vulnerabilities a...

G06F 2221/2101   Auditing as a secondary aspect

G06F 2221/2115   Third party

G06F 2221/2117   User registration

G06F 2221/2151   Time stamp

G06F 2221/2153   Using hardware token as a s...

H04L 63/14   for detecting or protecting...

H04L 63/20   for managing network securi...

Insider threat correlation tool

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

141 Citations

10 Claims

Specification

Solutions

Use Cases

Quick Links

Insider threat correlation tool

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

141 Citations

10 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links