Methods, systems, and computer program products for insider threat detection are provided. Embodiments detect insiders who act on documents and/or files to which they have access but whose activity is inappropriate or uncharacteristic of them based on their identity, past activity, and/or organizational context. Embodiments work by monitoring the network to detect network activity associated with a set of network protocols; processing the detected activity to generate information-use events; generating contextual information associated with users of the network; and processing the information-use events based on the generated contextual information to generate alerts and threat scores for users of the network. Embodiments provide several information-misuse detectors that are used to examine generated information-use events in view of collected contextual information to detect volumetric anomalies, suspicious and/or evasive behavior. Embodiments provide a user threat ranking system and a user interface to examine user threat scores and analyze user activity.
Representative claims
1. A method for insider threat detection in a network, comprising: collecting network packets associated with a set of network protocols, wherein the network packets are transmitted over the network; processing the collected network packets to generate information-use events for a user of the network, wherein the information-use events provide information regarding information-use activities performed by said user; generating contextual information, wherein said contextual information includes at least one of: user directory information of said user, past information-use activity of said user, and meta-data associated with information residing on the network; processing the information-use events in view of the generated contextual information to generate an alert for said user when the information-use activities performed by said user substantially matches one or more types of targeted behaviors, wherein processing the information-use events further comprises: generating a probability distribution function that provides a probability that the user performs a particular information-use activity of said information-use activities a number of times over a predetermined time period; determining, using said probability distribution function, a current probability based on the information-use activities performed by the user; and generating said alert for the user when the current probability is lower than a pre-determined threshold; and processing the generated alert using a Bayesian network system to determine a threat score of said user.
2. The method of claim 1, wherein processing the collected network packets comprises: applying protocol decoders to the collected network packets; and attributing the generated information-use events to said user.
3. The method of claim 1, wherein generating contextual information comprises: generating contextual information associated with at least one of: a group of users of the network and all users of the network.
4. The method of claim 1, wherein generating contextual information comprises: retrieving information associated with users of the network; and collecting information related to at least one of: past network activity and current network activity of the users of the network.
5. The method of claim 1, wherein the meta-data is associated with documents residing on the network.
6. The method of claim 1, wherein said step of generating contextual information comprises: generating contextual information associated with an organization employing the network, wherein said contextual information includes information associated with organization-specific properties, rules, and policies.
7. The method of claim 1, wherein said step of generating contextual information is performed periodically.
8. The method of claim 1, wherein said step of processing the information-use events comprises: processing the information-use events to determine at least one of volumetric anomalies, suspicious and evasive behavior.
9. The method of claim 1, further comprising: further examining the information-use activities performed by said user when the threat score associated with said user is above a pre-determined threshold.
10. The method of claim 1, wherein said step of processing the information-use events comprises: receiving a time period; and providing the information-use events associated with said user during said time period and appropriate context to a set of detectors, wherein each of said detectors is configured to detect a respective type of anomalous behavior.
11. A system for insider threat detection in a network, comprising: a plurality of network sensors embedded within the network configured to collect network packets associated with a set of protocols, wherein the network packets are transmitted over the network; a plurality of context sensors configured to generate contextual information, wherein said contextual information includes at least one of: user directory information of a user of the network, past information-use activity of said user, and meta-data associated with information residing on the network; a plurality of protocol decoders configured to process the collected network packets to generate information-use events for said user, wherein the information-use events provide information regarding information-use activities performed by said user; a database configured to maintain an analysis data set, wherein said analysis data set includes said information-use events and contextual information; a plurality of detectors configured to process the information-use events in view of the generated contextual information to generate an alert when the information-use activities performed by said user substantially matches one or more types of targeted behaviors, wherein at least one of the plurality of detectors is further configured to: generate a probability distribution function that provides a first probability that the user performs a particular information-use activity of said information-use activities a number of times over a predetermined time period; determine, using said probability distribution function, a current probability based on the information-use activities performed by the user; and generate said alert for the user when the current probability is lower than a pre-determined threshold; and a Bayesian network module configured to receive the generated alert and to generate a threat score of said user of the network based on the generated alert.
12. The system of claim 11, further comprising: a user interface configured to control said network sensors, context sensors, protocol decoders, database, detectors, and Bayesian network module.
13. The system of claim 11, further comprising: a user interface configured to present events, context, alerts, threat scores, and analysis results in textual, numeric, and graphical forms.
14. The system of claim 11, wherein said network sensors are located between clients and servers of the network.
15. The system of claim 11, wherein each of said plurality of detectors is configured to detect a respective targeted behavior.
16. The system of claim 11, wherein said detectors are configured to detect at least one of volumetric anomalies, suspicious and evasive behavior in the information-use activities performed by said user.
17. The system of claim 11, wherein one or more of said detectors are developed based on a priori knowledge of at least one of: typical user behavior in the network, consultation with insider threat experts, and public information about past cases of malicious insiders.
18. The system of claim 11, wherein at least one of said detectors is a rule-based detector that is configured to determine whether a respective behavior occurs in the network.
19. The system of claim 11, wherein at least one of said detectors is a statistics-based detector that is configured to determine whether an observed behavior is anomalous based on a statistical distribution function associated with the behavior.
20. The system of claim 11, wherein the Bayesian network module is further configured to generate a second probability that said user is a malicious insider given the generated alerts associated with the user.
21. A computer program product comprising a computer useable hardware medium having computer program logic recorded thereon, the computer logic when executed by a processor enabling insider threat detection in a network according to a method, the method comprising: collecting network packets associated with a set of network protocols, wherein the network packets are transmitted over the network; processing the collected network packets to generate information-use events for a user of the network, wherein the information-use events provide information regarding information-use activities performed by said user; generating contextual information, wherein said contextual information includes at least one of: user directory information of said user, past information-use activity of said user, and meta-data associated with information residing on the network; processing the information-use events in view of the generated contextual information to generate an alert for said user when the information-use activities performed by said user substantially matches one or more types of targeted behaviors, wherein processing the information-use events further comprises: generating a probability distribution function that provides a probability that the user performs a particular information-use activity of said information-use activities a number of times over a predetermined time period; determining, using said probability distribution function, a current probability based on the information-use activities performed by the user; and generating said alert for the user when the current probability is lower than a pre-determined threshold; and processing the generated alert using a Bayesian network system to determine a threat score of said user.
22. The computer program product of claim 21, wherein the method further comprises: applying protocol decoders to the collected network packets; and attributing the generated information-use events to their associated users.
23. The computer program product of claim 21, wherein the method further comprises: generating contextual information associated with at least one of: a group of users of the network and all users of the network.
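As an added illustration, not code from the patent itself, the following Python sketch shows the statistics-based detector of claims 1 and 19 (a per-user distribution over "number of times per period", alert when the current probability is below a threshold) feeding a naive-Bayes stand-in for the Bayesian network module of claims 11 and 20. The daily counts, detector names and likelihoods are constructed assumptions.

```python
import math

# Constructed sample (not from the patent): per-day counts of one
# information-use activity (e.g. file fetches decoded from file-share traffic)
# derived from a single user's information-use events over 14 past days.
PAST_DAILY_COUNTS = [3, 5, 4, 6, 2, 5, 4, 3, 5, 4, 6, 3, 4, 2]

# Assumed (hypothetical) detector likelihoods for the naive-Bayes network:
# detector name -> (P(alert | malicious insider), P(alert | benign user)).
DETECTOR_LIKELIHOODS = {
    "volumetric": (0.70, 0.02),
    "after_hours": (0.50, 0.10),
}


def fit_poisson(counts):
    """Probability distribution function of claim 1: a Poisson model of how
    many times the activity occurs per period, with the rate estimated from
    the user's own past information-use activity. Returns (rate, pmf)."""
    lam = sum(counts) / len(counts)
    return lam, (lambda k: math.exp(-lam) * lam ** k / math.factorial(k))


def current_probability(pmf, count):
    """P(X >= count): how likely this user is to perform the activity at
    least `count` times in one period. A rare, high count gives a small value,
    which is what makes a volumetric anomaly stand out."""
    return 1.0 - sum(pmf(k) for k in range(count))


def volumetric_detector(past_counts, current_count, threshold=0.01):
    """Statistics-based detector: alert when the current probability falls
    below the pre-determined threshold. Returns (probability, alert_fired)."""
    _, pmf = fit_poisson(past_counts)
    p = current_probability(pmf, current_count)
    return p, p < threshold


def threat_score(alerts, prior=0.02):
    """Naive-Bayes stand-in for the Bayesian network module: posterior
    probability that the user is a malicious insider given which detector
    alerts did and did not fire (an absent alert is evidence too)."""
    odds = prior / (1.0 - prior)
    for name, (p_mal, p_ben) in DETECTOR_LIKELIHOODS.items():
        fired = alerts.get(name, False)
        odds *= (p_mal / p_ben) if fired else ((1.0 - p_mal) / (1.0 - p_ben))
    return odds / (1.0 + odds)


if __name__ == "__main__":
    p, fired = volumetric_detector(PAST_DAILY_COUNTS, 12)
    print(f"P(X >= 12) = {p:.2e}, alert={fired}")
    print("threat score:", round(threat_score({"volumetric": fired, "after_hours": True}), 4))
```

A real deployment would fit the distribution per activity type and per context (role, group, time of day) as claims 3, 6 and 10 describe, rather than from a single global history.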
Patents cited in this patent (1)
Porras, Phillip Andrew; Fong, Martin Wayne, Network-based alert management.
Thomson, Allan; Coleman, Christopher D., Apparatuses, methods and systems for a cyber threat confidence rating visualization and editing user interface.
Tumanov, Ilya; Perantatos, George; Wana, John Surapunt; Meyers, Brian R., Presentation of information describing user activities with regard to resources.
Thomas, Roshan K.; Hatfield, Mary C.; Lozano, Ivan; Overly, Edward; Korb, Joel G.; Vu, Jimmy, System and method for modeling and analyzing the impact of cyber-security events on cyber-physical systems.