Insider threat detection utilizing user group data object access analysis
US10771496B2 · kind B2 · utility
Assignee
Inventors
Key dates
| Filing date | Aug 10, 2017 |
| Grant date | Sep 8, 2020 |
| Priority date | — |
| Expiry date | May 6, 2038 |
Classification
- Technology area (CPC H)Electricity
- CPC primaryH04L67/02
- WIPO fieldDigital communication
- WIPO sectorElectrical engineering
Abstract
Techniques for detecting suspicious file access requests indicative of potential insider threats are described. A suspicious access detection module (SADM) determines, based on access data describing a access requests issued on behalf of multiple users, groups of the users having similar patterns of accesses to folders, a set of the folders accessed by each of the user groups, and ones of the user groups that are to be considered nearby others of the user groups based on having a threshold amount of folder access similarities. The SADM causes an alert to be generated responsive to a determination that a subsequent access request is suspicious because it accesses a file of a folder that is not within the set of accessed folders of the issuing user's user group, and because the folder is not within the sets of accessed folders of any nearby user groups.
Source: USPTO / EPO open patent data. Objective bibliographic and citation counts.