Within a computing environment, a user may occasionally encounter a computer issue, such as a computer security threat. In such an example, computer security software may be used to provide protection from the computer security threat. However, while computing security software may provide real-time and/or remedial protection, such software may not offer preventative functionality so as to minimize the potential for future computer issues.
It is with respect to these and other general considerations that the aspects disclosed herein have been made. Also, although relatively specific problems may be discussed, it should be understood that the examples should not be limited to solving the specific problems identified in the background or elsewhere in this disclosure.
Examples of the present disclosure describe systems and methods for contextual security training. In an example, a user may use a user device to perform a variety of actions within a computing environment. Occasionally, the user may encounter a computer issue. An issue detection processor may identify the issue, which may cause remedial and/or preventative action to be taken. In some examples, it may be determined that the user should receive contextual training based on the identified issue to improve the likelihood that the user will avoid encountering a similar issue in the future.
In another example, contextual training may be provided to a user based on whether the user has a high incidence of encountering similar issues, among other criteria. If it is determined that the criteria are satisfied, the contextual training may be mandatory. In some examples, contextual training may be adapted based on issue attributes so as to provide training tailored to the specific issue and/or issue type. As such, contextual training may be provided to a user contemporaneously with identifying an issue (e.g., intercepting a threat, encountering a misconfigured computing device, etc.) in order to provide relevant training while the user may be aware of the circumstances surrounding the issue.
This Summary is provided to introduce a selection of concepts in a simplified form that are further described below in the Detailed Description. This Summary is not intended to identify key features or essential features of the claimed subject matter, nor is it intended to be used to limit the scope of the claimed subject matter. Additional aspects, features, and/or advantages of examples will be set forth in part in the description which follows and, in part, will be apparent from the description, or may be learned by practice of the disclosure.
Non-limiting and non-exhaustive examples are described with reference to the following figures.
Various aspects of the disclosure are described more fully below with reference to the accompanying drawings, which form a part hereof, and which show specific example aspects. However, different aspects of the disclosure may be implemented in many different forms and should not be construed as limited to the aspects set forth herein; rather, these aspects are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the aspects to those skilled in the art. Aspects may be practiced as methods, systems or devices. Accordingly, aspects may take the form of a hardware implementation, an entirely software implementation or an implementation combining software and hardware aspects. The following detailed description is, therefore, not to be taken in a limiting sense.
In an example, a user may use a user device to perform a variety of computing actions within a computing environment. For example, the user device may be used to access webpages, use an email messaging service, browse local or remote files, or execute applications, among other actions. However, in some examples, the user may encounter or experience an issue. For example, the user may encounter a computer security threat, wherein the user may direct the user device to perform an action that may jeopardize the security of the user device and/or at least a part of the computing environment. In another example, the user may encounter a computing device that is misconfigured, or an application of the user's device may be outdated so as to cause incompatibilities within the computing environment. Traditionally, computing software and/or hardware may be used to identify and/or remedy computer issues as they happen or after they happen. However, unless relevant training is provided, subsequent computer issues may continue to be encountered. For example, the user may continue to engage in potentially risky behavior and, as a result, may continue to encounter computing security threats.
Accordingly, the present disclosure provides systems and methods for contextual security training. An issue detection processor may be used to identify an issue. In an example, the issue may be associated with a user action (e.g., opening an email, navigating to a phishing link, misconfiguring an application, incorrectly accessing a shared network resource, etc.) at a user device. The identified issue may be used to determine relevant contextual training for the user, which may comprise a variety of information, including, but not limited to, the type of issue, common issue causes or sources (e.g., threat vectors, application version mismatches, etc.), and techniques for identifying and/or resolving the issue. The contextual training may be presented to the user, which may improve the likelihood that the user will not encounter a similar issue in the future. In some examples, contextual training may only occasionally be presented to the user based on a variety of factors, including, but not limited to, the frequency with which the user encounters a given type of issue or the severity of the issue. Statistics relating to user behavior and issue frequency may be generated and used to provide a report, which may be used to gauge the effectiveness of the training and/or provide subsequent contextual training.
A variety of issue detection processors may be used to identify issues within a computing environment. As an example, an issue detection processor may comprise computer security software executing on a computing device, deep packet inspection performed by a networking device, a plugin or other software package that integrates with another software package (e.g., a browser plugin, an email client extension, etc.), or any combination thereof. In some examples, an issue detection processor may be implemented as hardware, as software, as a single computing device, across multiple computing devices, or any combination thereof. An issue detection processor may analyze network traffic, disk activity, file or memory content, executing processes, software and/or hardware configuration, user account credentials, and/or user activity, among other examples. In another example, other computing device and/or computing environment information may be analyzed, such as application or operating system version information, network configuration information, web browsing or file access history, etc.
In an example, an issue detection processor may identify an issue within a computing environment. In some examples, an issue may comprise a computing security threat, which may be categorized as “malicious,” thereby indicating that the issue is known to be potentially detrimental to computing security. In other examples, an issue may be categorized as “suspicious” or “unknown,” which may indicate that the issue has the potential to be malicious, but with less certainty as compared to issues that are categorized as malicious. Example issues include bot nets, spam messages, keyloggers and other monitoring techniques, malware websites, phishing messages, proxy avoidance or communication anonymizers, spyware, adware, viruses, trojans, rootkits, backdoors, exploits, vulnerabilities, misconfigured or malfunctioning applications or computing devices, or out-of-date software, among other issues. While example categories and issues are described, it will be appreciated that aspects disclosed herein may be applied to any category and/or type of issue.
When an issue is identified, contextual training may be determined for display to a user. In some examples, contextual training may be displayed whenever an issue is identified, or may be displayed based on one or more criteria. Example criteria include past user behavior (e.g., how often a user encounters issues of a similar type, how recently a user last received training, etc.), relative statistics (e.g., how the user compares to similar users within the user's division, how the company compares to similar companies, etc.), and attributes relating to the issue (e.g., issue severity, how recently the issue was discovered, etc.). In some examples, the training may be mandatory, while in other examples the training may be optional or suggested.
Contextual training may be determined from a training data store, which may comprise training information. In an example, the training information may be associated with one or more issues or issue types, such that relevant training information may be identified using the issue and/or issue type. In another example, training information may comprise a variety of stages or levels, wherein a first stage may be presented to a user when the user first encounters an issue, while a subsequent stage may be presented if the user continues to encounter similar issues. In some examples, aspects of the training information may be adapted based on the issue (e.g., based on the issue type or the source of the issue, among other issue attributes). As a result, the user may receive relevant training that is tailored to the identified issue. Further, the training may be provided contemporaneously, thereby enabling the user to better understand the training while the issue is still recent in the memory of the user.
In some examples, a report may be generated to provide information relating to the effectiveness of contextual training, the state of users and/or devices in the network, and/or historical metrics, among other information. A report may be generated based on user behavior information, which may comprise information relating to user behavior before and/or after receiving contextual training. In an example, the user behavior information may be collected on an opt-in basis, wherein a user may indicate that user behavior information may be collected in order to perform analysis. In some examples, a report may provide information for a subset of users (e.g., a user group, a division, a team, etc.), a company, or a geographic region. In other examples, a report may provide a comparison for a set of users as compared to information from a comparable set of users (e.g., at a division-level, company-level, or geographic-level, etc.).
As used herein, a user may occupy any of a variety of roles. For example, a user may be an employee of a company, a personal user, or an administrative user. In some examples, contextual training may be determined based on a user's role, experience, or other user attributes. As an example, an administrative user may receive more technical or in-depth contextual training. In another example, a personal user may not receive training relating to network or firewall issues, as such training may be more relevant for an administrative user. In some examples, an issue may comprise the behavior of one or more other users. For example, for an administrative user, contextual training may be received based on the behavior of users within the computing environment.
User devices 102 and 104 may be computing devices, including, but not limited to, mobile computing devices, tablet computing devices, desktop computing devices, and/or laptop computing devices. In examples, user devices 102 and 104 may comprise local applications 114 and 116, respectively. In an example, each of local applications 114 and 116 may be an email application, a web browser application, a document editor, an image or portable document format (PDF) file viewer, a cloud-based or web-based application, or a locally-executed application, among other applications. It will be appreciated that local applications 114 and 116 may be similar or different applications from one another, and may be any of a variety of applications. In some examples, local application 114 or 116 may be a client used to interact with a remote service, such as a service which may be provided by server device 108. For example, user device 102 may access a website provided by server device 108. In some examples, request processor 120 may comprise a webserver, which may process requests from user device 102 and generate responses accordingly. In another example, user device 104 may access files stored by data store 122 of server device 108. In some examples, IoT device 106 may be any of a wide array of “smart” devices, including, but not limited to, connected appliances, entertainment devices, or wearable devices. In some examples, local applications 114 and/or 116 may be used to interact with IoT device 106. While example actions are discussed with reference to system 100, it will be appreciated that any of a variety of other actions may be performed as well.
As illustrated, user device 104 further comprises issue detection processor 118. In some examples, issue detection processor 118 may be used to identify issues relating to user device 104. In other examples, external issue detection processor 110 and/or issue detection processor 124 of security service 112 may be used in conjunction with issue detection processor 118 in order to detect issues within system 100. In an example, issue detection processor 118 may be a locally executing application or may be a plugin or other software package that integrates with another software package (e.g., local application 116). In another example, user device 102 may not comprise local issue detection (e.g., similar to that of issue detection processor 118) and may instead use aspects of external issue detection processor 110 and/or issue detection processor 124 to identify issues.
External issue detection processor 110 may comprise computer security software. In another example, external issue detection processor 110 may engage in deep packet inspection of network 132, or may receive deep packet inspection information from one or more network devices of network 132. In some examples, external issue detection processor 110 may be implemented as hardware, as software, as a single computing device, across multiple computing devices, or any combination thereof. In another example, external issue detection processor 110 may be provided by a third party, or may be provided as a standalone security offering. It will be appreciated that issue detection processor 124 of security service 112 and issue detection processor 118 of user device 104 may provide similar or different functionality, as was described herein with respect to external issue detection processor 110.
Security service 112 may be a service for providing computing security within a computing environment. It will be appreciated that while security service 112 is illustrated as comprising elements 124-130, fewer, additional, or alternative elements may be used, or security service 112 may be provided as part of a distributed computing device or a cloud-computing system. As illustrated, security service 112 further comprises training data store 126, user behavior data store 128, and contextual training generator 130. In an example, training data store 126 may comprise training information according to aspects disclosed herein. In another example, the training information may be associated with one or more issues or issue types, such that relevant training information may be identified using the issue and/or issue type. While training data store 126 is illustrated as part of security service 112, it will be appreciated that training information may be accessed from any of a variety of other sources, including, but not limited to, a third party security service or a training data store that is remote from security service 112.
User behavior data store 128 may comprise information relating to the behavior of one or more users (e.g., users of user devices 102 and/or 104, as well as IoT device 106). In an example, user behavior information may be collected on an opt-in basis. In some examples, user behavior data store 128 may comprise information relating to a user's behavior before and/or after receiving contextual training. For example, user behavior data store 128 may comprise information relating to user actions, logs or diagnostic information from one or more user devices used by the user, or previously received training, among other information. According to aspects described herein, information stored by user behavior data store 128 may be used to generate analytics and/or reports relating to the effectiveness of contextual training, as well as the current and/or historical state of at least a subpart of system 100.
Contextual training generator 130 may be used to determine contextual training for an identified issue (e.g., as may be identified by external issue detection processor 110, issue detection processor 118, and/or issue detection processor 124). In some examples, determining contextual training may comprise evaluating training information stored by training data store 126. In an example, the training information may be identified based on an association with a given issue and/or issue type. In other examples, contextual training generator 130 may adapt training information based on attributes of the identified issue, including, but not limited to, the source of the issue or the type of issue. While example generation techniques are described herein, it will be appreciated that any of a variety of techniques may be used.
In an example, a user may use local application 114 of user device 102 to access an email inbox stored by server device 108. The user may open an email message from the email inbox, wherein the email message may comprise a phishing link. When the user clicks on the link to load the website associated with the link, external issue detection processor 110 and/or issue detection processor 124 may identify the phishing threat and may intercept the request for the website. As a result, a different website indicating the issue was blocked may be loaded. In an example where external issue detection processor 110 intercepts the request, an indication may be provided to security service 112, which may be used to determine whether contextual training should be provided. Similarly, if issue detection processor 124 intercepts the request, contextual training generator 130 may be used to determine whether contextual training should be provided.
The determination may comprise an analysis of user behavior information stored by user behavior data store 128 according to aspects disclosed herein. For example, if it is determined that the user frequently clicks on phishing links, contextual training may be generated by contextual training generator 130 (e.g., based on training information stored by training data store 126). The contextual training may be provided as part of the different website provided to user device 102. For example, the contextual training may comprise at least a part of a webpage or video content relating to the issue type. As a result, the phishing website may not be accessed by the user, and the user may instead contemporaneously receive contextual training relating to the identified issue.
In another example, network activity of IoT device 106 over network 136 may be monitored by external issue detection processor 110 and/or issue detection processor 124. If malicious or suspicious network activity is identified as an issue, contextual training may be generated according to aspects disclosed herein. For example, it may be determined that a user uses local application 116 of user device 104 to interact with IoT device 106, such that contextual training regarding the identified issue may be provided to the user of user device 104. In some examples, it may be determined that the user rarely experiences issues similar to the identified issue and/or the issue is unlikely to occur again. As a result, in such examples, the issue may be remedied without providing contextual training to the user. While examples are discussed above with respect to system 100, it will be appreciated that a wide variety of issues may be identified and used to generate contextual training according to aspects disclosed herein.
Moving to operation 204, user behavior information may be accessed. In an example, user behavior information may be accessed from a user behavior data store, such as user behavior data store 128 in
At determination 206, it may be determined whether to provide training to the user. The determination may comprise evaluating the accessed user behavior information based on one or more criteria. Example criteria include past user behavior (e.g., how often a user encounters issues of a similar type, how recently a user last received training, etc.), relative statistics (e.g., how the user compares to similar users within the user's division, how the company compares to similar companies, etc.), and attributes relating to the issue (e.g., issue severity, how recently the issue was discovered, etc.). In some examples, the training may be mandatory, while in other examples the training may be optional or suggested.
If it is determined that training should not be provided to the user, flow branches “NO” to operation 208, where remedial action may be determined for the identified issue. In some examples, the remedial action may be determined by an issue detection processor, or may be determined by another processor. In other examples, a remedial action may be determined based on information relating to the issue and/or to the user. In another example, no remedial action may be determined. Flow terminates at operation 208.
If, however, it is determined that training should be provided to the user, flow branches “YES” to operation 210, where contextual training may be generated based on the identified issue. In an example, contextual training may be generated by contextual training generator 130 in
Flow progresses to operation 212, where the generated contextual training may be provided to the user. In an example, providing the contextual training may comprise inserting the contextual training as part of a response to the determined issue. For example, the contextual training may be part of a website to which a user's device may be redirected when an issue is blocked. In another example, the contextual training may be provided to the user as a video for playback by a user device. It will be appreciated that contextual training may comprise any of a variety of content, including, but not limited to, text, images, video, and/or presentation slides, etc. Flow then moves to operation 208, where a remedial action may be determined for the issue, as was discussed above. Flow terminates at operation 208.
At operation 304, training information may be determined from a data store. In an example, training information may be accessed from a training data store, such as training data store 126 in
Flow progresses to determination 306, where it may be determined whether to adapt the identified training information to the identified issue. The determination may comprise evaluating the determined training information (e.g., whether the training information comprises one or more placeholders that may be updated to contain issue-specific information) or information associated with the user (e.g., how often the user encounters the type of issue, the role of the user, etc.), among other information. For example, if the user often encounters the type of issue, it may be determined that the training information should be adapted to comprise additional training beyond the contextual training ordinarily provided to users that less frequently encounter the issue type. As another example, if the user is an administrative user, it may be determined that additional or different training may be provided so as to educate the administrative user on techniques that may be used to avoid or mitigate the issue in the future.
If it is determined that the training information should not be adapted, flow branches “NO” to operation 308, where the contextual training may be provided for display to the user. As an example, the contextual training may be provided as part of a website to which the user's device was redirected when the issue was blocked. In another example, the contextual training may be provided to the user as a video for playback by a user device. It will be appreciated that contextual training may comprise any of a variety of content, including, but not limited to, text, images, video, and/or presentation slides, etc. Flow terminates at operation 308.
If, however, it is determined that the training information should be adapted, flow branches “YES” to operation 310, where the training information may be adapted according to aspects disclosed herein. As an example, the training information may be adapted to incorporate issue-specific information, such as an issue source, a port number associated with the issue, or information relating to affected files, among other information. In another example, the training information may be adapted to select from one or more stages, wherein a first stage may be presented to a user when the user first encounters an issue, while a subsequent stage may be presented if the user continues to encounter similar issues. While example adaptation and generation techniques are discussed herein, it will be appreciated that any of a variety of other techniques may be used. Flow then progresses to operation 308, where the contextual training may be provided for display to the user, as was discussed above. Flow terminates at operation 308.
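As an added example that is not part of the disclosure, the following Python sketches determination 206 and operations 304 through 310 as one engine: the decision criteria (issue severity, frequency of similar issues within a window, time since the user was last trained), staged training information with placeholders filled from issue attributes, and a supplement for administrative users, with the behavior record updated after training so the next decision sees it. The schema, thresholds, store contents, and all function names are assumptions, and the scenario data is constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

@dataclass
class Issue:
    """One detection reported by an issue detection processor (constructed schema)."""
    issue_type: str            # e.g. "phishing", "misconfiguration"
    source: str                # issue source shown to the user, e.g. the blocked host
    severity: int              # 1 (low) .. 5 (critical)
    detected_at: datetime
    details: dict = field(default_factory=dict)   # extra attributes, e.g. {"port": 445}

@dataclass
class UserBehavior:
    """Per-user record from the user behavior data store (constructed schema)."""
    user_id: str
    role: str                                        # "personal", "employee" or "admin"
    history: list = field(default_factory=list)      # [(issue_type, detected_at), ...]
    last_trained: dict = field(default_factory=dict) # issue_type -> datetime
    stages_seen: dict = field(default_factory=dict)  # issue_type -> highest stage shown

# Training data store: per issue type, ordered stages whose {placeholders} are filled from the issue.
TRAINING_STORE = {
    "phishing": [
        "The link you followed led to {source}, a known phishing site. Check the sender before clicking.",
        "This is phishing attempt {count} for you in {window} days. Report suspicious messages instead.",
    ],
    "misconfiguration": ["{source} exposes port {port} to the network. Restrict it to hosts that need it."],
}
ADMIN_SUPPLEMENT = {  # more technical content appended for administrative users
    "phishing": "Admin note: review the mail gateway rule that let this message through.",
}

class _Placeholders(dict):
    """Leaves a visible marker when a template wants a value the issue did not carry."""
    def __missing__(self, key):
        return f"[{key} unavailable]"

def recent_count(behavior, issue_type, now, window_days):
    """Issues of this type inside the window, including the one being handled."""
    cutoff = now - timedelta(days=window_days)
    return sum(1 for kind, when in behavior.history if kind == issue_type and when >= cutoff)

def decide(issue, behavior, now, window_days=30, repeat_threshold=3, cooldown_days=7):
    """Determination 206: returns (train?, mandatory?, reason). Thresholds are assumptions."""
    count = recent_count(behavior, issue.issue_type, now, window_days)
    if issue.severity >= 4 or count >= repeat_threshold:
        return True, True, "severe or repeated issue: training is mandatory"
    last = behavior.last_trained.get(issue.issue_type)
    if last is not None and now - last < timedelta(days=cooldown_days):
        return False, False, "trained recently and issue is infrequent: remediate only"
    return True, False, "first or infrequent occurrence: training suggested"

def generate(issue, behavior, now, window_days=30):
    """Operations 304-310: select the stage, fill placeholders, add role-specific content."""
    stages = TRAINING_STORE.get(issue.issue_type)
    if not stages:
        return None                                   # store has nothing for this type
    idx = min(behavior.stages_seen.get(issue.issue_type, 0), len(stages) - 1)
    values = _Placeholders(issue.details, source=issue.source, window=window_days,
                           count=recent_count(behavior, issue.issue_type, now, window_days))
    text = stages[idx].format_map(values)
    if behavior.role == "admin" and issue.issue_type in ADMIN_SUPPLEMENT:
        text += " " + ADMIN_SUPPLEMENT[issue.issue_type]
    return idx + 1, text

def handle_issue(issue, behavior):
    """Method 200 for one detection: record it, decide, generate, update the behavior record."""
    now = issue.detected_at
    behavior.history.append((issue.issue_type, now))
    train, mandatory, reason = decide(issue, behavior, now)
    if not train:
        return {"trained": False, "reason": reason}
    generated = generate(issue, behavior, now)
    if generated is None:
        return {"trained": False, "reason": "no training information for this issue type"}
    stage, content = generated
    behavior.last_trained[issue.issue_type] = now     # feeds the cooldown check next time
    behavior.stages_seen[issue.issue_type] = stage    # advances the user to the next stage
    return {"trained": True, "mandatory": mandatory, "stage": stage,
            "content": content, "reason": reason}

def demo_scenario():
    """Constructed walk-through: three phishing clicks in a week, an admin misconfiguration, an unknown type."""
    t0 = datetime(2024, 1, 8)
    alice, bob = UserBehavior("alice", "employee"), UserBehavior("bob", "admin")
    return [
        handle_issue(Issue("phishing", "login-example.invalid", 3, t0), alice),
        handle_issue(Issue("phishing", "pay-example.invalid", 3, t0 + timedelta(days=2)), alice),
        handle_issue(Issue("phishing", "hr-example.invalid", 3, t0 + timedelta(days=6)), alice),
        handle_issue(Issue("misconfiguration", "fileserver-01", 4, t0), bob),
        handle_issue(Issue("phishing", "mail-example.invalid", 2, t0), bob),
        handle_issue(Issue("adware", "ads-example.invalid", 2, t0), alice),
    ]

if __name__ == "__main__":
    for result in demo_scenario():
        print(result)
```

The second phishing click is remediated without training because the user was trained two days earlier, while the third click within the window crosses the repeat threshold and escalates to mandatory stage-two training.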
Flow progresses to operation 404, where a request may be generated for contextual training. The request may comprise information relating to the issue, such as an issue type or issue source. In some examples, the request may comprise user behavior information, which may be stored locally or accessed from a remote data store (e.g., user behavior data store 128 in
At operation 406, contextual training associated with the issue may be received. In some examples, the contextual training may have been generated according to aspects of methods 200 and/or 300 described above with respect to
Moving to operation 408, a display may be generated for the contextual training. In some examples, the display may comprise rendering a webpage comprising the contextual training. In other examples, the display may comprise an alert (e.g., as may be generated by a local issue detection processor or other application) comprising the contextual training. It will be appreciated that while example display techniques are described herein, any of a variety of other techniques may be used to display the contextual training. Flow terminates at operation 408.
In its most basic configuration, operating environment 500 typically includes at least one processing unit 502 and memory 504. Depending on the exact configuration and type of computing device, memory 504 (storing, among other things, contextual training information, user behavior information, issue detection information, instructions to perform the methods disclosed herein, etc.) may be volatile (such as RAM), non-volatile (such as ROM, flash memory, etc.), or some combination of the two. This most basic configuration is illustrated in
Operating environment 500 typically includes at least some form of computer readable media. Computer readable media can be any available media that can be accessed by processing unit 502 or other devices comprising the operating environment. By way of example, and not limitation, computer readable media may comprise computer storage media and communication media. Computer storage media includes volatile and nonvolatile, removable and non-removable media implemented in any method or technology for storage of information such as computer readable instructions, data structures, program modules or other data. Computer storage media includes, RAM, ROM, EEPROM, flash memory or other memory technology, CD-ROM, digital versatile disks (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other tangible, non-transitory medium which can be used to store the desired information. Computer storage media does not include communication media.
Communication media embodies computer readable instructions, data structures, program modules, or other data in a modulated data signal such as a carrier wave or other transport mechanism and includes any information delivery media. The term “modulated data signal” means a signal that has one or more of its characteristics set or changed in such a manner as to encode information in the signal. By way of example, and not limitation, communication media includes wired media such as a wired network or direct-wired connection, and wireless media such as acoustic, RF, infrared and other wireless media. Combinations of any of the above should also be included within the scope of computer readable media.
The operating environment 500 may be a single computer operating in a networked environment using logical connections to one or more remote computers. The remote computer may be a personal computer, a server, a router, a network PC, a peer device or other common network node, and typically includes many or all of the elements described above as well as others not so mentioned. The logical connections may include any method supported by available communications media. Such networking environments are commonplace in offices, enterprise-wide computer networks, intranets and the Internet.
As will be understood from the foregoing disclosure, one aspect of the technology relates to a system comprising: at least one processor; and memory storing instructions that, when executed by the at least one processor, cause the system to perform a set of operations. The set of operations comprises: receiving an indication of an issue associated with an action of a user; determining, based on behavior information for the user, whether the user should receive contextual training; based on determining the user should receive contextual training, accessing a training data store to identify training information associated with the issue; generating, based on the training information, contextual training for the issue based on the action of the user; and providing the generated contextual training for display to the user. In an example, the set of operations further comprises intercepting a request associated with the action of the user. In another example, providing the generated contextual training comprises providing the generated contextual training in response to the intercepted request. In a further example, determining whether the user should receive contextual training comprises an analysis of historical issue interactions for the user. In yet another example, generating contextual training comprises adapting the training information based on one or more attributes of the issue. In a further still example, the set of operations further comprises updating the behavior information for the user based on one or more user actions after providing the generated contextual training for display to the user. In another example, the indication of the issue is received from an issue detection processor.
In another aspect, the technology relates to a method for generating contextual training based on an issue. The method comprises: receiving, from an issue detection processor, an indication of the issue associated with an action of a user; determining whether the user should receive contextual training; based on determining the user should receive contextual training, identifying training information associated with the issue from a training data store; adapting the identified training information based on one or more attributes of the issue to generate contextual training; and providing the generated contextual training for display to the user. In an example, the method further comprises intercepting a request from a device of the user, wherein the request is associated with the action of the user. In another example, providing the generated contextual training comprises providing the generated contextual training in response to the intercepted request. In a further example, determining whether the user should receive contextual training comprises an analysis of historical issue interactions for the user. In yet another example, the method further comprises updating behavior information for the user based on one or more user actions after providing the generated contextual training for display to the user. In a further still example, providing the generated contextual training for display to the user comprises providing the contextual training to a device of the user for display contemporaneously with an occurrence of the issue associated with the action of the user.
In a further aspect, the technology relates to a method for generating contextual training based on an issue. The method comprises: receiving an indication of the issue associated with an action of a user; determining, based on behavior information for the user, whether the user should receive contextual training; based on determining the user should receive contextual training, accessing a training data store to identify training information associated with the issue; generating, based on the training information, contextual training for the issue based on the action of the user; and providing the generated contextual training for display to the user. In an example, the method further comprises intercepting a request associated with the action of the user. In another example, providing the generated contextual training comprises providing the generated contextual training in response to the intercepted request. In a further example, determining whether the user should receive contextual training comprises an analysis of historical issue interactions for the user. In yet another example, generating contextual training comprises adapting the training information based on one or more attributes of the issue. In a further still example, the method further comprises updating the behavior information for the user based on one or more user actions after providing the generated contextual training for display to the user. In another example, the indication of the issue is received from an issue detection processor.
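The three aspects above describe one pipeline: an issue indication arrives, behavior information decides whether training is warranted, a training data store supplies training information, that information is adapted to the issue's attributes, and the result is shown to the user (optionally in response to an intercepted request), after which the behavior information is updated. The following Python model is an added example and is not code from this application. The `BehaviorInfo` class, the `TRAINING_STORE` templates, the `MANDATORY_AFTER` threshold, the decision policy in `should_receive_training`, and the sample domains are all assumptions chosen for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Issue:
    issue_type: str   # category used to look up training, e.g. "phishing_link"
    action: str       # the user action that triggered detection
    attributes: dict  # issue-specific details used to adapt the training text


@dataclass
class BehaviorInfo:
    """Per-user history of issue interactions: issue_type -> list of outcomes."""
    history: dict = field(default_factory=dict)

    def record(self, issue_type: str, outcome: str) -> None:
        self.history.setdefault(issue_type, []).append(outcome)

    def encounters(self, issue_type: str) -> int:
        return sum(1 for o in self.history.get(issue_type, []) if o == "encountered")

    def last_outcome(self, issue_type: str) -> Optional[str]:
        outcomes = self.history.get(issue_type, [])
        return outcomes[-1] if outcomes else None


# Constructed training data store (assumption: text templates keyed by issue type).
TRAINING_STORE = {
    "phishing_link": (
        "You followed a link to {domain} from a message claiming to be from "
        "{sender_domain}. Compare the real destination with the sender before clicking."
    ),
    "weak_password": (
        "The password you entered is {length} characters long. Use at least "
        "12 characters or a passphrase, and never reuse it across services."
    ),
}

MANDATORY_AFTER = 3  # assumption: this many encounters of one issue type makes training mandatory


def should_receive_training(behavior: BehaviorInfo, issue: Issue) -> tuple:
    """Analysis of historical issue interactions. Returns (train, mandatory).

    Assumed policy: repeat encounters make training mandatory; a user who just
    completed training for this issue type is not re-trained on the first recurrence.
    """
    prior = behavior.encounters(issue.issue_type)
    if prior + 1 >= MANDATORY_AFTER:
        return True, True
    if behavior.last_outcome(issue.issue_type) == "training_completed":
        return False, False
    return True, False


class _Safe(dict):
    """Attribute lookup that tolerates missing issue attributes during adaptation."""
    def __missing__(self, key):
        return "[unknown]"


def generate_contextual_training(issue: Issue) -> Optional[str]:
    """Adapt the stored training information to the attributes of this issue."""
    template = TRAINING_STORE.get(issue.issue_type)
    if template is None:
        return None
    return template.format_map(_Safe(issue.attributes))


def handle_issue(behavior: BehaviorInfo, issue: Issue) -> dict:
    """Pipeline for one issue indication (assumed to come from an issue detection processor).

    The user's request is treated as intercepted: it is released immediately when
    training is optional or not needed, and held until mandatory training is acknowledged.
    """
    train, mandatory = should_receive_training(behavior, issue)
    behavior.record(issue.issue_type, "encountered")  # update behavior information
    training = generate_contextual_training(issue) if train else None
    if training is None:  # nothing to display: not warranted, or no stored training
        return {"training": None, "mandatory": False, "release_request": True}
    return {"training": training, "mandatory": mandatory, "release_request": not mandatory}


def acknowledge_training(behavior: BehaviorInfo, issue_type: str) -> bool:
    """User completed the training: record it so later decisions can use it."""
    behavior.record(issue_type, "training_completed")
    return True  # held request may now be released


if __name__ == "__main__":
    b = BehaviorInfo()
    issue = Issue("phishing_link", "click_link",
                  {"domain": "login-example.invalid", "sender_domain": "example.com"})
    print(handle_issue(b, issue))
```

The decision function is where a deployment would plug in its own incidence analysis; the rest of the flow (store lookup, attribute-based adaptation, request release, behavior update) is independent of that policy.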
Aspects of the present disclosure, for example, are described above with reference to block diagrams and/or operational illustrations of methods, systems, and computer program products according to aspects of the disclosure. The functions/acts noted in the blocks may occur out of the order as shown in any flowchart. For example, two blocks shown in succession may in fact be executed substantially concurrently or the blocks may sometimes be executed in the reverse order, depending upon the functionality/acts involved.
The description and illustration of one or more aspects provided in this application are not intended to limit or restrict the scope of the disclosure as claimed in any way. The aspects, examples, and details provided in this application are considered sufficient to convey possession and enable others to make and use the best mode of claimed disclosure. The claimed disclosure should not be construed as being limited to any aspect, example, or detail provided in this application. Regardless of whether shown and described in combination or separately, the various features (both structural and methodological) are intended to be selectively included or omitted to produce an embodiment with a particular set of features. Having been provided with the description and illustration of the present application, one skilled in the art may envision variations, modifications, and alternate aspects falling within the spirit of the broader aspects of the general inventive concept embodied in this application that do not depart from the broader scope of the claimed disclosure.