Detecting Behavioral Patterns and Anomalies Using Activity Data

Abstract
Activity data is analyzed or evaluated to detect behavioral patterns and anomalies. When a particular pattern or anomaly is detected, a system may send a notification or perform a particular task. This activity data may be collected in an information management system, which may be policy based. Notification may be by way of e-mail, report, pop-up message, or system message. Some tasks to perform upon detection may include implementing a policy in the information management system, disallowing a user from connecting to the system, and restricting a user from being allowed to perform certain actions. To detect a pattern, activity data may be compared to a previously defined or generated activity profile.
Description

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 shows a diagram of a distributed computing network connecting a server and clients.

FIG. 2 shows a more detailed diagram of a computer system which may be a client or server.

FIG. 3 shows a system block diagram of a computer system.

FIG. 4 shows a block diagram of a policy server that centrally manages policies that are used by workstations and servers according to a specific implementation of the invention.

FIG. 5 shows a block diagram of a number of workstations and document servers with policy enforcers installed that coexist within a system according to a specific implementation of the invention.

FIG. 6 shows a block diagram of minimal embodiments that utilize a number of workstations each with policy enforcers installed or a number of document servers each with policy enforcers installed according to a specific implementation of the invention.

FIG. 7 shows a block diagram of internal components of a policy server according to a specific implementation of the invention.

FIG. 8 shows a block diagram of the internal components of an intelligence server according to a specific implementation of the invention.

FIG. 9 shows a block diagram of an interceptor and a consequence applicator in a policy enforcement point (PEP) module according to a specific implementation of the invention.

FIG. 10 shows a block diagram of a policy enforcer that implements interception and enforcement functions using a PEP plug-in architecture according to a specific implementation of the invention.

FIG. 11 shows a block diagram of a policy enforcer installed on a workstation that controls access to files on the workstation according to the invention.

FIG. 12 shows a block diagram of a policy enforcer on a workstation enforcing access control to a nonfile system object according to the invention.

FIG. 13 shows a layer description of an implementation of a policy language system of the invention.

FIG. 14 shows the functional modes of an information system of the invention.

FIG. 15 shows an example of interactions between multiple policies and multiple policy abstractions.

FIG. 16 shows an example of one policy and multiple policy abstractions, where one policy abstraction references other policy abstractions.

FIG. 17 shows accessing a confidential document, seeking approval, with centralized decision.

FIG. 18 shows accessing a confidential document, seeking approval, with distributed decision.

FIG. 19 shows blocking sending of a confidential document outside the company.

FIG. 20 shows encrypting a confidential document when copying to a removable device.

FIG. 21 shows sending of a confidential document between users who should observe separation of duties.

FIG. 22 shows an example of a deployment operation to a workstation of an information management system.

FIG. 23 shows an example of a deployment operation of rules associated with a user.

FIG. 24 shows an example of a push operation, pushing one set of rules to a workstation and another set of rules to a server.

FIGS. 25-50 show syntax diagrams for a specific implementation of a policy language, the Compliant Enterprise Active Control Policy Language (ACPL).

FIG. 51 provides a legend explaining the nodes used in FIGS. 25-50.


Claims
  • 1. A method of managing information of a system comprising: providing a plurality of information management rules; providing an activity database; gathering activity data from a first target in the activity database; gathering activity data from a second target in the activity database; associating at least a first rule of the information management rules to the first target; evaluating the data stored in the activity database according to a detection algorithm; based on the detection algorithm, associating a second rule to the first target; and for the first target, controlling usage of information based on the at least first rule of information management rules and the second rule.
  • 2. The method of claim 1 wherein the activity database is stored on the first target.
  • 3. The method of claim 1 wherein the activity database is stored on a server where the plurality of information management rules is stored.
  • 4. The method of claim 1 wherein the activity database is stored on an intelligence server and the plurality of information management rules are stored on a policy server, where the policy and intelligence servers are separate.
  • 5. The method of claim 1 further comprising: based on the detection algorithm, adding the second rule to the plurality of information management rules.
  • 6. The method of claim 1 further comprising: based on the detection algorithm, activating the second rule of the plurality of information management rules.
  • 7. The method of claim 1 wherein the based on the detection algorithm, associating a second rule to the first target is replaced by based on the detection algorithm, altering a second rule of the plurality of information management rules and associating the second rule to the first target.
  • 8. The method of claim 1 wherein the based on the detection algorithm, associating a second rule to the first target is replaced by based on the detection algorithm, altering a value of a variable incorporated in an expression of a second rule of the plurality of information management rules; and associating the second rule to the first target.
  • 9. The method of claim 1 wherein the detection algorithm comprises executing an OLAP task of the first target.
  • 10. The method of claim 1 wherein the detection algorithm detects the first target has attempted to access information more than X times in a Y time period.
  • 11. The method of claim 10 wherein the values of X and Y are user selectable.
  • 12. The method of claim 11 wherein the value of X is an integer.
  • 13. The method of claim 1 wherein the detection algorithm detects the first target has attempted to transfer a document classified as confidential to the second target.
  • 14. The method of claim 1 wherein the detection algorithm detects the first target has attempted to transfer a document classified as confidential to a removable media.
  • 15. The method of claim 14 wherein the removable media includes at least one of CDROM, CD-RW, DVD-ROM, DVD-RW, USB device, and floppy disk.
  • 16. The method of claim 1 wherein the detection algorithm detects the first target has attempted to transfer a document classified as confidential to a recipient outside the information management system.
  • 17. The method of claim 1 further comprising: logging in the activity database a denial of access at the first target for an attempt to access information of the system by the first target.
  • 18. The method of claim 1 further comprising: generating a report based on the detection algorithm.
  • 19. The method of claim 1 wherein the detection algorithm comprises at least one rule.
  • 20. The method of claim 1 wherein the evaluating the data stored in the activity database according to a detection algorithm detects at least one of information fraud, information misuse, operational inefficiency, potential improvement in workforce productivity, potential improvement in resource utilization, abnormal or suspicious activity pattern, or policy effectiveness.
  • 21. A method of operating a system comprising: providing a plurality of devices; providing an activity database; collecting information usage data from the plurality of devices in the activity database; analyzing the information usage data in the activity database to detect a condition; and when the condition is detected, generating a notification of the condition.
  • 22. The method of claim 21 wherein the information usage data comprises data associated with at least one of application program operation or document access.
  • 23. The method of claim 22 wherein the application program operation comprises at least one of sending an e-mail message, forwarding an e-mail message, attaching a file to an e-mail message, opening a file, saving a file, deleting a file, moving a file, changing file attribute, cutting application data to a clipboard, pasting application data from a clipboard, editing a cell in a spreadsheet, changing a formula associated with a cell in a spreadsheet, creating a macro, or editing a script.
  • 24. The method of claim 21 wherein the information usage data comprises at least one of time, duration, a resource identifier, type of resource, resource attributes, file name, file path, file attribute, e-mail sender, e-mail recipient, e-mail attachment, user, user attribute, name of application program, application program version information, type of application program, host name, IP address, type of computer, computer configuration, application program command, application program function, application program event, file operation, database operation, or any other application program or operating system event.
  • 25. The method in claim 22 wherein the information usage data comprises data collected during evaluation of a rule at a device.
  • 26. The method in claim 26 wherein the data collected during rule evaluation comprises at least one of the time at which rule evaluation occurs, the outcome of evaluating at least one rule, the event that triggers a rule evaluation operation, a rule identifier indicating a particular rule being evaluated, information about a resource associated with an evaluated rule, information about a user related to a rule evaluation operation, information about an application program associated with a rule evaluation operation, or information about a device associated with a rule evaluation operation.
  • 27. The method of claim 21 wherein the generating a notification of the condition comprises sending an e-mail.
  • 28. The method of claim 21 wherein the generating a notification of the condition comprises adding an entry to a log.
  • 29. The method of claim 21 wherein the notification is at least one of an e-mail, pop-up message on a computer screen, and SNMP message.
  • 30. The method of claim 21 further comprising: when the condition is detected, sending the notification to an application program.
  • 31. The method of claim 21 further comprising: when the condition is detected, sending the notification to another device.
  • 32. The method of claim 21 wherein the condition is detected when a device has attempted to access a unit of information more than X times in a Y time period.
  • 33. The method of claim 21 wherein the condition is detected when a user logged on a device has attempted to access a unit of information more than X times in a Y time period.
  • 34. The method of claim 21 wherein the condition is detected when a username has connected to the system from a first location X at a first time T1 and the username has connected to the system from a second location Y at second time T2 and a distance between X and Y divided by (T2−T1) is greater than Z.
  • 35. The method of claim 21 wherein the condition is detected when a username has accessed information of the system from a first location X at a first time T1 and the username has accessed information of the system from a second location Y at second time T2 and a distance between X and Y divided by (T2−T1) is greater than Z.
  • 36. The method of claim 21 wherein the analyzing the information usage data in the activity database to detect a condition is replaced by collecting external event data collected outside the system; and analyzing the information usage data and the external event data to detect a condition.
  • 37. The method of claim 21 wherein the devices comprise at least one of a file server, network attached storage (NAS) device, virtual file server, file gateway, e-mail server, messaging server, collaboration server, document management system (DMS), content management system, digital rights management server, Web server, portal server, application server, database server, integration server, customer relation management (CRM) system, enterprise resource (ERP) planning system, supply chain management system, any file-based or nonfile document repositories, desktop computer, laptop computer, personal digital assistant (PDA), smart phone, thin clients, an instance of client operating environment running on a terminal server, a guest operating system running on a virtual machine, a server making information resource operation request (acting as a client in the context of the request), information kiosk, or any computing device and computing environment from which an information resource operation request originates.
  • 38. The method of claim 21 wherein the collecting information usage data comprises: associating an interceptor program with an application program; and using the interceptor program, while the application program is executing, gathering information about operations of the application program.
  • 39. The method of claim 21 wherein the analyzing the information usage data in the activity database further comprises generating a report.
  • 40. The method of claim 21 wherein the condition includes at least one of information fraud, information misuse, operational inefficiency, potential improvement in workforce productivity, potential improvement in resource utilization, or abnormal or suspicious activity pattern.
  • 41. A method of an information management system comprising: providing a plurality of devices; providing an activity database; providing a first activity profile; collecting information usage data from the plurality of devices and storing in the activity database; analyzing the information usage data in the activity database to generate a second activity profile; comparing the second activity profile with the first activity profile to determine a set of differences; using the set of differences, detecting whether a condition has occurred; and when the condition has occurred, generating a notification of the condition.
  • 42. The method in claim 42 wherein the information usage data includes data collected during evaluation of a rule at a device.
  • 43. The method in claim 43 wherein the data collected during the rule evaluation comprises at least one of the time at which rule evaluation occurs, the outcome of evaluating at least one rule, the event that triggers a rule evaluation operation, a rule identifier indicating a particular rule being evaluated, information about a resource associated with an evaluated rule, information about a user related to a rule evaluation operation, information about an application program associated with a rule evaluation operation, or information about a device associated with a rule evaluation operation.
  • 44. The method of claim 41 wherein the information usage data comprises at least one of time, duration, a resource identifier, type of resource, resource attributes, file name, file path, file attribute, e-mail sender, e-mail recipient, e-mail attachment, user, user attribute, name of application program, application program version information, type of application program, host name, IP address, type of computer, computer configuration, application program command, application program function, application program event, file operation, database operation, any other application program or operating system event, or type of connectivity a user used to connect to a device.
  • 45. The method of claim 41 wherein the information usage data comprises data associated with at least one of application program operation or document access.
  • 46. The method of claim 45 wherein the application program operation includes sending an e-mail message, forwarding an e-mail message, attaching a file to an e-mail message, opening a file, saving a file, deleting a file, moving a file, changing file attributes, cutting application data to a clipboard, pasting application data from a clipboard, editing a cell in a spreadsheet, changing a formula associated with a cell in a spreadsheet, creating a macro, or editing a script.
  • 47. The method of claim 41 wherein when the set of differences is zero, the condition will not have occurred.
  • 48. The method of claim 41 wherein the condition occurs when (X−Y) is greater than a threshold value Z, where X is a value in the first activity profile and Y is a value in the second activity profile.
  • 49. The method of claim 41 wherein the condition occurs when (X−Y) is greater than a threshold value Z, where X is a value derived from the first activity profile and Y is a value derived from the second activity profile.
  • 50. The method of claim 41 wherein the first activity profile comprises a threshold value X and the condition occurs when a value Y derived from the second activity profile is greater than X.
  • 51. The method of claim 49 wherein the X and Y times represent times spent in an application program.
  • 52. The method of claim 49 wherein the X and Y times represent typing rate.
  • 53. The method of claim 41 wherein the condition is satisfied when the second activity profile indicates a user using instant messenger more than an amount of time specified in the first activity profile.
  • 54. The method of claim 41 wherein the first activity profile is generated from information usage data in the activity database.
  • 55. The method of claim 54 wherein the first activity profile comprises data collected based on two or more users and the second activity profile comprises data collected based on one user.
  • 56. The method of claim 54 wherein the first activity profile comprises information derived from data collected based on two or more users and the second activity profile comprises information derived from data collected based on one user.
  • 57. The method of claim 56 where the first activity profile includes an average productivity index of a group of users and the second activity profile includes a productivity index of a user in the group of users.
  • 58. The method of claim 56 where the first activity profile includes an average productivity index of a group of users and the second activity profile includes a productivity of a user not in the group of users.
  • 59. The method of claim 41 wherein the generating a notification of the condition comprises sending an e-mail.
  • 60. The method of claim 41 wherein the generating a notification of the condition comprises adding an entry to a log.
  • 61. The method of claim 41 wherein the notification is at least one of an e-mail, pop-up message on a computer screen, and SNMP message.
  • 62. The method of claim 41 further comprising: when the condition is detected, sending the notification to an application program.
  • 63. The method of claim 41 further comprising: when the condition is detected, sending the notification to another device.
  • 64. The method of claim 41 wherein the analyzing the information usage data in the activity database to detect a condition is replaced by gathering external event data collected outside the system; and analyzing the information usage data and the external event data to detect a condition.
  • 65. The method of claim 41 wherein the devices comprise at least one of a file server, network attached storage (NAS) device, virtual file server, file gateway, e-mail server, messaging server, collaboration server, document management system (DMS), content management system, digital rights management server, Web server, portal server, application server, database server, integration server, customer relation management (CRM) system, enterprise resource (ERP) planning system, supply chain management system, any file-based or nonfile document repositories, desktop computer, laptop computer, personal digital assistant (PDA), smart phone, thin clients, an instance of client operating environment running on a terminal server, a guest operating system running on a virtual machine, a server making information resource operation request (acting as a client in the context of the request), information kiosk, or any computing device and computing environment from which an information resource operation request originates.
  • 66. The method of claim 41 wherein the collecting information usage data comprises: associating an interceptor program with an application program; and using the interceptor program, while the application program is executing, gathering information about operations of the application program.
  • 67. The method of claim 41 wherein the analyzing the information usage data in the activity database further comprises generating a report.
  • 68. The method of claim 41 wherein the condition includes at least one of information fraud, information misuse, operational inefficiency, potential improvement in workforce productivity, potential improvement in resource utilization, a change in user behavior, a change in group behavior, a change in application program behavior, change in resource utilization, or abnormal or suspicious activity pattern.
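The detection conditions in claims 32 through 35 (more than X accesses in a Y time period; a username connecting from two locations whose distance divided by (T2−T1) exceeds Z) and the profile comparison in claims 41 through 58 (a group baseline versus one user's activity, with a threshold Z on the difference) can be written down concretely. The following Python is an added example and not code from the patent or its assignee: the activity record schema, the function names, the threshold values, the use of "minutes spent per application program" as the activity profile, and the three users' records are all assumptions constructed for this illustration.

```python
# Added example, not the patent's code: record schema, function names,
# thresholds and the "minutes per application" profile are assumptions.
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt
from statistics import mean

@dataclass(frozen=True)
class ActivityRecord:
    """One row of the activity database (constructed schema)."""
    user: str
    app: str            # application program that generated the event
    operation: str      # e.g. "open", "message"
    resource: str       # file name, chat session, ...
    time: datetime
    location: tuple     # (latitude, longitude) of the connecting device
    duration_min: float = 0.0

def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) pairs."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def excessive_access(records, user, resource, x, y_minutes):
    """Claims 32/33: more than X accesses to one resource within any Y-minute
    window; a sliding window also catches bursts that straddle fixed intervals."""
    window = timedelta(minutes=y_minutes)
    times = sorted(r.time for r in records if r.user == user and r.resource == resource)
    lo = 0
    for hi, t in enumerate(times):
        while t - times[lo] > window:
            lo += 1
        if hi - lo + 1 > x:
            return True
    return False

def impossible_travel(records, user, z_kmh):
    """Claims 34/35: consecutive connections by one username imply a speed above
    Z km/h; simultaneous logins from two places (T2 == T1) are flagged, not divided by zero."""
    seen = sorted((r.time, r.location) for r in records if r.user == user)
    for (t1, x), (t2, y) in zip(seen, seen[1:]):
        km = haversine_km(x, y)
        hours = (t2 - t1).total_seconds() / 3600.0
        if km > 0.0 and (hours <= 0.0 or km / hours > z_kmh):
            return True
    return False

def activity_profile(records, users):
    """Minutes per application program averaged over `users`: one user gives that
    user's profile, several give a group baseline (claims 54-57)."""
    per_user = {u: defaultdict(float) for u in users}
    for r in records:
        if r.user in per_user:
            per_user[r.user][r.app] += r.duration_min
    return {app: mean(per_user[u][app] for u in users) for app in {r.app for r in records}}

def profile_condition(first, second, z):
    """Claims 48-50/53: applications where the second profile exceeds the first
    (baseline or threshold) by more than Z minutes."""
    return {app for app, y in second.items() if y - first.get(app, 0.0) > z}

def detect_all(records, x=3, y_minutes=15, z_kmh=900.0, z_profile=20.0):
    """Evaluate every rule; return notifications as (rule, user, detail) tuples
    that a deployment would e-mail, log or send as an SNMP message."""
    users = sorted({r.user for r in records})
    baseline = activity_profile(records, users)
    alerts = []
    for u in users:
        for res in sorted({r.resource for r in records if r.user == u}):
            if excessive_access(records, u, res, x, y_minutes):
                alerts.append(("excessive_access", u, res))
        if impossible_travel(records, u, z_kmh):
            alerts.append(("impossible_travel", u, f"> {z_kmh} km/h"))
        for app in sorted(profile_condition(baseline, activity_profile(records, [u]), z_profile)):
            alerts.append(("profile_deviation", u, app))
    return alerts

# Constructed sample data: three users on one morning; "bob" connects from
# London half an hour after working in Austin and chats far more than his peers.
T0 = datetime(2006, 5, 1, 9, 0)
AUSTIN, LONDON = (30.27, -97.74), (51.51, -0.13)
ACTIVITY_DB = [
    ActivityRecord("alice", "editor", "open", "doc1", T0 + timedelta(minutes=m), AUSTIN, 10.0)
    for m in (0, 5, 10, 12, 14)
] + [
    ActivityRecord("bob", "im", "message", "chat", T0, AUSTIN, 30.0),
    ActivityRecord("bob", "editor", "open", "doc2", T0 + timedelta(hours=1), AUSTIN, 60.0),
    ActivityRecord("bob", "im", "message", "chat", T0 + timedelta(hours=1, minutes=30), LONDON, 15.0),
    ActivityRecord("carol", "im", "message", "chat", T0, AUSTIN, 20.0),
    ActivityRecord("carol", "editor", "open", "doc3", T0 + timedelta(minutes=30), AUSTIN, 50.0),
]

if __name__ == "__main__":
    for rule, user, detail in detect_all(ACTIVITY_DB):
        print(f"{rule:18s} {user:6s} {detail}")
```

Running the block reports alice's five opens of doc1 inside fifteen minutes, bob's Austin-to-London hop at well over 900 km/h, and bob's instant-messenger time exceeding the group mean by more than the 20-minute threshold; carol trips nothing. The sliding window in `excessive_access` matters because a fixed-interval count of "X per Y" misses a burst that straddles two intervals, and `impossible_travel` treats two simultaneous logins from different places as a hit rather than raising a division-by-zero error. Which rule gets associated with the target afterwards (claims 5 through 8) is left to the policy server.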
Provisional Applications (5)
Number Date Country
60755019 Dec 2005 US
60766036 Dec 2005 US
60743121 Jan 2006 US
60821050 Aug 2006 US
60870195 Dec 2006 US
Continuation in Parts (3)
Number Date Country
Parent 11383159 May 2006 US
Child 11615657 US
Parent 11383161 May 2006 US
Child 11383159 US
Parent 11383164 May 2006 US
Child 11383161 US