1. Passively attributing anonymous network events to their associated users
    Record type: patent application (invention)
    Legal status: in force

    Publication number: US20080263197A1

    Publication date: 2008-10-23

    Application number: US11790037

    Filing date: 2007-04-23

    CPC classification numbers: H04L63/126 H04L41/0622 H04L63/1416

    Abstract: Systems, methods, and computer program products for passively attributing anonymous network events to their associated users are provided herein. Embodiments include filtering network events over a pre-determined time interval to generate a filtered event list. In an embodiment, event attribution includes attributing an anonymous network event to a user associated with a nearest-neighbor event relative to the anonymous network event. In another embodiment, event attribution includes attributing an anonymous network event to a user associated with an event in the filtered event list, wherein that user maximizes an event attribution function. In a further embodiment, event attribution includes determining a first potential attribution user for an anonymous network event based on a nearest-neighbor attribution approach; determining a second potential attribution user for the anonymous network event based on an event attribution function approach; and comparing the first and second potential attribution users to determine the attribution of the anonymous event.

2. Passively attributing anonymous network events to their associated users
    Record type: granted patent (invention)
    Legal status: in force

    Publication number: US08996681B2

    Publication date: 2015-03-31

    Application number: US11790037

    Filing date: 2007-04-23

    CPC classification numbers: H04L63/126 H04L41/0622 H04L63/1416

    Abstract: Systems, methods, and computer program products for passively attributing anonymous network events to their associated users are provided herein. Embodiments include filtering network events over a pre-determined time interval to generate a filtered event list. In an embodiment, event attribution includes attributing an anonymous network event to a user associated with a nearest-neighbor event relative to the anonymous network event. In another embodiment, event attribution includes attributing an anonymous network event to a user associated with an event in the filtered event list, wherein that user maximizes an event attribution function. In a further embodiment, event attribution includes determining a first potential attribution user for an anonymous network event based on a nearest-neighbor attribution approach; determining a second potential attribution user for the anonymous network event based on an event attribution function approach; and comparing the first and second potential attribution users to determine the attribution of the anonymous event.
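    The three-step pipeline the abstracts of items 1 and 2 describe (time-window filtering, nearest-neighbor attribution, attribution-function attribution, then a comparison of the two candidates), worked through as an added example. This is illustration code, not code from the patent or its assignee: the event schema, the 300-second window, the exponential-decay attribution function with a 60-second time constant, and the sample events are all assumptions made for the example. The sample models the hard case for passive attribution, a shared workstation where a second user authenticates briefly inside the first user's session.

```python
import math
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Event:
    """One observed network event (hypothetical schema for this example)."""
    ts: float            # observation time, seconds
    src: str             # source address the event was seen from
    user: Optional[str]  # None for anonymous events, e.g. an unauthenticated HTTP fetch


@dataclass(frozen=True)
class Attribution:
    nearest: Optional[str]      # user chosen by the nearest-neighbor approach
    by_function: Optional[str]  # user chosen by the attribution-function approach
    scores: Dict[str, float]    # per-user attribution-function scores
    user: Optional[str]         # final attribution, None if undetermined
    status: str                 # "agree", "conflict" or "no-candidates"


def filter_events(events: List[Event], anon: Event, window: float) -> List[Event]:
    """Step 1: keep attributed events from the same source within +/- window seconds."""
    return [e for e in events
            if e.user is not None and e.src == anon.src and abs(e.ts - anon.ts) <= window]


def nearest_neighbor_user(filtered: List[Event], anon: Event) -> Optional[str]:
    """Step 2a: the user of the attributed event closest in time to the anonymous one."""
    if not filtered:
        return None
    return min(filtered, key=lambda e: abs(e.ts - anon.ts)).user


def attribution_scores(filtered: List[Event], anon: Event, tau: float) -> Dict[str, float]:
    """Step 2b, assumed attribution function: every attributed event votes for its user
    with weight exp(-|dt| / tau), so several nearby events can outweigh one closer event."""
    scores: Dict[str, float] = {}
    for e in filtered:
        scores[e.user] = scores.get(e.user, 0.0) + math.exp(-abs(e.ts - anon.ts) / tau)
    return scores


def attribute(events: List[Event], anon: Event,
              window: float = 300.0, tau: float = 60.0) -> Attribution:
    """Step 3: run both approaches and only attribute when they agree."""
    filtered = filter_events(events, anon, window)
    nn = nearest_neighbor_user(filtered, anon)
    scores = attribution_scores(filtered, anon, tau)
    fn = max(scores, key=scores.get) if scores else None
    if nn is None:
        return Attribution(nn, fn, scores, None, "no-candidates")
    if nn == fn:
        return Attribution(nn, fn, scores, nn, "agree")
    # The approaches disagree: leave the event unattributed for analyst review rather than guess.
    return Attribution(nn, fn, scores, None, "conflict")


# Constructed sample: workstation 10.0.0.5 is alice's, but bob authenticates from it
# once in the middle of her activity.
SAMPLE_EVENTS = [
    Event(1000.0, "10.0.0.5", "alice"),
    Event(1100.0, "10.0.0.5", "alice"),
    Event(1150.0, "10.0.0.5", "alice"),
    Event(1190.0, "10.0.0.5", "bob"),
    Event(1250.0, "10.0.0.5", "alice"),
    Event(1205.0, "10.0.0.7", "carol"),   # different source, never a candidate
]

if __name__ == "__main__":
    for t, src in [(1010.0, "10.0.0.5"), (1200.0, "10.0.0.5"), (1200.0, "10.0.0.9")]:
        r = attribute(SAMPLE_EVENTS, Event(t, src, None))
        print(f"anon@{t:.0f} from {src}: nearest={r.nearest} function={r.by_function} "
              f"-> {r.user} ({r.status})")
```

    The anonymous event at t=1010 is attributed to alice by both approaches. The one at t=1200 shows why the comparison step matters: the nearest neighbor is bob (10 seconds away), but alice's four surrounding events outscore bob's single one under the attribution function, so the event is flagged as a conflict instead of being attributed to either user.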

3. Insider threat detection
    Record type: granted patent (invention)
    Legal status: in force

    Publication number: US08707431B2

    Publication date: 2014-04-22

    Application number: US11790225

    Filing date: 2007-04-24

    CPC classification numbers: H04L63/1425 H04L41/5061 H04L63/1408 H04L63/1416

    Abstract: Methods, systems, and computer program products for insider threat detection are provided. Embodiments detect insiders who act on documents and/or files to which they have access but whose activity is inappropriate or uncharacteristic of them based on their identity, past activity, and/or organizational context. Embodiments work by monitoring the network to detect network activity associated with a set of network protocols; processing the detected activity to generate information-use events; generating contextual information associated with users of the network; and processing the information-use events based on the generated contextual information to generate alerts and threat scores for users of the network. Embodiments provide several information-misuse detectors that are used to examine generated information-use events in view of collected contextual information to detect volumetric anomalies, suspicious and/or evasive behavior. Embodiments provide a user threat ranking system and a user interface to examine user threat scores and analyze user activity.

4. Insider threat detection
    Record type: patent application (invention)
    Legal status: in force

    Publication number: US20080271143A1

    Publication date: 2008-10-30

    Application number: US11790225

    Filing date: 2007-04-24

    CPC classification numbers: H04L63/1425 H04L41/5061 H04L63/1408 H04L63/1416

    Abstract: Methods, systems, and computer program products for insider threat detection are provided. Embodiments detect insiders who act on documents and/or files to which they have access but whose activity is inappropriate or uncharacteristic of them based on their identity, past activity, and/or organizational context. Embodiments work by monitoring the network to detect network activity associated with a set of network protocols; processing the detected activity to generate information-use events; generating contextual information associated with users of the network; and processing the information-use events based on the generated contextual information to generate alerts and threat scores for users of the network. Embodiments provide several information-misuse detectors that are used to examine generated information-use events in view of collected contextual information to detect volumetric anomalies, suspicious and/or evasive behavior. Embodiments provide a user threat ranking system and a user interface to examine user threat scores and analyze user activity.
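    The detection chain the abstracts of items 3 and 4 describe (information-use events from monitored protocols, contextual information about users, several misuse detectors, per-user threat scores and a ranking), worked through as an added example. This is illustration code, not code from the patent or its assignee: the event schema, the department-to-share mapping used as organizational context, the three detectors (a volumetric z-score against the user's own baseline, out-of-context share access, and off-hours activity as a stand-in for evasive behavior), the detector weights and saturation points, and the sample events are all assumptions made for the example.

```python
import statistics
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class InfoUseEvent:
    """An information-use event reconstructed from monitored traffic (hypothetical schema)."""
    day: int        # day index within the observation period
    user: str       # user the traffic was attributed to
    protocol: str   # application protocol the document was accessed over
    path: str       # document or file acted on
    hour: int       # local hour of day, 0-23


# Only traffic on protocols the sensor decodes becomes an information-use event.
MONITORED_PROTOCOLS = {"smb", "http", "ftp"}

# Contextual information (assumed for the example): each user's department and the
# share that department owns. Access outside one's own share is "out of context".
USER_DEPT = {"alice": "eng", "bob": "eng", "carol": "finance"}
DEPT_SHARES = {"eng": "//files/eng/", "finance": "//files/fin/"}

WEIGHTS = {"volume": 0.5, "context": 0.3, "hours": 0.2}   # detector weights, sum to 1


def volumetric_anomaly(events: List[InfoUseEvent], user: str, today: int,
                       min_history: int = 3) -> float:
    """Volumetric detector: standard deviations by which today's distinct-document count
    exceeds the user's own per-day baseline (0.0 if not above it or no baseline yet)."""
    docs_by_day: Dict[int, set] = defaultdict(set)
    for e in events:
        if e.user == user:
            docs_by_day[e.day].add(e.path)
    history = [len(docs_by_day[d]) for d in sorted(docs_by_day) if d < today]
    if len(history) < min_history:
        return 0.0
    mean = statistics.mean(history)
    sd = statistics.pstdev(history) or 1.0   # flat baseline: count each extra document as one sd
    return max(0.0, (len(docs_by_day.get(today, set())) - mean) / sd)


def out_of_context_accesses(events: List[InfoUseEvent], user: str, today: int) -> int:
    """Suspicious-behavior detector: today's accesses to a share outside the user's department."""
    own_share = DEPT_SHARES.get(USER_DEPT.get(user, ""), "")
    return sum(1 for e in events
               if e.user == user and e.day == today and not e.path.startswith(own_share))


def off_hours_fraction(events: List[InfoUseEvent], user: str, today: int,
                       start: int = 8, end: int = 19) -> float:
    """Evasive-behavior detector: share of today's activity outside business hours."""
    todays = [e for e in events if e.user == user and e.day == today]
    if not todays:
        return 0.0
    return sum(1 for e in todays if not start <= e.hour < end) / len(todays)


def threat_score(events: List[InfoUseEvent], user: str, today: int) -> Tuple[float, List[str]]:
    """Combine the detectors into a score in [0, 1] plus the alerts that explain it."""
    z = volumetric_anomaly(events, user, today)
    ctx = out_of_context_accesses(events, user, today)
    oh = off_hours_fraction(events, user, today)
    score = (WEIGHTS["volume"] * min(z / 5.0, 1.0)       # saturates at 5 sd above baseline
             + WEIGHTS["context"] * min(ctx / 5.0, 1.0)  # saturates at 5 foreign documents
             + WEIGHTS["hours"] * oh)
    alerts = []
    if z >= 3.0:
        alerts.append(f"volumetric: {z:.1f} sd above own baseline")
    if ctx:
        alerts.append(f"context: {ctx} documents outside the {USER_DEPT.get(user)} share")
    if oh > 0.5:
        alerts.append(f"hours: {oh:.0%} of today's activity outside business hours")
    return round(score, 3), alerts


def rank_users(events: List[InfoUseEvent], today: int) -> List[Tuple[str, float, List[str]]]:
    """User threat ranking: (user, score, alerts), highest score first."""
    ranked = [(u,) + threat_score(events, u, today) for u in sorted({e.user for e in events})]
    return sorted(ranked, key=lambda r: r[1], reverse=True)


def _access(user, day, paths, hour, protocol="smb"):
    return [InfoUseEvent(day, user, protocol, p, hour) for p in paths]


# Constructed sample: three days of baseline activity, then a day on which bob behaves
# like an insider while alice and carol keep to their usual pattern.
TODAY = 3
RAW_EVENTS: List[InfoUseEvent] = []
for d in range(TODAY):
    RAW_EVENTS += _access("alice", d, [f"//files/eng/spec{i}.docx" for i in range(3)], 10)
    RAW_EVENTS += _access("bob", d, [f"//files/eng/design{i}.docx" for i in range(2)], 14)
    RAW_EVENTS += _access("carol", d, [f"//files/fin/ledger{i}.xlsx" for i in range(2)], 9)
RAW_EVENTS += _access("alice", TODAY, [f"//files/eng/spec{i}.docx" for i in range(3)], 11)
RAW_EVENTS += _access("carol", TODAY, [f"//files/fin/ledger{i}.xlsx" for i in range(2)], 9)
# bob: a late-night bulk pull of his team's designs plus finance files he has never touched
RAW_EVENTS += _access("bob", TODAY, [f"//files/eng/design{i}.docx" for i in range(8)], 23)
RAW_EVENTS += _access("bob", TODAY, [f"//files/fin/payroll{i}.xlsx" for i in range(4)], 23)
RAW_EVENTS += _access("bob", TODAY, ["files.corp.example"], 23, protocol="dns")  # not monitored
EVENTS = [e for e in RAW_EVENTS if e.protocol in MONITORED_PROTOCOLS]

if __name__ == "__main__":
    for user, score, alerts in rank_users(EVENTS, TODAY):
        print(f"{user:6s} {score:.3f}  {'; '.join(alerts) or 'no alerts'}")
```

    Each detector is deliberately relative to the user's own history or organizational context rather than to a global threshold: bob's twelve documents would be unremarkable for a user whose baseline is twelve a day, and carol's finance files are in context for her but not for bob. The DNS event is dropped before scoring because it carries no document access the sensor can interpret.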
