US2019081968A1PendingUtilityA1

Method and Apparatus for Network Fraud Detection and Remediation Through Analytics

47
Assignee: CENTRIFY CORPPriority: Sep 13, 2017Filed: Sep 13, 2017Published: Mar 14, 2019
Est. expirySep 13, 2037(~11.2 yrs left)· nominal 20-yr term from priority
H04L 63/1441H04L 63/1425G06F 21/552H04L 63/20H04L 63/102G06F 21/31G06N 20/00H04L 67/22G06N 99/005H04L 67/535G06F 21/50
47
PatentIndex Score
0
Cited by
0
References
0
Claims

Abstract

A system and method for assessing the identity fraud risk of an entity's (a user's, computer process's, or device's) behavior within a computer network and then to take appropriate action. The system uses real-time machine learning for its assessment. It records the entity's log-in behavior (conditions at log-in) and behavior once logged in to create an entity profile that helps identify behavior patterns. The system compares new entity behavior with the entity profile to determine a risk score and a confidence level for the behavior. If the risk score and confidence level indicate a credible identity fraud risk at log-in, the system can require more factors of authentication before log-in succeeds. If the system detects risky behavior after log-in, it can take remedial action such as ending the entity's session, curtailing the entity's privileges, or notifying a human administrator.

Claims

exact text as granted — not AI-modified
1 . A system including an event reporting agent, an access control service, a directory service, and an administrative access portal for detecting and remediating fraudulent attempts to access a network, said system comprising:
 a) an event ingestion service which i) receives data corresponding to an event from said event reporting agent, ii) filters out malformed or irrelevant events corresponding to said received event data, and iii) prepares each event's data by deleting unnecessary event data and converting remaining event data, if necessary, into values;   b) a risk assessment engine which i) receives said values from said event ingestion service and builds and periodically updates an entity profile for each entity using said values corresponding to said filtered and prepared event data for that entity, and ii) accepts requests from one of a streaming threat remediation engine and a risk assessment service to perform a risk assessment for an event by comparing said filtered and prepared event data to the entity's entity profile and returning a result of said risk assessment to one of said streaming threat remediation engine and risk assessment service;   c) said streaming threat remediation engine which receives said filtered and prepared event data from said risk assessment engine and applies an ordered sequence of rules to said filtered and prepared event data, each rule testing each event for conditions that may require action, which action said streaming threat remediation engine then initiates if required;   d) said risk assessment service which i) accepts authenticated connections from an on demand threat remediation engine receives risk assessment requests for events or attempted events from said on demand threat remediation engine requests said risk assessments from said risk assessment engine, and iv) returns said risk assessments for each request to said on demand threat remediation engine;   e) said on-demand threat remediation engine which i) receives data corresponding to requests for risk assessment of an external event or attempted external event and ii) applies said ordered sequence of rules to said data corresponding to said external event or attempted external event, each rule testing each external event or attempted external event for conditions that may require action, which action said on-demand threat remediation engine then initiates if required.   
     
     
         2 . The system defined by  claim 1  wherein said request for said risk assessment for said event from said risk assessment engine initiated by said streaming threat remediation engine, is followed by a further application of rules within said ordered sequence of rules for testing each event for conditions that may require action, which action said streaming threat remediation engine then initiates if required. 
     
     
         3 . The system defined by  claim 1  wherein said request for said risk assessment for said event from said risk assessment service initiated by said on-demand threat remediation engine for said event or attempted event, is followed by a further application of rules within said ordered sequence of rules for testing each event or attempted event for conditions that may require action, which action said on-demand threat remediation engine then initiates if required. 
     
     
         4 . The system defined by  claim 1  wherein said requests for risk assessment of said external event or attempted external event are initiated by said access control service, or said directory service. 
     
     
         5 . A method for detecting and remediating risky entity activity in a network based on an executed entity event comprising:
 a) sending an entity event to an event ingestion service which determines ( 41 ) whether said entity event is an event appropriate for analysis;   b) if said event is appropriate for analysis, said entity event ingestion service converting said entity event's data into a form usable for analysis and sending said converted entity event to a risk assessment engine;   c) said risk assessment engine receiving said converted entity event and using it to build and periodically update an entity profile for each entity by adding said converted entity event to previously converted entity events for the same entity;   d) said risk assessment engine passing each of said received entity events along to a streaming threat remediation engine;   e) said streaming threat remediation engine evaluating said entity event through an ordered sequence of rules;   f) if said rule sequence detects a condition in said entity event that requires risk assessment, then said streaming threat remediation engine requesting a risk assessment for said entity event from said risk assessment engine;   g) said risk assessment engine calculating a risk assessment score and confidence score by comparing said entity event to said entity profile and then providing said risk assessment score and confidence score to said streaming threat remediation engine;   h) if said streaming threat remediation engine determines that said risk assessment score and confidence score constitute a threat to the network, then instructing an access control service to take appropriate action to mitigate said entity's activity.   
     
     
         6 . The method defined by  claim 5  wherein said requesting for said risk assessment is followed by a further application of rules within said ordered sequence of rules testing each event for conditions that may require action, which action said streaming threat remediation engine then initiates if required. 
     
     
         7 . The method defined by  claim 6  wherein said action initiated by said streaming threat remediation engine is instructing said access control service to take appropriate action to mitigate said entity's activity. 
     
     
         8 . The method defined by  claim 5  wherein said requesting for risk assessment of said executed entity event is initiated by said access control service, or a directory service. 
     
     
         9 . A method for detecting and remediating a fraudulent attempt to access a network based on an attempted entity event comprising:
 a) sending an attempted entity event to an on-demand threat remediation engine which determines whether said entity event is an event which requires a threat assessment prior to being authorized;   b) if said entity event requires said threat assessment, said on-demand threat remediation engine passing said entity event along with a risk assessment request to a risk assessment service;   c) said risk assessment service converting values of said entity event into a form usable for risk assessment and passing said converted entity event to a risk assessment engine with a request to assess risk for said event;   c) said risk assessment engine receiving said converted entity event and comparing said entity event to an entity profile created for each entity with reported entity events, forming a risk assessment score and confidence score and providing said risk assessment score and confidence score to said risk assessment service;   d) said risk assessment service sending said risk assessment score and confidence score to said on-demand threat remediation engine.   
     
     
         10 . The method defined by  claim 9  wherein said request for said risk assessment is followed by a further application of rules within said ordered sequence of rules testing each event for conditions that may require action, which action said on-demand threat remediation engine then initiates if required. 
     
     
         11 . The method defined by  claim 9  wherein said action initiated by said on-demand threat remediation engine is instructing said access control service to take appropriate action to mitigate said attempted entity event. 
     
     
         12 . The method defined by  claim 9  wherein said request for risk assessment of said attempted entity event is initiated by said access control service or a directory service.

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.