US2019116193A1PendingUtilityA1

Risk assessment for network access control through data analytics

Assignee: WANG YANLINPriority: Oct 17, 2017Filed: Oct 17, 2017Published: Apr 18, 2019
Est. expiryOct 17, 2037(~11.3 yrs left)· nominal 20-yr term from priority
H04L 63/205G06N 20/00H04L 63/1416H04L 63/08H04L 63/1425H04L 63/1433G06N 99/005
48
PatentIndex Score
0
Cited by
0
References
0
Claims

Abstract

Methods and systems of risk assessment for network access control through data analytics. An embodiment of the invention employs well-known machine-learning clustering methods to learn normal entity behavior by looking for patterns in the events that stream in continuously. In an embodiment of the invention, normal entity behaviors are represented as clusters of event vectors. An embodiment of the invention evaluates the risk level for a new event of an entity by comparing the event with the entity's profile represented as clusters of event vectors. In an embodiment of the invention, the risk level is associated with a confidence level. Confidence level indicates how well the system knows about the entity. Embodiments of the invention do not need human administration in the process of building entity profile and assessing risk level of events associated with an entity.

Claims

exact text as granted — not AI-modified
What is claimed is: 
     
         1 . A method for assessing risk levels of network access events, the method comprising:
 receiving event reports which record network access events of an entity, wherein said event reports contain said network access events in form of event vectors;   building an entity profile for said entity with said event reports, wherein said entity profile in form of event vector clusters represents normal network access behavior of said entity; and   in order to determine a risk level of an event in form of an event vector associated with said entity, calculating a risk score by comparing said event vector of said event with said event vector clusters of said entity profile and a confidence score associated with said risk score based on number of said network access events contained in said event reports.   
     
     
         2 . The method of  claim 1 , wherein said event vectors representing network access events associated with long-term network access behavior of said entity are kept for a long period in said event vector clusters. 
     
     
         3 . The method of  claim 1 , wherein said event vectors representing network access events associated with short-term network access behavior of said entity are kept for a short period in said event vector clusters. 
     
     
         4 . The method of  claim 1 , wherein said event vectors are converted from strings to numeric values before events represented by said event vectors are assessed with risk levels. 
     
     
         5 . The method of  claim 1 , wherein said risk score of said network access event is calculated based on vector distance between said event vector and the center vector of said event vector cluster. 
     
     
         6 . The method of  claim 1 , wherein said risk score of said network access event is calculated based on configurable risk assessment rules. 
     
     
         7 . The method of  claim 1 , wherein said entity profile for said entity is built based on configurable machine learning rules. 
     
     
         8 . A system for assessing risk levels of network access events comprising:
 one or more computers; and   a computer-readable medium coupled to said one or more computers having instructions stored thereon which, when executed by said one or more computers, cause said one or more computers to perform operations comprising:
 receiving event reports which record network access events of an entity, wherein said event reports contain said network access events of said in form of event vectors; 
 building an entity profile for said entity with said event reports, wherein said entity profile in form of event vector clusters represents normal network access behavior of said entity; and 
 in order to determine a risk level of an event in form of an event vector associated with said entity, calculating a risk score by comparing said event vector of said event with said event vector clusters of said entity profile and a confidence score associated with said risk score based on number of said network access events contained in said event reports. 
   
     
     
         9 . The system of  claim 8 , wherein said event vectors representing network access events associated with long-term network access behavior of said entity are kept for a long period in said event vector clusters. 
     
     
         10 . The system of  claim 8 , wherein said event vectors representing network access events associated with short-term network access behavior of said entity are kept for a short period in said event vector clusters. 
     
     
         11 . The system of  claim 8 , wherein said event vectors are converted from strings to numeric values before events represented by said event vectors are assessed with risk levels. 
     
     
         12 . The system of  claim 8 , wherein said risk score of said network access event is calculated based on vector distance between said event vector and the center vector of said event vector cluster. 
     
     
         13 . The method of  claim 8 , wherein said risk score of said network access event is calculated based on configurable risk assessment rules. 
     
     
         14 . The method of  claim 8 , wherein said entity profile for said entity is built based on configurable machine learning rules. 
     
     
         15 . A method for assessing risk levels of network access events, the method comprising:
 receiving an event report which records a network access event of an entity, wherein said event report contains said network access event;   receiving a risk assessment associated with said network access event, wherein said risk assessment includes a risk score and a confidence score;   determining a risk level of said network access event by comparing said risk score and said confidence score with risk thresholds and confidence thresholds;   providing an instruction on how to handle said network access event based on said risk level; and   adjusting said risk thresholds and confidence thresholds based on feedback events associated with said entity which are resulted from said instruction.   
     
     
         16 . The method of  claim 15 , wherein said instruction may request said entity for additional authentication using alternative authentication method based on said risk level of said network access event. 
     
     
         17 . The method of  claim 15 , wherein said feedback events are one or more than one events of:
 requesting said entity for additional authentication using an alternative authentication method based on said risk level of said network access event;   authenticating said entity using an alternative authentication method.   
     
     
         18 . The method of  claim 15 , wherein said risk level of said network access event is calculated based on configurable risk assessment rules. 
     
     
         19 . A system for assessing risk levels of network access events comprising:
 one or more computers; and   a computer-readable medium coupled to said one or more computers having instructions stored thereon which, when executed by said one or more computers, cause said one or more computers to perform operations comprising:
 receiving an event report which records a network access event of an entity, wherein said event report contains said network access event; 
 receiving a risk assessment associated with said network access event, wherein said risk assessment includes a risk score and a confidence score; 
 determining a risk level of said network access event by comparing said risk score and said confidence score with risk thresholds and confidence thresholds; 
 providing an instruction on how to handle said network access event based on said risk level; and 
 adjusting said risk thresholds and confidence thresholds based on feedback events associated with said entity which are resulted from said instruction. 
   
     
     
         20 . The system of  claim 19 , wherein said instruction may request said entity for additional authentication using alternative authentication method based on said risk level of said network access event. 
     
     
         21 . The system of  claim 19 , wherein said feedback events are one or more than one events of:
 requesting said entity for additional authentication using an alternative authentication method based on said risk level of said network access event;   authenticating said entity using an alternative authentication method.   
     
     
         22 . The method of  claim 19 , wherein said risk level of said network access event is calculated based on configurable risk assessment rules.

Join the waitlist — get patent alerts

Track US2019116193A1 — get alerts on status changes and closely related new filings.

We store only your email — no account needed. See our privacy policy.