Risk assessment for network access control through data analytics
Abstract
Methods and systems of risk assessment for network access control through data analytics. An embodiment of the invention employs well-known machine-learning clustering methods to learn normal entity behavior by looking for patterns in the events that stream in continuously. In an embodiment of the invention, normal entity behaviors are represented as clusters of event vectors. An embodiment of the invention evaluates the risk level for a new event of an entity by comparing the event with the entity's profile represented as clusters of event vectors. In an embodiment of the invention, the risk level is associated with a confidence level. Confidence level indicates how well the system knows about the entity. Embodiments of the invention do not need human administration in the process of building entity profile and assessing risk level of events associated with an entity.
Claims
exact text as granted — not AI-modifiedWhat is claimed is:
1 . A method for assessing risk levels of network access events, the method comprising:
receiving event reports which record network access events of an entity, wherein said event reports contain said network access events in form of event vectors; building an entity profile for said entity with said event reports, wherein said entity profile in form of event vector clusters represents normal network access behavior of said entity; and in order to determine a risk level of an event in form of an event vector associated with said entity, calculating a risk score by comparing said event vector of said event with said event vector clusters of said entity profile and a confidence score associated with said risk score based on number of said network access events contained in said event reports.
2 . The method of claim 1 , wherein said event vectors representing network access events associated with long-term network access behavior of said entity are kept for a long period in said event vector clusters.
3 . The method of claim 1 , wherein said event vectors representing network access events associated with short-term network access behavior of said entity are kept for a short period in said event vector clusters.
4 . The method of claim 1 , wherein said event vectors are converted from strings to numeric values before events represented by said event vectors are assessed with risk levels.
5 . The method of claim 1 , wherein said risk score of said network access event is calculated based on vector distance between said event vector and the center vector of said event vector cluster.
6 . The method of claim 1 , wherein said risk score of said network access event is calculated based on configurable risk assessment rules.
7 . The method of claim 1 , wherein said entity profile for said entity is built based on configurable machine learning rules.
8 . A system for assessing risk levels of network access events comprising:
one or more computers; and a computer-readable medium coupled to said one or more computers having instructions stored thereon which, when executed by said one or more computers, cause said one or more computers to perform operations comprising:
receiving event reports which record network access events of an entity, wherein said event reports contain said network access events of said in form of event vectors;
building an entity profile for said entity with said event reports, wherein said entity profile in form of event vector clusters represents normal network access behavior of said entity; and
in order to determine a risk level of an event in form of an event vector associated with said entity, calculating a risk score by comparing said event vector of said event with said event vector clusters of said entity profile and a confidence score associated with said risk score based on number of said network access events contained in said event reports.
9 . The system of claim 8 , wherein said event vectors representing network access events associated with long-term network access behavior of said entity are kept for a long period in said event vector clusters.
10 . The system of claim 8 , wherein said event vectors representing network access events associated with short-term network access behavior of said entity are kept for a short period in said event vector clusters.
11 . The system of claim 8 , wherein said event vectors are converted from strings to numeric values before events represented by said event vectors are assessed with risk levels.
12 . The system of claim 8 , wherein said risk score of said network access event is calculated based on vector distance between said event vector and the center vector of said event vector cluster.
13 . The method of claim 8 , wherein said risk score of said network access event is calculated based on configurable risk assessment rules.
14 . The method of claim 8 , wherein said entity profile for said entity is built based on configurable machine learning rules.
15 . A method for assessing risk levels of network access events, the method comprising:
receiving an event report which records a network access event of an entity, wherein said event report contains said network access event; receiving a risk assessment associated with said network access event, wherein said risk assessment includes a risk score and a confidence score; determining a risk level of said network access event by comparing said risk score and said confidence score with risk thresholds and confidence thresholds; providing an instruction on how to handle said network access event based on said risk level; and adjusting said risk thresholds and confidence thresholds based on feedback events associated with said entity which are resulted from said instruction.
16 . The method of claim 15 , wherein said instruction may request said entity for additional authentication using alternative authentication method based on said risk level of said network access event.
17 . The method of claim 15 , wherein said feedback events are one or more than one events of:
requesting said entity for additional authentication using an alternative authentication method based on said risk level of said network access event; authenticating said entity using an alternative authentication method.
18 . The method of claim 15 , wherein said risk level of said network access event is calculated based on configurable risk assessment rules.
19 . A system for assessing risk levels of network access events comprising:
one or more computers; and a computer-readable medium coupled to said one or more computers having instructions stored thereon which, when executed by said one or more computers, cause said one or more computers to perform operations comprising:
receiving an event report which records a network access event of an entity, wherein said event report contains said network access event;
receiving a risk assessment associated with said network access event, wherein said risk assessment includes a risk score and a confidence score;
determining a risk level of said network access event by comparing said risk score and said confidence score with risk thresholds and confidence thresholds;
providing an instruction on how to handle said network access event based on said risk level; and
adjusting said risk thresholds and confidence thresholds based on feedback events associated with said entity which are resulted from said instruction.
20 . The system of claim 19 , wherein said instruction may request said entity for additional authentication using alternative authentication method based on said risk level of said network access event.
21 . The system of claim 19 , wherein said feedback events are one or more than one events of:
requesting said entity for additional authentication using an alternative authentication method based on said risk level of said network access event; authenticating said entity using an alternative authentication method.
22 . The method of claim 19 , wherein said risk level of said network access event is calculated based on configurable risk assessment rules.Join the waitlist — get patent alerts
Track US2019116193A1 — get alerts on status changes and closely related new filings.
We store only your email — no account needed. See our privacy policy.