Detecting anomalous behavior via user authentication graphs

Title: Detecting anomalous behavior via user authentication graphs

Abstract

Significant and aggregate user authentication activity may be analyzed across a population of users and computers in one or more networks to differentiate between authorized users and intruders in a network, and/or to detect inappropriate behavior by otherwise authorized users. Dynamic graphs and graph models over user and computer authentication activity, including time-constrained models, may be used for the purposes of profiling and analyzing user behavior in computer networks. More specifically, an edge-based breadth first search of graphs may be used that enforces time-constraints while maintaining traditional breadth first search computational complexity equivalence.

Inventors:: Kent, Alexander; Neil, Joshua; Liebrock, Lorie

Issue Date:: 2018-07-03

Research Org.:: Los Alamos National Lab. (LANL), Los Alamos, NM (United States)

Sponsoring Org.:: USDOE

OSTI Identifier:: 1459424

Patent Number(s):: 10015175

Application Number:: 15/099,898

Assignee:: Los Alamos National Security, LLC (Los Alamos, NM); New Mexico Tech Research Foundation (Socorro, NM)

Patent Classifications (CPCs):: H - ELECTRICITY H04 - ELECTRIC COMMUNICATION TECHNIQUE H04L - TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION

G - PHYSICS G06 - COMPUTING G06F - ELECTRIC DIGITAL DATA PROCESSING

Show more

H - ELECTRICITY H04 - ELECTRIC COMMUNICATION TECHNIQUE H04L - TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
H04L67/22 - {Tracking the activity of the user
H04L63/08 - {for supporting authentication of entities communicating through a packet data network
H04L63/1408 - {by monitoring network traffic
H04L63/083 - {using passwords

G - PHYSICS G06 - COMPUTING G06F - ELECTRIC DIGITAL DATA PROCESSING
G06F21/316 - {by observing the pattern of computer usage, e.g. typical user behaviour}
G06F21/554 - {involving event detection and direct action}

G - PHYSICS G06 - COMPUTING G06K - RECOGNITION OF DATA
G06K9/6277 - {based on a parametric

G - PHYSICS G06 - COMPUTING G06F - ELECTRIC DIGITAL DATA PROCESSING
G06F21/552 - {involving long-term monitoring or reporting}

Show less

DOE Contract Number:: AC52-06NA25396

Resource Type:: Patent

Resource Relation:: Patent File Date: 2016 Apr 15

Country of Publication:: United States

Language:: English

Subject:: 97 MATHEMATICS AND COMPUTING

Citation Formats


                    Kent, Alexander, Neil, Joshua, and Liebrock, Lorie. Detecting anomalous behavior via user authentication graphs.  United States: N. p., 2018. 
        Web.

Copy to clipboard


                    Kent, Alexander, Neil, Joshua, & Liebrock, Lorie. Detecting anomalous behavior via user authentication graphs.  United States.

Copy to clipboard


                    Kent, Alexander, Neil, Joshua, and Liebrock, Lorie. Tue .  
        "Detecting anomalous behavior via user authentication graphs".  United States.  https://www.osti.gov/servlets/purl/1459424.

Copy to clipboard


                    
@article{osti_1459424,

  title        = {Detecting anomalous behavior via user authentication graphs},

  author       = {Kent, Alexander and Neil, Joshua and Liebrock, Lorie},

  abstractNote = {Significant and aggregate user authentication activity may be analyzed across a population of users and computers in one or more networks to differentiate between authorized users and intruders in a network, and/or to detect inappropriate behavior by otherwise authorized users. Dynamic graphs and graph models over user and computer authentication activity, including time-constrained models, may be used for the purposes of profiling and analyzing user behavior in computer networks. More specifically, an edge-based breadth first search of graphs may be used that enforces time-constraints while maintaining traditional breadth first search computational complexity equivalence.},

  doi          = {},

  journal      = {},
number       = ,

  volume       = ,

  place        = {United States},

  year         = {2018},

  month        = {7}

}

Copy to clipboard

Patent:

View Patent

Save / Share:

Export Metadata

Save to My Library

Works referenced in this record:

Use of interactive messaging channels to verify endpoints
patent, July 2013

Hernacki, Brian; Satish, Sourabh
US Patent Document 8,490,190
URL: http://patft.uspto.gov/netacgi/nph-Parser?Sect2=PTO1&Sect2=HITOFF&p=1&u=%2Fnetahtml%2FPTO%2Fsearch-bool.html&r=1&f=G&l=50&d=PALL&RefSrch=yes&Query=PN%2F8490190

Specializing network analysis to detect anomalous insider actions
journal, January 2012

Chen, You; Nyemba, Steve; Zhang, Wen
Security Informatics, Vol. 1, Article No. 5
https://doi.org/10.1186/2190-8532-1-5

Graph coarsening for path finding in cybersecurity graphs
conference, January 2013

Hogan, Emilie; Johnson, John R.; Halappanavar, Mahantesh
Proceedings of the Eighth Annual Cyber Security and Information Intelligence Research Workshop on - CSIIRW '13
https://doi.org/10.1145/2459976.2459984

Scan Statistics for the Online Detection of Locally Anomalous Subgraphs
journal, August 2013

Neil, Joshua; Hash, Curtis; Brugh, Alexander
Technometrics, Vol. 55, Issue 4, p. 403-414
https://doi.org/10.1080/00401706.2013.822830

System and method for dynamically limiting robot access to server data
patent, December 2003

Eichstaedt, Matthias; Emens, Michael; Kraft, Reiner
US Patent Document 6,662,230
URL: http://patft.uspto.gov/netacgi/nph-Parser?Sect2=PTO1&Sect2=HITOFF&p=1&u=%2Fnetahtml%2FPTO%2Fsearch-bool.html&r=1&f=G&l=50&d=PALL&RefSrch=yes&Query=PN%2F6662230

Random Forests
journal, January 2001

Breiman, Leo
Machine Learning, Vol. 45, Issue 1, p. 5-32
https://doi.org/10.1023/A:1010933404324

Differentiating User Authentication Graphs
conference, May 2013

Kent, Alexander D.; Liebrock, Lorie M.
2013 IEEE CS Security and Privacy Workshops (SPW2013), 2013 IEEE Security and Privacy Workshops
https://doi.org/10.1109/SPW.2013.38

Insider Threat Detection Using a Graph-Based Approach
journal, December 2010

Eberle, William; Graves, Jeffrey; Holder, Lawrence
Journal of Applied Security Research, Vol. 6, Issue 1, p. 32-81
https://doi.org/10.1080/19361610.2011.529413

Adaptive Thresholds: Monitoring Streams of Network Counts
journal, March 2006

Lambert, Diane; Liu, Chuanhai
Journal of the American Statistical Association, Vol. 101, Issue 473, p. 78-88
https://doi.org/10.1198/016214505000000943

Control Charts and Stochastic Processes
journal, July 1959

Barnard, G. A.
Journal of the Royal Statistical Society: Series B (Methodological), Vol. 21, Issue 2
https://doi.org/10.1111/j.2517-6161.1959.tb00336.x

The use of the area under the ROC curve in the evaluation of machine learning algorithms
journal, July 1997

Bradley, Andrew P.
Pattern Recognition, Vol. 30, Issue 7, p. 1145-1159
https://doi.org/10.1016/S0031-3203(96)00142-2

System for slowing password attacks
patent, November 2012

Kahn, Clifford; Venable, Jeffrey; Chickering, Roger
US Patent Document 8,312,540
URL: http://patft.uspto.gov/netacgi/nph-Parser?Sect2=PTO1&Sect2=HITOFF&p=1&u=%2Fnetahtml%2FPTO%2Fsearch-bool.html&r=1&f=G&l=50&d=PALL&RefSrch=yes&Query=PN%2F8312540

User login monitoring device and method
patent, March 2017

Liu, Fei; He, Wei
US Patent Document 9,602,526
URL: http://patft.uspto.gov/netacgi/nph-Parser?Sect2=PTO1&Sect2=HITOFF&p=1&u=%2Fnetahtml%2FPTO%2Fsearch-bool.html&r=1&f=G&l=50&d=PALL&RefSrch=yes&Query=PN%2F9602526

Similar Records in DOE Patents and OSTI.GOV collections:

Detecting anomalous behavior via user authentication graphs

Patent Kent, Alexander D.; Neil, Joshua Charles; Liebrock, Lorie

Significant and aggregate user authentication activity may be analyzed across a population of users and computers in one or more networks to differentiate between authorized users and intruders in a network, and/or to detect inappropriate behavior by otherwise authorized users. Dynamic graphs and graph models over user and computer authentication activity, including time-constrained models, may be used for the purposes of profiling and analyzing user behavior in computer networks. More specifically, an edge-based breadth first search of graphs may be used that enforces time-constraints while maintaining traditional breadth first search computational complexity equivalence.
Full Text Available
Gamma radiation stand-off detection, tamper detection, and authentication via resonant meta-material structures

Patent Alvine, Kyle J.; Bernacki, Bruce E.

Resonant meta-material structures are defined by metallic, dielectric or other materials that form nanoshells or nanomeshes that can be situated proximate to ionizing-radiation-sensitive layers so as to provide ionizing-radiation-dose-dependent optical properties. Such meta-material structures can also define aligned or periodic, semi-random, or other arrangements of nanostructures that are coupled to or include stressed layers. Detection of optical radiation from such structures is used to determine gamma radiation dose or to detect a disturbance of the nanostructure indicating tampering.
Full Text Available
Method and system for normalizing biometric variations to authenticate users from a public database and that ensures individual biometric data privacy

Patent Strait, Robert S [Oakland, CA]; Pearson, Peter K [Livermore, CA]; Sengupta, Sailes K [Livermore, CA]

A password system comprises a set of codewords spaced apart from one another by a Hamming distance (HD) that exceeds twice the variability that can be projected for a series of biometric measurements for a particular individual and that is less than the HD that can be encountered between two individuals. To enroll an individual, a biometric measurement is taken and exclusive-ORed with a random codeword to produce a "reference value." To verify the individual later, a biometric measurement is taken and exclusive-ORed with the reference value to reproduce the original random codeword or its approximation. If the reproduced valuemore »« less
Full Text Available
Behavior specification, finding main, and call graph visualizations

Patent Sayre, Kirk D.; Willems, Richard A.; Lindberg, Stephen Lanse

A process transforms compiled software into a semantic form. The process transforms the code into a semantic form. The process analyzes behavior functionality by processing precise programming behavior abstractions stored in a memory and classifies the code as malware based on the code behavior. Another method identifies the starting point of execution of a compiled program. The method calculates a complexity measure by calculating the number of potential execution paths of local functions; identifies the number of arguments passed to local functions; and identifies the starting point of execution of the compiled program. Another method provides interactive, dynamic visualization ofmore »« less
Full Text Available
Graph-theoretic analysis of discrete-phase-space states for condition change detection and quantification of information

Patent Hively, Lee M.

Data collected from devices and human condition may be used to forewarn of critical events such as machine/structural failure or events from brain/heart wave data stroke. By monitoring the data, and determining what values are indicative of a failure forewarning, one can provide adequate notice of the impending failure in order to take preventive measures. This disclosure teaches a computer-based method to convert dynamical numeric data representing physical objects (unstructured data) into discrete-phase-space states, and hence into a graph (structured data) for extraction of condition change.
Full Text Available

Similar Records

Title: Detecting anomalous behavior via user authentication graphs

Abstract

Citation Formats

Use of interactive messaging channels to verify endpoints patent, July 2013

Specializing network analysis to detect anomalous insider actions journal, January 2012

Graph coarsening for path finding in cybersecurity graphs conference, January 2013

Scan Statistics for the Online Detection of Locally Anomalous Subgraphs journal, August 2013

System and method for dynamically limiting robot access to server data patent, December 2003

Random Forests journal, January 2001

Differentiating User Authentication Graphs conference, May 2013

Insider Threat Detection Using a Graph-Based Approach journal, December 2010

Adaptive Thresholds: Monitoring Streams of Network Counts journal, March 2006

Control Charts and Stochastic Processes journal, July 1959

The use of the area under the ROC curve in the evaluation of machine learning algorithms journal, July 1997

System for slowing password attacks patent, November 2012

User login monitoring device and method patent, March 2017

Use of interactive messaging channels to verify endpoints
patent, July 2013

Specializing network analysis to detect anomalous insider actions
journal, January 2012

Graph coarsening for path finding in cybersecurity graphs
conference, January 2013

Scan Statistics for the Online Detection of Locally Anomalous Subgraphs
journal, August 2013

System and method for dynamically limiting robot access to server data
patent, December 2003

Random Forests
journal, January 2001

Differentiating User Authentication Graphs
conference, May 2013

Insider Threat Detection Using a Graph-Based Approach
journal, December 2010

Adaptive Thresholds: Monitoring Streams of Network Counts
journal, March 2006

Control Charts and Stochastic Processes
journal, July 1959

The use of the area under the ROC curve in the evaluation of machine learning algorithms
journal, July 1997

System for slowing password attacks
patent, November 2012

User login monitoring device and method
patent, March 2017