US20190116193A1 - Risk assessment for network access control through data analytics - Google Patents

Risk assessment for network access control through data analytics

Info

Publication number
US20190116193A1
Authority
US
United States
Prior art keywords
event
network access
entity
risk
events
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Abandoned
Application number
US15/785,430
Inventor
Yanlin Wang
Weizhi Li
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Cyberark Software Ltd
Original Assignee
Individual
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Priority to US15/785,430
Application filed by Individual
Assigned to GOLUB CAPITAL LLC, AS AGENT. INTELLECTUAL PROPERTY SECURITY AGREEMENT. Assignors: CENTRIFY CORPORATION
Assigned to CENTRIFY CORPORATION. RELEASE OF SECURITY INTEREST UNDER REEL/FRAME 46081/0609. Assignors: GOLUB CAPITAL LLC
Assigned to IDAPTIVE, LLC. ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: CENTRIFY CORPORATION
Assigned to APPS & ENDPOINT COMPANY, LLC. ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: CENTRIFY CORPORATION
Assigned to IDAPTIVE, LLC. CHANGE OF NAME (SEE DOCUMENT FOR DETAILS). Assignors: APPS & ENDPOINT COMPANY, LLC
Publication of US20190116193A1
Assigned to CENTRIFY CORPORATION. ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: LI, WEIZHI, WANG, YANLIN
Assigned to CYBERARK SOFTWARE LTD. ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: CYBERARK SOFTWARE, INC.
Assigned to CYBERARK SOFTWARE, INC. MERGER (SEE DOCUMENT FOR DETAILS). Assignors: IDAPTIVE, LLC
Priority to US17/242,707 (US20210273951A1)
Abandoned (current legal status)

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N20/00 Machine learning
    • G06N99/005
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1433 Vulnerability analysis
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L63/205 Network architectures or network communication protocols for network security for managing network security; network security policies in general involving negotiation or determination of the one or more network security mechanisms to be used, e.g. by negotiation between the client and the server or between peers or by selection according to the capabilities of the entities involved

Definitions

  • Embodiments of the invention do not need human administration in the process of building an entity profile and assessing the risk level of events associated with an entity.
  • An entity's profile in the form of clusters of event vectors evolves autonomously while events are continuously received and clustered by an embodiment of the invention.
  • Rules for triggering risk assessment of an event associated with an entity are automatically updated. The update is based on the events that result from the risk assessment of prior events associated with the entity. Therefore, embodiments of the invention are much easier to operate than the prior art, which requires human administration.
  • FIG. 1 is a block diagram that shows the components of an embodiment of the invention as they exist in a web portal within a computer network, or other computing environment that requires authentication and authorization to use the environment's resources.
  • The diagram shows possible event flows through the invention with thick arrows, and shows possible communication among components via API calls with thin arrows.
  • FIG. 2 shows an event in the form of a three-tuple vector in a three-dimensional entity profile vector space, where the X axis is the event's login time of day, the Y axis is the event's login city, and the Z axis is the event's login device type.
  • FIG. 3 is a diagram of an entity profile in the form of an event cluster, an anomaly event in the form of an event vector, and a normal event in the form of an event vector, which is the first event vector of a new event cluster.
  • FIG. 4 is a diagram of an entity profile in the form of two event clusters, and an anomaly event in the form of an event vector.
  • FIG. 5 is a diagram of an entity profile in the form of two event clusters; one is a cluster with long-term memory while the other is a cluster with short-term memory. Clusters with short-term memory decay more quickly than clusters with long-term memory.
  • FIG. 1 shows the components of an embodiment of the invention as they exist in a web portal within a computer network, or other computing environment that requires authentication and authorization to use the environment's resources.
  • An event reporting agent 1-2 within the environment detects entity behavior and reports it to an embodiment of the invention as events. Each event has a set of attributes. Events can include:
  • Login events, which can include parameters such as the IP address of the device used, the type of device used, physical location, number of login attempts, date and time, and more.
  • Application access events, which can specify what application is used, application type, date and time of use, and more.
  • Privileged resource events such as launching a Secure Shell (SSH) session or a Remote Desktop Protocol (RDP) session as an administrator.
  • Mobile device management events such as enrolling or un-enrolling a mobile device with an identity management service.
  • CLI command-use events such as UNIX commands or MS-DOS commands, which can specify the commands used, date and time of use, and more.
  • Authorization escalation events such as logging in as a super-user in a UNIX environment, which can specify the login parameters listed above.
  • Risk feedback events, which report an embodiment of the invention's evaluations of the entity. For example, when the access control service 1-3 requests a risk evaluation from an embodiment of the invention at entity login, the action generates an event that contains the resulting evaluation and any resulting action based on the evaluation.
  • An access control service 1-3 authenticates entities and can change authentication factor requirements at login and at other authentication events.
  • A directory service 1-4 such as Active Directory defines authentication requirements and authorization for each entity.
  • An admin web browser 1-5 is what an administrator can use to control an embodiment of the invention.
  • An event ingestion service 1-10 accepts event data from the event reporting agent, filters out events that are malformed or irrelevant, extracts necessary attributes from event data, and converts event data into values that a risk assessment engine 1-11 can use.
  • The risk assessment engine 1-11 accepts entity events from the event ingestion service 1-10 and uses them to build an entity profile for each entity. Whenever requested, the risk assessment engine 1-11 can compare an event or attempted event to the entity's profile to determine a threat level for the event.
  • A streaming threat remediation engine 1-9 accepts a steady stream of events from the risk assessment engine 1-11.
  • The streaming threat remediation engine 1-9 stores a rule queue. Each rule in the queue tests an incoming event and may take action if the rule detects certain conditions in the event.
  • A rule may, for example, check the event type, and contact the risk assessment engine to determine risk for the event.
  • A risk assessment service 1-8 is a front end for the risk assessment engine 1-11.
  • The service 1-8 allows components outside the invention's core to make authenticated connections and then request service from the risk assessment engine 1-11.
  • The requested service is typically something such as assessing risk for a provided event or for an attempted event such as a login.
  • An on-demand threat remediation engine 1-7 is very similar to the streaming threat remediation engine 1-9. It contains a rule queue. The rules here, though, test attempted events such as log-in requests or authorization changes that may require threat assessment before the requests are granted and the event takes place. An outside component such as the access control service 1-3 may contact the on-demand threat remediation engine 1-7 with an attempted event.
  • The on-demand threat remediation engine 1-7 can request risk assessment from an embodiment of the invention through the risk assessment service 1-8.
  • A user attempts to log into an application at a web portal.
  • The Event Reporting Agent 1-2 captures the user activity and records it as an event, which consists of event attributes such as user log-in time, location latitude, location longitude, etc.
  • The Event Report Agent 1-2 forwards the event to the Event Ingestion Service 1-10.
  • The Event Ingestion Service 1-10 filters out some of the event attributes before converting the rest of the event attributes to numeric values, and each event is now represented as an n-tuple vector, where n is the number of event attributes. In other words, each event attribute is encoded as a single value. In an embodiment, an event attribute may be encoded as a multi-dimension vector.
  • The Event Ingestion Service 1-10 then forwards the formatted event vector to the Risk Assessment Engine.
  • The Risk Assessment Engine 1-11 uses well-known machine learning clustering algorithms, e.g., K-Means, to determine in real time if the event is part of any existing event cluster or user profile cluster.
  • The user profile cluster is updated by adding the event vector into the cluster determined by the well-known clustering algorithm.
  • The Risk Assessment Engine 1-11 then forwards the event to the Streaming Threat Remediation Engine 1-9.
  • The Risk Assessment Engine 1-11 applies configurable machine learning rules to run the well-known machine learning clustering algorithms, e.g., K-Means, to determine if the event is part of any existing event cluster or user profile cluster.
  • Machine learning rules guide the machine learning process within the Risk Assessment Engine 1-11, e.g., how to select dimensions in an event vector to be fed into the well-known machine learning algorithm, whether and how to transform the selected dimensions based on event type, how to set the weight of each selected dimension in an event vector, and which machine learning algorithm to run, etc.
  • Machine learning rules can be inherited and overwritten.
  • The Risk Assessment Engine 1-11 has default system-level machine learning rules, which can be inherited by tenant companies and individual users.
  • Different tenant companies can customize their own company-level machine learning rules, which overwrite the default system-level machine learning rules.
  • Different users can have different individual machine learning rules, which override company-level machine learning rules.
  • The risk assessment engine 1-11 may use the risk and confidence scores to assign one of five fraud risk levels to the assessed event:
  • The Risk Assessment Engine 1-11 computes a risk score of the event based on the vector distance between the event vector and the cluster center vector in an n-dimension vector space, where n is the number of event attributes.
  • The Risk Score indicates how distinct the requested identity activity in the form of an event is from the user's normal behavior in the form of the user profile cluster.
  • The range of the Risk Score is (0, 100], where 100 denotes the highest risk score, and 0 denotes the lowest risk score.
  • The Risk Assessment Engine 1-11 applies configurable risk assessment rules to compute risk scores.
  • Risk assessment rules can be inherited and overwritten.
  • The Risk Assessment Engine 1-11 has default system-level risk assessment rules, which can be inherited by tenant companies and individual users.
  • Different tenant companies can configure their own company-level risk assessment rules, which overwrite the default system-level risk assessment rules.
  • Different users can be configured with different individual risk assessment rules, which override company-level risk assessment rules.
  • Associated with a risk score, the Risk Assessment Engine 1-11 also computes a confidence score. The Confidence Score indicates how well the system knows the user. This score is initially low and increases over time as the Risk Assessment Engine 1-11 receives and learns more event data of the user.
  • The Confidence Score is calculated by a customized sigmoid function based on the number of data points and the period of time (e.g., in days) learned by the Risk Assessment Engine 1-11.
  • The range of the Confidence Score is (0, 100], where 100 denotes the highest confidence score, and 0 denotes the lowest confidence score.
  • A training period is needed, during which the Risk Assessment Engine 1-11 collects events and constructs the user profile, i.e., the event cluster, based on the events received during this period.
  • The Risk Assessment Engine 1-11 runs pre-configured rules against the event and determines if the event requires any risk assessment.
  • The rules are a set of conditions, e.g., condition 1: the user tries to log into a critical Human Resources application that can view all the employees' personal information; condition 2: the user's device type has changed since the last successful log; etc.
  • The Streaming Threat Remediation Engine 1-9 determines the risk level of a network access event based on the received risk score and confidence score as well as current risk thresholds and confidence thresholds.
  • The event vector and the determined risk level information are stored together as a user profile record in a model repository by the Streaming Threat Remediation Engine 1-9.
  • The user profile record stored in the model repository is used by the system to trigger alerts based on event risk levels.
  • An alert email or SMS text message is automatically generated to notify the user.
  • The user can take actions such as contacting customer service to evict the unauthorized network access.
  • System administrators receive an alert message, and take actions such as contacting the user for network access verification.
  • The Streaming Threat Remediation Engine 1-9 applies configurable risk assessment rules to compute the risk level.
  • Risk assessment rules can be inherited and overwritten.
  • The Streaming Threat Remediation Engine 1-9 has default system-level risk assessment rules, which can be inherited by tenant companies and individual users.
  • Different tenant companies can configure their own company-level risk assessment rules, which overwrite the default system-level risk assessment rules.
  • Different users can configure different individual risk assessment rules, which override company-level risk assessment rules.
  • The on-demand threat remediation engine 1-7 adjusts risk thresholds and confidence thresholds based on risk feedback events, which result from the risk level assessment of prior events.
  • The on-demand threat remediation engine 1-7 determines the risk level of a network access event or attempt based on the received risk score and confidence score as well as current risk thresholds and confidence thresholds. If the access event or attempt is assessed as high fraud risk, the on-demand threat remediation engine 1-7 sends an instruction to the Access Control Service 1-3 to request additional authentication from the user with an alternative authentication method or, alternatively, to block the access, depending on the policy set by a security admin on the Access Control Service 1-3.
  • The instruction from the on-demand threat remediation engine 1-7 to the Access Control Service 1-3 generates a risk feedback event that contains the risk level evaluation by the on-demand threat remediation engine 1-7, and any resulting action triggered by the risk level evaluation, such as the authentication of the user's additional login attempt using an alternative authentication method.
  • The authentication results contained in such risk feedback events are fed back from the Event Report Agent 1-2 to the on-demand threat remediation engine 1-7 via the Event Ingestion Service 1-10, Risk Assessment Engine 1-11 and Risk Assessment Service 1-8.
  • The on-demand threat remediation engine 1-7 analyzes the received authentication results contained in risk feedback events, and determines if the risk thresholds and confidence thresholds need to be adjusted. For example, if all of the authentication results are positive, i.e., all users are authenticated successfully using the alternative authentication method, the risk thresholds and/or confidence thresholds may need to be set higher to prevent unnecessary additional authentication requests.
  • The on-demand threat remediation engine 1-7 applies configurable risk assessment rules to compute the risk level.
  • Risk assessment rules can be inherited and overwritten.
  • The on-demand threat remediation engine 1-7 has default system-level risk assessment rules, which can be inherited by tenant companies and individual users.
  • Different tenant companies can customize their own company-level risk assessment rules, which overwrite the default system-level risk assessment rules.
  • Different users can be configured with different individual risk assessment rules, which override company-level risk assessment rules.
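The threshold feedback loop of the on-demand threat remediation engine described above, as an added sketch that is not code from the patent. The class name, the threshold values, the step size, the review window, the floor and ceiling, and the rule that a failed challenge lowers the threshold are all assumptions made for illustration.

```python
# Added illustration, not the patent's code. Threshold values, the step size,
# the window length and the floor/ceiling guard rails are assumptions.
from collections import deque
from dataclasses import dataclass, field

@dataclass
class OnDemandEngine:
    risk_threshold: float = 60.0        # risk score at or above this is "high"
    confidence_threshold: float = 50.0  # below this the profile is too young
    step: float = 5.0                   # size of one threshold adjustment
    risk_floor: float = 40.0            # adjustments never go below this
    risk_ceiling: float = 85.0          # ... or above this
    window: int = 5                     # feedback events reviewed per adjustment
    feedback: deque = field(default_factory=deque)

    def decide(self, risk, confidence):
        """Turn a (risk score, confidence score) pair into an action."""
        if risk < self.risk_threshold:
            return "allow"
        if confidence < self.confidence_threshold:
            # Assumption: a high score from a thin profile is not acted on
            # directly; the static access-control policy decides instead.
            return "defer_to_static_policy"
        return "step_up"   # or "block", depending on the admin's policy

    def record_feedback(self, step_up_succeeded):
        """Consume one risk feedback event; retune after a full window."""
        self.feedback.append(step_up_succeeded)
        if len(self.feedback) < self.window:
            return
        if all(self.feedback):
            # Every challenged user passed: challenges were likely unnecessary.
            self.risk_threshold = min(self.risk_ceiling,
                                      self.risk_threshold + self.step)
        else:
            # Assumption: any failed challenge tightens the threshold again.
            self.risk_threshold = max(self.risk_floor,
                                      self.risk_threshold - self.step)
        self.feedback.clear()

def replay(engine, outcomes):
    """Feed constructed feedback outcomes and return the threshold after each."""
    trace = []
    for ok in outcomes:
        engine.record_feedback(ok)
        trace.append(engine.risk_threshold)
    return trace
```

The ceiling matters because the adjustment is driven by authentication outcomes alone: without a bound, a long run of successful challenges keeps raising the threshold until additional authentication is rarely requested.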
  • FIG. 2 shows an event represented as a 3-tuple vector 2-3 in a three-dimensional entity profile vector space 2-8, where the X axis 2-6 is the event's login time of day 2-4, the Y axis 2-1 is the event's login city 2-2, and the Z axis 2-7 is the event's login device type 2-5.
  • FIG. 3 is a diagram of an entity profile in the form of an event cluster 4-3, and an anomaly event in the form of an event vector 4-9.
  • The well-known machine learning clustering algorithm keeps updating the cluster while new event vectors are received and added into the entity profile vector space.
  • The risk score of a new event is also dynamically adjusted.
  • The previous cluster center is represented as (8 AM, city A, iPhone).
  • The new cluster center is represented as (8:30 AM, city A, iPhone).
  • The risk score is low with the new cluster center because the event is within 30 minutes' distance of the new cluster center.
  • The new event's risk score would be high with the previous cluster center, as the distance between the new event and the previous cluster center is not within 30 minutes. This is one of the advantages of the embodiment of the invention: the risk score is adaptively updated as the user profile cluster is updated. In the prior art, this requires manual adjustment of the risk score calculation criteria. For example, the period of low-risk log-in time needs to be updated from (7:30 AM ~ 8:30 AM) to (8:00 AM ~ 9:00 AM). Without adjusting the risk score criteria, the new event may be treated as an anomaly in the prior art.
  • FIG. 4 shows an entity profile evolving from a cluster 5-3 into two clusters.
  • A new cluster 5-11 starts as an event vector 5-10, which is detected by the well-known clustering algorithm as an anomaly and not part of the existing event cluster 5-3. Therefore, an additional factor for authentication is triggered for this entity.
  • Using one factor for authentication is considered a weak authentication method, while using two or more factors for authentication is considered a strong authentication method.
  • Different types of factors used for authentication have different levels of authentication strength.
  • Authentication using security questions is considered very weak; authentication using a password is considered weak to medium depending on the password rules enforced; authentication using email, SMS or a phone call is considered medium; and a one-time password (OTP), an authenticator or 3rd party RADIUS (RSA) is considered strong.
  • The additional factor for authentication is a stronger factor for authentication than the default factor for authentication. Because the additional authentication is successful, which in turn is recorded as a new event and fed back into the Risk Assessment Engine 1-11, the event vector 5-10 is marked as the first event vector of the new cluster 5-11.
  • This type of event cluster evolution typically happens when a user maintains more than one set of access patterns. For example, a user may regularly travel to another city for a week once a quarter. From the event cluster perspective, the user has at least two clusters, one centered at the home location and the other centered at the visiting location. The event cluster centered at the visiting location grows during the week when the user is traveling.
  • The event cluster centered at the visiting location stops growing and eventually decays when the event data becomes outdated.
  • Event data that is stored longer than a certain duration may get purged from the event cluster.
  • FIG. 5 shows a diagram of an entity profile in the form of two event clusters 6-3 and 6-4.
  • Cluster 6-3 is a cluster with long-term memory while cluster 6-8 is a cluster with short-term memory.
  • The event cluster with long-term memory represents the entity's normal or routine behavior, which does not change or only gradually changes over a long period. For example, a user usually checks work emails from his/her smartphone around 7 AM every morning at home for years.
  • The event vectors of a long-term memory cluster are a useful reference for the user's future routine behavior. Therefore, event vectors that belong to the event cluster with long-term memory are kept as part of the event cluster for a relatively long period, e.g., several months or years.
  • The event cluster with long-term memory is formed by well-known machine-learning clustering methods.
  • The event cluster with short-term memory represents the entity's temporary behavior, which tends to change and only lasts for a short period. For example, a user regularly travels away from home on business for a week once a month. During the week of travelling, a user's network access behavior, such as network login location and login time, is likely different from the behavior in past or future months. And the user maintains such network access behavior only during the week of travelling. The event vectors collected in the current travelling week may not be the right reference for the user's future behavior.
  • The event vectors of a short-term memory cluster are only kept as part of the event cluster for a relatively short period, e.g., several days.
  • An event vector cluster with short-term memory decays more quickly than an event vector cluster with long-term memory.
  • The event cluster with short-term memory is formed by rules such as multifactor authentication with strong authentication factors.
  • The rules are configurable by users, which results in customized event clusters with short-term memory.
  • FIG. 5 shows an example in which the cluster 6-8 with short-term memory decays more quickly than the long-term memory cluster 6-3.
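An added sketch, not code from the patent, of the profile described in the risk and confidence score passage and in the FIG. 3 to FIG. 5 discussion above: distance-based risk against an adaptive cluster center, a sigmoid confidence score, and short-term clusters that decay faster than long-term ones. The attribute encoding, distance weights, score curves, retention periods and all names are assumptions, and a simple nearest-center assignment stands in for the clustering algorithm.

```python
# Added illustration, not the patent's code: an entity profile kept as clusters
# of event vectors. Encodings, weights, score curves and retention periods are
# assumptions made for this sketch.
import math
from collections import Counter
from dataclasses import dataclass, field

DAY = 86400
RETENTION = {"long": 365 * DAY, "short": 7 * DAY}  # assumed retention periods
JOIN_DISTANCE = 1.0  # assumed: 1.0 equals a 30-minute gap in login time

@dataclass
class Event:
    ts: float      # epoch seconds at which the event was observed
    minute: int    # login time of day, minutes since midnight
    city: str
    device: str

@dataclass
class Cluster:
    memory: str                                   # "long" or "short"
    events: list = field(default_factory=list)

    def center(self):
        """Circular mean of login time; most common city and device."""
        ang = [2 * math.pi * e.minute / 1440 for e in self.events]
        mean = math.atan2(sum(map(math.sin, ang)), sum(map(math.cos, ang)))
        minute = (mean % (2 * math.pi)) * 1440 / (2 * math.pi)
        city = Counter(e.city for e in self.events).most_common(1)[0][0]
        device = Counter(e.device for e in self.events).most_common(1)[0][0]
        return minute, city, device

def distance(event, center):
    """Weighted Euclidean distance between an event vector and a center."""
    minute, city, device = center
    gap = abs(event.minute - minute)
    gap = min(gap, 1440 - gap)                    # time of day wraps at midnight
    return math.sqrt((gap / 30) ** 2
                     + (2.0 * (event.city != city)) ** 2
                     + (2.0 * (event.device != device)) ** 2)

def risk_score(d):
    """Map distance to (0, 100]: low inside JOIN_DISTANCE, high well beyond."""
    return 100 / (1 + math.exp(-4 * (d - 1.5)))

def confidence_score(n_events, days_learned):
    """Product of two sigmoids: grows with event count and learning time."""
    by_count = 1 / (1 + math.exp(-(n_events - 20) / 5))
    by_time = 1 / (1 + math.exp(-(days_learned - 14) / 3))
    return 100 * by_count * by_time

@dataclass
class Profile:
    clusters: list = field(default_factory=list)

    def purge(self, now):
        """Decay: drop expired event vectors, then clusters left empty."""
        for c in self.clusters:
            c.events = [e for e in c.events if now - e.ts <= RETENTION[c.memory]]
        self.clusters = [c for c in self.clusters if c.events]

    def nearest(self, event):
        """Return (distance, cluster) for the closest cluster center."""
        scored = [(distance(event, c.center()), c) for c in self.clusters]
        return min(scored, key=lambda s: s[0], default=(math.inf, None))

    def assess(self, event, now):
        """Return (risk, confidence) for an event against the profile."""
        self.purge(now)
        d, _ = self.nearest(event)
        events = [e for c in self.clusters for e in c.events]
        days = (now - min(e.ts for e in events)) / DAY if events else 0
        return risk_score(d), confidence_score(len(events), days)

    def learn(self, event, verified_by_strong_mfa=False):
        """Join the nearest cluster, or start a short-term one after step-up."""
        d, cluster = self.nearest(event)
        if cluster is not None and d <= JOIN_DISTANCE:
            cluster.events.append(event)
        elif verified_by_strong_mfa or not self.clusters:
            memory = "short" if self.clusters else "long"
            self.clusters.append(Cluster(memory, [event]))

def demo():
    """Constructed scenario: home routine, one verified trip, a month passes."""
    t0 = 1_700_000_000
    p = Profile()
    for day in range(60):                         # 60 days of 07:00 home logins
        p.learn(Event(t0 + day * DAY, 420, "city A", "phone"))
    now = t0 + 60 * DAY
    trip = Event(now, 420, "city B", "phone")
    first, _ = p.assess(trip, now)                # unfamiliar city: high risk
    p.learn(trip, verified_by_strong_mfa=True)    # step-up succeeded
    during, _ = p.assess(Event(now + DAY, 430, "city B", "phone"), now + DAY)
    later = now + 30 * DAY                        # short-term cluster has decayed
    after, conf = p.assess(Event(later, 420, "city B", "phone"), later)
    home, _ = p.assess(Event(later, 425, "city A", "phone"), later)
    return first, during, after, home, conf
```

In `demo()`, the city B login scores high before the trip is verified, low during the travel week, and high again a month later once the short-term cluster has been purged, while the home routine stays low throughout.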

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Vision & Pattern Recognition (AREA)
  • Data Mining & Analysis (AREA)
  • Evolutionary Computation (AREA)
  • Medical Informatics (AREA)
  • Artificial Intelligence (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Mathematical Physics (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

Methods and systems of risk assessment for network access control through data analytics. An embodiment of the invention employs well-known machine-learning clustering methods to learn normal entity behavior by looking for patterns in the events that stream in continuously. In an embodiment of the invention, normal entity behaviors are represented as clusters of event vectors. An embodiment of the invention evaluates the risk level for a new event of an entity by comparing the event with the entity's profile represented as clusters of event vectors. In an embodiment of the invention, the risk level is associated with a confidence level. The confidence level indicates how well the system knows the entity. Embodiments of the invention do not need human administration in the process of building an entity profile and assessing the risk level of events associated with an entity.

Description

    FIELD OF THE DISCLOSURE
  • This disclosure relates generally to Internet security and, more particularly, to methods and systems of risk assessment for network access control through data analytics.
  • BACKGROUND
  • Authentication and authorization are security means to protect a computer network from unauthorized access to its resources such as computer servers, software applications and services, and so on. Authentication verifies the identity of an entity (person, user, process, or device) that wants to access a computer network resources. In the rest of this disclosure, terms of an entity, a person, a process, a user and a device will be used interchangeably. Common ways for authentication are username/password combination, fingerprint readers, retinal scans, etc. On the other hand, authorization determines what privileges that an authenticated entity has during the entity's session from log-on until log-off. The privileges assigned to an entity define the entity's access right to the network resources. For example, an entity may only be able to read documents but not allowed to edit documents.
  • Multifactor authentication (MFA) as an enhancement of identity authentication increases security by requiring two or more different authentication methods such as a user/password combination followed by an SMS request to the user's cell phone to confirm the user's identity. However, MFA increases the authentication security at the cost of increased complexity of the network login process for a user. A user has to perform multiple authentications, sometimes on different devices, to get authenticated.
  • As a result, adaptive MFA has been developed to ease the use of MFA. A network with adaptive MFA can change its authentication requirements depending on detected conditions at log-in. Adaptive MFA is rule-based, though, which limits its effectiveness because those rules are static. In addition, adaptive MFA only acts on the conditions at the time of a user's login without considering the user's past network access and usage history. Therefore, adaptive MFA cannot determine if the user's current login activity is normal or abnormal.
    SUMMARY OF THE INVENTION
  • Embodiments of the invention build an entity profile by collecting and analyzing the entity's events in real time using well-known machine-learning methods. Each event of an entity that is collected and analyzed by an embodiment of the invention includes event attributes such as entity ID, login location, login date, login time, device used at login, IP address used at login, application launched after login, and so on.
  • An embodiment of the invention employs well-known machine-learning clustering methods to learn normal entity behavior by looking for patterns in the events that stream in continuously. In an embodiment of the invention, normal entity behaviors are represented as clusters of event vectors. An embodiment of the invention evaluates the risk level for a new event of an entity by comparing the event with the entity's profile represented as clusters of event vectors. In an embodiment of the invention, the risk level is associated with a confidence level. Confidence level indicates how well the system knows about the entity. This confidence level is initially low and increases over time when more events of the entity are collected and analyzed.
  • Embodiments of the invention do not need human administration in the process of building an entity profile and assessing the risk level of events associated with an entity. An entity's profile in the form of clusters of event vectors evolves autonomously while events are continuously received and clustered by an embodiment of the invention. In an embodiment of the invention, rules for triggering risk assessment of an event associated with an entity are automatically updated. The update is based on the events that result from the risk assessment of prior events associated with the entity. Therefore, embodiments of the invention are much easier to operate than prior arts, which require human administration.
    BRIEF DESCRIPTION OF DRAWINGS
  • Embodiments of the invention are illustrated by way of example and not by way of limitation in the figures of the accompanying drawings in which like references indicate similar elements. Note that references to “an” or “one” embodiment in this disclosure are not necessarily to the same embodiment, and such references mean “at least one.”
  • FIG. 1 is a block diagram that shows the components of an embodiment of the invention as they exist in a web portal within a computer network, or other computing environment that requires authentication and authorization to use the environment's resources. The diagram shows possible event flows through the invention with thick arrows, and shows possible communication among components via API calls with thin arrows.
  • FIG. 2 shows an event in form of a three-tuple vector in a three dimensional entity profile vector space, where X axis is event's login time of day, Y axis is event's login city, and Z axis is event's login device type.
  • FIG. 3 is a diagram of an entity profile in form of an event cluster, an anomaly event in form of an event vector, and a normal event in form of an event vector, which is the first event vector of a new event cluster.
  • FIG. 4 is a diagram of an entity profile in form of two event clusters, and an anomaly event in form of an event vector.
  • FIG. 5 is a diagram of an entity profile in form of two event clusters; one is a cluster with long-term memory while the other is a cluster with short-term memory. Clusters with short-term memory decay more quickly than clusters with long-term memory.
    DETAILED DESCRIPTION OF THE INVENTION
  • FIG. 1 shows the components of an embodiment of the invention as they exist in a web portal within a computer network, or other computing environment that requires authentication and authorization to use the environment's resources.
  • An event reporting agent 1-2 within the environment detects entity behavior and reports it to an embodiment of the invention as events, each with a set of attributes. Events can include:
  • Login events, which can include parameters such as the IP address of the device used, the type of device used, physical location, number of login attempts, date and time, and more.
  • Application access events, which can specify what application is used, application type, date and time of use, and more.
  • Privileged resource events such as launching a Secure Shell (SSH) session or a Remote Desktop Protocol (RDP) session as an administrator.
  • Mobile device management events such as enrolling or un-enrolling a mobile device with an identity management service.
  • CLI command-use events such as UNIX commands or MS-DOS commands, which can specify the commands used, date and time of use, and more.
  • Authorization escalation events, such as logging in as a super-user in a UNIX environment, which can specify login parameters listed above.
  • Risk feedback events, which report an embodiment of the invention's evaluations of the entity. For example, when the access control service 1-3 requests a risk evaluation from an embodiment of the invention at entity login, the action generates an event that contains the resulting evaluation and any resulting action based on the evaluation.
  • An access control service 1-3 authenticates entities and can change authentication factor requirements at login and at other authentication events.
  • A directory service 1-4 such as Active Directory defines authentication requirements and authorization for each entity.
  • An admin web browser 1-5 that an administrator can use to control an embodiment of the invention.
  • An event ingestion service 1-10 accepts event data from the event reporting agent, filters out events that are malformed or irrelevant, extracts necessary attributes from event data, and converts event data into values that a risk assessment engine 1-11 can use.
  • The risk assessment engine 1-11 accepts entity events from the event ingestion service 1-10 and uses them to build an entity profile for each entity. Whenever requested, the risk assessment engine 1-11 can compare an event or attempted event to the entity's profile to determine a threat level for the event.
  • A streaming threat remediation engine 1-9 accepts a steady stream of events from the risk assessment engine 1-11. The streaming threat remediation engine 1-9 stores a rule queue. Each rule in the queue tests an incoming event and may take action if the rule detects certain conditions in the event. A rule may, for example, check the event type, and contact the risk assessment engine to determine risk for the event.
  • A risk assessment service 1-8 is a front end for the risk assessment engine 1-11. The service 1-8 allows components outside the invention's core to make authenticated connections and then request service from the risk assessment engine 1-11. Service is typically something such as assessing risk for a provided event or for an attempted event such as login.
  • An on-demand threat remediation engine 1-7 is very similar to the streaming threat remediation engine 1-9. It contains a rule queue. The rules here, though, test attempted events such as log-in requests or authorization changes that may require threat assessment before the requests are granted and the event takes place. An outside component such as the access control service 1-3 may contact the on-demand threat remediation engine 1-7 with an attempted event. The on-demand threat remediation engine 1-7 can request risk assessment from an embodiment of the invention through the risk assessment service 1-8.
  • In an embodiment, a user attempts to log into an application at a web portal. The Event Reporting Agent 1-2 captures the user activity and records it as an event, which consists of event attributes such as user log in time, location latitude, location longitude, etc. The Event Reporting Agent 1-2 forwards the event to the Event Ingestion Service 1-10. The Event Ingestion Service 1-10 filters out some of the event attributes before converting the rest of the event attributes to numeric values, and each event is now represented as an n-tuple vector, where n is the number of event attributes. In other words, each event attribute is encoded as a single value. In an embodiment, an event attribute may be encoded as a multi-dimension vector. The Event Ingestion Service 1-10 then forwards the formatted event vector to the Risk Assessment Engine.
  • The Risk Assessment Engine 1-11 uses well-known machine learning clustering algorithms, e.g., K-Means, to determine if the event is part of any existing event cluster or user profile cluster in real time. The user profile cluster is updated by adding the event vector into the cluster determined by the well-known clustering algorithm. The Risk Assessment Engine 1-11 then forwards the event to the Streaming Threat Remediation Engine 1-9.
  • In an embodiment, the Risk Assessment Engine 1-11 applies configurable machine learning rules to run the well-known machine learning clustering algorithms, e.g., K-Means, to determine if the event is part of any existing event cluster or user profile cluster. In an embodiment, machine learning rules guide the machine learning process within the Risk Assessment Engine 1-11, e.g., how to select dimensions in an event vector to be fed into the well-known machine learning algorithm, whether and how to transform the selected dimensions based on event type, how to set the weight of each selected dimension in an event vector, and which machine learning algorithm to run, etc.
  • In an embodiment, machine learning rules can be inherited and overwritten. The Risk Assessment Engine 1-11 has default system-level machine learning rules, which can be inherited by tenant companies and individual users. On the other hand, different tenant companies can customize their own company-level machine learning rules, which overwrite the default system-level machine learning rules. Similarly, different users can have different individual machine learning rules, which override company-level machine learning rules.
  • The risk assessment engine 1-11 may use the risk and confidence scores to assign one of five fraud risk levels to the assessed event:
  • Unknown: there are not enough events in the entity profile over a long enough period of time to successfully determine fraud risk.
  • Normal: the event looks legitimate.
  • Low Risk: some aspects of the event are abnormal, but not many.
  • Medium Risk: some important aspects of the event are abnormal while some are not.
  • High Risk: many key aspects of the event are abnormal.
  • In an embodiment, the Risk Assessment Engine 1-11 computes a risk score of the event based on the vector distance between the event vector and the cluster center vector in an n-dimension vector space, where n is the number of event attributes. In other words, each event attribute is encoded as a single value. In an embodiment, an event attribute may be encoded as a multi-dimension vector. Risk Score indicates how distinct the requested identity activity in the form of an event is from the user's normal behavior in the form of the user profile cluster. In an embodiment, the range of Risk Score is (0, 100], where 100 denotes the highest risk score, and 0 denotes the lowest risk score.
  • In an embodiment, the Risk Assessment Engine 1-11 applies configurable risk assessment rules to compute risk scores. In an embodiment, risk assessment rules can be inherited and overwritten. The Risk Assessment Engine 1-11 has default system-level risk assessment rules, which can be inherited by tenant companies and individual users. On the other hand, different tenant companies can configure their own company-level risk assessment rules, which overwrite the default system-level risk assessment rules. Similarly, different users can be configured with different individual risk assessment rules, which override company-level risk assessment rules.
  • Associated with a risk score, the Risk Assessment Engine 1-11 also computes a confidence score. Confidence Score indicates how well the system knows about the user. This score is initially low and increases over time as the Risk Assessment Engine 1-11 receives and learns more event data of the user.
  • In an embodiment, the Confidence Score is calculated by a customized sigmoid function based on number of data points and period of time (e.g., in days) learned by the Risk Assessment Engine 1-11. In an embodiment, the range of Confidence Score is (0, 100], where 100 denotes the highest confidence score, and 0 denotes the lowest confidence score.
  • Before the Risk Assessment Engine 1-11 is able to compute a risk score with certain confidence for an event related to a user, a training period is needed, where the Risk Assessment Engine 1-11 collects and constructs the user profile, i.e., event cluster based on the received events during this period.
  • The Risk Assessment Engine 1-11 runs pre-configured rules against the event and determines if the event requires any risk assessment. The rules are a set of conditions, e.g., condition 1: the user tries to log into a critical Human Resources application that can view all the employees' personal information; condition 2: the user's device type is changed since last successful log; etc.
  • In an embodiment, the Streaming Threat Remediation Engine 1-9 determines the risk level of a network access event based on the received risk score and confidence score as well as current risk thresholds and confidence thresholds. The event vector and the determined risk level information are stored together as a user profile record in a model repository by the Streaming Threat Remediation Engine 1-9. In an embodiment, the user profile record stored in the model repository is used by the system to trigger alerts based on event risk levels. In an embodiment, if the event is assessed with a high fraud risk level, an alert email or SMS text message is automatically generated to notify the user. In case of network fraud, the user can take actions such as contacting customer service to evict the unauthorized network access. In an embodiment, if the event is assessed with a high fraud risk level, system administrators receive an alert message, and take actions such as contacting the user for network access verification.
  • In an embodiment, the Streaming Threat Remediation Engine 1-9 applies configurable risk assessment rules to compute risk level. In an embodiment, risk assessment rules can be inherited and overwritten. The Streaming Threat Remediation Engine 1-9 has default system-level risk assessment rules, which can be inherited by tenant companies and individual users. On the other hand, different tenant companies can configure their own company-level risk assessment rules, which overwrite the default system-level risk assessment rules. Similarly, different users can configure different individual risk assessment rules, which override company-level risk assessment rules.
  • In an embodiment, the on-demand threat remediation engine 1-7 adjusts risk thresholds and confidence thresholds based on risk feedback events, which result from the risk level assessment of prior events. The on-demand threat remediation engine 1-7 determines the risk level of a network access event or attempt based on the received risk score and confidence score as well as current risk thresholds and confidence thresholds. If the access event or attempt is assessed with high fraud risk, the on-demand threat remediation engine 1-7 sends an instruction to the Access Control Service 1-3 to request additional authentication from the user with an alternative authentication method or, alternatively, to block the access, depending on the policy set by a security admin on the Access Control Service 1-3. The instruction from the on-demand threat remediation engine 1-7 to the Access Control Service 1-3 generates a risk feedback event that contains the risk level evaluation by the on-demand threat remediation engine 1-7, and any resulting action triggered by the risk level evaluation such as the authentication of the user's additional login attempt using an alternative authentication method. The authentication results contained in such risk feedback events are fed back from the Event Reporting Agent 1-2 to the on-demand threat remediation engine 1-7 via the Event Ingestion Service 1-10, Risk Assessment Engine 1-11 and Risk Assessment Service 1-8. The on-demand threat remediation engine 1-7 analyzes the received authentication results contained in risk feedback events, and determines if the risk thresholds and confidence thresholds need to be adjusted. For example, if all of the authentication results are positive, i.e., all users are authenticated successfully using the alternative authentication method, the risk thresholds and/or confidence thresholds may need to be set higher to prevent unnecessary additional authentication requests.
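One way to implement the threshold feedback loop described above, as added example code that is not taken from the patent. The record fields, starting threshold, step size, minimum batch size and the floor/ceiling bounds are assumptions, as is lowering the threshold when a challenge fails; only the risk threshold is adjusted here.

```python
from dataclasses import dataclass


@dataclass
class FeedbackEvent:
    """Constructed record shape; the page does not define the event fields."""
    entity_id: str
    risk_score: float
    step_up_passed: bool     # result of the alternative-method authentication


@dataclass
class OnDemandEngine:
    risk_threshold: float = 75.0   # assumed starting value
    step: float = 5.0              # assumed adjustment per review
    floor: float = 50.0            # assumed bounds: the threshold can never
    ceiling: float = 90.0          # drift outside [floor, ceiling]
    min_batch: int = 20            # assumed minimum evidence before adjusting

    def instruct(self, risk_score):
        """Instruction sent to the access control service for one attempt."""
        return "step_up" if risk_score >= self.risk_threshold else "allow"

    def adjust(self, feedback):
        """Review one batch of risk feedback events and move the threshold."""
        if len(feedback) < self.min_batch:
            return self.risk_threshold          # too little evidence: hold
        failures = sum(1 for f in feedback if not f.step_up_passed)
        if failures == 0:
            # The page's case: every challenged user authenticated, so the
            # challenges were unnecessary and the threshold goes up.
            self.risk_threshold = min(self.ceiling,
                                      self.risk_threshold + self.step)
        else:
            # Assumption (not on the page): any failed challenge tightens it.
            self.risk_threshold = max(self.floor,
                                      self.risk_threshold - self.step)
        return self.risk_threshold


def make_batch(size, failures=0):
    """Constructed feedback: `failures` failed challenges, the rest passed."""
    return [FeedbackEvent(f"user{i}", 80.0, i >= failures)
            for i in range(size)]


def simulate():
    """Feed six constructed batches through the engine; return each threshold."""
    engine = OnDemandEngine()
    history = [engine.risk_threshold]
    batches = (make_batch(5), make_batch(20), make_batch(20), make_batch(20),
               make_batch(20), make_batch(20, failures=3))
    for feedback in batches:
        history.append(engine.adjust(feedback))
    return history


if __name__ == "__main__":
    print(simulate())
```

The ceiling and the minimum batch size keep a run of successful challenges from raising the threshold until step-up authentication never triggers.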
  • In an embodiment, the on-demand threat remediation engine 1-7 applies configurable risk assessment rules to compute risk level. In an embodiment, risk assessment rules can be inherited and overwritten. The on-demand threat remediation engine 1-7 has default system-level risk assessment rules, which can be inherited by tenant companies and individual users. On the other hand, different tenant companies can customize their own company-level risk assessment rules, which overwrite the default system-level risk assessment rules. Similarly, different users can be configured with different individual risk assessment rules, which override company-level risk assessment rules.
  • FIG. 2 shows an event represented as 3-tuple vector 2-3 in a three dimensional entity profile vector space 2-8, where X axis 2-6 is event's login time of day 2-4, Y axis 2-1 is event's login city 2-2, and Z axis 2-7 is event's login device type 2-5.
  • As more and more events are collected, the event cluster is growing and expanding. FIG. 3 is a diagram of an entity profile in form of an event cluster 4-3, and an anomaly event in form of an event vector 4-9. The well-known machine learning clustering algorithm keeps updating the cluster while new event vectors are received and added into the entity profile vector space.
  • In an embodiment of the invention, as the center of a user's event cluster is dynamically updated, the risk score of a new event is also dynamically adjusted. For example, the previous cluster center is represented as (8 AM, city A, iPhone), and the new cluster center is represented as (8:30 AM, city A, iPhone). In terms of the login time of day, if the new event is not within 30 minutes distance from the cluster center, the event is considered high risk, i.e., it is assigned a high risk score. For a new event (8:59 AM, city A, iPhone), the risk score is low with the new cluster center because it is within 30 minutes distance from the new cluster center. However, the new event's risk score would be high with the previous cluster center as the distance between the new event and the previous cluster center is not within 30 minutes. Therefore, this is one of the advantages of the embodiment of the invention, where the risk score is adaptively updated as the user profile cluster is updated. In prior arts, this requires manual adjustment of the risk score calculation criteria. For example, the period of low risk log in time needs to be updated from (7:30 AM˜8:30 AM) to (8:00 AM˜9:00 AM). Without adjusting the risk score criteria, the new event may be treated as an anomaly in prior arts.
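The cluster-center shift described above, worked through as added example code that is not taken from the patent. The numeric encoding, the 30-minute scale, the linear score, the sigmoid constants and the level thresholds are all assumptions, and a running-mean update stands in for the K-Means step the page names.

```python
import math
from dataclasses import dataclass

# Everything numeric below is an assumption made for this example; the page
# names the ideas (numeric event vectors, distance to a cluster center, a
# sigmoid confidence, thresholds) but gives no formulas or constants.
CITY = {"city A": 0.0, "city B": 1.0}      # constructed categorical encoding
DEVICE = {"iPhone": 0.0, "laptop": 1.0}    # constructed categorical encoding
SCALE = (30.0, 1.0, 1.0)   # distance 1.0 = 30 minutes, or one category change
HIGH_RISK = 75.0           # risk threshold for "High Risk"
MIN_CONFIDENCE = 50.0      # below this the level is "Unknown"


def encode(hhmm, city, device):
    """Convert string attributes to a numeric 3-tuple (minutes, city, device)."""
    hours, minutes = map(int, hhmm.split(":"))
    return (float(hours * 60 + minutes), CITY[city], DEVICE[device])


@dataclass
class Cluster:
    center: tuple
    count: int = 1

    def add(self, vec):
        """Fold one event into the cluster; the center is the running mean."""
        self.count += 1
        self.center = tuple(c + (v - c) / self.count
                            for c, v in zip(self.center, vec))


def distance(vec, center):
    """Scaled Euclidean distance between an event vector and a center."""
    return math.sqrt(sum(((v - c) / s) ** 2
                         for v, c, s in zip(vec, center, SCALE)))


def risk_score(vec, clusters):
    """Linear in the distance to the nearest center, capped at 100.
    Calibrated so distance 1.0 (30 minutes off) lands exactly on HIGH_RISK."""
    nearest = min(distance(vec, c.center) for c in clusters)
    return min(100.0, HIGH_RISK * nearest)


def confidence_score(n_events, days_observed):
    """Sigmoid of event count and observation period (midpoints assumed)."""
    z = 0.1 * (n_events - 30) + 0.2 * (days_observed - 14)
    return 100.0 / (1.0 + math.exp(-z))


def risk_level(risk, confidence):
    """Map the two scores onto the five levels listed on the page."""
    if confidence < MIN_CONFIDENCE:
        return "Unknown"
    if risk >= HIGH_RISK:
        return "High Risk"
    if risk >= 50.0:
        return "Medium Risk"
    if risk >= 25.0:
        return "Low Risk"
    return "Normal"


def worked_example():
    """Replay the page's 8 AM -> 8:30 AM cluster-center shift."""
    old = Cluster(encode("08:00", "city A", "iPhone"))
    for _ in range(2):
        old.add(encode("08:00", "city A", "iPhone"))
    new = Cluster(old.center, old.count)
    for _ in range(3):                      # three later logins pull the mean
        new.add(encode("09:00", "city A", "iPhone"))
    event = encode("08:59", "city A", "iPhone")
    mature = confidence_score(60, 30)       # entity observed for a month
    fresh = confidence_score(6, 1)          # entity still in training period
    return {
        "new_center": new.center,
        "risk_old": risk_score(event, [old]),
        "risk_new": risk_score(event, [new]),
        "level_old": risk_level(risk_score(event, [old]), mature),
        "level_new": risk_level(risk_score(event, [new]), mature),
        "level_untrained": risk_level(risk_score(event, [old]), fresh),
    }


if __name__ == "__main__":
    for key, value in worked_example().items():
        print(f"{key}: {value}")
```

With a continuous score the 8:59 AM event sits just under the high-risk threshold against the new center, and the same event is reported as "Unknown" while the entity is still in its training period.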
  • FIG. 4 shows an entity profile evolving from a cluster 5-3 into two clusters. A new cluster 5-11 starts as an event vector 5-10, which is detected as an anomaly and not part of the existing event cluster 5-3 by the well-known clustering algorithm. Therefore, an additional factor for authentication is triggered for this entity. In general, using one factor for authentication is considered a weak authentication method while using two or more factors for authentication is considered a strong authentication method. In addition, for a single factor authentication, different types of factors used for authentication have different levels of authentication strength. In an embodiment of the invention, authentication using security questions (SQ) is considered very weak; authentication using password is considered weak to medium depending on the password rules enforced; authentication using Email or SMS or phone call is considered as medium; and one-time password (OTP) or authenticator or 3rd party radius (RSA) is considered strong.
  • In an embodiment of the invention, the additional factor for authentication is a stronger factor for authentication than the default factor for authentication. Because the additional authentication is successful, which in turn is recorded as a new event and fed back into the Risk Assessment Engine 1-11, the event vector 5-10 is marked as the first event vector of the new cluster 5-11. This type of event cluster evolution typically happens when a user maintains more than one set of access patterns. For example, a user may regularly travel to another city for a week once a quarter. From the event cluster perspective, the user has at least two clusters, one centered at the home location while the other is centered at the visiting location. The event cluster centered at the visiting location grows during the week when the user is traveling. When the user returns home, the event cluster centered at the visiting location stops growing and eventually decays when the event data becomes outdated. In an embodiment of the invention, the event data that is stored longer than a certain duration may get purged from the event cluster. When the user travels again, as the event cluster at the visiting location is already established, the computing process for risk assessment with a sufficient level of confidence is accelerated.
  • FIG. 5 shows a diagram of an entity profile in form of two event clusters 6-3 and 6-4. Cluster 6-3 is a cluster with long-term memory while cluster 6-8 is a cluster with short-term memory. The event cluster with long-term memory represents the entity's normal or routine behavior, which does not change or only gradually changes over a long period. For example, a user usually checks work emails from his/her smartphone around 7 AM every morning at home for years. The event vectors of a long-term memory cluster are a useful reference for the user's future routine behavior. Therefore, event vectors that belong to the event cluster with long-term memory are kept as part of the event cluster for a relatively long period, e.g., several months or years. In an embodiment of the invention, the event cluster with long-term memory is formed by well-known machine-learning clustering methods. On the other hand, the event cluster with short-term memory represents the entity's temporary behavior, which tends to change and only lasts for a short period. For example, a user travels for business regularly out of his/her home for a week once a month. During the week of travelling, a user's network access behavior such as network login location and login time is likely different from the behavior in past or future months. And, the user maintains such network access behavior only during the week of travelling. The event vectors collected in the current travelling week may not be the right reference for the user's future behavior. Therefore, the event vectors of a short-term memory cluster are only kept as part of the event cluster for a relatively short period, e.g., several days. As a result, in an embodiment of the invention, an event vector cluster with short-term memory decays more quickly than an event vector cluster with long-term memory.
  • In an embodiment of the invention, the event cluster with short-term memory is formed by rules such as multifactor authentication with strong authentication factors. In an embodiment of the invention, the rules are configurable by users, which will result in customized event clusters with short-term memory. FIG. 5 shows an example in which the cluster 6-8 with short-term memory decays more quickly than the long-term memory cluster 6-3.
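The two retention behaviours described above, as added example code that is not taken from the patent. The retention periods, the two-dimensional vectors and the `formed_by` labels are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field

DAY = 24 * 3600
# Assumed retention periods; the page only says "several months or years"
# for long-term memory and "several days" for short-term memory.
RETENTION = {"long": 365 * DAY, "short": 7 * DAY}


@dataclass
class EventCluster:
    name: str
    formed_by: str                 # "clustering" or "step_up_rule" (assumed)
    events: list = field(default_factory=list)    # (timestamp, vector) pairs

    @property
    def memory(self):
        """Clusters started by a strong-MFA rule get short-term memory."""
        return "short" if self.formed_by == "step_up_rule" else "long"

    def add(self, timestamp, vector):
        self.events.append((timestamp, vector))

    def purge(self, now):
        """Drop event vectors older than this cluster's retention period."""
        cutoff = now - RETENTION[self.memory]
        before = len(self.events)
        self.events = [(t, v) for t, v in self.events if t >= cutoff]
        return before - len(self.events)

    def center(self):
        """Mean of the surviving vectors, or None once the cluster is empty."""
        if not self.events:
            return None
        dims = len(self.events[0][1])
        return tuple(sum(v[i] for _, v in self.events) / len(self.events)
                     for i in range(dims))


def decay(profile, now):
    """Purge every cluster and return the profile without emptied clusters."""
    for cluster in profile:
        cluster.purge(now)
    return [c for c in profile if c.events]


def travel_scenario():
    """Constructed data: 60 days of logins with one travel week, days 30-34."""
    home = EventCluster("home", "clustering")
    trip = EventCluster("trip", "step_up_rule")
    for day in range(60):
        if 30 <= day <= 34:
            trip.add(day * DAY, (9 * 60.0, 1.0))    # 09:00, visiting city
        else:
            home.add(day * DAY, (7 * 60.0, 0.0))    # 07:00, home city
    during = [c.name for c in decay([home, trip], now=36 * DAY)]
    after = [c.name for c in decay([home, trip], now=45 * DAY)]
    return during, after, home.center(), trip.center()


if __name__ == "__main__":
    print(travel_scenario())
```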

Claims (22)

What is claimed is:
1. A method for assessing risk levels of network access events, the method comprising:
receiving event reports which record network access events of an entity, wherein said event reports contain said network access events in form of event vectors;
building an entity profile for said entity with said event reports, wherein said entity profile in form of event vector clusters represents normal network access behavior of said entity; and
in order to determine a risk level of an event in form of an event vector associated with said entity, calculating a risk score by comparing said event vector of said event with said event vector clusters of said entity profile and a confidence score associated with said risk score based on number of said network access events contained in said event reports.
2. The method of claim 1, wherein said event vectors representing network access events associated with long-term network access behavior of said entity are kept for a long period in said event vector clusters.
3. The method of claim 1, wherein said event vectors representing network access events associated with short-term network access behavior of said entity are kept for a short period in said event vector clusters.
4. The method of claim 1, wherein said event vectors are converted from strings to numeric values before events represented by said event vectors are assessed with risk levels.
5. The method of claim 1, wherein said risk score of said network access event is calculated based on vector distance between said event vector and the center vector of said event vector cluster.
6. The method of claim 1, wherein said risk score of said network access event is calculated based on configurable risk assessment rules.
7. The method of claim 1, wherein said entity profile for said entity is built based on configurable machine learning rules.
8. A system for assessing risk levels of network access events comprising:
one or more computers; and
a computer-readable medium coupled to said one or more computers having instructions stored thereon which, when executed by said one or more computers, cause said one or more computers to perform operations comprising:
receiving event reports which record network access events of an entity, wherein said event reports contain said network access events of said in form of event vectors;
building an entity profile for said entity with said event reports, wherein said entity profile in form of event vector clusters represents normal network access behavior of said entity; and
in order to determine a risk level of an event in form of an event vector associated with said entity, calculating a risk score by comparing said event vector of said event with said event vector clusters of said entity profile and a confidence score associated with said risk score based on number of said network access events contained in said event reports.
9. The system of claim 8, wherein said event vectors representing network access events associated with long-term network access behavior of said entity are kept for a long period in said event vector clusters.
10. The system of claim 8, wherein said event vectors representing network access events associated with short-term network access behavior of said entity are kept for a short period in said event vector clusters.
11. The system of claim 8, wherein said event vectors are converted from strings to numeric values before events represented by said event vectors are assessed with risk levels.
12. The system of claim 8, wherein said risk score of said network access event is calculated based on vector distance between said event vector and the center vector of said event vector cluster.
13. The method of claim 8, wherein said risk score of said network access event is calculated based on configurable risk assessment rules.
14. The method of claim 8, wherein said entity profile for said entity is built based on configurable machine learning rules.
15. A method for assessing risk levels of network access events, the method comprising:
receiving an event report which records a network access event of an entity, wherein said event report contains said network access event;
receiving a risk assessment associated with said network access event, wherein said risk assessment includes a risk score and a confidence score;
determining a risk level of said network access event by comparing said risk score and said confidence score with risk thresholds and confidence thresholds;
providing an instruction on how to handle said network access event based on said risk level; and
adjusting said risk thresholds and confidence thresholds based on feedback events associated with said entity which are resulted from said instruction.
16. The method of claim 15, wherein said instruction may request said entity for additional authentication using alternative authentication method based on said risk level of said network access event.
17. The method of claim 15, wherein said feedback events are one or more than one events of:
requesting said entity for additional authentication using an alternative authentication method based on said risk level of said network access event;
authenticating said entity using an alternative authentication method.
18. The method of claim 15, wherein said risk level of said network access event is calculated based on configurable risk assessment rules.
19. A system for assessing risk levels of network access events comprising:
one or more computers; and
a computer-readable medium coupled to said one or more computers having instructions stored thereon which, when executed by said one or more computers, cause said one or more computers to perform operations comprising:
receiving an event report which records a network access event of an entity, wherein said event report contains said network access event;
receiving a risk assessment associated with said network access event, wherein said risk assessment includes a risk score and a confidence score;
determining a risk level of said network access event by comparing said risk score and said confidence score with risk thresholds and confidence thresholds;
providing an instruction on how to handle said network access event based on said risk level; and
adjusting said risk thresholds and confidence thresholds based on feedback events associated with said entity which are resulted from said instruction.
20. The system of claim 19, wherein said instruction may request said entity for additional authentication using alternative authentication method based on said risk level of said network access event.
21. The system of claim 19, wherein said feedback events are one or more than one events of:
requesting said entity for additional authentication using an alternative authentication method based on said risk level of said network access event;
authenticating said entity using an alternative authentication method.
22. The method of claim 19, wherein said risk level of said network access event is calculated based on configurable risk assessment rules.
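Claims 15 to 22 describe a loop: compare a risk score and a confidence score with thresholds, issue an instruction, then adjust the thresholds from feedback events. The sketch below is an added example, not code from the patent or from any product; the threshold values, the three-level mapping, the handling of low-confidence scores, the adjustment step and the clamping bounds are all assumptions, since the claims do not specify them.

```python
from dataclasses import dataclass, replace

# Assumed hard limits: feedback may move a threshold only inside these ranges.
RISK_MEDIUM_BOUNDS = (0.20, 0.60)
CONFIDENCE_BOUNDS = (0.50, 0.90)
INSTRUCTION = {"low": "allow", "medium": "step_up", "high": "deny"}


@dataclass(frozen=True)
class Thresholds:
    risk_medium: float = 0.40     # risk score at/above this is at least "medium"
    risk_high: float = 0.80       # risk score at/above this is "high"
    confidence_min: float = 0.60  # below this the risk score is not trusted


@dataclass(frozen=True)
class EventReport:
    entity: str  # user, device or service that produced the event
    event: str   # the recorded network access event, e.g. "login"


@dataclass(frozen=True)
class Assessment:
    risk: float        # risk score in [0, 1]
    confidence: float  # confidence score in [0, 1]

    def __post_init__(self):
        for name in ("risk", "confidence"):
            if not 0.0 <= getattr(self, name) <= 1.0:
                raise ValueError(f"{name} score must be within [0, 1]")


def risk_level(a: Assessment, t: Thresholds) -> str:
    """Compare both scores with the thresholds (claim 19, third operation)."""
    if a.confidence < t.confidence_min:
        # Assumption: an untrusted score is neither allowed nor denied outright;
        # the entity is asked to authenticate another way.
        return "medium"
    if a.risk >= t.risk_high:
        return "high"
    if a.risk >= t.risk_medium:
        return "medium"
    return "low"


def clamp(value: float, bounds: tuple) -> float:
    low, high = bounds
    return round(min(high, max(low, value)), 4)


def adjust(t: Thresholds, feedback: list, step: float = 0.05) -> Thresholds:
    """Adjust thresholds from the two feedback events named in claims 17 and 21."""
    requested = feedback.count("challenge_requested")
    passed = feedback.count("challenge_passed")
    if requested == 0:
        return t
    if passed >= requested:
        # Every challenge was answered: relax one step for this entity.
        delta = step
    else:
        # Unanswered challenges: tighten one step per missing answer.
        delta = -step * (requested - passed)
    return replace(
        t,
        risk_medium=clamp(t.risk_medium + delta, RISK_MEDIUM_BOUNDS),
        confidence_min=clamp(t.confidence_min - delta, CONFIDENCE_BOUNDS),
    )


class Engine:
    """Keeps one set of thresholds per entity and applies the claimed loop."""

    def __init__(self):
        self.thresholds = {}

    def handle(self, report: EventReport, assessment: Assessment) -> str:
        t = self.thresholds.setdefault(report.entity, Thresholds())
        return INSTRUCTION[risk_level(assessment, t)]

    def feedback(self, entity: str, events: list) -> Thresholds:
        current = self.thresholds.get(entity, Thresholds())
        self.thresholds[entity] = adjust(current, events)
        return self.thresholds[entity]


if __name__ == "__main__":
    engine = Engine()
    login = EventReport("alice", "login")  # constructed sample event
    print(engine.handle(login, Assessment(0.45, 0.90)))
    print(engine.feedback("alice", ["challenge_requested", "challenge_passed"]))
    print(engine.handle(login, Assessment(0.44, 0.90)))
```

The bounds are the part to review in any real deployment: without them, an entity that keeps passing step-up authentication could push its own thresholds up until nothing is challenged.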
US15/785,430 2017-10-17 2017-10-17 Risk assessment for network access control through data analytics Abandoned US20190116193A1 (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
US15/785,430 US20190116193A1 (en) 2017-10-17 2017-10-17 Risk assessment for network access control through data analytics
US17/242,707 US20210273951A1 (en) 2017-10-17 2021-04-28 Risk assessment for network access control through data analytics

Related Child Applications (1)

Application Number Title Priority Date Filing Date
US17/242,707 Continuation US20210273951A1 (en) 2017-10-17 2021-04-28 Risk assessment for network access control through data analytics

Publications (1)

Publication Number Publication Date
US20190116193A1 true US20190116193A1 (en) 2019-04-18

Family

ID=66096668

Family Applications (2)

Application Number Title Priority Date Filing Date
US15/785,430 Abandoned US20190116193A1 (en) 2017-10-17 2017-10-17 Risk assessment for network access control through data analytics
US17/242,707 Pending US20210273951A1 (en) 2017-10-17 2021-04-28 Risk assessment for network access control through data analytics

Country Status (1)

Country Link
US (2) US20190116193A1 (en)

Also Published As

Publication number Publication date
US20210273951A1 (en) 2021-09-02

Legal Events

Date Code Title Description
STPP Information on status: patent application and granting procedure in general

Free format text: DOCKETED NEW CASE - READY FOR EXAMINATION

AS Assignment

Owner name: GOLUB CAPITAL LLC, AS AGENT, ILLINOIS

Free format text: INTELLECTUAL PROPERTY SECURITY AGREEMENT;ASSIGNOR:CENTRIFY CORPORATION;REEL/FRAME:046081/0609

Effective date: 20180504

AS Assignment

Owner name: CENTRIFY CORPORATION, CALIFORNIA

Free format text: RELEASE OF SECURITY INTEREST UNDER REEL/FRAME 46081/0609;ASSIGNOR:GOLUB CAPITAL LLC;REEL/FRAME:046854/0246

Effective date: 20180815

AS Assignment

Owner name: IDAPTIVE, LLC, CALIFORNIA

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:CENTRIFY CORPORATION;REEL/FRAME:047559/0103

Effective date: 20180815

AS Assignment

Owner name: APPS & ENDPOINT COMPANY, LLC, DELAWARE

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:CENTRIFY CORPORATION;REEL/FRAME:047759/0071

Effective date: 20180815

Owner name: IDAPTIVE, LLC, DELAWARE

Free format text: CHANGE OF NAME;ASSIGNOR:APPS & ENDPOINT COMPANY, LLC;REEL/FRAME:049010/0738

Effective date: 20180913

STPP Information on status: patent application and granting procedure in general

Free format text: NON FINAL ACTION MAILED

AS Assignment

Owner name: CENTRIFY CORPORATION, CALIFORNIA

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:WANG, YANLIN;LI, WEIZHI;REEL/FRAME:050692/0578

Effective date: 20171019

STCB Information on status: application discontinuation

Free format text: ABANDONED -- FAILURE TO RESPOND TO AN OFFICE ACTION

STPP Information on status: patent application and granting procedure in general

Free format text: RESPONSE TO NON-FINAL OFFICE ACTION ENTERED AND FORWARDED TO EXAMINER

STPP Information on status: patent application and granting procedure in general

Free format text: FINAL REJECTION MAILED

AS Assignment

Owner name: CYBERARK SOFTWARE LTD., ISRAEL

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:CYBERARK SOFTWARE, INC.;REEL/FRAME:054333/0933

Effective date: 20201109

AS Assignment

Owner name: CYBERARK SOFTWARE, INC., MASSACHUSETTS

Free format text: MERGER;ASSIGNOR:IDAPTIVE, LLC;REEL/FRAME:054507/0782

Effective date: 20200731

STCB Information on status: application discontinuation

Free format text: ABANDONED -- FAILURE TO RESPOND TO AN OFFICE ACTION