US 10,891,371 B2
Detecting malicious user activity
Suresh N. Chari, Westchester, NY (US); Ted A. Habeck, Hopewell Junction, NY (US); Ian M. Molloy, Westchester, NY (US); Youngja Park, Princeton, NJ (US); Josyula R. Rao, Briarcliff Manor, NY (US); and Wilfried Teiken, Ossining, NY (US)
Assigned to International Business Machines Corporation, Armonk, NY (US)
Filed by International Business Machines Corporation, Armonk, NY (US)
Filed on Oct. 10, 2019, as Appl. No. 16/597,953.
Application 16/597,953 is a continuation of application No. 15/086,690, filed on Mar. 31, 2016, granted, now 10,599,837.
Prior Publication US 2020/0042699 A1, Feb. 6, 2020
This patent is subject to a terminal disclaimer.
Int. Cl. G06F 21/55 (2013.01)
CPC G06F 21/552 (2013.01) [G06F 2221/034 (2013.01)] 18 Claims
OG exemplary drawing
 
1. A computer-implemented method for detecting malicious user activity, the computer-implemented method comprising:
generating, by a computer, a profile for a user that accesses a set of protected assets, the profile generated based on static information representing an organizational view and associated attributes corresponding to the user and based on dynamic information representing observable actions made by the user;
applying, by the computer, a plurality of analytics on the profile corresponding to the user to generate an aggregate risk score for the user accessing the set of protected assets based on the applying of the plurality of analytics on the profile of the user;
generating, by the computer, a malicious user activity alert in response to the aggregate risk score for the user accessing the set of protected assets being greater than an alert threshold value;
sending, by the computer, the malicious user activity alert to an analyst for feedback;
receiving, by the computer, the feedback corresponding to the malicious user activity alert; and
applying, by the computer, the feedback to the malicious user activity alert, wherein the static information representing the organizational view and associated attributes corresponding to the user includes: information in human resource records of the user; information regarding the user in a directory of employees of an enterprise that employs the user; identity management information of the user including asset access account and privilege information, roles, and work-related groups of the user; and configuration management database information including information regarding information technology assets owned or administered by the user.