CPC H04L 63/1425 (2013.01) [G06N 20/00 (2019.01); H04L 63/1416 (2013.01); H04L 63/1433 (2013.01); H04W 12/122 (2021.01); H04W 12/67 (2021.01); G06F 17/18 (2013.01)]. 20 Claims.
1. A method for detecting inappropriate access of files by a first user of a client computing device, the method comprising:
receiving, over a packet-based network, a first file system element event indicator from an application executing on the client computing device of the first user, the first file system element event indicator corresponding to a first file system element event of a first file system element and describing a number of bytes corresponding to the first file system element event and a first functional classification indicating a particular function of the first file system element, the first file system element event a deletion event, copy event, move event, or modification event;
summing the number of bytes with a second number of bytes of a second file system element event previously received from the application within a first predetermined period of time and involving a second file system element of the first functional classification to create a summed value;
determining a threshold specific to the first user and to file system elements of the first functional classification, the threshold determined based upon past byte values of previous file system element events of the first user corresponding to the first functional classification, and a role of the first user in an organization, the threshold for the first user a different value than both: a second threshold for a second user for the first functional classification and a third threshold for the first user and a second functional classification;
determining that the summed value exceeds the threshold, and in response, incrementing a first anomaly counter of a first type;
calculating a risk score based upon a first value of the first anomaly counter and a second value of a second anomaly counter tracking a number of generated anomaly indicators corresponding to second anomalies of a second type, anomalies tracked by the first and second anomaly counters occurring within a second predetermined period of time, the risk score quantifying a calculated risk that the first user of the client computing device has engaged in inappropriate access of file system elements; and
sending the risk score to a second computing device for display on a graphical user interface (GUI).
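The claim above describes a per-user, per-classification volume detector: bytes of delete/copy/move/modify events are summed over a sliding window, compared against a threshold derived from that user's own history and role, and a risk score is computed from two anomaly counters observed over a longer window. The following is an added illustration of that logic, not code from the patent or its assignee. Everything concrete in it is an assumption: the threshold rule (mean plus two standard deviations of past window sums, scaled by a role multiplier), the role multipliers, the second anomaly type (fed in externally as "other"), the score weights, and the constructed sample events.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from statistics import mean, pstdev

# Event kinds the claim enumerates; anything else is ignored by the detector.
TRACKED_KINDS = {"delete", "copy", "move", "modify"}

# Assumed role multipliers: the claim only says the threshold depends on role.
ROLE_MULTIPLIER = {"engineer": 1.0, "contractor": 0.5, "admin": 2.0}


@dataclass(frozen=True)
class FsEvent:
    ts: float            # event time in seconds
    user: str
    classification: str  # functional classification, e.g. "source_code"
    kind: str            # "delete", "copy", "move" or "modify"
    nbytes: int          # bytes involved in the event


def user_threshold(history, role, k=2.0, floor=1.0):
    """Threshold specific to one (user, classification) pair.

    history: past per-window byte sums for this user and classification.
    Assumed rule: mean + k * population stddev, scaled by the role multiplier.
    """
    mult = ROLE_MULTIPLIER.get(role, 1.0)
    if not history:
        return floor * mult
    return max(floor, (mean(history) + k * pstdev(history)) * mult)


class VolumeAnomalyDetector:
    def __init__(self, sum_window, risk_window, history, roles):
        self.sum_window = sum_window    # "first predetermined period" (seconds)
        self.risk_window = risk_window  # "second predetermined period" (seconds)
        self.history = history          # (user, cls) -> list of past window sums
        self.roles = roles              # user -> role
        self.recent = defaultdict(deque)     # (user, cls) -> deque of (ts, bytes)
        self.anomalies = defaultdict(deque)  # user -> deque of (ts, anomaly type)

    def ingest(self, ev):
        """Sum bytes of same-classification events in the window; flag if over threshold."""
        if ev.kind not in TRACKED_KINDS:
            return None
        key = (ev.user, ev.classification)
        q = self.recent[key]
        q.append((ev.ts, ev.nbytes))
        while q and q[0][0] < ev.ts - self.sum_window:  # drop events outside window
            q.popleft()
        summed = sum(b for _, b in q)
        thr = user_threshold(self.history.get(key, []), self.roles.get(ev.user))
        if summed > thr:
            self.anomalies[ev.user].append((ev.ts, "volume"))  # first counter type
        return summed, thr

    def record_other_anomaly(self, user, ts):
        """Second anomaly type; its source is outside this example (assumed)."""
        self.anomalies[user].append((ts, "other"))

    def risk_score(self, user, now, w_volume=10, w_other=5):
        """Weighted count of anomalies of both types within the risk window."""
        q = self.anomalies[user]
        while q and q[0][0] < now - self.risk_window:
            q.popleft()
        volume = sum(1 for _, t in q if t == "volume")
        other = sum(1 for _, t in q if t == "other")
        return w_volume * volume + w_other * other


def demo():
    # Constructed history: alice usually moves ~1 KB of source per window,
    # bob (a contractor) ~5 KB, alice ~100 B of HR documents.
    history = {
        ("alice", "source_code"): [1000, 1200, 900, 1100],
        ("bob", "source_code"): [5000, 5000, 5000, 5000],
        ("alice", "hr_docs"): [100, 100, 100, 100],
    }
    roles = {"alice": "engineer", "bob": "contractor"}
    det = VolumeAnomalyDetector(sum_window=300, risk_window=3600,
                                history=history, roles=roles)
    # Constructed event stream for alice.
    events = [
        FsEvent(0, "alice", "source_code", "copy", 500),
        FsEvent(30, "alice", "source_code", "copy", 500),    # sum 1000, under threshold
        FsEvent(60, "alice", "source_code", "delete", 400),  # sum 1400, over threshold
        FsEvent(400, "alice", "source_code", "modify", 100), # earlier events aged out
    ]
    sums = [det.ingest(e)[0] for e in events]
    det.record_other_anomaly("alice", 70)
    return {
        "sums": sums,
        "thr_alice_src": user_threshold(history[("alice", "source_code")], "engineer"),
        "thr_bob_src": user_threshold(history[("bob", "source_code")], "contractor"),
        "thr_alice_hr": user_threshold(history[("alice", "hr_docs")], "engineer"),
        "score": det.risk_score("alice", now=100),
    }


if __name__ == "__main__":
    print(demo())
```

The three thresholds returned by `demo()` show the claim's distinguishing feature: the same classification yields different thresholds for alice and bob, and alice gets a different threshold for a second classification. The fourth event lands after the 300-second window has expired, so its sum drops back to 100 and no new anomaly is raised.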