| 发明名称 | Systems and methods for anomaly-based detection of compromised IT administration accounts | ||
| 摘要 | A computer-implemented method for anomaly-based detection of compromised information technology (IT) administration accounts may (1) include establishing a set of permissible IT administration tasks for an IT administration account, (2) monitoring the IT administration account for activities outside the set of permissible IT administration tasks, (3) detecting a suspicious activity by identifying an activity that is outside the set of permissible IT administration tasks and therefore indicative of the IT administration account being compromised, and (4) in response to detecting the suspicious activity, performing a security action with respect to the potentially compromised IT administration account. Various other methods, systems, and computer-readable media are also disclosed. | ||
| 申请公布号 | US9485271(B1) | 申请公布日期 | 2016.11.01 |
| 申请号 | US201414205335 | 申请日期 | 2014.03.11 |
| 申请人 | Symantec Corporation | 发明人 | Roundy Kevin;Bhatkar Sandeep;Guo Fanglu |
| 分类号 | H04L29/06 | 主分类号 | H04L29/06 |
| 代理机构 | ALG Intellectual Property, LLC | 代理人 | ALG Intellectual Property, LLC |
| 主权项 | 1. A computer-implemented method for anomaly-based detection of compromised information technology (IT) administration accounts, at least a portion of the method being performed by a computing device comprising at least one processor, the method comprising: establishing a set of permissible IT administration tasks for an IT administration account by statically establishing a predefined white list of tasks that are not indicative of suspicious activities on an IT administration account, wherein establishing the predefined white list of tasks comprises defining, for one or more permissible IT administration tasks in the set of permissible IT administration tasks, at least one of: a time of day the task is permissible;a location where the task is permissible; anda first type of computing device permitted to perform the task; monitoring the IT administration account for activities outside the set of permissible IT administration tasks; detecting a suspicious activity by identifying an activity that is outside the set of permissible IT administration tasks and therefore indicative of the IT administration account being compromised; and in response to detecting the suspicious activity, performing, by a security action module on the computing device that is programmed to respond to the suspicious activity, a security action that comprises locking out the IT administration account at a second type of computing device while still granting access to the IT administration account on the first type of computing device. | ||
| 地址 | Mountain View CA US | ||