Title of invention Detecting behavioral patterns and anomalies using activity data
Abstract Activity data is analyzed or evaluated to detect behavioral patterns and anomalies. When a particular pattern or anomaly is detected, a system may send a notification or perform a particular task. This activity data may be collected in an information management system, which may be policy based. Notification may be by way of e-mail, report, pop-up message, or system message. Some tasks to perform upon detection may include implementing a policy in the information management system, disallowing a user from connecting to the system, and restricting a user from being allowed to perform certain actions. To detect a pattern, activity data may be compared to a previously defined or generated activity profile.
Publication number US8862551(B2) Publication date 2014.10.14
Application number US200611615657 Filing date 2006.12.22
Applicant NextLabs, Inc. Inventor Lim Keng
Classification G06F17/30;G06F21/62 Main classification G06F17/30
Agency Aka Chan LLP Agent Aka Chan LLP
Main claim 1. A method of managing information of a system comprising: providing a plurality of information management rules; providing an activity database wherein the activity database comprises activity data including a plurality of results and each result comprises an allow or a deny to information of the system based on the plurality of information management rules; gathering first activity data from a first target in the activity database; gathering second activity data from a second target in the activity database; associating at least a first rule of the information management rules to the first target; evaluating the activity data stored in the activity database in view of the gathered first and second activity data and according to a detection algorithm, executing separately from the first and second targets, wherein the detection algorithm detects: a first condition comprising the first target has attempted to access a unit of information more than X1 times in a Y1 time period; a second condition comprising the first target has attempted to access more than X2 units of information in a Y2 time period; and a third condition comprising the first target has an aggregated usage time in a program above a time value X3 in a Y3 time period; based on the detection algorithm, determining at least one of the first, second, or third conditions occurring, associating an additional second rule to the first target; and for the first target, controlling usage of information based on the at least first rule of information management rules and the additional second rule further comprising: for a first activity at the first target, evaluating whether the at least first rule of information management rules applies based on the first activity; and for the first activity at the first target, evaluating whether the additional second rule applies based on the first activity, wherein the additional second rule comprises a first abstraction, the first abstraction is defined in a first definition statement stored separately from the additional second rule and the first abstraction, and the evaluating whether the additional second rule applies comprises: retrieving the first definition statement; when evaluating the second rule, replacing the first abstraction of the additional second rule by the first definition statement; and evaluating the additional second rule with the replaced first definition statement.
Address San Mateo CA US