Patent Issued for Method And System For Identifying Security Risks Using Graph Analysis (USPTO 10,320,802) - Insurance News | InsuranceNewsNet

Insurance Daily News

2019 JUN 20 (NewsRx) -- By a News Reporter-Staff News Editor at Insurance Daily News -- State Farm Mutual Automobile Insurance Company (Bloomington, Illinois, United States) has been issued patent number 10,320,802, according to news reporting originating out of Alexandria, Virginia, by NewsRx editors.

The patent’s inventors are Scott, Abigail A. (Bloomington, IL); Duehr, Ronald R. (Normal, IL).

This patent was filed on December 7, 2017 and was published online on June 24, 2019.

From the background information supplied by the inventors, news correspondents obtained the following quote: “Today, organizational entities such as companies, universities, non-profit organizations, etc., share secure data files amongst members of the organization through communication networks. A person within the organization (a user) may be given a user account through which she is provided access to the communication network. However, the user may not be given permission to access the secure data files directly through her user account, and instead the user account may be assigned to one or several security group(s) based upon her job function. Members of the security groups may have permission to access certain secure data files, and the user account receives permission to access the secure data files based upon being a member of the particular security groups.

“When the user changes job roles within the organization, leaves the organization, or no longer has permission to access certain information, the user’s corresponding user account may need to be removed from certain security groups. However, this may be a time-consuming, mistake-prone, and difficult process--all of which may lead to many errors and/or oversights allowing the user to have permission to access data that she is no longer authorized to access.”

Supplementing the background information on this patent, NewsRx reporters also obtained the inventors’ summary information for this patent: “The present embodiments may relate to identifying users having unauthorized access to secure data assets within an organization. Each user within the organization may belong to one or several security groups, where members of a security group have permission to access certain secure data files. The users, as well as the respective security groups to which the users belong, may be displayed in a graph data structure, where users are represented as nodes and two users who belong to the same security group are connected via an edge or line of the graph. In this manner, a system administrator and/or security analyst may see or visualize the users’ ‘connections.’ The system administrator and/or security analyst may recognize that a particular user is connected to two or more users from disparate security groups.

“Based upon the user’s connections, the system administrator and/or security analyst may determine that the user may be likely to have unauthorized access to secure data assets, and may further investigate and/or resolve this issue. Moreover, the present embodiments may determine certain attributes of each node in the graph data structure, and/or may automatically recognize which users are likely to have unauthorized access to secure data assets. These users may be highlighted in the display by increasing the size of the nodes corresponding to users who are likely to have unauthorized access relative to the other nodes, and/or by providing a ranking of the users most likely to have unauthorized access on the display.

“In one aspect, a computer-implemented method for identifying users of an information security system for determining risk of unauthorized access to secure data assets may be provided. The method may include: (1) identifying (via one or more processors) a plurality of users, wherein each user has a job function related to a role of the user within an organization and/or is associated with an organizational network which contains a plurality of secure data assets and a plurality of security groups, each security group may have permission to access at least one secure data asset. For each of the plurality of users, the method may include: (2) causing (via the one or more processors, and/or wired or wireless communication and/or data transmission) a node of a graph data structure representing the user to be displayed on a user interface of a computing device; (3) identifying (via the one or more processors) a connection between the node of the user and a node of another user of the plurality of users when the user and the other user both correspond to a same security group of the plurality of security groups; and/or (4) causing (via the one or more processors, and/or wired or wireless communication and/or data transmission) the connection between the corresponding node for the user and the other user to be displayed as an edge of the graph data structure on the user interface. For each of a plurality of subsets of the plurality of nodes, the method may include (5) clustering (via the one or more processors and/or wired or wireless communication and/or data transmission) the subset on the user interface to indicate that users in the subset belong to a same security group; and/or (6) determining (via the one or more processors) that a node corresponding to a user which is connected to at least two other nodes in two different clusters has a potential security risk. The method may include additional, fewer, or alternative actions, including those discussed elsewhere herein.

“In another aspect, a system for identifying users of an information security system for determining risk of unauthorized access to secure data assets may be provided. The system may include one or more processors, and/or a non-transitory computer-readable memory coupled to the one or more processors and storing machine readable instructions, that when executed by the one or more processors, may cause the system to perform various tasks. For example, the instructions may cause the system to: (1) identify a plurality of users, wherein each user may have a job function related to a role of the user within an organization and/or may be associated with an organizational network which contains a plurality of secure data assets and a plurality of security groups. Each security group may have permission to access at least one secure data asset. For each of the plurality of users, the instructions may cause the system to: (2) cause a node of a graph data structure representing the user to be displayed on a user interface of a computing device; (3) identify a connection between the node of the user and a node of another user of the plurality of users when the user and the other user both correspond to a same security group of the plurality of security groups; and/or (4) cause the connection between the corresponding node for the user and the other user to be displayed as an edge of the graph data structure on the user interface. For each of a plurality of subsets of the plurality of nodes, the instructions may cause the system to: (5) cluster the subset on the user interface to indicate that users in the subset belong to a same security group; and/or (6) determine that a node corresponding to a user which is connected to at least two other nodes in two different clusters has a potential security risk. The system may include additional, fewer, or alternate components and/or functionality, including that discussed elsewhere herein.

“Advantages will become more apparent to those skilled in the art from the following description of the preferred embodiments which have been shown and described by way of illustration. As will be realized, the present embodiments may be capable of other and different embodiments, and their details are capable of modification in various respects. Accordingly, the drawings and description are to be regarded as illustrative in nature and not as restrictive.”

The claims supplied by the inventors are:

“We claim:

“1. A computer-implemented method for identifying users of an information security system for determining risk of unauthorized access to secure data assets, the method executed by one or more processors programmed to perform the method, the method comprising: identifying, by one or more processors, a plurality of users, wherein each user has a job function related to a role of the user within an organization and is associated with an organizational network which contains a plurality of secure data assets and a plurality of security groups, each security group having permission to access at least one secure data asset; for each of the plurality of users: causing, by the one or more processors, a node of a graph data structure representing the user to be displayed on a user interface of a computing device, identifying, by the one or more processors, a connection between the node of the user and a node of another user of the plurality of users when the user and the other user both correspond to a same security group of the plurality of security groups; and causing, by the one or more processors, the connection between the corresponding node for the user and the other user to be displayed as an edge of the graph data structure on the user interface; and determining, by the one or more processors, a shortest path between each pair of nodes of the plurality of nodes based upon the connections between the nodes, wherein the shortest path between a pair of nodes is a least number of interconnected nodes in which a first node must pass through to reach a second node; ranking, by the one or more processors, each of the plurality of users based upon a number of shortest paths which include the corresponding node for the respective user; providing, by the one or more processors, the ranking of the plurality of users to the computing device; and determining, by the one or more processors, that at least one of the plurality of users ranked above a threshold ranking belongs to at least two different security groups to determine users having a potential security risk.

“2. The method of claim 1, further comprising: for each of a plurality of subsets of the plurality of nodes, clustering, by the one or more processors, the subset on the user interface to indicate that users in the subset belong to a same security group; determining, by the one or more processors, that a node corresponding to a user which is connected to at least two other nodes in two different clusters has a potential security risk; and identifying, by the one or more processors, the node corresponding to the user which is connected to at least two other nodes corresponding to at least two of the plurality of clustered subsets.

“3. The method of claim 2, further comprising: highlighting, by the one or more processors, the identified node and respective connections to the at least two other nodes corresponding to the unique combination of different security groups to identify the user that presents a risk of having unauthorized access to secure data assets.

“4. The method of claim 2, wherein clustering the subset on the user interface to indicate that users in the subset belong to the same security group includes: identifying, by the one or more processors, a clustering coefficient for the subset indicating that users in the subset belong to the same security group; and clustering, by the one or more processors, the subset on the user interface in accordance with the clustering coefficient.

“5. The method of claim 4, wherein clustering the subset in accordance with the clustering coefficient includes clustering the subset in proportion to the clustering coefficient so that a proximity of each node in the subset to each of the other nodes in the subset is in proportion to the clustering coefficient.

“6. The method of claim 1, further comprising: for each of the plurality of nodes: determining, by the one or more processors, a betweenness centrality for the particular node, wherein the betweenness centrality is based upon a number of shortest paths which include the particular node wherein the particular node is not the first node or the second node.

“7. The method of claim 6, further comprising increasing, by the one or more processors, a size of each node in the plurality of nodes based upon the determined betweenness centrality for each node.

“8. The method of claim 6, further comprising removing, by the one or more processors, a user from one or more of the corresponding security groups for the user, when the betweenness centrality for the user is greater than a predetermined threshold.

“9. The method of claim 1, further comprising: generating, by the one or more processors, a set of indicators, each indicator identifying a different job function corresponding to the plurality of users; and for each of the plurality of nodes, causing, by the one or more processors, the indicator identifying the job function of the corresponding user to be displayed with the node on the user interface.

“10. A system for identifying users of an information security system for determining risk of unauthorized access to secure data assets, the system comprising: one or more processors; and a non-transitory computer-readable memory coupled to the one or more processors and storing thereon instructions that, when executed by the one or more processors, cause the system to: identify a plurality of users, wherein each user has a job function related to a role of the user within an organization and is associated with an organizational network which contains a plurality of secure data assets and a plurality of security groups, each security group having permission to access at least one secure data asset, for each of the plurality of users: cause a node of a graph data structure representing the user to be displayed on a user interface of a computing device, identify a connection between the node of the user and a node of another user of the plurality of users when the user and the other user both correspond to a same security group of the plurality of security groups, cause the connection between the corresponding node for the user and the other user to be displayed as an edge of the graph data structure on the user interface, and determine a shortest path between each pair of nodes of the plurality of nodes based upon the connections between the nodes, wherein the shortest path between a pair of nodes is a least number of interconnected nodes in which a first node must pass through to reach a second node; rank each of the plurality of users based upon a number of shortest paths which include the corresponding node for the respective user; provide the ranking of the plurality of users to the computing; and determine that at least one of the plurality of users ranked above a threshold ranking belongs to at least two different security groups to determine users having a potential security risk.

“11. The system of claim 10, wherein the instructions further cause the system to: for each of a plurality of subsets of the plurality of nodes, cluster the subset on the user interface to indicate that users in the subset belong to a same security group; determine that a node corresponding to a user which is connected to at least two other nodes in two different clusters has a potential security risk; and identify the node corresponding to the user which is connected to at least two other nodes corresponding to at least two of the plurality of clustered subsets.

“12. The system of claim 11, wherein the instructions further cause the system to: highlight the identified node and respective connections to the at least two other nodes corresponding to the unique combination of different security groups to identify the user that presents a risk of having unauthorized access to secure data assets.

“13. The system of claim 11, wherein to cluster the subset on the user interface to indicate that users in the subset belong to the same security group, the instructions cause the system to: identify a clustering coefficient for the subset indicating that users in the subset belong to the same security group; and cluster the subset on the user interface in accordance with the clustering coefficient.

“14. The system of claim 13, wherein to cluster the subset in accordance with the clustering coefficient, the instructions cause the system to cluster the subset in proportion to the clustering coefficient so that a proximity of each node in the subset to each of the other nodes in the subset is in proportion to the clustering coefficient.

“15. The system of claim 10, wherein the instructions further cause the system to: for each of the plurality of nodes: determine a betweenness centrality for the particular node, wherein the betweenness centrality is based upon a number of shortest paths which include the particular node wherein the particular node is not the first node or the second node.

“16. The system of claim 15, wherein the instructions further cause the system to increase a size of each node in the plurality of nodes based upon the determined betweenness centrality for each node.

“17. The system of claim 15, wherein the instructions further cause the system to remove a user from one or more of the corresponding security groups for the user, when the betweenness centrality for the user is greater than a predetermined threshold.

“18. The system of claim 10, wherein the instructions further cause the system to: generate a set of indicators, each indicator identifying a different job function corresponding to the plurality of users, and for each of the plurality of nodes, cause the indicator identifying the job function of the corresponding user to be displayed with the node on the user interface.”
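The ranking described in claims 1 and 6 can be sketched as follows; this is an added example, not code from the patent or from this article. The group names, account names, the `top_n` rank cutoff and the zero-score guard are all assumptions made for illustration.

```python
from collections import defaultdict, deque
from itertools import combinations

# Constructed sample data: security group -> member accounts (all hypothetical).
GROUPS = {
    "claims":  {"ana", "ben", "cho", "dev"},
    "audit":   {"ana", "ben"},            # nested inside "claims"
    "finance": {"dev", "eli", "fay"},
    "hr":      {"fay", "hal", "ivy"},
}

def build_graph(groups):
    """Users are nodes; an edge joins two users who share a security group."""
    adj = defaultdict(set)
    for members in groups.values():
        for u in members:
            adj[u]                        # keep single-member groups as isolated nodes
        for u, v in combinations(sorted(members), 2):
            adj[u].add(v)
            adj[v].add(u)
    return dict(adj)

def betweenness(adj):
    """Brandes' algorithm, unweighted; path endpoints are not counted (claim 6)."""
    score = dict.fromkeys(adj, 0.0)
    for s in adj:
        order, preds = [], defaultdict(list)
        sigma = dict.fromkeys(adj, 0)     # number of shortest paths from s
        sigma[s] = 1
        dist = {s: 0}
        queue = deque([s])
        while queue:                      # breadth-first search from s
            v = queue.popleft()
            order.append(v)
            for w in adj[v]:
                if w not in dist:
                    dist[w] = dist[v] + 1
                    queue.append(w)
                if dist[w] == dist[v] + 1:
                    sigma[w] += sigma[v]
                    preds[w].append(v)
        delta = dict.fromkeys(adj, 0.0)
        for w in reversed(order):         # accumulate dependencies, farthest first
            for v in preds[w]:
                delta[v] += sigma[v] / sigma[w] * (1 + delta[w])
            if w != s:
                score[w] += delta[w]
    return {u: b / 2 for u, b in score.items()}   # undirected: halve

def rank_and_flag(groups, top_n=2):
    """Rank users by betweenness; flag top-ranked users in >= 2 groups (claim 1)."""
    score = betweenness(build_graph(groups))
    membership = defaultdict(set)
    for group, members in groups.items():
        for u in members:
            membership[u].add(group)
    ranking = sorted(score, key=lambda u: (-score[u], u))
    flagged = [
        u for u in ranking[:top_n]
        # score > 0 is an added guard, not in the claims: ties at zero
        # lie on no shortest path and would rank arbitrarily.
        if score[u] > 0 and len(membership[u]) >= 2
    ]
    return ranking, score, flagged

if __name__ == "__main__":
    ranking, score, flagged = rank_and_flag(GROUPS)
    for u in ranking:
        print(f"{u:4} betweenness={score[u]:5.1f}")
    print("review:", flagged)
```

In the sample data `ana` and `ben` each hold two group memberships but score zero, because `audit` sits entirely inside `claims`; only the accounts that bridge otherwise separate groups rise to the top of the ranking.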

For the URL and additional information on this patent, see: Scott, Abigail A.; Duehr, Ronald R. Method And System For Identifying Security Risks Using Graph Analysis. U.S. Patent Number 10,320,802, filed December 7, 2017, and published online on June 24, 2019. Patent URL: http://patft.uspto.gov/netacgi/nph-Parser?Sect1=PTO1&Sect2=HITOFF&d=PALL&p=1&u=%2Fnetahtml%2FPTO%2Fsrchnum.htm&r=1&f=G&l=50&s1=10,320,802.PN.&OS=PN/10,320,802RS=PN/10,320,802

(Our reports deliver fact-based news of research and discoveries from around the world.)
