Despite the massive amount of investment in computer security, conventional computer security systems regularly fail to prevent the capture of sensitive data. This failure can be attributed to software flaws in conventional security system designs and the evolving techniques used by unauthorized users, also known as malicious hackers. Recent techniques used by malicious hackers to gain access to computer systems include social engineering scams and “spear phishing” techniques, as well as technical means. Both social engineering and spear phishing attempt to bypass even the most secure security software by manipulating authorized users to unintentionally divulge their access credentials to secure computer networks.
After a hacker has successfully obtained access credentials, the hacker can enter the previously secure computer network using the stolen credentials. Once inside the network, the hacker can seek out and steal sensitive data by transferring it out over the network to a private computer system. Storing the stolen data on a computer system separate from the compromised network gives the unauthorized user time to sift through the data without worrying about being detected on the compromised network that held it.
Before a hacker can digest stolen data on a separate system, the hacker must go through the process of transferring the data out of the compromised network. In many networks, a network file server is used as a central repository for important files. In exfiltrating data, a hacker may attempt to access as many files on the network's file server as possible—potentially all of them. These access attempts will be made rapidly so that the data contained in the files can be exfiltrated by the hacker before the hacker's breach is discovered and administrators on the compromised network can terminate the hacker's access to the system. Thus, a hacker that enters a compromised network to steal data might access many files in a short period of time.
The rapid access patterns of such a hacker can be readily distinguished from the access patterns of a normal user on a network. A normal user will usually access only a few files a day to work with. Additionally, a normal user will typically wait longer between accessing new files than a hacker will. It may therefore be possible to limit the activities of hackers by monitoring a network for rapid access patterns from users and reacting to them when found.
However, the rapid access patterns of a hacker are not easily distinguished from the access patterns of system administrators. System administrators who oversee computer systems ensure their continued operation by backing up the data contained in the system. To do so, system administrators need to access all the files on a system quickly in order to back them up continuously in case of technical failure. Because of this, computer security systems cannot simply be configured to target users based on rapid access patterns. There is a need in the art for a mechanism to distinguish between authorized administrator actions that consist of rapid access patterns and the rapid access patterns of hackers.
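As an added illustration that is not part of this text, the following Python runs the rapid-access heuristic described above (distinct files touched per user within a short window) over a constructed file-server access log. It shows the stated problem directly: the threshold flags both the intruder and the backup account, and the only thing separating them is an out-of-band allow-list, represented here by the assumed `backup_accounts` parameter.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample file-server access log, one "user timestamp path" per line.
ACCESS_LOG = """\
alice 2024-03-01T09:02:10 /share/reports/q1.xlsx
alice 2024-03-01T10:45:33 /share/reports/q2.xlsx
alice 2024-03-01T14:12:05 /share/hr/policy.pdf
backup-svc 2024-03-01T02:00:00 /share/reports/q1.xlsx
backup-svc 2024-03-01T02:00:01 /share/reports/q2.xlsx
backup-svc 2024-03-01T02:00:02 /share/hr/policy.pdf
backup-svc 2024-03-01T02:00:03 /share/hr/salaries.xlsx
intruder 2024-03-01T11:30:00 /share/hr/salaries.xlsx
intruder 2024-03-01T11:30:02 /share/hr/policy.pdf
intruder 2024-03-01T11:30:05 /share/reports/q1.xlsx
intruder 2024-03-01T11:30:07 /share/reports/q2.xlsx
intruder 2024-03-01T11:30:09 /share/eng/design.docx
"""

def parse_log(text):
    """Return {user: time-sorted list of (timestamp, path)}."""
    by_user = defaultdict(list)
    for line in text.splitlines():
        user, ts, path = line.split(maxsplit=2)
        by_user[user].append((datetime.fromisoformat(ts), path))
    for events in by_user.values():
        events.sort()
    return by_user

def peak_distinct_files(events, window):
    """Largest number of distinct files one user touched within any span of length `window`."""
    peak, j = 0, 0
    for i, (start, _) in enumerate(events):
        # Advance the window end; j only moves forward because events are sorted.
        while j < len(events) and events[j][0] - start <= window:
            j += 1
        peak = max(peak, len({path for _, path in events[i:j]}))
    return peak

def rapid_access_users(text, window=timedelta(minutes=5), threshold=4, backup_accounts=()):
    """Users whose burst of distinct-file accesses reaches the threshold.
    `backup_accounts` is an assumed allow-list standing in for a real backup-identification mechanism."""
    flagged = {}
    for user, events in parse_log(text).items():
        peak = peak_distinct_files(events, window)
        if peak >= threshold and user not in backup_accounts:
            flagged[user] = peak
    return flagged
```

Without the allow-list, `backup-svc` and `intruder` are flagged alike while `alice` is not; only the `backup_accounts` hint separates the administrator's burst from the intruder's.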