
Using group analysis to determine suspicious accounts or activities

  • US 10,110,616 B1
  • Filed: 02/11/2015
  • Issued: 10/23/2018
  • Est. Priority Date: 02/11/2014
  • Status: Active Grant
First Claim

1. A method comprising:

  • obtaining a collection of events, each event being associated with a user account activity and including a set of event attributes;

    deriving a set of event features for each event using the event attributes;

    for each user account, obtaining a set of user features associated with historical events of the user account;

    creating one or more groups including event groups and user groups including using the user features to assign each user account to one or more user groups, wherein the user accounts associated with each user group share a measure of similarity for one or more features, wherein each group has a group profile derived from the respective user and event features of the group;

    for each group, generating a feature histogram for each feature of the group;

    determining, using one or more computing devices, whether one or more groups are suspicious groups based on a comparison of each group of the plurality of groups to a global profile associated with the plurality of users, wherein the global profile is a group in which all user accounts are a member to form a baseline, and wherein the comparison of each group profile to the global profile includes;

    performing a feature by feature comparison of feature histograms values computed for features of the group with a global feature histogram for each corresponding feature of the global profile,

    calculating a probability that a particular feature is suspicious for each of the features of the group based on the comparison of the feature histograms, and

    examining the features having a threshold probability of being suspicious and their respective feature strengths to determine whether the group is suspicious; and

    in response to a determination that one or more groups are suspicious, determining whether there are malicious accounts or events associated with each suspicious group.
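
The group-versus-global histogram comparison in the claim, as an added sketch that is not the patent's implementation. Assumptions: groups are given rather than derived from user features, Jensen-Shannon divergence stands in for the per-feature suspicion probability, "feature strength" is taken as the share of the group's dominant value, and the field names, thresholds and events are constructed.

```python
import math
from collections import Counter, defaultdict

# Constructed sample events; the field names are assumptions for this sketch.
EVENTS = [{"account": f"u{i}", "group": "g1", "user_agent": f"ua-{i % 4}",
           "signup_hour": 8 + i % 8} for i in range(16)]
EVENTS += [{"account": f"b{i}", "group": "g2", "user_agent": "ua-x",
            "signup_hour": 3} for i in range(4)]
FEATURES = ("user_agent", "signup_hour")

def histogram(values):
    """Normalised feature histogram: value -> fraction of events."""
    counts = Counter(values)
    total = sum(counts.values())
    return {value: n / total for value, n in counts.items()}

def js_divergence(p, q):
    """Jensen-Shannon divergence in bits; 0 = identical, 1 = disjoint."""
    mix = {k: 0.5 * (p.get(k, 0.0) + q.get(k, 0.0)) for k in set(p) | set(q)}
    def kl(a):
        return sum(pa * math.log2(pa / mix[k]) for k, pa in a.items() if pa > 0)
    return 0.5 * kl(p) + 0.5 * kl(q)

def evaluate(events, features=FEATURES, threshold=0.5, min_strength=0.8):
    """Return {group: (is_suspicious, {feature: (score, strength)}, accounts)}."""
    groups = defaultdict(list)
    for event in events:
        groups[event["group"]].append(event)
    # Global profile: the group that contains every account (the baseline).
    baseline = {f: histogram(e[f] for e in events) for f in features}
    results = {}
    for name, members in groups.items():
        flagged = {}
        for f in features:
            hist = histogram(e[f] for e in members)
            score = js_divergence(hist, baseline[f])  # assumed suspicion score
            strength = max(hist.values())             # assumed feature strength
            if score >= threshold:
                flagged[f] = (round(score, 3), strength)
        suspicious = any(s >= min_strength for _, s in flagged.values())
        # Accounts of a suspicious group are returned for per-account review.
        accounts = sorted({e["account"] for e in members}) if suspicious else []
        results[name] = (suspicious, flagged, accounts)
    return results

if __name__ == "__main__":
    for group, verdict in evaluate(EVENTS).items():
        print(group, verdict)
```
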
