Using hypergraphs to determine suspicious user activities
First Claim
Patent Images
1. A method comprising:
- generating a set of feature profiles, each feature profile having a set of features derived from a profile constructed from an obtained set of correlated events or a set of correlated user accounts;
generating hypergraphs, wherein the hypergraphs include nodes corresponding to feature profiles and edges between particular nodes representing a measure of similarity between nodes, wherein the measure of similarity between a pair of nodes is based at least in part on a comparison of a plurality of feature values associated with each node of the pair of nodes and weighting the edges based on the comparison; and
analyzing the generated hypergraphs to detect abnormal graph nodes based on a comparison of the feature profiles of each node and a global feature profile.
1 Assignment
0 Petitions
Accused Products
Abstract
Methods, systems, and apparatus, including computer programs encoded on computer storage media, for detecting suspicious user activities. One of the methods includes generating hypergraphs, wherein the hypergraphs include nodes corresponding to feature profiles and edges between particular nodes representing a measure of similarity between nodes; using the generated hypergraphs to detect suspicious graph nodes; and using the suspicious graph nodes to detect malicious user communities.
-
Citations
18 Claims
-
1. A method comprising:
-
generating a set of feature profiles, each feature profile having a set of features derived from a profile constructed from an obtained set of correlated events or a set of correlated user accounts; generating hypergraphs, wherein the hypergraphs include nodes corresponding to feature profiles and edges between particular nodes representing a measure of similarity between nodes, wherein the measure of similarity between a pair of nodes is based at least in part on a comparison of a plurality of feature values associated with each node of the pair of nodes and weighting the edges based on the comparison; and analyzing the generated hypergraphs to detect abnormal graph nodes based on a comparison of the feature profiles of each node and a global feature profile. - View Dependent Claims (2, 3, 4, 5)
-
-
6. A method comprising:
-
processing input data to derive a set of features for each user account or event for a plurality of user accounts; generating a set of feature profiles, each feature profile having a set of features derived from a profile constructed from a set of correlated events or a set of correlated user accounts, wherein the set of feature profiles are used to generate hypergraphs where each node of a hypergraph corresponds to a feature profile; generating a global feature profile, the global feature profile includes features from a profile constructed from all obtained events and user accounts; performing a feature by feature comparison including, for each feature profile of the set of feature profiles; for each feature of the feature profile, comparing the feature in the feature profile to a corresponding feature of the global feature profile, and determining, based on the comparison, whether the feature profile is suspicious; and analyzing suspicious feature profiles from the set of feature profiles to determine whether a particular user account or event is likely to correspond to a malicious user. - View Dependent Claims (7, 8, 9)
-
-
10. A system comprising:
one or more computers having one or more processors and one or more memories, the one or more computers configured to perform operations comprising; generating a set of feature profiles, each feature profile having a set of features derived from a profile constructed from an obtained set of correlated events or a set of correlated user accounts; generating hypergraphs, wherein the hypergraphs include nodes corresponding to feature profiles and edges between particular nodes representing a measure of similarity between nodes, wherein the measure of similarity between a pair of nodes is based at least in part on a comparison of a plurality of feature values associated with each node of the pair of nodes and weighting the edges based on the comparison; and analyzing the generated hypergraphs to detect abnormal graph nodes based on a comparison of the feature profiles of each node and a global feature profile. - View Dependent Claims (11, 12, 13, 14)
-
15. A system comprising:
one or more computers having one or more processors and one or more memories, the one or more computers configured to perform operations comprising; processing input data to derive a set of features for each user account or event for a plurality of user accounts; generating a set of feature profiles, each feature profile having a set of features derived from a profile constructed from a set of correlated events or a set of correlated user accounts, wherein the set of feature profiles are used to generate hypergraphs where each node of a hypergraph corresponds to a feature profile; generating a global feature profile, the global feature profile includes features from a profile constructed from all obtained events and user accounts; performing a feature by feature comparison including, for each feature profile of the set of feature profiles; for each feature of the feature profile, comparing the feature in the feature profile to a corresponding feature of the global feature profile, and determining, based on the comparison, whether the feature profile is suspicious; and analyzing suspicious feature profiles from the set of feature profiles to determine whether a particular user account or event is likely to correspond to a malicious user. - View Dependent Claims (16, 17, 18)
Specification