Using hypergraphs to determine suspicious user activities

US 10,135,788 B1
Filed: 10/05/2017
Issued: 11/20/2018
Est. Priority Date: 02/11/2014
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

generating a set of feature profiles, each feature profile having a set of features derived from a profile constructed from an obtained set of correlated events or a set of correlated user accounts;

generating hypergraphs, wherein the hypergraphs include nodes corresponding to feature profiles and edges between particular nodes representing a measure of similarity between nodes, wherein the measure of similarity between a pair of nodes is based at least in part on a comparison of a plurality of feature values associated with each node of the pair of nodes and weighting the edges based on the comparison; and

analyzing the generated hypergraphs to detect abnormal graph nodes based on a comparison of the feature profiles of each node and a global feature profile.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods, systems, and apparatus, including computer programs encoded on computer storage media, for detecting suspicious user activities. One of the methods includes generating hypergraphs, wherein the hypergraphs include nodes corresponding to feature profiles and edges between particular nodes representing a measure of similarity between nodes; using the generated hypergraphs to detect suspicious graph nodes; and using the suspicious graph nodes to detect malicious user communities.

Citations

18 Claims

1. A method comprising:
- generating a set of feature profiles, each feature profile having a set of features derived from a profile constructed from an obtained set of correlated events or a set of correlated user accounts;
  
  generating hypergraphs, wherein the hypergraphs include nodes corresponding to feature profiles and edges between particular nodes representing a measure of similarity between nodes, wherein the measure of similarity between a pair of nodes is based at least in part on a comparison of a plurality of feature values associated with each node of the pair of nodes and weighting the edges based on the comparison; and
  
  analyzing the generated hypergraphs to detect abnormal graph nodes based on a comparison of the feature profiles of each node and a global feature profile.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method of claim 1, wherein the abnormal graph nodes are used to identify one or more malicious accounts or malicious events.
  - 3. The method of claim 2, wherein identifying a malicious account includes comparing a feature profile of an individual account to a profile of a suspicious community of user accounts and determining a likelihood that the individual account is suspicious based on a measure of feature by feature similarity between the profiles.
  - 4. The method of claim 1, comprising determining whether nodes of the hypergraphs connected to an abnormal node are also abnormal, wherein the determining includes propagating a suspiciousness score of the abnormal node to connected nodes based on respective weights of edges connecting the abnormal node to the connected nodes, wherein the weight of a given edge is based on a feature similarity between the nodes of the hypergraph connected by the given edge.
  - 5. The method of claim 1, wherein analysis of a detected abnormal graph node includes determining whether a particular user account associated with the detected abnormal graph node has historically been identified in one or more stable graph communities.

6. A method comprising:
- processing input data to derive a set of features for each user account or event for a plurality of user accounts;
  
  generating a set of feature profiles, each feature profile having a set of features derived from a profile constructed from a set of correlated events or a set of correlated user accounts, wherein the set of feature profiles are used to generate hypergraphs where each node of a hypergraph corresponds to a feature profile;
  
  generating a global feature profile, the global feature profile includes features from a profile constructed from all obtained events and user accounts;
  
  performing a feature by feature comparison including, for each feature profile of the set of feature profiles;
  
  for each feature of the feature profile, comparing the feature in the feature profile to a corresponding feature of the global feature profile, anddetermining, based on the comparison, whether the feature profile is suspicious; and
  
  analyzing suspicious feature profiles from the set of feature profiles to determine whether a particular user account or event is likely to correspond to a malicious user.
- View Dependent Claims (7, 8, 9)
- - 7. The method of claim 6, wherein the global profile is used to identify one or more common features and to reduce a weight associated with the identified common features when comparing the feature to the corresponding feature in the feature profiles.
  - 8. The method of claim 6, wherein each edge of a hypergraph connects nodes having one or more similar features, and wherein each edge has an associated weight based on the number of similar features between the connected nodes.
  - 9. The method of claim 8, wherein the global profile is used to prune edges or reduce edge weight based on a determination for common feature values.

10. A system comprising:
- one or more computers having one or more processors and one or more memories, the one or more computers configured to perform operations comprising;
  
  generating a set of feature profiles, each feature profile having a set of features derived from a profile constructed from an obtained set of correlated events or a set of correlated user accounts;
  
  generating hypergraphs, wherein the hypergraphs include nodes corresponding to feature profiles and edges between particular nodes representing a measure of similarity between nodes, wherein the measure of similarity between a pair of nodes is based at least in part on a comparison of a plurality of feature values associated with each node of the pair of nodes and weighting the edges based on the comparison; and
  
  analyzing the generated hypergraphs to detect abnormal graph nodes based on a comparison of the feature profiles of each node and a global feature profile.
- View Dependent Claims (11, 12, 13, 14)
- - 11. The system of claim 10, wherein the abnormal graph nodes are used to identify one or more malicious accounts or malicious events.
  - 12. The system of claim 11, wherein identifying a malicious account includes comparing a feature profile of an individual account to a profile of a suspicious community of user accounts and determining a likelihood that the individual account is suspicious based on a measure of feature by feature similarity between the profiles.
  - 13. The system of claim 10, wherein the one or more computers are further configured to perform operations comprising determining whether nodes of the hypergraphs connected to an abnormal node are also abnormal, wherein the determining includes propagating a suspiciousness score of the abnormal node to connected nodes based on respective weights of edges connecting the abnormal node to the connected nodes, wherein the weight of a given edge is based on a feature similarity between the nodes of the hypergraph connected by the given edge.
  - 14. The system of claim 10, wherein analysis of a detected abnormal graph node includes determining whether a particular user account associated with the detected abnormal graph node has historically been identified in one or more stable graph communities.

15. A system comprising:
- one or more computers having one or more processors and one or more memories, the one or more computers configured to perform operations comprising;
  
  processing input data to derive a set of features for each user account or event for a plurality of user accounts;
  
  generating a set of feature profiles, each feature profile having a set of features derived from a profile constructed from a set of correlated events or a set of correlated user accounts, wherein the set of feature profiles are used to generate hypergraphs where each node of a hypergraph corresponds to a feature profile;
  
  generating a global feature profile, the global feature profile includes features from a profile constructed from all obtained events and user accounts;
  
  performing a feature by feature comparison including, for each feature profile of the set of feature profiles;
  
  for each feature of the feature profile, comparing the feature in the feature profile to a corresponding feature of the global feature profile, anddetermining, based on the comparison, whether the feature profile is suspicious; and
  
  analyzing suspicious feature profiles from the set of feature profiles to determine whether a particular user account or event is likely to correspond to a malicious user.
- View Dependent Claims (16, 17, 18)
- - 16. The system of claim 15, wherein the global profile is used to identify one or more common features and to reduce a weight associated with the identified common features when comparing the feature to the corresponding feature in the feature profiles.
  - 17. The system of claim 15, wherein each edge of a hypergraph connects nodes having one or more similar features, and wherein each edge has an associated weight based on the number of similar features between the connected nodes.
  - 18. The system of claim 17, wherein the global profile is used to prune edges or reduce edge weight based on a determination for common feature values.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
DataVisor, Inc.
Original Assignee
Data Vision Company Limited
Inventors
Xie, Yinglian, Yu, Fang
Primary Examiner(s)
Najjar, Saleh
Assistant Examiner(s)
Almeida, Devin E

Application Number

US15/725,846
Time in Patent Office

411 Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/0263   Rule management

H04L 63/14   for detecting or protecting...

H04L 63/1408   by monitoring network traff...

Using hypergraphs to determine suspicious user activities

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Using hypergraphs to determine suspicious user activities

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links