Method, apparatus, and computer-readable medium for detecting anomalous user behavior

US 10,257,211 B2
Filed: 05/20/2016
Issued: 04/09/2019
Est. Priority Date: 05/20/2016
Status: Active Grant

First Claim

Patent Images

1. A method executed by one or more computing devices for efficient detection of anomalous user behavior on a computer network, the method comprising:

storing, by at least one of the one or more computing devices, user activity data corresponding to activity on the computer network that is collected over an observation interval, wherein the user activity data comprises a plurality of data objects corresponding to a plurality of users and wherein each data object in the plurality of data objects comprises a plurality of activity parameters;

grouping, by at least one of the one or more computing devices, the plurality of data objects into a plurality of clusters based at least in part on the plurality of activity parameters for each data object;

calculating, by at least one of the one or more computing devices, one or more outlier metrics corresponding to each cluster in the plurality of clusters, wherein each outlier metric in the one or more outlier metrics indicates a degree to which a corresponding cluster is an outlier relative to other clusters in the plurality of clusters;

calculating, by at least one of the one or more computing devices, an irregularity score for each data object in the plurality of data objects based at least in part on a size of a cluster which contains the data object and the one or more outlier metrics corresponding to the cluster which contains the data object;

generating, by at least one of the one or more computing devices, a plurality of object postures by encoding the irregularity score and the plurality of activity parameters for each data object in the plurality of data objects as an object posture, each object posture comprising a string data structure comprised of a plurality of substrings, each substring indicating a state of either the irregularity score or an activity parameter in the plurality of activity parameters for a corresponding data object over the observation interval; and

identifying by at least one of the one or more computing devices, anomalous activity of at least one user in the plurality of users based at least in part on a string metric measuring a distance between at least one object posture in the plurality of object postures and at least one previous object posture corresponding to a same user as the at least one object posture during a different observation interval prior to the observation interval.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An apparatus, computer-readable medium, and computer-implemented method for detecting anomalous user behavior, including storing user activity data collected over an observation interval, the user activity data comprising a plurality of data objects and corresponding to a plurality of users, grouping a plurality of data objects into a plurality of clusters, calculating one or more outlier metrics corresponding to each cluster, calculating an irregularity score for each of one or more data objects in the plurality of data objects, generating one or more object postures for the one or more data objects, comparing each of at least one object posture in the one or more object postures with one or more previous object postures corresponding to a same user as the object posture to identify anomalous activity of one or more users in the plurality of users.

15 Citations

View as Search Results

51 Claims

1. A method executed by one or more computing devices for efficient detection of anomalous user behavior on a computer network, the method comprising:
- storing, by at least one of the one or more computing devices, user activity data corresponding to activity on the computer network that is collected over an observation interval, wherein the user activity data comprises a plurality of data objects corresponding to a plurality of users and wherein each data object in the plurality of data objects comprises a plurality of activity parameters;
  
  grouping, by at least one of the one or more computing devices, the plurality of data objects into a plurality of clusters based at least in part on the plurality of activity parameters for each data object;
  
  calculating, by at least one of the one or more computing devices, one or more outlier metrics corresponding to each cluster in the plurality of clusters, wherein each outlier metric in the one or more outlier metrics indicates a degree to which a corresponding cluster is an outlier relative to other clusters in the plurality of clusters;
  
  calculating, by at least one of the one or more computing devices, an irregularity score for each data object in the plurality of data objects based at least in part on a size of a cluster which contains the data object and the one or more outlier metrics corresponding to the cluster which contains the data object;
  
  generating, by at least one of the one or more computing devices, a plurality of object postures by encoding the irregularity score and the plurality of activity parameters for each data object in the plurality of data objects as an object posture, each object posture comprising a string data structure comprised of a plurality of substrings, each substring indicating a state of either the irregularity score or an activity parameter in the plurality of activity parameters for a corresponding data object over the observation interval; and
  
  identifying by at least one of the one or more computing devices, anomalous activity of at least one user in the plurality of users based at least in part on a string metric measuring a distance between at least one object posture in the plurality of object postures and at least one previous object posture corresponding to a same user as the at least one object posture during a different observation interval prior to the observation interval.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17)
- - 2. The method of claim 1, wherein the plurality of activity parameters include one or more of:
    - a number of data stores accessed by a user, a number of sensitive data stores accessed by a user, a number of records affected by a user, a number of requests by a user, a time of access by a user, a number of sensitive requests by a user, a number of sensitive records affected by a user, a user location, a user host relocation anomaly metric, a user activity timing anomaly metric, or a forwarding network path of a user.
  - 3. The method of claim 1, further comprising, prior to grouping the plurality of data objects into a plurality of clusters:
    - determining, by at least one of the one or more computing devices, whether the user activity data corresponding to one or more activity parameters in the plurality of activity parameters conforms to a normal distribution; and
      
      transforming, by at least one of the one or more computing devices, the user activity data corresponding to the one or more activity parameters to conform to a normal distribution based at least in part on a determination that user activity data corresponding to the one or more activity parameters does not conform to a normal distribution.
  - 4. The method of claim 1, further comprising, prior to grouping the plurality of data objects into a plurality of clusters:
    - normalizing, by at least one of the one or more computing devices, the user activity data corresponding to one or more activity parameters in the plurality of activity parameters.
  - 5. The method of claim 1, further comprising, prior to grouping the plurality of data objects into a plurality of clusters:
    - reducing, by at least one of the one or more computing devices, a number of dimensions in the user activity data by removing data corresponding to one or more activity parameters in the plurality of activity parameters.
  - 6. The method of claim 1, wherein the one or more outlier metrics comprise one or more of a distance-based outlier metric and a density-based cluster outlier metric.
  - 7. The method of claim 6, wherein calculating an irregularity score for each data object in the plurality of data objects based at least in part on a size of a cluster which contains the data object and the one or more outlier metrics corresponding to the cluster which contains the data object comprises:
    - calculating a singularity metric for the cluster which contains the data object based at least in part on the size of the cluster;
      
      calculating the distance-based outlier metric for the cluster which contains the data object;
      
      calculating the density-based outlier metric for the cluster which contains the data object; and
      
      determining the irregularity score for the data object based at least in part on the singularity metric, the distance-based outlier metric, and the density-based outlier metric.
  - 8. The method of claim 7, wherein determining the irregularity score for the data object based at least in part on the singularity metric, the distance-based outlier detection confidence metric, and the density-based outlier detection confidence metric comprises:
    - mapping the singularity metric to one or more singularity levels in a plurality of singularity levels based at least in part on a first fuzzy membership function mapping a range of values of the singularity metric to the plurality singularity levels;
      
      mapping the distance-based outlier metric to one or more distance-based outlier levels in a plurality of distance-based outlier levels based at least in part on a second fuzzy membership function mapping a range of values of the distance-based outlier metric to the plurality distance-based outlier levels;
      
      mapping the density-based outlier metric to one or more density-based outlier levels in a plurality of density-based outlier levels based at least in part on a third fuzzy membership function mapping a range of values of the density-based outlier metric to the plurality density-based outlier levels;
      
      mapping one or more combinations of the one or more singularity levels, the one or more distance-based outlier levels, and the one or more density-based outlier levels to one or more irregularity levels in a plurality of irregularity levels based at least in part on a set of fuzzy rules mapping combinations of the plurality of singularity levels, the plurality of distance-based outlier levels, and the plurality of density-based outlier levels to the plurality of irregularity levels; and
      
      applying an irregularity decision function to the one or more irregularity levels to generate the irregularity score.
  - 9. The method of claim 1, wherein generating a plurality of object postures by encoding the irregularity score and the plurality of activity parameters for each data object in the plurality of data objects as an object posture comprises, for each data object in the plurality of data objects:
    - mapping each activity parameter in the plurality of activity parameters to a segment value in a set of segment values and assigning a corresponding variation value to each activity parameter based at least in part on a fuzzy membership function corresponding to that activity parameter, wherein the fuzzy membership function corresponding to that activity parameter is configured to map possible values of that activity parameter to the set of segment values;
      
      mapping the irregularity score of the data object to an irregularity value in a set of irregularity values and assigning a corresponding irregularity variation value to the irregularity score based at least in part on an irregularity fuzzy membership function, wherein the irregularity fuzzy membership function is configured to map possible values of that irregularity score to the set of irregularity values; and
      
      generating the object posture of the data object based at least in part on a plurality of segment values mapped to the plurality of activity parameters and the irregularity value mapped to the irregularity score.
  - 10. The method of claim 9, wherein mapping each activity parameter in the plurality of activity parameters to a segment value in a set of segment values and assigning a corresponding variation value to each activity parameter based at least in part on a fuzzy membership function corresponding to that activity parameter comprises:
    - determining one or more segment values in the set of segment values which correspond to the activity parameter based at least in part on the fuzzy membership function;
      
      mapping a lowest segment value in the one or more segment values to the activity parameter;
      
      determining a variation value based at least in part on a quantity of the one or more segment values which correspond to the activity parameter; and
      
      assigning the variation value to the activity parameter.
  - 11. The method of claim 9, wherein mapping the irregularity score of the data object to an irregularity value in a set of irregularity values and assigning a corresponding irregularity variation value to the irregularity score based at least in part on an irregularity fuzzy membership function comprises:
    - determining one or more irregularity values in the set of irregularity values which correspond to the irregularity score based at least in part on the irregularity fuzzy membership function;
      
      mapping a lowest irregularity value in the one or more irregularity values to the irregularity score;
      
      determining an irregularity variation value based at least in part on a quantity of the one or more irregularity values which correspond to the irregularity score; and
      
      assigning the irregularity variation value to the irregularity score.
  - 12. The method of claim 9, further comprising, prior to generating the object posture of the data object:
    - mapping, by at least one of the one or more computing devices, one or more activity parameters in the plurality of activity parameters to one or more additional segment values in the set of segment values based at least in part on one or more variation values corresponding to the one or more activity parameters and one or more fuzzy membership functions corresponding to the one or more activity parameters; and
      
      mapping, by at least one of the one or more computing devices, the irregularity score of the data object to one or more additional irregularity values in the set of irregularity values based at least in part on the irregularity variation value corresponding to the irregularity score and the irregularity fuzzy membership function.
  - 13. The method of claim 12, wherein mapping one or more activity parameters in the plurality of activity parameters to one or more additional segment values in the set of segment values based at least in part on one or more variation values corresponding to the one or more activity parameters and one or more fuzzy membership functions corresponding to the one or more activity parameters comprises:
    - identifying one or more activity parameters in the plurality of activity parameters which have a corresponding variation value which is greater than zero;
      
      determining, for each activity parameter in the identified one or more activity parameters, one or more possible segment values corresponding to that activity parameter, wherein the one or more possible segment values are based at least in part on the variation value assigned to that activity parameter, the segment value mapped to that activity parameter, and the fuzzy membership function corresponding to that activity parameter;
      
      concatenating, for each activity parameter in the identified one or more activity parameters, the one or more possible segment values corresponding to that activity parameter to generate a concatenated list of possible segment values; and
      
      mapping, for each activity parameter in the identified one or more activity parameters, the concatenated list of possible segment values to the corresponding activity parameter.
  - 14. The method of claim 12, wherein mapping the irregularity score of the data object to one or more additional irregularity values in the set of irregularity values based at least in part on the irregularity variation value corresponding to the irregularity score and the irregularity fuzzy membership function comprises:
    - determining one or more possible irregularity values corresponding to the irregularity score, wherein the one or more possible irregularity values are based at least in part on the irregularity variation value assigned to the irregularity score, the irregularity value mapped to the irregularity score, and the irregularity fuzzy membership function; and
      
      concatenating the one or more possible irregularity values corresponding to the irregularity score to generate a concatenated list of possible irregularity values; and
      
      mapping the concatenated list of possible irregularity values to the irregularity score.
  - 15. The method of claim 9, wherein generating the object posture of the data object based at least in part on a plurality of segment values corresponding to the plurality of activity parameters and the irregularity value corresponding to the irregularity score comprises:
    - concatenating all segment values mapped to the plurality of activity parameters and all irregularity values mapped to the irregularity score.
  - 16. The method of claim 1, wherein identifying anomalous activity of at least one user in the plurality of users based at least in part on a string metric measuring a distance between at least one object posture in the plurality of object postures and at least one previous object posture corresponding to a same user as the at least one object posture during a different observation interval prior to the observation interval comprises:
    - calculating the string metric between the at least one object posture and the at least one previous object posture corresponding to the same user; and
      
      identifying activity of the at least one user as anomalous based at least in part on a determination that the string metric is greater than a threshold string metric.
  - 17. The method of claim 16, wherein the string metric comprises a Levenshtein distance metric between the at least one object posture and the at least previous object posture corresponding to the same user.

18. An apparatus for efficient detection of anomalous user behavior on a computer network, the apparatus comprising:
- one or more processors; and
  
  one or more memories operatively coupled to at least one of the one or more processors and having instructions stored thereon that, when executed by at least one of the one or more processors, cause at least one of the one or more processors to;
  
  store user activity data corresponding to activity on the computer network that is collected over an observation interval, wherein the user activity data comprises a plurality of data objects corresponding to a plurality of users and wherein each data object in the plurality of data objects comprises a plurality of activity parameters;
  
  group the plurality of data objects into a plurality of clusters based at least in part on the plurality of activity parameters for each data object;
  
  calculate one or more outlier metrics corresponding to each cluster in the plurality of clusters, wherein each outlier metric in the one or more outlier metrics indicates measures a degree to which a corresponding cluster lies outside of is an outlier relative to other clusters in the plurality of clusters;
  
  calculate an irregularity score for each of one or more data objects in the plurality of data objects based at least in part on a size of a cluster which contains the data object and the one or more outlier metrics corresponding to the cluster which contains the data object;
  
  generate a plurality of object postures by encoding the irregularity score and the plurality of activity parameters for each data object in the plurality of data objects as an object posture, each object posture comprising a string data structure comprised of a plurality of sub strings, each sub string indicating a state of either the irregularity score or an activity parameter in the plurality of activity parameters for a corresponding data object over the observation interval; and
  
  identify anomalous activity of at least one user in the plurality of users based at least in part on a string metric measuring a distance between at least one object posture in the plurality of object postures and at least one previous object posture corresponding to a same user as the at least one object posture during a different observation interval prior to the observation interval.
- View Dependent Claims (19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34)
- - 19. The apparatus of claim 18, wherein the plurality of activity parameters include one or more of:
    - a number of data stores accessed by a user, a number of sensitive data stores accessed by a user, a number of records affected by a user, a number of requests by a user, a time of access by a user, a number of sensitive requests by a user, a number of sensitive records affected by a user, a user location, a user host relocation anomaly metric, a user activity timing anomaly metric, or a forwarding network path of a user.
  - 20. The apparatus of claim 18, wherein at least one of the one or more memories has further instructions stored thereon that, when executed by at least one of the one or more processors, cause at least one of the one or more processors to, prior to grouping the plurality of data objects into a plurality of clusters:
    - determine whether the user activity data corresponding to one or more activity parameters in the plurality of activity parameters conforms to a normal distribution; and
      
      transform the user activity data corresponding to the one or more activity parameters to conform to a normal distribution based at least in part on a determination that user activity data corresponding to the one or more activity parameters does not conform to a normal distribution.
  - 21. The apparatus of claim 18, wherein at least one of the one or more memories has further instructions stored thereon that, when executed by at least one of the one or more processors, cause at least one of the one or more processors to, prior to grouping the plurality of data objects into a plurality of clusters:
    - normalize the user activity data corresponding to one or more activity parameters in the plurality of activity parameters.
  - 22. The apparatus of claim 18, wherein at least one of the one or more memories has further instructions stored thereon that, when executed by at least one of the one or more processors, cause at least one of the one or more processors to, prior to grouping the plurality of data objects into a plurality of clusters:
    - reduce a number of dimensions in the user activity data by removing data corresponding to one or more activity parameters in the plurality of activity parameters.
  - 23. The apparatus of claim 18, wherein the one or more outlier metrics comprise one or more of a distance-based outlier metric and a density-based cluster outlier metric.
  - 24. The apparatus of claim 23, wherein the instructions that, when executed by at least one of the one or more processors, cause at least one of the one or more processors to calculate an irregularity score for each data object in the plurality of data objects based at least in part on a size of a cluster which contains the data object and the one or more outlier metrics corresponding to the cluster which contains the data object further cause at least one of the one or more processors to:
    - calculate a singularity metric for the cluster which contains the data object based at least in part on the size of the cluster;
      
      calculate the distance-based outlier metric for the cluster which contains the data object;
      
      calculate the density-based outlier metric for the cluster which contains the data object; and
      
      determine the irregularity score for the data object based at least in part on the singularity metric, the distance-based outlier metric, and the density-based outlier metric.
  - 25. The apparatus of claim 24, wherein the instructions that, when executed by at least one of the one or more processors, cause at least one of the one or more processors to determine the irregularity score for the data object based at least in part on the singularity metric, the distance-based outlier detection confidence metric, and the density-based outlier detection confidence metric further cause at least one of the one or more processors to:
    - map the singularity metric to one or more singularity levels in a plurality of singularity levels based at least in part on a first fuzzy membership function mapping a range of values of the singularity metric to the plurality singularity levels;
      
      map the distance-based outlier metric to one or more distance-based outlier levels in a plurality of distance-based outlier levels based at least in part on a second fuzzy membership function mapping a range of values of the distance-based outlier metric to the plurality distance-based outlier levels;
      
      map the density-based outlier metric to one or more density-based outlier levels in a plurality of density-based outlier levels based at least in part on a third fuzzy membership function mapping a range of values of the density-based outlier metric to the plurality density-based outlier levels;
      
      map one or more combinations of the one or more singularity levels, the one or more distance-based outlier levels, and the one or more density-based outlier levels to one or more irregularity levels in a plurality of irregularity levels based at least in part on a set of fuzzy rules mapping combinations of the plurality of singularity levels, the plurality of distance-based outlier levels, and the plurality of density-based outlier levels to the plurality of irregularity levels; and
      
      apply an irregularity decision function to the one or more irregularity levels to generate the irregularity score.
  - 26. The apparatus of claim 18, wherein the instructions that, when executed by at least one of the one or more processors, cause at least one of the one or more processors to generate a plurality of object postures by encoding the irregularity score and the plurality of activity parameters for each data object in the plurality of data objects as an object posture further cause at least one of the one or more processors to, for each data object in the plurality of data objects:
    - map each activity parameter in the plurality of activity parameters to a segment value in a set of segment values and assigning a corresponding variation value to each activity parameter based at least in part on a fuzzy membership function corresponding to that activity parameter, wherein the fuzzy membership function corresponding to that activity parameter is configured to map possible values of that activity parameter to the set of segment values;
      
      map the irregularity score of the data object to an irregularity value in a set of irregularity values and assigning a corresponding irregularity variation value to the irregularity score based at least in part on an irregularity fuzzy membership function, wherein the irregularity fuzzy membership function is configured to map possible values of that irregularity score to the set of irregularity values; and
      
      generate the object posture of the data object based at least in part on a plurality of segment values mapped to the plurality of activity parameters and the irregularity value mapped to the irregularity score.
  - 27. The apparatus of claim 26, wherein the instructions that, when executed by at least one of the one or more processors, cause at least one of the one or more processors to map each activity parameter in the plurality of activity parameters to a segment value in a set of segment values and assign a corresponding variation value to each activity parameter based at least in part on a fuzzy membership function corresponding to that activity parameter further cause at least one of the one or more processors to:
    - determine one or more segment values in the set of segment values which correspond to the activity parameter based at least in part on the fuzzy membership function;
      
      map a lowest segment value in the one or more segment values to the activity parameter;
      
      determine a variation value based at least in part on a quantity of the one or more segment values which correspond to the activity parameter; and
      
      assign the variation value to the activity parameter.
  - 28. The apparatus of claim 26, wherein the instructions that, when executed by at least one of the one or more processors, cause at least one of the one or more processors to map the irregularity score of the data object to an irregularity value in a set of irregularity values and assign a corresponding irregularity variation value to the irregularity score based at least in part on an irregularity fuzzy membership function further cause at least one of the one or more processors to:
    - determine one or more irregularity values in the set of irregularity values which correspond to the irregularity score based at least in part on the irregularity fuzzy membership function;
      
      map a lowest irregularity value in the one or more irregularity values to the irregularity score;
      
      determine an irregularity variation value based at least in part on a quantity of the one or more irregularity values which correspond to the irregularity score; and
      
      assign the irregularity variation value to the irregularity score.
  - 29. The apparatus of claim 26, wherein at least one of the one or more memories has further instructions stored thereon that, when executed by at least one of the one or more processors, cause at least one of the one or more processors to, prior to generating the object posture of the data object:
    - map one or more activity parameters in the plurality of activity parameters to one or more additional segment values in the set of segment values based at least in part on one or more variation values corresponding to the one or more activity parameters and one or more fuzzy membership functions corresponding to the one or more activity parameters; and
      
      map the irregularity score of the data object to one or more additional irregularity values in the set of irregularity values based at least in part on the irregularity variation value corresponding to the irregularity score and the irregularity fuzzy membership function.
  - 30. The apparatus of claim 29, wherein the instructions that, when executed by at least one of the one or more processors, cause at least one of the one or more processors to map one or more activity parameters in the plurality of activity parameters to one or more additional segment values in the set of segment values based at least in part on one or more variation values corresponding to the one or more activity parameters and one or more fuzzy membership functions corresponding to the one or more activity parameters further cause at least one of the one or more processors to:
    - identify one or more activity parameters in the plurality of activity parameters which have a corresponding variation value which is greater than zero;
      
      determine, for each activity parameter in the identified one or more activity parameters, one or more possible segment values corresponding to that activity parameter, wherein the one or more possible segment values are based at least in part on the variation value assigned to that activity parameter, the segment value mapped to that activity parameter, and the fuzzy membership function corresponding to that activity parameter;
      
      concatenate, for each activity parameter in the identified one or more activity parameters, the one or more possible segment values corresponding to that activity parameter to generate a concatenated list of possible segment values; and
      
      map, for each activity parameter in the identified one or more activity parameters, the concatenated list of possible segment values to the corresponding activity parameter.
  - 31. The apparatus of claim 29, wherein the instructions that, when executed by at least one of the one or more processors, cause at least one of the one or more processors to map the irregularity score of the data object to one or more additional irregularity values in the set of irregularity values based at least in part on the irregularity variation value corresponding to the irregularity score and the irregularity fuzzy membership function further cause at least one of the one or more processors to:
    - determine one or more possible irregularity values corresponding to the irregularity score, wherein the one or more possible irregularity values are based at least in part on the irregularity variation value assigned to the irregularity score, the irregularity value mapped to the irregularity score, and the irregularity fuzzy membership function; and
      
      concatenate the one or more possible irregularity values corresponding to the irregularity score to generate a concatenated list of possible irregularity values; and
      
      map the concatenated list of possible irregularity values to the irregularity score.
  - 32. The apparatus of claim 26, wherein the instructions that, when executed by at least one of the one or more processors, cause at least one of the one or more processors to generate the object posture of the data object based at least in part on a plurality of segment values corresponding to the plurality of activity parameters and the irregularity value corresponding to the irregularity score further cause at least one of the one or more processors to:
    - concatenate all segment values mapped to the plurality of activity parameters and all irregularity values mapped to the irregularity score.
  - 33. The apparatus of claim 18, wherein the instructions that, when executed by at least one of the one or more processors, cause at least one of the one or more processors to identify anomalous activity of at least one user in the plurality of users based at least in part on a string metric measuring a distance between at least one object posture in the plurality of object postures and at least one previous object posture corresponding to a same user as the at least one object posture during a different observation interval prior to the observation interval further cause at least one of the one or more processors to:
    - calculate the string metric between the at least one object posture and the at least one previous object posture corresponding to the same user; and
      
      identify activity of the at least one user as anomalous based at least in part on a determination that the string metric is greater than a threshold string metric.
  - 34. The apparatus of claim 33, wherein the string metric comprises a Levenshtein distance metric between the at least one object posture and the at least previous object posture corresponding to the same user.

35. At least one non-transitory computer-readable medium storing computer-readable instructions that, when executed by one or more computing devices, cause at least one of the one or more computing devices to:
- store user activity data corresponding to activity on the computer network that is collected over an observation interval, wherein the user activity data comprises a plurality of data objects corresponding to a plurality of users and wherein each data object in the plurality of data objects comprises a plurality of activity parameters;
  
  group the plurality of data objects into a plurality of clusters based at least in part on the plurality of activity parameters for each data object;
  
  calculate one or more outlier metrics corresponding to each cluster in the plurality of clusters, wherein each outlier metric in the one or more outlier metrics indicates measures a degree to which a corresponding cluster lies outside of is an outlier relative to other clusters in the plurality of clusters;
  
  calculate an irregularity score for each of one or more data objects in the plurality of data objects based at least in part on a size of a cluster which contains the data object and the one or more outlier metrics corresponding to the cluster which contains the data object;
  
  generate a plurality of object postures by encoding the irregularity score and the plurality of activity parameters for each data object in the plurality of data objects as an object posture, each object posture comprising a string data structure comprised of a plurality of sub strings, each sub string indicating a state of either the irregularity score or an activity parameter in the plurality of activity parameters for a corresponding data object over the observation interval; and
  
  identify anomalous activity of at least one user in the plurality of users based at least in part on a string metric measuring a distance between at least one object posture in the plurality of object postures and at least one previous object posture corresponding to a same user as the at least one object posture during a different observation interval prior to the observation interval.
- View Dependent Claims (36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51)
- - 36. The at least one non-transitory computer-readable medium of claim 35, wherein the plurality of activity parameters include one or more of:
    - a number of data stores accessed by a user, a number of sensitive data stores accessed by a user, a number of records affected by a user, a number of requests by a user, a time of access by a user, a number of sensitive requests by a user, a number of sensitive records affected by a user, a user location, a user host relocation anomaly metric, a user activity timing anomaly metric, or a forwarding network path of a user.
  - 37. The at least one non-transitory computer-readable medium of claim 35, further storing computer-readable instructions that, when executed by at least one of the one or more computing devices, cause at least one of the one or more computing devices to, prior to grouping the plurality of data objects into a plurality of clusters:
    - determine whether the user activity data corresponding to one or more activity parameters in the plurality of activity parameters conforms to a normal distribution; and
      
      transform the user activity data corresponding to the one or more activity parameters to conform to a normal distribution based at least in part on a determination that user activity data corresponding to the one or more activity parameters does not conform to a normal distribution.
  - 38. The at least one non-transitory computer-readable medium of claim 35, further storing computer-readable instructions that, when executed by at least one of the one or more computing devices, cause at least one of the one or more computing devices to, prior to grouping the plurality of data objects into a plurality of clusters:
    - normalize the user activity data corresponding to one or more activity parameters in the plurality of activity parameters.
  - 39. The at least one non-transitory computer-readable medium of claim 35, further storing computer-readable instructions that, when executed by at least one of the one or more computing devices, cause at least one of the one or more computing devices to, prior to grouping the plurality of data objects into a plurality of clusters:
    - reduce a number of dimensions in the user activity data by removing data corresponding to one or more activity parameters in the plurality of activity parameters.
  - 40. The at least one non-transitory computer-readable medium of claim 35, wherein the one or more outlier metrics comprise one or more of a distance-based outlier metric and a density-based cluster outlier metric.
  - 41. The at least one non-transitory computer-readable medium of claim 40, wherein the instructions that, when executed by at least one of the one or more computing devices, cause at least one of the one or more computing devices to calculate an irregularity score for each data object in the plurality of data objects based at least in part on a size of a cluster which contains the data object and the one or more outlier metrics corresponding to the cluster which contains the data object further cause at least one of the one or more computing devices to:
    - calculate a singularity metric for the cluster which contains the data object based at least in part on the size of the cluster;
      
      calculate the distance-based outlier metric for the cluster which contains the data object;
      
      calculate the density-based outlier metric for the cluster which contains the data object; and
      
      determine the irregularity score for the data object based at least in part on the singularity metric, the distance-based outlier metric, and the density-based outlier metric.
  - 42. The at least one non-transitory computer-readable medium of claim 41, wherein the instructions that, when executed by at least one of the one or more computing devices, cause at least one of the one or more computing devices to determine the irregularity score for the data object based at least in part on the singularity metric, the distance-based outlier detection confidence metric, and the density-based outlier detection confidence metric further cause at least one of the one or more computing devices to:
    - map the singularity metric to one or more singularity levels in a plurality of singularity levels based at least in part on a first fuzzy membership function mapping a range of values of the singularity metric to the plurality singularity levels;
      
      map the distance-based outlier metric to one or more distance-based outlier levels in a plurality of distance-based outlier levels based at least in part on a second fuzzy membership function mapping a range of values of the distance-based outlier metric to the plurality distance-based outlier levels;
      
      map the density-based outlier metric to one or more density-based outlier levels in a plurality of density-based outlier levels based at least in part on a third fuzzy membership function mapping a range of values of the density-based outlier metric to the plurality density-based outlier levels;
      
      map one or more combinations of the one or more singularity levels, the one or more distance-based outlier levels, and the one or more density-based outlier levels to one or more irregularity levels in a plurality of irregularity levels based at least in part on a set of fuzzy rules mapping combinations of the plurality of singularity levels, the plurality of distance-based outlier levels, and the plurality of density-based outlier levels to the plurality of irregularity levels; and
      
      apply an irregularity decision function to the one or more irregularity levels to generate the irregularity score.
  - 43. The at least one non-transitory computer-readable medium of claim 35, wherein the instructions that, when executed by at least one of the one or more computing devices, cause at least one of the one or more computing devices to generate a plurality of object postures by encoding the irregularity score and the plurality of activity parameters for each data object in the plurality of data objects as an object posture further cause at least one of the one or more computing devices to, for each data object in the plurality of data objects:
    - map each activity parameter in the plurality of activity parameters to a segment value in a set of segment values and assigning a corresponding variation value to each activity parameter based at least in part on a fuzzy membership function corresponding to that activity parameter, wherein the fuzzy membership function corresponding to that activity parameter is configured to map possible values of that activity parameter to the set of segment values;
      
      map the irregularity score of the data object to an irregularity value in a set of irregularity values and assigning a corresponding irregularity variation value to the irregularity score based at least in part on an irregularity fuzzy membership function, wherein the irregularity fuzzy membership function is configured to map possible values of that irregularity score to the set of irregularity values; and
      
      generate the object posture of the data object based at least in part on a plurality of segment values mapped to the plurality of activity parameters and the irregularity value mapped to the irregularity score.
  - 44. The at least one non-transitory computer-readable medium of claim 43, wherein the instructions that, when executed by at least one of the one or more computing devices, cause at least one of the one or more computing devices to map each activity parameter in the plurality of activity parameters to a segment value in a set of segment values and assign a corresponding variation value to each activity parameter based at least in part on a fuzzy membership function corresponding to that activity parameter further cause at least one of the one or more computing devices to:
    - determine one or more segment values in the set of segment values which correspond to the activity parameter based at least in part on the fuzzy membership function;
      
      map a lowest segment value in the one or more segment values to the activity parameter;
      
      determine a variation value based at least in part on a quantity of the one or more segment values which correspond to the activity parameter; and
      
      assign the variation value to the activity parameter.
  - 45. The at least one non-transitory computer-readable medium of claim 43, wherein the instructions that, when executed by at least one of the one or more computing devices, cause at least one of the one or more computing devices to map the irregularity score of the data object to an irregularity value in a set of irregularity values and assign a corresponding irregularity variation value to the irregularity score based at least in part on an irregularity fuzzy membership function further cause at least one of the one or more computing devices to:
    - determine one or more irregularity values in the set of irregularity values which correspond to the irregularity score based at least in part on the irregularity fuzzy membership function;
      
      map a lowest irregularity value in the one or more irregularity values to the irregularity score;
      
      determine an irregularity variation value based at least in part on a quantity of the one or more irregularity values which correspond to the irregularity score; and
      
      assign the irregularity variation value to the irregularity score.
  - 46. The at least one non-transitory computer-readable medium of claim 43, further storing computer-readable instructions that, when executed by at least one of the one or more computing devices, cause at least one of the one or more computing devices to, prior to generating the object posture of the data object:
    - map one or more activity parameters in the plurality of activity parameters to one or more additional segment values in the set of segment values based at least in part on one or more variation values corresponding to the one or more activity parameters and one or more fuzzy membership functions corresponding to the one or more activity parameters; and
      
      map the irregularity score of the data object to one or more additional irregularity values in the set of irregularity values based at least in part on the irregularity variation value corresponding to the irregularity score and the irregularity fuzzy membership function.
  - 47. The at least one non-transitory computer-readable medium of claim 46, wherein the instructions that, when executed by at least one of the one or more computing devices, cause at least one of the one or more computing devices to map one or more activity parameters in the plurality of activity parameters to one or more additional segment values in the set of segment values based at least in part on one or more variation values corresponding to the one or more activity parameters and one or more fuzzy membership functions corresponding to the one or more activity parameters further cause at least one of the one or more computing devices to:
    - identify one or more activity parameters in the plurality of activity parameters which have a corresponding variation value which is greater than zero;
      
      determine, for each activity parameter in the identified one or more activity parameters, one or more possible segment values corresponding to that activity parameter, wherein the one or more possible segment values are based at least in part on the variation value assigned to that activity parameter, the segment value mapped to that activity parameter, and the fuzzy membership function corresponding to that activity parameter;
      
      concatenate, for each activity parameter in the identified one or more activity parameters, the one or more possible segment values corresponding to that activity parameter to generate a concatenated list of possible segment values; and
      
      map, for each activity parameter in the identified one or more activity parameters, the concatenated list of possible segment values to the corresponding activity parameter.
  - 48. The at least one non-transitory computer-readable medium of claim 46, wherein the instructions that, when executed by at least one of the one or more computing devices, cause at least one of the one or more computing devices to map the irregularity score of the data object to one or more additional irregularity values in the set of irregularity values based at least in part on the irregularity variation value corresponding to the irregularity score and the irregularity fuzzy membership function further cause at least one of the one or more computing devices to:
    - determine one or more possible irregularity values corresponding to the irregularity score, wherein the one or more possible irregularity values are based at least in part on the irregularity variation value assigned to the irregularity score, the irregularity value mapped to the irregularity score, and the irregularity fuzzy membership function; and
      
      concatenate the one or more possible irregularity values corresponding to the irregularity score to generate a concatenated list of possible irregularity values; and
      
      map the concatenated list of possible irregularity values to the irregularity score.
  - 49. The at least one non-transitory computer-readable medium of claim 43, wherein the instructions that, when executed by at least one of the one or more computing devices, cause at least one of the one or more computing devices to generate the object posture of the data object based at least in part on a plurality of segment values corresponding to the plurality of activity parameters and the irregularity value corresponding to the irregularity score further cause at least one of the one or more computing devices to:
    - concatenate all segment values mapped to the plurality of activity parameters and all irregularity values mapped to the irregularity score.
  - 50. The at least one non-transitory computer-readable medium of claim 35, wherein the instructions that, when executed by at least one of the one or more computing devices, cause at least one of the one or more computing devices to identify anomalous activity of at least one user in the plurality of users based at least in part on a string metric measuring a distance between at least one object posture in the plurality of object postures and at least one previous object posture corresponding to a same user as the at least one object posture during a different observation interval prior to the observation interval further cause at least one of the one or more computing devices to:
    - calculate the string metric between the at least one object posture and the at least one previous object posture corresponding to the same user; and
      
      identify activity of the at least one user as anomalous based at least in part on a determination that the string metric is greater than a threshold string metric.
  - 51. The at least one non-transitory computer-readable medium of claim 50, wherein the string metric comprises a Levenshtein distance metric between the at least one object posture and the at least previous object posture corresponding to the same user.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Informatica LLC (Informatica, Inc. (California))
Original Assignee
Informatica LLC (Informatica, Inc. (California))
Inventors
Balabine, Igor
Primary Examiner(s)
Zhao, Don G

Application Number

US15/160,783
Publication Number

US 20170339168A1
Time in Patent Office

1,054 Days
Field of Search
US Class Current
CPC Class Codes

G06F 16/951 Indexing; Web crawling tech...

H04L 63/1416 Event detection, e.g. attac...

Method, apparatus, and computer-readable medium for detecting anomalous user behavior

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

15 Citations

51 Claims

Specification

Use Cases

Quick Links

Others

Method, apparatus, and computer-readable medium for detecting anomalous user behavior

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

15 Citations

51 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others