Intelligent security management
Abstract
A corpus of documents (and other data objects) stored for an entity can be analyzed to determine one or more topics for each document. Elements of the documents can be analyzed to also assign a risk score. The types of topics and security elements, and the associated risk scores, can be learned and adapted over time using, for example, a topic model and random forest regressor. Activity with respect to the documents is monitored, and expected behavior for a user determined using a trained recurrent neural network. Ongoing user activity is processed to determine whether the activity excessively deviates from the expected user activity. The activity can also be compared against the activity of user peers to determine whether the activity is also anomalous among the user peer group. For anomalous activity, risk scores of the accessed documents can be analyzed to determine whether to generate an alert.
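The alert gating described in the abstract, as an added example that is not code from the patent or its assignee. The recurrent neural network is replaced here by a plain centroid of historical topic vectors, and the topic axes, thresholds, function names and sample values are all constructed assumptions.

```python
import math

# Constructed topic space (assumption): [engineering, hr, finance] weights per document.
USER_HISTORY = [[0.9, 0.05, 0.05], [0.8, 0.1, 0.1], [0.85, 0.1, 0.05]]
PEER_HISTORY = [[0.7, 0.0, 0.3], [0.2, 0.0, 0.8], [0.6, 0.1, 0.3]]

def cosine_distance(a, b):
    """Distance between two vectors in the topic vector space (0 = same direction)."""
    dot = sum(x * y for x, y in zip(a, b))
    na = math.sqrt(sum(x * x for x in a))
    nb = math.sqrt(sum(y * y for y in b))
    if na == 0 or nb == 0:
        return 1.0  # no topic signal: treat as fully dissimilar
    return 1.0 - dot / (na * nb)

def centroid(vectors):
    """Stand-in for the learned expected-activity profile (not an RNN)."""
    return [sum(col) / len(vectors) for col in zip(*vectors)]

def evaluate_access(doc_topics, doc_risk, user_history, peer_history,
                    distance_threshold=0.5, alert_threshold=0.7):
    """Decide whether one document access should raise a security alert."""
    d_user = cosine_distance(doc_topics, centroid(user_history))
    d_peer = cosine_distance(doc_topics, centroid(peer_history))
    if d_user <= distance_threshold:
        return "expected"                # within the user's own baseline
    if d_peer <= distance_threshold:
        return "normal-for-peer-group"   # unusual for the user, not for peers
    if doc_risk < alert_threshold:
        return "below-risk-threshold"    # anomalous, but document is low risk
    return "alert"

if __name__ == "__main__":
    samples = {  # constructed accesses: (topic vector, document risk score)
        "design doc": ([0.9, 0.05, 0.05], 0.9),
        "payroll export": ([0.05, 0.9, 0.05], 0.9),
        "budget sheet": ([0.05, 0.05, 0.9], 0.9),
        "holiday calendar": ([0.05, 0.9, 0.05], 0.2),
    }
    for name, (topics, risk) in samples.items():
        print(name, "->", evaluate_access(topics, risk, USER_HISTORY, PEER_HISTORY))
```
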
19 Claims
1. A computer-implemented method, comprising:
- training a topic model using a set of training documents, each training document of the set having at least one identified topic and an assigned risk score;
- training a random forest regressor using the set of training documents;
- crawling a plurality of documents, stored for an entity across an electronic resource environment, to index the plurality of documents;
- determining, using at least the topic model, one or more topics for each document of the plurality of documents;
- determining, using at least the random forest regressor, a risk score for each document of the plurality of documents;
- training a recurrent neural network using historical activity with respect to the plurality of documents in the electronic resource environment;
- determining, using the recurrent neural network, an expected activity of a specified user with respect to the plurality of documents over at least one determined period of time;
- detecting user activity with respect to at least a specified document of the plurality of documents, the user activity associated with the specified user;
- processing the activity using the recurrent neural network to determine whether the user activity deviates from the expected type of activity, the determination further based at least in part upon at least one topic determined for the specified document; and
- generating a security alert if the user activity is determined to deviate unacceptably from the expected activity and a risk score for at least one of the user activity or the specified document at least meets an alert threshold.

Dependent claims: 2, 3, 4
5. A computer-implemented method, comprising:
- training a neural network using historical activity with respect to a plurality of documents stored, on behalf of an entity, in an electronic resource environment;
- determining, using the neural network, an expected activity of a specified user with respect to the plurality of documents over at least one determined period of time;
- detecting user activity, over at least a determined period of time, with respect to at least a specified document of the plurality of documents, the user activity associated with the specified user;
- determining at least one topic associated with the specified document;
- comparing the at least one topic against topics associated with the expected activity;
- processing the user activity using the neural network to determine whether the user activity deviates from the expected type of activity, the determination based at least in part upon a topic distance, in a topic vector space, between the at least one topic and the topics associated with the expected activity; and
- performing a determined action if the user activity is determined to deviate unacceptably from the expected type of activity.

Dependent claims: 6, 7, 8, 9, 10, 11, 12
13. A system, comprising:
- at least one processor; and
- memory including instructions that, when executed by the at least one processor, cause the system to:
  - train a topic model using a set of training documents, each training document of the set having at least one identified topic and an assigned risk score;
  - crawl a plurality of documents, stored for an entity across an electronic resource environment, to locate and index the plurality of documents;
  - determine, using at least the topic model, one or more topics for each document of the plurality of documents;
  - determine a risk score for each document of the plurality of documents using a trained random forest regressor; and
  - provide security information for access by an authorized user associated with the entity, the security information including information for the identified topics and risk scores for the plurality of documents stored for the entity.

Dependent claims: 14, 15, 16, 17, 18, 19
Specification