Cyber security event detection
1 Assignment
0 Petitions
Abstract
A system for detecting cyber security events can include a processor to generate a first set of a plurality of time series and aggregate statistics based on a plurality of properties corresponding to user actions for each user in a set of users. The processor can also separate the set of users into a plurality of clusters based on the first set of the plurality of time series or aggregate statistics for each user and assign an identifier to each of the plurality of clusters. Additionally, the processor can generate a second set of a plurality of time series based on properties of the plurality of clusters, wherein the properties of a cluster correspond to a membership, a diameter, and a centroid, and detect an anomaly based on a new value stored in the second set of the time series. Furthermore, the processor can execute a prevention instruction.
17 Claims
1. A system for detecting cyber security events comprising:
a memory device; and
a hardware processor to:
generate a first set of a plurality of time series and aggregate statistics based on a plurality of properties corresponding to user actions for each user in a set of users;
separate the set of users into a plurality of clusters based on the first set of the plurality of time series or the aggregate statistics for each user;
assign an identifier to each of the plurality of clusters;
generate a second set of a plurality of time series based on properties of the plurality of clusters, wherein the properties of a cluster correspond to a membership, a diameter, and a centroid, the centroid to be calculated for each of the plurality of clusters based on the first set of plurality of time series and the aggregate statistics for each user of each cluster;
detect an anomaly based on a new value stored in the second set of plurality of time series; and
execute a prevention instruction in response to detecting the anomaly.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9
10. A method for detecting cyber security events comprising:
generating, via a hardware processor, a first set of a plurality of time series and aggregate statistics based on a plurality of properties corresponding to user actions for each user in a set of users;
separating, via the hardware processor, the set of users into a plurality of clusters based on the first set of the plurality of time series for each user;
assigning, via the hardware processor, an identifier to each of the plurality of clusters;
generating, via the hardware processor, a second set of a plurality of time series based on properties of the plurality of clusters, wherein the properties of a cluster correspond to a membership, a diameter, and a centroid, the centroid to be calculated for each of the plurality of clusters based on the first set of plurality of time series and the aggregate statistics for each user of each cluster;
detecting, via the hardware processor, an anomaly based on a new value stored in the second time series; and
executing, via the hardware processor, a prevention instruction in response to detecting the anomaly.
Dependent claims: 11, 12, 13, 14
15. A computer program product for detecting cyber security events, the computer program product comprising a computer readable storage medium having program instructions embodied therewith, wherein the computer readable storage medium is not a transitory signal per se, the program instructions executable by a processor to cause the processor to:
generate a first set of a plurality of time series and aggregate statistics based on a plurality of properties corresponding to user actions for each user in a set of users;
separate the set of users into a plurality of clusters based on the first set of the plurality of time series or the aggregate statistics for each user;
assign an identifier to each of the plurality of clusters;
generate a second set of a plurality of time series based on properties of the plurality of clusters, wherein the properties of a cluster correspond to a membership, a diameter, and a centroid, the centroid to be calculated for each of the plurality of clusters based on the first set of plurality of time series and the aggregate statistics for each user of each cluster;
detect an anomaly based on a new value stored in the second time series; and
execute a prevention instruction in response to detecting the anomaly.
Dependent claims: 16, 17
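The pipeline that the abstract and the three independent claims describe (per-user time series and aggregate statistics, clustering of users with an identifier per cluster, a second-level time series of each cluster's membership, diameter and centroid, an anomaly test on each newly stored value, and a prevention instruction) as a worked example. This is illustration code added here; it is not the patent's own implementation, and everything concrete in it is an assumption made for the example: the constructed action log, the two features (logins and megabytes downloaded per window), plain k-means as the clustering step, a z-score test with a flat-history fallback as the anomaly test, "centroid drift" (distance of the current centroid from the baseline centroid) as the scalar series derived from the centroid, and the throttle-and-step-up action as the prevention instruction.

```python
"""Two-level behavioural anomaly detection in the shape the claims describe:
per-user series and aggregate statistics -> user clusters with identifiers ->
per-cluster series (membership, diameter, centroid) -> test each newly stored
value -> prevention instruction. Standard library only; data is constructed."""
from collections import defaultdict
from math import dist
from statistics import mean, pstdev

# Constructed sample data (an assumption, not from the patent): developers
# (few logins, moderate downloads) and operators (many logins, tiny downloads)
# with deterministic +-1 jitter per window; in window 4 "dev3" bulk-downloads.
BASE = {"dev1": (8, 40), "dev2": (9, 45), "dev3": (7, 38),
        "ops1": (30, 5), "ops2": (28, 6), "ops3": (32, 4)}
SCALARS = ("membership", "diameter", "centroid_drift")

def build_log(windows=5):
    """(window, user, logins, megabytes_downloaded) records."""
    log = []
    for w in range(windows):
        for i, (user, (logins, mb)) in enumerate(sorted(BASE.items())):
            j = (w + i) % 3 - 1
            mb = 400 if (w == 4 and user == "dev3") else mb + j
            log.append((w, user, logins + j, mb))
    return log

LOG = build_log()

def user_series(log):
    """First set of time series: one feature vector per user per window."""
    series = defaultdict(dict)
    for w, user, logins, mb in log:
        series[user][w] = (float(logins), float(mb))
    return series

def vector_mean(vectors):
    return tuple(mean(v[k] for v in vectors) for k in range(len(vectors[0])))

def aggregate_stats(series, windows):
    """Per-user aggregate statistics: mean of each feature over `windows`."""
    return {u: vector_mean([s[w] for w in windows]) for u, s in series.items()}

def nearest(point, centroids):
    return min(centroids, key=lambda cid: dist(point, centroids[cid]))

def kmeans(points, k, rounds=20):
    """k-means with farthest-point seeding -> ({cluster_id: centroid}, {user: id})."""
    names = sorted(points)
    seeds = [points[names[0]]]
    while len(seeds) < k:
        seeds.append(points[max(names, key=lambda n: min(dist(points[n], s) for s in seeds))])
    centroids = {f"cluster-{i}": c for i, c in enumerate(seeds)}   # the identifiers
    for _ in range(rounds):
        assign = {n: nearest(points[n], centroids) for n in names}
        updated = {cid: vector_mean([points[n] for n in names if assign[n] == cid] or [c])
                   for cid, c in centroids.items()}
        if updated == centroids:
            break
        centroids = updated
    return centroids, {n: nearest(points[n], centroids) for n in names}

def cluster_properties(points, baseline_centroids):
    """One sample of the second set of time series per cluster identifier:
    membership, diameter (largest member-to-member distance), centroid, drift."""
    members = defaultdict(list)
    for user, p in points.items():
        members[nearest(p, baseline_centroids)].append(user)
    props = {}
    for cid, base in baseline_centroids.items():
        us = members[cid]
        centroid = vector_mean([points[u] for u in us] or [base])
        props[cid] = {"membership": float(len(us)), "centroid": centroid, "members": us,
                      "diameter": max((dist(points[a], points[b]) for a in us for b in us), default=0.0),
                      "centroid_drift": dist(centroid, base)}
    return props

def is_anomalous(history, new_value, z_threshold=3.0):
    """Test a newly stored value against the earlier values of its series."""
    if len(history) < 3:
        return False                      # not enough baseline to judge
    m, sd = mean(history), pstdev(history)
    if sd == 0.0:                         # flat history: flag a >50% jump
        return abs(new_value - m) > max(0.5 * abs(m), 1e-9)
    return abs(new_value - m) / sd > z_threshold

def prevention_instruction(props, points):
    """Restrict the member pulling hardest on the cluster centroid."""
    culprit = max(props["members"], key=lambda u: dist(points[u], props["centroid"]))
    return {"action": "throttle_downloads_and_require_step_up_auth", "user": culprit}

def run(log, baseline_windows=range(4), k=2):
    """Full pipeline; returns the user->cluster identifiers and the alerts."""
    series = user_series(log)
    centroids, assignment = kmeans(aggregate_stats(series, baseline_windows), k)
    history = defaultdict(list)           # (cluster_id, property) -> stored values
    alerts = []
    for w in sorted({rec[0] for rec in log}):
        points = {u: s[w] for u, s in series.items() if w in s}
        for cid, p in cluster_properties(points, centroids).items():
            flagged = {}
            for name in SCALARS:
                history[(cid, name)].append(p[name])      # store the new value ...
                if is_anomalous(history[(cid, name)][:-1], p[name]):   # ... then test it
                    flagged[name] = round(p[name], 2)
            if flagged:
                alerts.append({"window": w, "cluster": cid, "anomalies": flagged,
                               "instruction": prevention_instruction(p, points)})
    return assignment, alerts
```

Running `run(LOG)` clusters the six users into a developer cluster and an operator cluster from their baseline aggregate statistics, then, in window 4, raises a single alert on the developer cluster: the bulk download by dev3 moves that cluster's diameter and centroid drift far outside their history while membership stays flat, and the prevention step names dev3. Two points a practitioner would want to keep in mind: the z-score needs a few stored values before it can judge anything, so the first windows are observation only, and a cluster-level test of this kind localises the anomaly to a cluster, not a user, which is why the prevention step has to pick the responsible member separately.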
Specification