
Automated extraction of behavioral profile features

  • US 10,542,021 B1
  • Filed: 06/20/2016
  • Issued: 01/21/2020
  • Est. Priority Date: 06/20/2016
  • Status: Active Grant
First Claim

1. A computer-implemented method, comprising:

    analyzing a plurality of actions detected in an electronic environment over an initial learning period, the plurality of actions being of at least one specified type;

    generating a behavior profile using values determined for features representative of the plurality of actions;

    determining, for at least a subset of the features, a respective mismatch value indicating a ratio of unexpected values to expected values for at least one feature of the subset of the features detected over a second learning period;

    determining a first feature and a second feature where the respective mismatch value falls outside a range of acceptable mismatch values;

    applying at least one first normalization method to the first feature, the at least one first normalization method causing additional information for one or more related types of data to be included in determining a new first mismatch value;

    determining that the new first mismatch value falls within the range of acceptable mismatch values;

    causing the first feature to remain included in the behavior profile;

    applying at least one second normalization method to the second feature, the at least one second normalization method causing additional information for one or more related types of data to be included in determining a new second mismatch value;

    determining that new second mismatch value for the second feature falls outside the range of acceptable mismatch values over a predetermined period of time, the second mismatch value monitored for convergence toward the range of acceptable mismatch values;

    removing the second feature from the behavior profile, based at least in part on the new second mismatch value falling outside of the range of acceptable mismatch values;

    detecting a subsequent action, corresponding to the at least one specified type, in the electronic environment, the subsequent action indicative of potentially anomalous behavior;

    comparing values for the features of the subsequent action against the features of the behavior profile;

    determining that a detected value for at least one feature for the subsequent action deviates from an expected value of a corresponding feature in the behavior profile by more than an acceptable amount; and

    generating an alarm indicating potentially anomalous behavior in the electronic environment.
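
The following Python sketch is an added illustration of the claimed flow and is not code from the patent or its assignee. It is narrowed to a single second learning period rather than monitoring convergence over time, and the acceptable range, the two normalization functions, the feature names and all sample actions are constructed assumptions.

```python
import ipaddress

ACCEPTABLE = (0.0, 0.25)  # assumed range of acceptable mismatch values

def identity(v):
    return v

def to_net24(ip):
    # Assumed normalization: judge an address by its /24 network.
    return str(ipaddress.ip_network(f"{ip}/24", strict=False))

def mismatch(feature, learn, check, norm=identity):
    """Ratio of unexpected to expected values seen in the second period."""
    expected = {norm(a[feature]) for a in learn}
    hits = sum(norm(a[feature]) in expected for a in check)
    return (len(check) - hits) / hits if hits else float("inf")

def in_range(m):
    return ACCEPTABLE[0] <= m <= ACCEPTABLE[1]

def build_profile(learn, check, normalizers):
    profile = {}
    for f in learn[0]:
        norm = identity
        if not in_range(mismatch(f, learn, check)):
            norm = normalizers.get(f, identity)
            if not in_range(mismatch(f, learn, check, norm)):
                continue  # still noisy after normalization: drop the feature
        profile[f] = (norm, {norm(a[f]) for a in learn})
    return profile

def alarms(profile, action):
    """Features of a new action whose value the profile does not expect."""
    return [f for f, (norm, vals) in profile.items() if norm(action[f]) not in vals]

def ev(ip, sid):  # constructed sample action
    return {"src_ip": ip, "user_agent": "cli/2.1", "session_id": sid}

LEARN = [ev("198.51.100.10", "A91F"), ev("198.51.100.11", "7C20"),
         ev("198.51.100.12", "03BE"), ev("198.51.100.13", "D4D4")]
CHECK = [ev("198.51.100.20", "5E11"), ev("198.51.100.21", "C0A8"),
         ev("198.51.100.10", "19F3"), ev("198.51.100.22", "8B7D")]
PROFILE = build_profile(LEARN, CHECK, {"src_ip": to_net24, "session_id": str.lower})

if __name__ == "__main__":
    print(sorted(PROFILE))
    print(alarms(PROFILE, ev("203.0.113.7", "FFFF")))
```

Here `src_ip` plays the role of the first feature (kept once normalized) and `session_id` the second (removed because normalization does not bring its mismatch value into range).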
