System, method, and computer program for detection of anomalous user network activity based on multiple data sources
First Claim
1. A method, performed by a computer system, for detecting anomalous IT pattern and volume event behavior for a user during a period of time based on multiple data sources, the method comprising:
- creating a baseline behavior model P that captures a user's daily pattern and volume of IT meta events over n days based on multiple data sources, wherein creating the baseline behavior model comprises:
  - receiving raw event logs from multiple data sources for a period of n days from days 0 to n−1;
  - categorizing raw event logs into meta events using an event taxonomy;
  - for each of the days 0 to n−1, creating a vector with a weighted count of each unique meta event observed that day;
  - creating a matrix, M, with the vectors for days 0 to n−1; and
  - modeling the data in the matrix (M) from day 0 to day n−1 using a dimension reduction technique to create the resulting baseline behavior model P;
- determining whether there are anomalous pattern and volume changes in a user's IT behavior on day n using the baseline behavior model P, wherein the determining step comprises:
  - creating a vector, fn, with a weighted count of each unique meta event observed on day n;
  - scoring the activity vector fn by measuring the magnitude of its reconstruction error as the difference between fn and fnPPT;
  - normalizing the reconstruction error; and
  - comparing the normalized reconstruction error to an anomaly threshold;
- in response to the normalized reconstruction error satisfying the anomaly threshold, concluding that the user's meta event behavior on day n is anomalous and elevating a risk assessment associated with the user's IT activities on day n; and
- in response to the normalized reconstruction error not satisfying the anomaly threshold, updating the baseline behavior model with the user's meta event activity from day n.
Abstract
The present disclosure relates to a system, method, and computer program for detecting anomalous user network activity based on multiple data sources. The system extracts user event data for n days from multiple data sources to create a baseline behavior model that reflects the user's daily volume and type of IT events. In creating the model, the system addresses data heterogeneity in multi-source logs by categorizing raw events into meta events. Thus, the baseline behavior model captures the user's daily pattern and volume of IT meta events over n days. The model is created using a dimension reduction technique. The system detects any anomalous pattern and volume changes in a user's IT behavior on day n by comparing the user's meta-event activity on day n to the baseline behavior model. A score normalization scheme allows identification of a global threshold to flag current anomalous activity across the user population.
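The abstract and the first claim describe one pipeline: categorize multi-source raw events into meta events, build a weighted-count day matrix M, reduce it to a baseline P, score a new day by its reconstruction error against P, normalize that error, compare it to a threshold, and fold a non-anomalous day back into the baseline. The following is an added, self-contained example of that pipeline written for this page; it is not the patent's code. The taxonomy, weights, 24-day history, threshold and the choice of PCA (power iteration with deflation on the mean-centred day matrix) as the dimension reduction technique are all constructed assumptions; the claim's "fnPPT" corresponds here to projecting the centred day vector onto the kept components.

```python
"""Added example, not the patent's own code: the claimed per-user pipeline in
pure Python. Taxonomy, weights, the 24-day history and the threshold are
constructed; dimension reduction is PCA by power iteration (one choice)."""
import math

# Constructed taxonomy: (source, raw type) -> meta event, so one activity is one column.
TAXONOMY = {
    ("directory", "logon_ok"): "logon",
    ("vpn", "session_start"): "logon",
    ("fileserver", "read"): "file_access",
    ("mail", "send"): "email_sent",
    ("proxy", "upload"): "web_upload",
    ("database", "select"): "db_query",
}
META_EVENTS = ["logon", "file_access", "email_sent", "web_upload", "db_query"]
WEIGHTS = {"logon": 1.0, "file_access": 1.0, "email_sent": 1.0,
           "web_upload": 2.0, "db_query": 1.0}   # constructed per-event weights


def daily_vector(raw_events):
    """Weighted count per meta event for one day's (source, type) events."""
    counts = dict.fromkeys(META_EVENTS, 0)
    for src, kind in raw_events:
        meta = TAXONOMY.get((src, kind))
        if meta is not None:             # raw events outside the taxonomy are dropped
            counts[meta] += 1
    return [WEIGHTS[m] * counts[m] for m in META_EVENTS]


def _dot(a, b):
    return sum(x * y for x, y in zip(a, b))


def fit_pca(M, d, iters=500):
    """Top-d principal directions of the mean-centred rows of M: (mean, components)."""
    n, k = len(M), len(M[0])
    mean = [sum(r[j] for r in M) / n for j in range(k)]
    X = [[r[j] - mean[j] for j in range(k)] for r in M]
    C = [[sum(x[a] * x[b] for x in X) / n for b in range(k)] for a in range(k)]
    comps = []
    for _ in range(d):
        v = [1.0] * k
        for _ in range(iters):
            w = [_dot(row, v) for row in C]
            norm = math.sqrt(_dot(w, w))
            if norm < 1e-12:             # no variance left to explain
                return mean, comps
            v = [x / norm for x in w]
        lam = _dot(v, [_dot(row, v) for row in C])
        comps.append(v)
        C = [[C[a][b] - lam * v[a] * v[b] for b in range(k)] for a in range(k)]
    return mean, comps


class BaselineModel:
    """Baseline P over a sliding window of n days plus training-error statistics."""

    def __init__(self, M, d=2, threshold=3.0):
        self.M, self.d, self.threshold = [list(r) for r in M], d, threshold
        self._refit()

    def _refit(self):
        self.mean, self.P = fit_pca(self.M, self.d)
        errs = [self.reconstruction_error(r) for r in self.M]
        self.mu = sum(errs) / len(errs)
        var = sum((e - self.mu) ** 2 for e in errs) / len(errs)
        self.sigma = max(math.sqrt(var), 1e-9)   # guard a degenerate history

    def reconstruction_error(self, f):
        """|| x - x P P^T || for the centred day vector x = f - mean."""
        x = [a - b for a, b in zip(f, self.mean)]
        proj = [0.0] * len(x)
        for v in self.P:
            c = _dot(x, v)
            proj = [p + c * vj for p, vj in zip(proj, v)]
        return math.sqrt(sum((a - b) ** 2 for a, b in zip(x, proj)))

    def score_day(self, f):
        """Return (z, anomalous): z is the error normalised against the training
        days; a day under the threshold replaces the oldest day and P is refit."""
        z = (self.reconstruction_error(f) - self.mu) / self.sigma
        anomalous = z > self.threshold
        if not anomalous:
            self.M = self.M[1:] + [list(f)]
            self._refit()
        return z, anomalous


def build_baseline_days(n=24):
    """Constructed history: a stable profile with large periodic swings in
    file_access and email_sent (captured by P) and a small swing in logon."""
    base = [10.0, 40.0, 20.0, 2.0, 5.0]
    logon_swing = [2, -1, -1, 2, -2, 1, 1, -2]
    days = []
    for i in range(n):
        v = list(base)
        v[0] += logon_swing[i % 8]
        v[1] += [5, -5][i % 2]
        v[2] += [4, 4, -4, -4][i % 4]
        days.append(v)
    return days
```

Usage: `BaselineModel(build_baseline_days(), d=2, threshold=3.0).score_day([10.0, 40.0, 20.0, 2.0, 905.0])` returns a large positive z and `True`, while `[11.0, 45.0, 24.0, 2.0, 5.0]` (ordinary volume, ordinary pattern) scores below zero and is absorbed into the window. Normalizing as a z-score against the user's own training-day errors is what lets one global threshold apply to users with very different daily volumes; the `sigma` floor matters because a user whose history is perfectly reconstructed would otherwise produce a division by zero and flag every new day.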
28 Claims
1. A method, performed by a computer system, for detecting anomalous IT pattern and volume event behavior for a user during a period of time based on multiple data sources, the method comprising:
- creating a baseline behavior model P that captures a user's daily pattern and volume of IT meta events over n days based on multiple data sources, wherein creating the baseline behavior model comprises:
  - receiving raw event logs from multiple data sources for a period of n days from days 0 to n−1;
  - categorizing raw event logs into meta events using an event taxonomy;
  - for each of the days 0 to n−1, creating a vector with a weighted count of each unique meta event observed that day;
  - creating a matrix, M, with the vectors for days 0 to n−1; and
  - modeling the data in the matrix (M) from day 0 to day n−1 using a dimension reduction technique to create the resulting baseline behavior model P;
- determining whether there are anomalous pattern and volume changes in a user's IT behavior on day n using the baseline behavior model P, wherein the determining step comprises:
  - creating a vector, fn, with a weighted count of each unique meta event observed on day n;
  - scoring the activity vector fn by measuring the magnitude of its reconstruction error as the difference between fn and fnPPT;
  - normalizing the reconstruction error; and
  - comparing the normalized reconstruction error to an anomaly threshold;
- in response to the normalized reconstruction error satisfying the anomaly threshold, concluding that the user's meta event behavior on day n is anomalous and elevating a risk assessment associated with the user's IT activities on day n; and
- in response to the normalized reconstruction error not satisfying the anomaly threshold, updating the baseline behavior model with the user's meta event activity from day n.
(Dependent claims: 2, 3, 4, 5, 6, 7)
8. A non-transitory computer-readable medium comprising a computer program that, when executed by a computer system, enables the computer system to perform the following method for detecting anomalous IT pattern and volume event behavior for a user during a period of time based on multiple data sources, the method comprising:
- creating a baseline behavior model P that captures a user's daily pattern and volume of IT meta events over n days based on multiple data sources, wherein creating the baseline behavior model comprises:
  - receiving raw event logs from multiple data sources for a period of n days from days 0 to n−1;
  - categorizing raw event logs into meta events using an event taxonomy;
  - for each of the days 0 to n−1, creating a vector with a weighted count of each unique meta event observed that day;
  - creating a matrix, M, with the vectors for days 0 to n−1; and
  - modeling the data in the matrix (M) from day 0 to day n−1 using a dimension reduction technique to create the resulting baseline behavior model P;
- determining whether there are anomalous pattern and volume changes in a user's IT behavior on day n using the baseline behavior model P, wherein the determining step comprises:
  - creating a vector, fn, with a weighted count of each unique meta event observed on day n;
  - scoring the activity vector fn by measuring the magnitude of its reconstruction error as the difference between fn and fnPPT;
  - normalizing the reconstruction error; and
  - comparing the normalized reconstruction error to an anomaly threshold;
- in response to the normalized reconstruction error satisfying the anomaly threshold, concluding that the user's meta event behavior on day n is anomalous and elevating a risk assessment associated with the user's IT activities on day n; and
- in response to the normalized reconstruction error not satisfying the anomaly threshold, updating the baseline behavior model with the user's meta event activity from day n.
(Dependent claims: 9, 10, 11, 12, 13, 14)
15. A computer system for detecting anomalous IT pattern and volume event behavior for a user during a period of time based on multiple data sources, the system comprising:
- one or more processors;
- one or more memory units coupled to the one or more processors, wherein the one or more memory units store instructions that, when executed by the one or more processors, cause the system to perform the operations of:
  - creating a baseline behavior model P that captures a user's daily pattern and volume of IT meta events over n days based on multiple data sources, wherein creating the baseline behavior model comprises:
    - receiving raw event logs from multiple data sources for a period of n days from days 0 to n−1;
    - categorizing raw event logs into meta events using an event taxonomy;
    - for each of the days 0 to n−1, creating a vector with a weighted count of each unique meta event observed that day;
    - creating a matrix, M, with the vectors for days 0 to n−1; and
    - modeling the data in the matrix (M) from day 0 to day n−1 using a dimension reduction technique to create the resulting baseline behavior model P;
  - determining whether there are anomalous pattern and volume changes in a user's IT behavior on day n using the baseline behavior model P, wherein the determining step comprises:
    - creating a vector, fn, with a weighted count of each unique meta event observed on day n;
    - scoring the activity vector fn by measuring the magnitude of its reconstruction error as the difference between fn and fnPPT;
    - normalizing the reconstruction error; and
    - comparing the normalized reconstruction error to an anomaly threshold;
  - in response to the normalized reconstruction error satisfying the anomaly threshold, concluding that the user's meta event behavior on day n is anomalous and elevating a risk assessment associated with the user's IT activities on day n; and
  - in response to the normalized reconstruction error not satisfying the anomaly threshold, updating the baseline behavior model with the user's meta event activity from day n.
(Dependent claims: 16, 17, 18, 19, 20, 21)
22. A non-transitory computer-readable medium comprising a computer program that, when executed by a computer system, enables the computer system to perform the following method for detecting anomalous IT pattern and volume event behavior for a user during a period of time based on multiple data sources, the method comprising:
- creating a baseline behavior model P that captures a user's periodic pattern and volume of IT meta events over n periods based on multiple data sources, wherein creating the baseline behavior model comprises:
  - receiving raw event logs from multiple data sources for n periods from periods 0 to n−1;
  - categorizing raw event logs into meta events using an event taxonomy;
  - for each of the periods 0 to n−1, creating a vector with a weighted count of each unique meta event observed during that period;
  - creating a matrix, M, with the vectors for periods 0 to n−1; and
  - modeling the data in the matrix (M) from day 0 to day n−1 using a dimension reduction technique to create the resulting baseline behavior model P;
- determining whether there are anomalous pattern and volume changes in a user's IT behavior during period n using the baseline behavior model P, wherein the determining step comprises:
  - creating a vector, fn, with a weighted count of each unique meta event observed during period n;
  - scoring the activity vector fn by measuring the magnitude of its reconstruction error as the difference between fn and fnPPT;
  - normalizing the reconstruction error; and
  - comparing the normalized reconstruction error to an anomaly threshold;
- in response to the normalized reconstruction error satisfying the anomaly threshold, concluding that the user's meta event behavior during period n is anomalous and elevating a risk assessment associated with the user's IT activities during period n; and
- in response to the normalized reconstruction error not satisfying the anomaly threshold, updating the baseline behavior model with the user's meta event activity from period n.
(Dependent claims: 23, 24, 25, 26, 27, 28)