Method and apparatus for detecting anomaly based on behavior-analysis

US 10,657,250 B2
Filed: 10/24/2017
Issued: 05/19/2020
Est. Priority Date: 10/24/2016
Status: Active Grant

First Claim

Patent Images

1. A method for detecting an anomaly based on behavior-analysis, the method comprising:

creating, by an apparatus for detecting an anomalous behavior of a user, K clusters, each cluster of the K clusters being created based on past behavior counters associated with one or more users;

designating, by the apparatus, a cluster pattern of the each cluster of the K clusters, the cluster pattern indicating a representative behavior of the past behavior counters belonging to the each cluster;

determining, by the apparatus, a past behavior pattern of a first user based on first past behavior counters associated with the first user and the each cluster of the K clusters;

obtaining, by the apparatus, first current behavior counters associated with the first user based on monitoring information from an agent software program, the agent software program being installed on a computing device of the first user and monitoring behaviors associated with the first user;

determining, by the apparatus, a current behavior pattern of the first user based on the first current behavior counters and the each cluster of the K clusters; and

detecting, by the apparatus, the anomalous behavior of the first user by comparing the past behavior pattern and the current behavior pattern of the first user,wherein the designating the cluster pattern comprises;

extracting a center vector of the each cluster of the K clusters by using values of the past behavior counters belonging to respective clusters;

calculating a mean value and a standard deviation of coordinates of the center vector for the each cluster of the K clusters;

setting a threshold value for the each cluster of the K clusters by using the mean value and the standard deviation; and

selecting a behavior corresponding to coordinates exceeding the threshold value among the coordinates of the center vector as the cluster pattern of the each cluster of the K clusters.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Provided are a method for detecting an anomaly based on behavior-analysis. The method comprises creating, by an apparatus for detecting an anomalous behavior of a user, K clusters, each cluster of the K clusters being created based on past behavior counters associated with one or more users, designating, by the apparatus, a cluster pattern of the each cluster of the K clusters, the cluster pattern indicating a representative behavior of the past behavior counters belonging to the each cluster, determining, by the apparatus, a past behavior pattern of a first user based on a first past behavior counters associated with the first user and the each cluster of the K clusters, obtaining, by the apparatus, a first current behavior counters associated with the first user based on monitoring information from an agent software program, the agent software program being installed on a computing device of the first user and monitoring behaviors associated with the first user, determining, by the apparatus, a current behavior pattern of the first user based on the first current behavior counters and the each cluster of the K clusters and detecting, by the apparatus, the anomalous behavior of the first user by comparing the past behavior pattern and the current behavior pattern of the first user.

6 Citations

View as Search Results

17 Claims

1. A method for detecting an anomaly based on behavior-analysis, the method comprising:
- creating, by an apparatus for detecting an anomalous behavior of a user, K clusters, each cluster of the K clusters being created based on past behavior counters associated with one or more users;
  
  designating, by the apparatus, a cluster pattern of the each cluster of the K clusters, the cluster pattern indicating a representative behavior of the past behavior counters belonging to the each cluster;
  
  determining, by the apparatus, a past behavior pattern of a first user based on first past behavior counters associated with the first user and the each cluster of the K clusters;
  
  obtaining, by the apparatus, first current behavior counters associated with the first user based on monitoring information from an agent software program, the agent software program being installed on a computing device of the first user and monitoring behaviors associated with the first user;
  
  determining, by the apparatus, a current behavior pattern of the first user based on the first current behavior counters and the each cluster of the K clusters; and
  
  detecting, by the apparatus, the anomalous behavior of the first user by comparing the past behavior pattern and the current behavior pattern of the first user,wherein the designating the cluster pattern comprises;
  
  extracting a center vector of the each cluster of the K clusters by using values of the past behavior counters belonging to respective clusters;
  
  calculating a mean value and a standard deviation of coordinates of the center vector for the each cluster of the K clusters;
  
  setting a threshold value for the each cluster of the K clusters by using the mean value and the standard deviation; and
  
  selecting a behavior corresponding to coordinates exceeding the threshold value among the coordinates of the center vector as the cluster pattern of the each cluster of the K clusters.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The method of claim 1, wherein the first past behavior counters are obtained by counting a number of times that the first user has performed each of behaviors within a certain period of time in a past.
  - 3. The method of claim 1, wherein the first current behavior counters are obtained by counting a number of times that the first user has performed each of behaviors within a certain period of time in an immediate past.
  - 4. The method of claim 1, wherein the past behavior pattern is determined based on a first similarity between the first past behavior counter and the each cluster of the K clusters, andwherein the current behavior pattern is determined based on a second similarity between the first current behavior counters and the each cluster of the K clusters.
  - 5. The method of claim 1, wherein the creating the K clusters comprises:
    - collecting the past behavior counters and current behavior counters associated with the one or more users; and
      
      preprocessing the past behavior counters and the current behavior counters associated with the one or more users so that values obtained by counting each behavior of behaviors corresponding to the past behavior counters and the current behavior counters associated with the one or more users have a same range.
  - 6. The method of claim 5, wherein the preprocessing comprises removing noise from the past behavior counters and the current behavior counters associated with the one or more users by rounding the past behavior counters and the current behavior counters associated with the one or more users to a predetermined number of digits.
  - 7. The method of claim 1 further comprises adding a new cluster pattern indicating a new representative behavior aside from representative behaviors belonging to the designated cluster pattern.
  - 8. The method of claim 1, wherein the extracting the center vector of the each cluster comprises creating the center vector by averaging the values of the past behavior counters belonging to the respective clusters for each behavior of behaviors and transforming the values into the coordinates of the center vector.
  - 9. The method of claim 1, wherein the threshold value is calculated by using a formula:
    - the mean value+the standard deviation×
      
      n,wherein n is a natural number.
  - 10. The method of claim 1, wherein the selecting the behavior comprises:
    - classifying ordinary clusters, which have no coordinates exceeding the threshold value among the coordinates of the center vector; and
      
      calculating a ratio of a number of the ordinary clusters to a number of the K clusters.
  - 11. The method of claim 10 further comprises:
    - repeating calculating the ratio by varying a K value of the K clusters from 1 to a number of the one or more users; and
      
      determining the K value between 1 and the number of the one or more users based on an Elbow method.
  - 12. The method of claim 1, wherein the anomalous behavior of the first user is detected by using a degree of risk of the past behavior pattern and a degree of risk of the current behavior pattern when the past behavior pattern of the first user is different from the current behavior pattern of the first user.
  - 13. The method of claim 12, wherein the detecting the anomalous behavior of the first user comprises calculating a degree of risk of the cluster pattern by applying a predetermined weight to a degree of risk for the behaviors.
  - 14. The method of claim 12, wherein the anomalous behavior of the first user is detected further by using a change in patterns of members of a group to which the first user belongs.
  - 15. The method of claim 1, wherein the past behavior counters correspond to behaviors comprising at least two of opening, creating, attaching, editing, deleting, moving, copying, printing, saving, and changing permission, andwherein the anomalous behavior of the first user is leaking information.

16. An apparatus for detecting an anomalous behavior of a user based on behavior-analysis, the apparatus comprising:
- at least one processor;
  
  a network interface;
  
  a memory configured to load a computer program; and
  
  storage configured to store the computer program which, when executed by the at least one processor, causes the at least one processor to perform operations comprising;
  
  creating K clusters, each cluster of the K clusters being created based on past behavior counters associated with one or more users;
  
  designating a cluster pattern of the each cluster of the K clusters, the cluster pattern indicating a representative behavior of the past behavior counters belonging to the each cluster;
  
  determining a past behavior pattern of a first user based on a first past behavior counter associated with the first user and the each cluster of the K clusters;
  
  obtaining first current behavior counters associated with the first user based on monitoring information from an agent software program installed on a computing device of the first user;
  
  determining a current behavior pattern of the first user based on the first current behavior counters and the each cluster of the K clusters; and
  
  detecting the anomalous behavior of the first user by comparing the past behavior pattern and the current behavior pattern of the first user,wherein the designating the cluster pattern comprises;
  
  extracting a center vector of the each cluster of the K clusters by using values of the past behavior counters belonging to respective clusters;
  
  calculating a mean value and a standard deviation of coordinates of the center vector for the each cluster of the K clusters;
  
  setting a threshold value for the each cluster of the K clusters by using the mean value and the standard deviation; and
  
  selecting a behavior corresponding to coordinates exceeding the threshold value among the coordinates of the center vector as the cluster pattern of the each cluster of the K clusters.

17. A non-transitory computer-readable storage medium storing instructions which, when executed by a processor, cause the processor to perform operations comprising:
- creating K clusters, each cluster of the K clusters being created based on past behavior counters associated with one or more users;
  
  designating a cluster pattern of the each cluster of the K clusters, the cluster pattern indicating a representative behavior of the past behavior counters belonging to the each cluster;
  
  determining a past behavior pattern of a first user based on a first past behavior counter associated with the first user and the each cluster of the K clusters;
  
  obtaining first current behavior counters associated with the first user based on monitoring information from an agent software program installed on a computing device of the first user;
  
  determining a current behavior pattern of the first user based on the first current behavior counters associated with the first user and the each cluster of the K clusters; and
  
  detecting an anomalous behavior of the first user by comparing the past behavior pattern and the current behavior pattern of the first user,wherein the designating the cluster pattern comprises;
  
  extracting a center vector of the each cluster of the K clusters by using values of the past behavior counters belonging to respective clusters;
  
  calculating a mean value and a standard deviation of coordinates of the center vector for the each cluster of the K clusters;
  
  setting a threshold value for the each cluster of the K clusters by using the mean value and the standard deviation; and
  
  selecting a behavior corresponding to coordinates exceeding the threshold value among the coordinates of the center vector as the cluster pattern of the each cluster of the K clusters.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Samsung SDS (China) Co., Ltd. (Samsung Group)
Original Assignee
Samsung SDS (China) Co., Ltd. (Samsung Group)
Inventors
Lee, Eun Hye, Oh, Kyu Sam, Kim, Min Jae, Park, Kwang Hun
Primary Examiner(s)
Hirl, Joseph P
Assistant Examiner(s)
Choy, Ka Shan

Application Number

US15/791,852
Publication Number

US 20180114016A1
Time in Patent Office

938 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/552 involving long-term monitor...

Method and apparatus for detecting anomaly based on behavior-analysis

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

6 Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for detecting anomaly based on behavior-analysis

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

6 Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links