MODELING USER ACCESS TO COMPUTER RESOURCES

US 20090292743A1
Filed: 05/21/2008
Published: 11/26/2009
Est. Priority Date: 05/21/2008
Status: Active Grant

First Claim

Patent Images

1. A method for modeling user access to computer resources, the method comprising:

collecting a first set of log records documenting user actions in accessing the computer resources during a first time interval;

aggregating the first set of log records at one or more chronological levels;

selecting one or more model types, wherein each model type is used to evaluate the first set of log records;

selecting one or more attributes from the first set of log records;

aggregating data associated with the one or more selected attributes into one or more mining tables according to the one or more levels;

selecting algorithm parameters for the selected one or more model types; and

creating the one or more models of user behavior by running the selected one or more model types using the aggregated data in the one or more mining tables and the selected algorithm parameters, wherein each model of user behavior characterizes an expected pattern for accessing the computer resources.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Embodiments of the invention provide a method for detecting changes in behavior of authorized users of computer resources and reporting the detected changes to the relevant individuals. The method includes evaluating actions performed by each user against user behavioral models and business rules. As a result of the analysis, a subset of users may be identified and reported as having unusual or suspicious behavior. In response, the management may provide feedback indicating that the user behavior is due to the normal expected business needs or that the behavior warrants further review. The management feedback is available for use by machine learning algorithms to improve the analysis of user actions over time. Consequently, investigation of user actions regarding computer resources is facilitated and data loss is prevented more efficiently relative to the prior art approaches with only minimal disruption to the ongoing business processes.

Citations

25 Claims

1. A method for modeling user access to computer resources, the method comprising:
- collecting a first set of log records documenting user actions in accessing the computer resources during a first time interval;
  
  aggregating the first set of log records at one or more chronological levels;
  
  selecting one or more model types, wherein each model type is used to evaluate the first set of log records;
  
  selecting one or more attributes from the first set of log records;
  
  aggregating data associated with the one or more selected attributes into one or more mining tables according to the one or more levels;
  
  selecting algorithm parameters for the selected one or more model types; and
  
  creating the one or more models of user behavior by running the selected one or more model types using the aggregated data in the one or more mining tables and the selected algorithm parameters, wherein each model of user behavior characterizes an expected pattern for accessing the computer resources.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, wherein each record in the first set of log records includes a user identification (ID) indicating that the record is associated with actions of the user.
  - 3. The method of claim 2, wherein evaluation of the first set of log records results in generation of clusters of similar activity that are labeled according to perceived user roles.
  - 4. The method of claim 3, wherein each record in the first set of log records is assigned to one of the clusters.
  - 5. The method of claim 1, wherein the one or more model types comprise a distribution-based clustering model, a center-based clustering model, and/or an association rule model.
  - 6. The method of claim 1, wherein the algorithm parameters comprise learning rate, numbers of clusters, and/or similarity measures.
  - 7. The method of claim 1, wherein the step of creating one or more models of user behavior further comprises performing a test procedure to validate the one or more models of user behavior.
  - 8. The method of claim 7, wherein the test procedure comprises performing statistical analysis of predictive and generalization capabilities of the one or more models of user behavior.
  - 9. The method of claim 1, wherein the computer resources comprise computer source code.

10. A computer-readable storage medium storing a computer program which, when executed by a processor, performs operations, the operations comprising:
- collecting a first set of log records documenting user actions in accessing the computer resources during a first time interval;
  
  aggregating the first set of log records at one or more chronological levels;
  
  selecting one or more model types, wherein each model type is used to evaluate the first set of log records;
  
  selecting one or more attributes from the first set of log records;
  
  aggregating data associated with the one or more selected attributes into one or more mining tables according to the one or more levels;
  
  selecting algorithm parameters for the selected one or more model types; and
  
  creating the one or more models of user behavior by running the selected one or more model types using the aggregated data in the one or more mining tables and the selected algorithm parameters, wherein each model of user behavior characterizes an expected pattern for accessing the computer resources.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17)
- - 11. The computer-readable storage medium of claim 10, wherein each record in the first set of log records includes a user identification (ID) indicating that the record is associated with actions of the user.
  - 12. The computer-readable storage medium of claim 11, wherein evaluation of the first set of log records results in generation of clusters of similar activity that are labeled according to perceived user roles, and each record in the first set of log records is assigned to one of the clusters.
  - 13. The computer-readable storage medium of claim 10, wherein the one or more model types comprise a distribution-based clustering model, a center-based clustering model, and/or an association rule model.
  - 14. The computer-readable storage medium of claim 10, wherein the algorithm parameters comprise learning rate, numbers of clusters, and/or similarity measures.
  - 15. The computer-readable storage medium of claim 10, wherein creating one or more models of user behavior further comprises performing a test procedure to validate the one or more models of user behavior.
  - 16. The computer-readable storage medium of claim 15, wherein the test procedure comprises performing statistical analysis of predictive and generalization capabilities of the one or more models of user behavior.
  - 17. The computer-readable storage medium of claim 10, wherein the computer resources comprise computer source code.

18. A system, comprising:
- a processor; and
  
  a memory containing a program, which when executed by the processor is configured to monitor the activity of users in accessing computer resources by performing the steps of;
  
  collecting a first set of log records documenting user actions in accessing the computer resources during a first time interval;
  
  aggregating the first set of log records at one or more chronological levels;
  
  selecting one or more model types, wherein each model type is used to evaluate the first set of log records;
  
  selecting one or more attributes from the first set of log records;
  
  aggregating data associated with the one or more selected attributes into one or more mining tables according to the one or more levels;
  
  selecting algorithm parameters for the selected one or more model types; and
  
  creating the one or more models of user behavior by running the selected one or more model types using the aggregated data in the one or more mining tables and the selected algorithm parameters, wherein each model of user behavior characterizes an expected pattern for accessing the computer resources.
- View Dependent Claims (19, 20, 21, 22, 23, 24, 25)
- - 19. The system of claim 18, wherein each record in the first set of log records includes a user identification (ID) indicating that the record is associated with actions of the user.
  - 20. The system of claim 19, wherein evaluation of the first set of log records results in generation of clusters of similar activity that are labeled according to perceived user roles, and each record in the first set of log records is assigned to one of the clusters.
  - 21. The system of claim 18, wherein the one or more model types comprise a distribution-based clustering model, a center-based clustering model, and/or an association rule model.
  - 22. The system of claim 18, wherein the algorithm parameters comprise learning rate, numbers of clusters, and/or similarity measures.
  - 23. The system of claim 18, wherein the step of creating one or more models of user behavior further comprises performing a test procedure to validate the one or more models of user behavior.
  - 24. The system of claim 23, wherein the test procedure comprises performing statistical analysis of predictive and generalization capabilities of the one or more models of user behavior.
  - 25. The system of claim 18, wherein the computer resources comprise computer source code.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Taiwan Semiconductor Manufacturing Company Limited
Original Assignee
International Business Machines Corporation
Inventors
Lingenfelder, Christoph, Bigus, Joseph P., Gong, Leon

Granted Patent

US 8,214,364 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/316 by observing the pattern of...

G06F 21/552 involving long-term monitor...

MODELING USER ACCESS TO COMPUTER RESOURCES

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

MODELING USER ACCESS TO COMPUTER RESOURCES

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links