MODELING USER ACCESS TO COMPUTER RESOURCES
First Claim
1. A method for modeling user access to computer resources, the method comprising:
collecting a first set of log records documenting user actions in accessing the computer resources during a first time interval;
aggregating the first set of log records at one or more chronological levels;
selecting one or more model types, wherein each model type is used to evaluate the first set of log records;
selecting one or more attributes from the first set of log records;
aggregating data associated with the one or more selected attributes into one or more mining tables according to the one or more levels;
selecting algorithm parameters for the selected one or more model types; and
creating the one or more models of user behavior by running the selected one or more model types using the aggregated data in the one or more mining tables and the selected algorithm parameters, wherein each model of user behavior characterizes an expected pattern for accessing the computer resources.
Abstract
Embodiments of the invention provide a method for detecting changes in behavior of authorized users of computer resources and reporting the detected changes to the relevant individuals. The method includes evaluating actions performed by each user against user behavioral models and business rules. As a result of the analysis, a subset of users may be identified and reported as having unusual or suspicious behavior. In response, the management may provide feedback indicating that the user behavior is due to the normal expected business needs or that the behavior warrants further review. The management feedback is available for use by machine learning algorithms to improve the analysis of user actions over time. Consequently, investigation of user actions regarding computer resources is facilitated and data loss is prevented more efficiently relative to the prior art approaches with only minimal disruption to the ongoing business processes.
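The modeling steps of the first claim, followed by the evaluation the abstract describes, as an added example that is not part of the patent. The record fields, the hour and day levels, the mean/standard-deviation model type, and the z-score threshold are all assumptions chosen for illustration; the text on this page names none of them.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

LEVELS = {"hour": "%Y-%m-%dT%H", "day": "%Y-%m-%d"}  # chronological levels (assumed)

def mining_table(records, level, attribute):
    """Sum one selected attribute per (user, time bucket) at the given level."""
    table = defaultdict(float)
    for r in records:
        bucket = datetime.fromisoformat(r["ts"]).strftime(LEVELS[level])
        table[(r["user"], bucket)] += r[attribute]
    return dict(table)

def fit_baseline(table):
    """Model type assumed here: per-user mean and std dev of the bucket totals."""
    per_user = defaultdict(list)
    for (user, _), value in table.items():
        per_user[user].append(value)
    return {u: (mean(v), pstdev(v)) for u, v in per_user.items()}

def flag_deviations(model, table, z_threshold=3.0, min_std=1.0):
    """Score a later interval; return (user, bucket, z) entries needing review."""
    flagged = []
    for (user, bucket), value in sorted(table.items()):
        if user not in model:  # no expected pattern yet: report, do not guess
            flagged.append((user, bucket, None))
            continue
        mu, sigma = model[user]
        z = (value - mu) / max(sigma, min_std)  # floor guards flat baselines
        if z > z_threshold:
            flagged.append((user, bucket, round(z, 1)))
    return flagged

def rec(ts, user, n):  # constructed sample record, not a real log format
    return {"ts": ts, "user": user, "resource": "crm", "records_read": n}

# Constructed data: five baseline days, then one day in a second interval.
FIRST = [rec(f"2024-03-0{d}T{h:02d}:10", u, n + d) for d in range(4, 9)
         for u, h, n in (("alice", 9, 20), ("alice", 14, 22), ("bob", 10, 5))]
SECOND = [rec("2024-03-11T09:05", "alice", 21), rec("2024-03-11T14:30", "alice", 20),
          rec("2024-03-11T23:40", "bob", 400), rec("2024-03-11T11:00", "carol", 3)]

def run(level="day", attribute="records_read"):
    model = fit_baseline(mining_table(FIRST, level, attribute))
    return flag_deviations(model, mining_table(SECOND, level, attribute))

if __name__ == "__main__":
    for level in LEVELS:
        print(level, run(level))
```

A user with no baseline (carol in the sample) is reported with a score of `None` rather than silently skipped, so new accounts still reach a reviewer.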
25 Claims
10. A computer-readable storage medium storing a computer program which, when executed by a processor, performs operations, the operations comprising:
collecting a first set of log records documenting user actions in accessing the computer resources during a first time interval;
aggregating the first set of log records at one or more chronological levels;
selecting one or more model types, wherein each model type is used to evaluate the first set of log records;
selecting one or more attributes from the first set of log records;
aggregating data associated with the one or more selected attributes into one or more mining tables according to the one or more levels;
selecting algorithm parameters for the selected one or more model types; and
creating the one or more models of user behavior by running the selected one or more model types using the aggregated data in the one or more mining tables and the selected algorithm parameters, wherein each model of user behavior characterizes an expected pattern for accessing the computer resources.
18. A system, comprising:
a processor; and
a memory containing a program, which when executed by the processor is configured to monitor the activity of users in accessing computer resources by performing the steps of:
collecting a first set of log records documenting user actions in accessing the computer resources during a first time interval;
aggregating the first set of log records at one or more chronological levels;
selecting one or more model types, wherein each model type is used to evaluate the first set of log records;
selecting one or more attributes from the first set of log records;
aggregating data associated with the one or more selected attributes into one or more mining tables according to the one or more levels;
selecting algorithm parameters for the selected one or more model types; and
creating the one or more models of user behavior by running the selected one or more model types using the aggregated data in the one or more mining tables and the selected algorithm parameters, wherein each model of user behavior characterizes an expected pattern for accessing the computer resources.
Specification