ANOMALOUS ACTIVITY DETECTION
First Claim
15. A tangible computer-readable medium comprising computer-executable instructions that when executed by a processor cause a system to perform:
- receiving a plurality of data feeds comprising information regarding activity events associated with at least one of a plurality of user accounts during a first time period;
- removing duplicate activity events that exist without technical or human error from the electronic information to create de-duplicated activity events, wherein the electronic information of at least one duplicate activity event generated by a first data feed and the electronic information of at least another activity event was generated by a second application;
- enriching the de-duplicated activity events with enrichment criteria to create enriched activity events;
- receiving exclusion criteria comprising for at least one activity event of at least one user account; and
- determining whether to transmit an actionable alert, and transmitting an actionable alert.
Abstract
The disclosure addresses the detection of anomalous activity. Some embodiments are directed towards consolidating information from multiple data feeds. Exemplary information may relate to: extrusion violations, failed logins, sensitive fields access, sensitive objects access, escalation of privileges, or activity during a specific time frame within a time period, and combinations of one or more of these. In one embodiment, duplicate data may be removed or consolidated.
21 Claims
18. The computer-readable medium of claim 16, the instructions further comprising:
- determining if a new pattern exists within the enriched activity events.
21. A system comprising:
- a processor in operative communication with at least one memory comprising a staging module, a de-duplication module, an enrichment module, and an exclusion module;
- wherein the staging module is configured to receive electronic information generated from a plurality of data feeds regarding activity events for about a 48 hour period regarding a plurality of user accounts, wherein the electronic information comprises information selected from the group consisting of: extrusion violations, failed logins, sensitive field access, sensitive object access, and escalation of privileges;
- wherein the de-duplication module is configured to remove duplicate activity events that exist without technical or human error from the electronic information to create de-duplicated activity events, comprising:
  - a key component configured to detect values within the electronic information of the plurality of activity events to detect duplicates of a single activity event;
  - a non-key component configured to detect time values within the electronic information of the plurality of activity events to detect duplicates of a single activity event;
  - a sum component configured to detect repetitive electronic information among different activity events over a time frame within the time period; and
  - an append component configured to append a value onto one or more de-duplicated activity events relating to the electronic information of a plurality of activity events;
- wherein the enrichment module is configured to enrich the de-duplicated activity events with enrichment criteria from an updatable knowledge base to create enriched activity events;
- wherein the exclusion module is in operative communication with the enrichment module and is configured to detect known patterns within the electronic information relating to one or more user accounts, wherein at least a portion of the known patterns are received from the knowledge base, wherein in combination the enrichment module and the exclusion module are configured to exclude at least a portion of the de-duplicated activity events and enrich at least a portion of the de-duplicated activity events; and
- a mechanism for transmitting an actionable alert comprising information regarding a plurality of enriched activity events.
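The following is an added worked example, not code from the patent or its assignee, of the pipeline claim 21 describes: a staging step over a 48-hour window, a de-duplication module with key, non-key, sum and append components, enrichment from a knowledge base, exclusion of known patterns, and an alert decision over the surviving events. The two feeds, the knowledge base, the field names, the 5-second skew tolerance, the 300-second burst window and the alert thresholds are all constructed assumptions chosen to exercise each component once.

```python
"""Toy anomalous-activity pipeline: staging -> de-duplication -> enrichment -> exclusion -> alert.
Constructed example; feeds, knowledge base, field names and thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample feeds. feed_a repeats one record verbatim (key duplicate), feed_b
# reports the same login 2 s later (non-key duplicate, clock skew), and carol's event
# is older than the staging window.
FEEDS = {
    "feed_a": [
        {"account": "alice", "type": "failed_login", "host": "db1", "ts": "2024-01-01T08:00:00"},
        {"account": "alice", "type": "failed_login", "host": "db1", "ts": "2024-01-01T08:00:00"},
        {"account": "bob", "type": "sensitive_field_access", "host": "db1", "ts": "2024-01-01T09:00:00"},
        {"account": "alice", "type": "escalation_of_privileges", "host": "db1", "ts": "2024-01-02T10:00:00"},
        {"account": "carol", "type": "failed_login", "host": "db1", "ts": "2023-12-30T08:00:00"},
    ],
    "feed_b": [
        {"account": "alice", "type": "failed_login", "host": "db1", "ts": "2024-01-01T08:00:02"},
        {"account": "alice", "type": "failed_login", "host": "db1", "ts": "2024-01-01T08:01:00"},
        {"account": "alice", "type": "failed_login", "host": "db1", "ts": "2024-01-01T08:02:00"},
        {"account": "alice", "type": "failed_login", "host": "db1", "ts": "2024-01-01T08:03:00"},
    ],
}

# Constructed updatable knowledge base: per-account enrichment and known (benign)
# patterns; a DBA reading sensitive fields is treated as expected activity.
KNOWLEDGE_BASE = {
    "accounts": {"alice": {"role": "analyst"}, "bob": {"role": "dba"}},
    "known_patterns": [{"type": "sensitive_field_access", "role": "dba"}],
}
NOW = datetime(2024, 1, 3, 0, 0, 0)  # constructed "current time" for the 48 h window


def _ts(ev):
    return datetime.fromisoformat(ev["ts"])


def stage(feeds, now, window_hours=48):
    """Staging module: collect events from every feed that fall inside the window."""
    cutoff = now - timedelta(hours=window_hours)
    return [{**ev, "feed": name} for name, events in feeds.items()
            for ev in events if _ts(ev) >= cutoff]


def deduplicate(events, time_tolerance_s=5, burst_window_s=300):
    """De-duplication module built from key, non-key, sum and append components."""
    # Key component: identical content fields mean one event was recorded twice.
    seen, keyed = set(), []
    for ev in events:
        key = (ev["account"], ev["type"], ev["host"], ev["ts"])
        if key not in seen:
            seen.add(key)
            keyed.append(ev)
    # Non-key component: same content, timestamps within tolerance (skew between feeds).
    merged = []
    for ev in sorted(keyed, key=_ts):
        content = (ev["account"], ev["type"], ev["host"])
        prior = next((m for m in reversed(merged)
                      if (m["account"], m["type"], m["host"]) == content), None)
        if prior and abs((_ts(ev) - _ts(prior)).total_seconds()) <= time_tolerance_s:
            prior["feeds"].append(ev["feed"])  # append component: keep every source feed
            continue
        entry = {k: v for k, v in ev.items() if k != "feed"}
        entry["feeds"] = [ev["feed"]]
        merged.append(entry)
    # Sum component: count repeats of the same account/type inside the burst window;
    # append component: attach that count to each surviving event.
    for ev in merged:
        ev["repeat_count"] = sum(
            1 for other in merged
            if (other["account"], other["type"]) == (ev["account"], ev["type"])
            and abs((_ts(other) - _ts(ev)).total_seconds()) <= burst_window_s)
    return merged


def enrich(events, kb):
    """Enrichment module: attach knowledge-base attributes (here, the account role)."""
    return [{**ev, **kb["accounts"].get(ev["account"], {"role": "unknown"})} for ev in events]


def exclude(events, kb):
    """Exclusion module: drop events that match a known pattern from the knowledge base."""
    def matches(ev, pattern):
        return all(ev.get(k) == v for k, v in pattern.items())
    return [ev for ev in events if not any(matches(ev, p) for p in kb["known_patterns"])]


def decide_alert(events, repeat_threshold=3, min_events=2):
    """Return {account: [events]} for accounts whose remaining activity warrants an alert."""
    flagged = defaultdict(list)
    for ev in events:
        if ev["repeat_count"] >= repeat_threshold or ev["type"] == "escalation_of_privileges":
            flagged[ev["account"]].append(ev)
    # An actionable alert covers a plurality of enriched events, so require at least two.
    return {acct: evs for acct, evs in flagged.items() if len(evs) >= min_events}


def run_pipeline(feeds, kb, now):
    staged = stage(feeds, now)
    deduped = deduplicate(staged)
    remaining = exclude(enrich(deduped, kb), kb)
    return {"staged": len(staged), "deduplicated": len(deduped),
            "after_exclusion": len(remaining), "alerts": decide_alert(remaining)}


if __name__ == "__main__":
    summary = run_pipeline(FEEDS, KNOWLEDGE_BASE, NOW)
    for acct, evs in summary["alerts"].items():
        print(acct, [(e["type"], e["ts"], e["repeat_count"], e["feeds"]) for e in evs])
```

Running the pipeline on the constructed feeds stages 8 events (carol's is outside the window), the key component drops the verbatim repeat, the non-key component folds the skewed copy of alice's first failed login into one event tagged with both feeds, the sum component marks each of alice's four failed logins with a repeat count of 4, the exclusion module removes bob's DBA read, and alice is the only account left with enough enriched events for an alert. Ordering matters: exclusion runs after enrichment because the known pattern is expressed in terms of an enriched attribute (the role), which mirrors the claim's requirement that the two modules operate in combination.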