SYSTEM AND METHOD FOR MODELING BEHAVIOR CHANGE AND CONSISTENCY TO DETECT MALICIOUS INSIDERS
Abstract
One embodiment of the present invention provides a system for identifying anomalies. During operation, the system obtains work practice data associated with a plurality of users. The work practice data includes a plurality of user events. The system further categorizes the work practice data into a plurality of domains based on types of the user events, models user behaviors within a respective domain based on work practice data associated with the respective domain, and identifies at least one anomalous user based on modeled user behaviors from the multiple domains.
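The pipeline the abstract describes, as an added Python example that is not code from the patent: events are categorized into domains by type, each domain is modeled separately, and a user is reported only when anomalous in multiple domains. The page does not say how behaviors are modeled, so the per-domain model here (a robust z-score of activity counts against peers) is a swapped-in assumption, as are the event types, domain names and thresholds; the sample data is constructed.

```python
from collections import defaultdict
from statistics import median

# Assumed event-type -> domain mapping (names are hypothetical, not from the patent).
DOMAIN_OF = {"logon": "logon", "email_sent": "email", "file_copy": "file",
             "usb_insert": "file", "http_visit": "web", "http_upload": "web"}

# Constructed sample: per-user counts of each event type over one period.
SAMPLE_COUNTS = {
    "alice":   {"logon": 2, "email_sent": 3, "file_copy": 1, "http_visit": 4},
    "bob":     {"logon": 3, "email_sent": 4, "file_copy": 2, "http_visit": 5},
    "carol":   {"logon": 2, "email_sent": 2, "file_copy": 1, "http_visit": 3},
    "dave":    {"logon": 2, "email_sent": 10, "file_copy": 1, "http_visit": 4},
    "mallory": {"logon": 2, "email_sent": 3, "file_copy": 1, "usb_insert": 9,
                "http_visit": 4, "http_upload": 12},
}
SAMPLE = [(user, etype) for user, counts in SAMPLE_COUNTS.items()
          for etype, n in counts.items() for _ in range(n)]

def categorize(events):
    """Split (user, event_type) events into domains; count activity per user."""
    counts = defaultdict(lambda: defaultdict(int))
    for user, etype in events:
        domain = DOMAIN_OF.get(etype)
        if domain is not None:  # unknown event types are skipped, not guessed
            counts[domain][user] += 1
    return counts

def domain_scores(user_counts, users):
    """Assumed per-domain model: robust z-score of each user against peers."""
    values = [user_counts.get(u, 0) for u in users]
    med = median(values)
    # MAD of 0 means peers are identical; fall back to 1 to avoid dividing by zero.
    mad = median(abs(v - med) for v in values) or 1.0
    return {u: abs(user_counts.get(u, 0) - med) / mad for u in users}

def anomalous_users(events, threshold=3.0, min_domains=2):
    """Return {user: [domains]} for users anomalous in at least min_domains."""
    users = sorted({user for user, _ in events})
    flagged = defaultdict(list)
    for domain, user_counts in categorize(events).items():
        for user, score in domain_scores(user_counts, users).items():
            if score > threshold:
                flagged[user].append(domain)
    return {u: sorted(d) for u, d in flagged.items() if len(d) >= min_domains}
```

On the constructed sample, "dave" deviates only in the email domain and is not reported at the default `min_domains=2`, while "mallory" deviates in both the file and web domains and is.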
21 Claims
1. A computer-executable method for identifying anomalies, the method comprising:
- obtaining work practice data associated with a plurality of users, wherein the work practice data includes a plurality of user events;
- categorizing the work practice data into a plurality of domains based on types of the user events;
- modeling user behaviors within a respective domain based on work practice data associated with the respective domain; and
- identifying at least one anomalous user based on modeled user behaviors from the multiple domains.
Dependent claims: 2, 3, 4, 5, 6, 7

8. A non-transitory computer-readable storage medium storing instructions that when executed by a computer cause the computer to perform a method for identifying anomalies, the method comprising:
- obtaining work practice data associated with a plurality of users, wherein the work practice data includes a plurality of user events;
- categorizing the work practice data into a plurality of domains based on types of the user events;
- modeling user behaviors within a respective domain based on work practice data associated with the respective domain; and
- identifying at least one anomalous user based on modeled user behaviors from the multiple domains.
Dependent claims: 9, 10, 11, 12, 13, 14

15. A computer system for identifying anomalies, comprising:
- a data-obtaining mechanism configured to obtain work practice data associated with a plurality of users, wherein the work practice data includes a plurality of user events;
- a data-categorizing mechanism configured to categorize the work practice data into a plurality of domains based on types of the user events;
- a modeling mechanism configured to model user behaviors within a respective domain based on work practice data associated with the respective domain; and
- an anomaly-detection mechanism configured to detect at least one anomalous user based on modeled user behaviors from the multiple domains.
Dependent claims: 16, 17, 18, 19, 20, 21
Specification