SYSTEM AND METHOD FOR MODELING BEHAVIOR CHANGE AND CONSISTENCY TO DETECT MALICIOUS INSIDERS

US 20150235152A1
Filed: 02/18/2014
Published: 08/20/2015
Est. Priority Date: 02/18/2014
Status: Abandoned Application

First Claim

Patent Images

1. A computer-executable method for identifying anomalies, the method comprising:

obtaining work practice data associated with a plurality of users, wherein the work practice data includes a plurality of user events;

categorizing the work practice data into a plurality of domains based on types of the user events;

modeling user behaviors within a respective domain based on work practice data associated with the respective domain; and

identifying at least one anomalous user based on modeled user behaviors from the multiple domains.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

One embodiment of the present invention provides a system for identifying anomalies. During operation, the system obtains work practice data associated with a plurality of users. The work practice data includes a plurality of user events. The system further categorizes the work practice data into a plurality of domains based on types of the user events, models user behaviors within a respective domain based on work practice data associated with the respective domain, and identifies at least one anomalous user based on modeled user behaviors from the multiple domains.

64 Citations

View as Search Results

21 Claims

1. A computer-executable method for identifying anomalies, the method comprising:
- obtaining work practice data associated with a plurality of users, wherein the work practice data includes a plurality of user events;
  
  categorizing the work practice data into a plurality of domains based on types of the user events;
  
  modeling user behaviors within a respective domain based on work practice data associated with the respective domain; and
  
  identifying at least one anomalous user based on modeled user behaviors from the multiple domains.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein the plurality of domains includes one or more of:
    - a logon domain;
      
      an email domain;
      
      a Hyper Text Transfer Protocol (HTTP) domain;
      
      a file domain; and
      
      a device domain.
  - 3. The method of claim 1, wherein modeling the user behaviors within the respective domain involves:
    - constructing feature vectors for the plurality of users based on the work practice data associated with the respective domain; and
      
      applying a clustering algorithm to the feature vectors, wherein a subset of users are clustered into a first cluster.
  - 4. The method of claim 3, further comprising calculating an anomaly score associated with a respective user within a second domain based on a probability that the user is clustered into a second cluster into which other users within the subset of users are clustered.
  - 5. The method of claim 1, wherein modeling the user behaviors within a respective domain further comprises modeling changes in the user behaviors within the respective domain by clustering users within the respective domain based on work practice data associated with a time instance.
  - 6. The method of claim 5, wherein modeling the changes in the user behaviors further comprises calculating a probability of a user transitioning from a first cluster at a time instance to a second cluster at a subsequent time instance.
  - 7. The method of claim 1, wherein identifying at least one anomalous user involves calculating a weighted sum of anomaly scores associated with the at least one anomalous user from the plurality of domains.

8. A non-transitory computer-readable storage medium storing instructions that when executed by a computer cause the computer to perform a method for identifying anomalies, the method comprising:
- obtaining work practice data associated with a plurality of users, wherein the work practice data includes a plurality of user events;
  
  categorizing the work practice data into a plurality of domains based on types of the user events;
  
  modeling user behaviors within a respective domain based on work practice data associated with the respective domain; and
  
  identifying at least one anomalous user based on modeled user behaviors from the multiple domains.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The computer-readable storage medium of claim 8, wherein the plurality of domains includes one or more of:
    - a logon domain;
      
      an email domain;
      
      a Hyper Text Transfer Protocol (HTTP) domain;
      
      a file domain; and
      
      a device domain.
  - 10. The computer-readable storage medium of claim 8, wherein modeling the user behaviors within the respective domain involves:
    - constructing feature vectors for the plurality of users based on the work practice data associated with the respective domain; and
      
      applying a clustering algorithm to the feature vectors, wherein a subset of users are clustered into a first cluster.
  - 11. The computer-readable storage medium of claim 10, wherein the method further comprises calculating an anomaly score associated with a respective user within a second domain based on a probability that the user is clustered into a second cluster into which other users within the subset of users are clustered.
  - 12. The computer-readable storage medium of claim 8, wherein modeling the user behaviors within a respective domain further comprises modeling changes in the user behaviors within the respective domain by clustering users within the respective domain based on work practice data associated with a time instance.
  - 13. The computer-readable storage medium of claim 12, wherein modeling the changes in the user behaviors further comprises calculating a probability of a user transitioning from a first cluster at a time instance to a second cluster at a subsequent time instance.
  - 14. The computer-readable storage medium of claim 8, wherein identifying at least one anomalous user involves calculating a weighted sum of anomaly scores associated with the at least one anomalous user from the plurality of domains.

15. A computer system for identifying anomalies, comprising:
- a data-obtaining mechanism configured to obtain work practice data associated with a plurality of users, wherein the work practice data includes a plurality of user events;
  
  a data-categorizing mechanism configured to categorize the work practice data into a plurality of domains based on types of the user events;
  
  a modeling mechanism configured to model user behaviors within a respective domain based on work practice data associated with the respective domain; and
  
  an anomaly-detection mechanism configured to detect at least one anomalous user based on modeled user behaviors from the multiple domains.
- View Dependent Claims (16, 17, 18, 19, 20, 21)
- - 16. The computer system of claim 15, wherein the plurality of domains includes one or more of:
    - a logon domain;
      
      an email domain;
      
      a Hyper Text Transfer Protocol (HTTP) domain;
      
      a file domain; and
      
      a device domain.
  - 17. The computer system of claim 15, wherein while modeling the user behaviors within the respective domain, the modeling mechanism is configured to:
    - construct feature vectors for the plurality of users based on the work practice data associated with the respective domain; and
      
      apply a clustering algorithm to the feature vectors, wherein a subset of users are clustered into a first cluster.
  - 18. The computer system of claim 17, further comprising an anomaly-score calculator configured to calculate an anomaly score associated with a respective user within a second domain based on a probability that the user is clustered into a second cluster into which other users within the subset of users are clustered.
  - 19. The computer system of claim 15, wherein while modeling the user behaviors within a respective domain, the modeling mechanism is further configured to model changes in the user behaviors within the respective domain by clustering users within the respective domain based on work practice data associated with a time instance.
  - 20. The computer system of claim 19, wherein while modeling the changes in the user behaviors, the modeling mechanism is further configured to calculate a probability of a user transitioning from a first cluster at a time instance to a second cluster at a subsequent time instance.
  - 21. The computer system of claim 15, wherein while detecting the at least one anomalous user, the anomaly-detection mechanism is configured to calculate a weighted sum of anomaly scores associated with the at least one anomalous user from the plurality of domains.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Palo Alto Research Center, Inc. (Xerox Holdings Corp.)
Original Assignee
Palo Alto Research Center, Inc. (Xerox Holdings Corp.)
Inventors
Bart, Evgeniy, Liu, Juan J., Price, Robert R., Brdiczka, Oliver, Eldardiry, Hoda M.A., Hanley, John

Application Number

US14/183,298
Publication Number

US 20150235152A1
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/552   involving long-term monitor...

G06F 21/6218   to a system of files or obj...

G06Q 10/0635   Risk analysis of enterprise...

G06Q 50/26   Government or public servic...

H04L 63/1425   Traffic logging, e.g. anoma...

SYSTEM AND METHOD FOR MODELING BEHAVIOR CHANGE AND CONSISTENCY TO DETECT MALICIOUS INSIDERS

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

64 Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

SYSTEM AND METHOD FOR MODELING BEHAVIOR CHANGE AND CONSISTENCY TO DETECT MALICIOUS INSIDERS

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

64 Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links