DETECTING ANOMALOUS ACTIVITY FROM ACCOUNTS OF AN ONLINE SERVICE
First Claim
1. A method for detecting anomalous activity in an online service, comprising:
- accessing a baseline profile comprising past event information related to events that originate from accounts of the online service;
- accessing a recent profile comprising recent event information related to recent events that originate from accounts of the online service;
- comparing a frequency of the past event information in the baseline profile to a frequency of the recent event information in the recent profile to determine when anomalous activity is detected in the online service; and
- reporting the anomalous activity when detected.
Abstract
Anomalous activity is detected using event information that is received from accounts from within an online service. Generally, anomalous activity is detected by comparing a baseline profile that includes past event information for accounts of the online service with a recent profile that includes recent event information for the accounts. Anomalous activity is detected when the recent profile shows that one or more events are occurring more frequently as compared to the occurrence of the event in the associated baseline profile. The events that are recorded and used in the anomaly detection may include all or a portion of events that are monitored by the online service. One or more reports may also be automatically generated and provided to one or more users to show activity that may be considered anomalous activity.
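The baseline-versus-recent frequency comparison described in the abstract, as an added Python example (not code from the patent). The 30-day baseline window, the ratio of 3, the minimum count of 5, and all account and event names are assumptions, and the sample events are constructed.

```python
from collections import Counter
from datetime import datetime, timedelta

def build_profile(events, start, end):
    """Count events per (account, event_type) with start <= timestamp < end."""
    return Counter((acct, etype) for ts, acct, etype in events if start <= ts < end)

def detect_anomalies(baseline, baseline_days, recent, recent_days=1,
                     ratio=3.0, min_count=5):
    """Return (account, event_type, recent_rate, baseline_rate) for keys whose
    recent daily rate is at least `ratio` times the baseline daily rate.
    ratio and min_count are assumed tuning values, not taken from the patent."""
    floor = 1.0 / baseline_days  # never-seen events count as one per baseline window
    findings = []
    for key, count in recent.items():
        if count < min_count:  # suppress one-off events that carry no rate signal
            continue
        recent_rate = count / recent_days
        base_rate = baseline.get(key, 0) / baseline_days
        if recent_rate >= ratio * max(base_rate, floor):
            findings.append((*key, recent_rate, base_rate))
    # Largest relative increase first, so the report leads with the worst case.
    return sorted(findings, key=lambda f: f[2] / max(f[3], floor), reverse=True)

def sample_events(now):
    """Constructed sample data: 30 quiet baseline days, then one noisy day."""
    events = []
    for d in range(1, 31):
        ts = now - timedelta(days=d, hours=12)
        events += [(ts, "svc-backup", "failed_login")] * 6
        events.append((ts, "carol", "mailbox_export"))
    recent_ts = now - timedelta(hours=3)
    events += [(recent_ts, "svc-backup", "failed_login")] * 7  # normal volume
    events += [(recent_ts, "alice", "failed_login")] * 12      # new for this account
    events += [(recent_ts, "carol", "mailbox_export")] * 9     # 9x her baseline
    events.append((recent_ts, "bob", "role_change"))           # below min_count
    return events

def run_example():
    now = datetime(2024, 1, 31)
    events = sample_events(now)
    split = now - timedelta(days=1)  # recent profile = the last day
    baseline = build_profile(events, now - timedelta(days=31), split)
    recent = build_profile(events, split, now)
    return detect_anomalies(baseline, 30, recent)

if __name__ == "__main__":
    for account, etype, recent_rate, base_rate in run_example():
        print(f"ANOMALY {account} {etype}: {recent_rate:.1f}/day vs baseline {base_rate:.2f}/day")
```

The floor on the baseline rate is what lets an event type that an account has never produced be reported, rather than dividing by zero or being skipped.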
20 Claims
1. A method for detecting anomalous activity in an online service, comprising:
- accessing a baseline profile comprising past event information related to events that originate from accounts of the online service;
- accessing a recent profile comprising recent event information related to recent events that originate from accounts of the online service;
- comparing a frequency of the past event information in the baseline profile to a frequency of the recent event information in the recent profile to determine when anomalous activity is detected in the online service; and
- reporting the anomalous activity when detected.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9

10. A computer-readable storage medium storing computer-executable instructions for detecting anomalous activity in an online service, comprising:
- accessing a baseline profile comprising past event information related to events comprising security events that originate from accounts of the online service;
- accessing a recent profile comprising recent event information related to recent events comprising the security events that originated within a last day from accounts of the online service;
- comparing the baseline profile to the recent profile and when the baseline profile and the recent profile are different then detecting anomalous activity; and
- reporting the anomalous activity when detected.
Dependent claims: 11, 12, 13, 14, 15, 16

17. A system for detecting anomalous activity in an online service, comprising:
- a processor and memory;
- an operating environment executing using the processor; and
- an anomaly detector that is configured to perform actions comprising;
- accessing a baseline profile comprising past event information related to events comprising security events that originate from accounts of the online service;
- accessing a recent profile comprising recent event information related to recent events comprising the security events that originated within a last day from accounts of the online service;
- comparing frequencies of past event information in the baseline profile to frequencies of the recent event information in the recent profile to determine when anomalous activity is detected in the online service; and
- reporting the anomalous activity when detected.
Dependent claims: 18, 19, 20
Specification