ACTIVITY MODEL FOR DETECTING SUSPICIOUS USER ACTIVITY

US 20160203316A1
Filed: 01/14/2015
Published: 07/14/2016
Est. Priority Date: 01/14/2015
Status: Abandoned Application

First Claim

Patent Images

1. At a computer system including at least one processor, a computer-implemented method for generating an account process profile based on meta-events, the method comprising:

accessing an indication of which processes were initiated by an account over a specified period of time;

analyzing at least some of the processes identified in the indication to extract one or more features associated with the processes;

assigning the processes to one or more meta-events based on the extracted features, each meta-event comprising a representation of how the processes are executed within the computer system; and

generating an account process profile for the account based on the meta-events, the account process profile providing a view of the account'"'"'s behavior over the specified period of time.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Embodiments are directed to generating an account process profile based on meta-events and to detecting account behavior anomalies based on account process profiles. In one scenario, a computer system accesses an indication of which processes were initiated by an account over a specified period of time. The computer system analyzes at least some of the processes identified in the indication to extract features associated with the processes. The computer system assigns the processes to meta-events based on the extracted features, where each meta-event is a representation of how the processes are executed within the computer system. The computer system then generates an account process profile for the account based on the meta-events, where the account process profile provides a comprehensive view of the account'"'"'s behavior over the specified period of time. This account process profile can be used to identify anomalies in process execution.

58 Citations

20 Claims

1. At a computer system including at least one processor, a computer-implemented method for generating an account process profile based on meta-events, the method comprising:
- accessing an indication of which processes were initiated by an account over a specified period of time;
  
  analyzing at least some of the processes identified in the indication to extract one or more features associated with the processes;
  
  assigning the processes to one or more meta-events based on the extracted features, each meta-event comprising a representation of how the processes are executed within the computer system; and
  
  generating an account process profile for the account based on the meta-events, the account process profile providing a view of the account'"'"'s behavior over the specified period of time.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, further comprising implementing the account process profile to detect one or more anomalies in account behavior.
  - 3. The method of claim 1, wherein the account comprises a user account, a system account, a service account, or a local computer account.
  - 4. The method of claim 1, further comprising accessing the generated account process profile for the account to generate an expected behavior profile which provides a projected view of the account'"'"'s future behavior over a future period of time.
  - 5. The method of claim 4, wherein the expected behavior profile includes a dynamically variable window of acceptability indicating a specified tolerance for anomalous behavior.
  - 6. The method of claim 5, further comprising triggering an alert upon determining that the window of acceptability has been surpassed by one or more of the account'"'"'s actions.
  - 7. The method of claim 5, wherein the window of acceptability indicating the specified tolerance for anomalous behavior is generated based on account process profiles generated for at least one other account that is determined to be similar to the account.
  - 8. The method of claim 5, wherein the window of acceptability is different for different accounts and account groups, and dynamically changes within individual accounts and account groups.
  - 9. The method of claim 1, wherein machine learning is used to assign the processes to meta-events, such that over time, process behavior is learned and quantified for each meta-event.
  - 10. The method of claim 9, wherein each meta-event includes processes with a specified set of one or more features or characteristics.
  - 11. The method of claim 1, wherein the meta-events are aggregated to generate the account process profile which provides a comprehensive view of the account'"'"'s behavior over the specified period of time.

12. A computer program product for implementing a method for detecting account behavior anomalies based on account process profiles, the computer program product comprising one or more computer-readable storage media having stored thereon computer-executable instructions that, when executed by one or more processors of a computing system, cause the computing system to perform the method, the method comprising:
- accessing an account process profile that includes one or more meta-events, the meta-events comprising representations of how the process is executed within the computing system;
  
  determining past process behavior for the account based on the accessed account process profile including which meta-events were present in the account process profile;
  
  generating an indication of expected deviations for a specified future period of time, the expected deviations indicating a likelihood that the account will initiate a process that is outside of the account'"'"'s past behavior, or is outside of behavior of at least one account similar to the account;
  
  monitoring those processes that are initiated by the account over the specified future period of time to detect anomalies; and
  
  based on the detected anomalies, assigning a suspiciousness ranking to the account profile.
- View Dependent Claims (13, 14, 15, 16, 17)
- - 13. The computer program product of claim 12, wherein one or more alerts are generated for account profiles with a suspiciousness ranking that is beyond a specified threshold.
  - 14. The computer program product of claim 12, wherein the indication of expected deviations includes a dynamically variable acceptability window that indicates how far outside of the account'"'"'s past behavior the account can go before being flagged as anomalous.
  - 15. The computer program product of claim 12, wherein monitoring those processes that are initiated by the account over the specified future period of time to detect anomalies comprises teasing apart behavior of the account from behavior of a masquerading account.
  - 16. The computer program product of claim 12, further comprising training an anomaly detection model using existing stored account profiles, such that a fast approximation may be performed on future account process initiations.
  - 17. The computer program product of claim 16, wherein performing a fast approximation comprises interpolating range of movement parameters for new users without performing at least a portion of background processing.

18. A computer system comprising the following:
- one or more processors;
  
  an account process profile accessing module for accessing an account process profile that includes one or more meta-events, the meta-events comprising representations of how the process is executed within the computing system;
  
  a behavior determining module for determining past process behavior for the account based on the accessed account process profile including which meta-events were present in the account process profile;
  
  an expected deviations determining module for generating an indication of expected deviations for a specified future period of time, the expected deviations indicating a likelihood that the account will initiate a process that is outside of the account'"'"'s past behavior, or is outside of behavior of at least one account similar to the account;
  
  a process monitoring module for monitoring those processes that are initiated by the account over the specified future period of time to detect anomalies; and
  
  a ranking module for assigning a suspiciousness ranking to the account profile based on the detected anomalies.
- View Dependent Claims (19, 20)
- - 19. The computer system of claim 18, wherein domain-specific information is used to generate the indication of expected deviations for the specified future period of time.
  - 20. The computer system of claim 18, wherein an account'"'"'s process profile shifts into new process behavior profile upon the account receiving a new role.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Inventors
Mace, Daniel Lee, Shafriri, Gil Lapid, Wittenberg, Craig Henry

Application Number

US14/597,015
Publication Number

US 20160203316A1
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/316   by observing the pattern of...

G06F 21/55   Detecting local intrusion o...

G06F 21/554   involving event detection a...

G06N 7/02   using fuzzy logic computing...

ACTIVITY MODEL FOR DETECTING SUSPICIOUS USER ACTIVITY

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

58 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

ACTIVITY MODEL FOR DETECTING SUSPICIOUS USER ACTIVITY

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

58 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links