ACTIVITY MODEL FOR DETECTING SUSPICIOUS USER ACTIVITY
Abstract
Embodiments are directed to generating an account process profile based on meta-events and to detecting account behavior anomalies based on account process profiles. In one scenario, a computer system accesses an indication of which processes were initiated by an account over a specified period of time. The computer system analyzes at least some of the processes identified in the indication to extract features associated with the processes. The computer system assigns the processes to meta-events based on the extracted features, where each meta-event is a representation of how the processes are executed within the computer system. The computer system then generates an account process profile for the account based on the meta-events, where the account process profile provides a comprehensive view of the account's behavior over the specified period of time. This account process profile can be used to identify anomalies in process execution.
20 Claims
1. At a computer system including at least one processor, a computer-implemented method for generating an account process profile based on meta-events, the method comprising:
- accessing an indication of which processes were initiated by an account over a specified period of time;
- analyzing at least some of the processes identified in the indication to extract one or more features associated with the processes;
- assigning the processes to one or more meta-events based on the extracted features, each meta-event comprising a representation of how the processes are executed within the computer system; and
- generating an account process profile for the account based on the meta-events, the account process profile providing a view of the account's behavior over the specified period of time.

Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11

12. A computer program product for implementing a method for detecting account behavior anomalies based on account process profiles, the computer program product comprising one or more computer-readable storage media having stored thereon computer-executable instructions that, when executed by one or more processors of a computing system, cause the computing system to perform the method, the method comprising:
- accessing an account process profile that includes one or more meta-events, the meta-events comprising representations of how the process is executed within the computing system;
- determining past process behavior for the account based on the accessed account process profile including which meta-events were present in the account process profile;
- generating an indication of expected deviations for a specified future period of time, the expected deviations indicating a likelihood that the account will initiate a process that is outside of the account's past behavior, or is outside of behavior of at least one account similar to the account;
- monitoring those processes that are initiated by the account over the specified future period of time to detect anomalies; and
- based on the detected anomalies, assigning a suspiciousness ranking to the account profile.

Dependent claims: 13, 14, 15, 16, 17

18. A computer system comprising the following:
- one or more processors;
- an account process profile accessing module for accessing an account process profile that includes one or more meta-events, the meta-events comprising representations of how the process is executed within the computing system;
- a behavior determining module for determining past process behavior for the account based on the accessed account process profile including which meta-events were present in the account process profile;
- an expected deviations determining module for generating an indication of expected deviations for a specified future period of time, the expected deviations indicating a likelihood that the account will initiate a process that is outside of the account's past behavior, or is outside of behavior of at least one account similar to the account;
- a process monitoring module for monitoring those processes that are initiated by the account over the specified future period of time to detect anomalies; and
- a ranking module for assigning a suspiciousness ranking to the account profile based on the detected anomalies.

Dependent claims: 19, 20
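
The pipeline recited in the abstract and in claims 1 and 12 (processes, features, meta-events, profile, expected deviations, ranking), sketched as an added example that is not taken from the patent. The feature set (parent name, child name, install location), the Good-Turing estimate used for the expected deviation, the score formula, the function names and the sample records are all assumptions made for illustration.

```python
from collections import Counter
from pathlib import PureWindowsPath

SYSTEM_DIRS = {"windows", "program files"}  # assumed feature: trusted install roots
W, PF = "C:\\Windows\\", "C:\\Program Files\\"
EXPLORER, PS = W + "explorer.exe", W + "System32\\powershell.exe"
WORD = PF + "Office\\winword.exe"
# Constructed process-start records: (account, parent image, child image).
HISTORY = (
    [("alice", EXPLORER, WORD)] * 3
    + [("alice", EXPLORER, PF + "Chrome\\chrome.exe")] * 2
    + [("alice", EXPLORER, W + "notepad.exe"), ("bob", EXPLORER, W + "System32\\mmc.exe")]
    + [("bob", EXPLORER, PS)] * 2
    + [("bob", PS, W + "System32\\" + exe) for exe in ("ipconfig.exe", "net.exe")]
)
MONITORED = [
    ("alice", EXPLORER, WORD),
    ("alice", WORD, PS),
    ("alice", PS, "C:\\Users\\alice\\AppData\\Local\\Temp\\upd.exe"),
    ("bob", EXPLORER, PS),
    ("bob", PS, W + "System32\\whoami.exe"),
]

def meta_event(parent, image):
    """Collapse one process start into (parent name, child name, location class)."""
    child = PureWindowsPath(image)
    top = child.parts[1].lower() if len(child.parts) > 2 else ""
    return (PureWindowsPath(parent).name.lower(), child.name.lower(),
            "system" if top in SYSTEM_DIRS else "user-writable")

def build_profiles(events):
    profiles = {}
    for account, parent, image in events:
        profiles.setdefault(account, Counter())[meta_event(parent, image)] += 1
    return profiles

def expected_deviation(profile):
    """Good-Turing estimate of unseen mass: meta-events seen exactly once / total."""
    total = sum(profile.values())
    return sum(1 for c in profile.values() if c == 1) / total if total else 1.0

def rank_accounts(profiles, new_events):
    """Score = observed share of novel meta-events minus the expected share."""
    novel, total = Counter(), Counter()
    for account, parent, image in new_events:
        total[account] += 1
        novel[account] += meta_event(parent, image) not in profiles.get(account, {})
    scores = {a: novel[a] / total[a] - expected_deviation(profiles.get(a, Counter()))
              for a in total}
    return sorted(scores.items(), key=lambda kv: kv[1], reverse=True)
```

Calling `rank_accounts(build_profiles(HISTORY), MONITORED)` on the constructed data ranks `alice` above `bob`: her history is repetitive, so two unseen meta-events far exceed her expected deviation, while `bob`'s varied history makes one new command unsurprising.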
Specification