Identifying security breaches from clustering properties
First Claim
1. A computer-implemented method of identifying security breaches in a computer system comprising:
- monitoring behavior of users or resources of at least one computer system and storing information on the monitored behaviors;
- analyzing the stored information on the monitored behaviors to generate clusters and train clustering models;
- receiving information relating to labeling to a user or resource;
- determining and scoring anomalies between a user or resource and at least one cluster to which the user or resource has been assigned;
- detecting a user or resource to be an outlier of at least one cluster to which the user or resource has been assigned; and
- generating an alert indicating detection of the outlier.
Abstract
Embodiments of the present invention may provide the capability to identify security breaches in computer systems from clustering properties of clusters generated based on monitored behavior of users of the computer systems by using techniques that provide improved performance and reduced resource requirements. For example, behavior of users or resources may be monitored and analyzed to generate clusters and train clustering models. Labeling information relating to some user or resource may be received. When users or resources are clustered and when a cluster contains some labeled users/resources then an anomaly score can be determined for a user/resource belonging to the cluster. A user or resource may be detected to be an outlier of at least one cluster to which the user or resource has been assigned, and an alert indicating detection of the outlier may be generated.
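The abstract describes four steps: cluster users by monitored behaviour, take in role labels for some of them, score each user against its own cluster (with the labels of the cluster's other members as one signal), and raise an alert for outliers. The following is an added, self-contained illustration of that pipeline in Python; it is not the patent's own code. The feature set (logins per day, distinct hosts, MB uploaded, after-hours fraction), the use of k-means, the distance-to-centroid ratio and the label-majority rule are all assumptions made for this example, and the user profiles and labels are constructed sample data.

```python
"""Added example (not the patent's code): behaviour clustering with
label-aware anomaly scoring and alerting, as sketched in the abstract.
Feature choice, k-means, and the scoring rules are this example's assumptions."""
from math import sqrt
from statistics import mean, median, pstdev

# Constructed weekly behaviour profile per user:
# (logins per day, distinct hosts reached, MB uploaded, fraction of after-hours activity)
PROFILES = {
    "alice":   (4.0, 2, 30, 0.05),
    "bob":     (5.0, 3, 25, 0.10),
    "carol":   (3.5, 2, 40, 0.00),
    "dave":    (4.5, 3, 35, 0.05),
    "ops-1":   (20.0, 40, 500, 0.60),
    "ops-2":   (22.0, 38, 450, 0.55),
    "ops-3":   (18.0, 45, 520, 0.65),
    "mallory": (4.0, 30, 900, 0.60),   # a "developer" behaving like the ops group
}
# Constructed labels: roles are known for some users only (the "labeling information").
LABELS = {"alice": "developer", "ops-1": "sysadmin", "ops-2": "sysadmin", "mallory": "developer"}

# Distance-based outlier rule: member is farther from its centroid than
# this multiple of the cluster's median member distance (assumed threshold).
DISTANCE_RATIO_THRESHOLD = 2.5


def standardize(profiles):
    """z-score each feature so host counts and MB do not dominate login counts."""
    cols = list(zip(*profiles.values()))
    stats = [(mean(c), pstdev(c) or 1.0) for c in cols]
    return {n: tuple((v - m) / s for v, (m, s) in zip(profiles[n], stats)) for n in profiles}


def dist(a, b):
    return sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def kmeans(points, k, iters=100):
    """Deterministic k-means: farthest-first seeding from the first point,
    then Lloyd iterations. Returns ({name: cluster_index}, centroids)."""
    names = list(points)
    centroids = [points[names[0]]]
    while len(centroids) < k:
        far = max(names, key=lambda n: min(dist(points[n], c) for c in centroids))
        centroids.append(points[far])
    assign = {}
    for _ in range(iters):
        new = {n: min(range(k), key=lambda i: dist(points[n], centroids[i])) for n in names}
        if new == assign:
            break
        assign = new
        for i in range(k):
            members = [points[n] for n in names if assign[n] == i]
            if members:
                centroids[i] = tuple(map(mean, zip(*members)))
    return assign, centroids


def score(profiles, labels, k=2):
    """Per-user anomaly score: distance to the assigned centroid relative to the
    cluster's median member distance, plus a label-disagreement flag when the
    cluster's labelled members have a clear majority role that differs from the user's."""
    z = standardize(profiles)
    assign, centroids = kmeans(z, k)
    results = {}
    for i in range(k):
        members = [n for n in assign if assign[n] == i]
        d = {n: dist(z[n], centroids[i]) for n in members}
        scale = median(d.values()) or 1.0
        roles = [labels[n] for n in members if n in labels]
        ranked = sorted({r: roles.count(r) for r in set(roles)}.items(), key=lambda kv: -kv[1])
        # No majority role when there are no labels or the top two roles tie.
        majority = ranked[0][0] if ranked and (len(ranked) == 1 or ranked[0][1] > ranked[1][1]) else None
        for n in members:
            results[n] = {
                "cluster": i,
                "cluster_role": majority,
                "distance_ratio": d[n] / scale,
                "label_mismatch": n in labels and majority is not None and labels[n] != majority,
            }
    return results


def alerts(profiles, labels, k=2):
    """Generate one alert per detected outlier (the final step of the method)."""
    out = []
    for n, r in score(profiles, labels, k).items():
        reasons = []
        if r["distance_ratio"] > DISTANCE_RATIO_THRESHOLD:
            reasons.append(f"distance {r['distance_ratio']:.2f}x cluster median")
        if r["label_mismatch"]:
            reasons.append(f"labelled {labels[n]} but cluster {r['cluster']} is mostly {r['cluster_role']}")
        if reasons:
            out.append({"user": n, "cluster": r["cluster"], "reasons": reasons})
    return out


if __name__ == "__main__":
    for a in alerts(PROFILES, LABELS):
        print(f"ALERT user={a['user']} cluster={a['cluster']} :: " + "; ".join(a["reasons"]))
```

With the constructed data, k-means separates the four developers from the ops accounts; `mallory` lands in the ops cluster because the upload volume and host count match that group, and the alert fires because the cluster's labelled members are mostly `sysadmin` while `mallory` is labelled `developer`. Unlabelled members such as `ops-3` never trigger the label rule, which is the point of scoring against a cluster that contains some labelled users rather than requiring labels for everyone.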
18 Claims
1. A computer-implemented method of identifying security breaches in a computer system comprising:
- monitoring behavior of users or resources of at least one computer system and storing information on the monitored behaviors;
- analyzing the stored information on the monitored behaviors to generate clusters and train clustering models;
- receiving information relating to labeling to a user or resource;
- determining and scoring anomalies between a user or resource and at least one cluster to which the user or resource has been assigned;
- detecting a user or resource to be an outlier of at least one cluster to which the user or resource has been assigned; and
- generating an alert indicating detection of the outlier.
Dependent claims: 2, 3, 4, 5, 6
7. A system for identifying security breaches in a computer system, the system comprising a processor, memory accessible by the processor, and computer program instructions stored in the memory and executable by the processor to perform:
- monitoring behavior of users or resources of at least one computer system and storing information on the monitored behaviors;
- analyzing the stored information on the monitored behaviors to generate clusters and train clustering models;
- receiving information relating to labeling to a user or resource;
- determining and scoring anomalies between a user or resource and at least one cluster to which the user or resource has been assigned;
- detecting a user or resource to be an outlier of at least one cluster to which the user or resource has been assigned; and
- generating an alert indicating detection of the outlier.
Dependent claims: 8, 9, 10, 11, 12
13. A computer program product for identifying security breaches in a computer system, the computer program product comprising a non-transitory computer readable storage having program instructions embodied therewith, the program instructions executable by a computer, to cause the computer to perform a method comprising:
- monitoring behavior of users or resources of at least one computer system and storing information on the monitored behaviors;
- analyzing the stored information on the monitored behaviors to generate clusters and train clustering models;
- receiving information relating to labeling to a user or resource;
- determining and scoring anomalies between a user or resource and at least one cluster to which the user or resource has been assigned;
- detecting a user or resource to be an outlier of at least one cluster to which the user or resource has been assigned; and
- generating an alert indicating detection of the outlier.
Dependent claims: 14, 15, 16, 17, 18
Specification