Identifying Changes in Use of User Credentials
Abstract
A method including extracting, from initial data transmitted on a network, multiple events, each of the events including a user accessing a resource. First and second sets of records are created, each first-set record including a sub-group of the events of a single user, each second-set record including a sub-group of the events of multiple users during respective sub-periods of a training period. Safe labels are assigned to the first-set records and suspicious labels are assigned to the second-set records. An analysis fits, to the first- and second-set records and their respective labels, a model for predicting the label for a given record. The model filters subsequent network data to identify, in the subsequent data, sequences of events predicted to be labeled suspicious by the model, and upon detecting a given sequence of events predicted as suspicious by the model, an alert is generated.
17 Claims
1. A method, comprising:
extracting, from initial data transmitted on a data network comprising a set of resources accessed by a set of training users, a plurality of events, each of the events comprising a given training user accessing a given resource;
creating first and second sets of records, each given record in the first set comprising a sub-group of the extracted events of a single training user, each given record in the second set comprising a sub-group of the events of a plurality of the training users during respective sub-periods of a training period;
assigning safe labels to the records in the first set and suspicious labels to the records in the second set;
performing, by a processor, an analysis to fit, to the records in the first and the second sets and their respective labels, a model for predicting the label for a given record;
filtering, using the model, subsequent data transmitted on the data network to identify, in the subsequent data, sequences of events predicted to be labeled suspicious by the model; and
upon detecting a given sequence of events predicted as suspicious by the model, generating an alert.
Dependent claims: 2, 3, 4, 5, 6, 7, 8.

9. An apparatus, comprising:
a memory; and
a processor configured to extract, from initial data transmitted on a data network comprising a set of resources accessed by a set of training users, a plurality of events, each of the events comprising a given training user accessing a given resource,
to create, in the memory, first and second sets of records, each given record in the first set comprising a sub-group of the extracted events of a single training user, each given record in the second set comprising a sub-group of the events of a plurality of the training users during respective sub-periods of a training period,
to assign safe labels to the records in the first set and suspicious labels to the records in the second set,
to perform an analysis to fit, to the records in the first and the second sets and their respective labels, a model for predicting the label for a given record,
to filter, using the model, subsequent data transmitted on the data network to identify, in the subsequent data, sequences of events predicted to be labeled suspicious by the model, and
upon detecting a given sequence of events predicted as suspicious by the model, to generate an alert.
Dependent claims: 10, 11, 12, 13, 14, 15, 16.

17. A computer software product, the product comprising a non-transitory computer-readable medium, in which program instructions are stored, which instructions, when read by a computer, cause the computer:
to extract, from initial data transmitted on a data network comprising a set of resources accessed by a set of training users, a plurality of events, each of the events comprising a given training user accessing a given resource;
to create first and second sets of records, each given record in the first set comprising a sub-group of the extracted events of a single training user, each given record in the second set comprising a sub-group of the events of a plurality of the training users during respective sub-periods of a training period;
to assign safe labels to the records in the first set and suspicious labels to the records in the second set;
to perform an analysis to fit, to the records in the first and the second sets and their respective labels, a model for predicting the label for a given record;
to filter, using the model, subsequent data transmitted on the data network to identify, in the subsequent data, sequences of events predicted to be labeled suspicious by the model; and
upon detecting a given sequence of events predicted as suspicious by the model, to generate an alert.
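The abstract and claim 1 describe a training trick worth seeing in code: no labelled incidents are needed, because the "suspicious" class is manufactured by mixing several users' events from the same sub-period, and the "safe" class is simply one user's own events. The following is an added example, not code from the patent or its assignee. It assumes a fixed window of 12 events per record, a three-feature logistic-regression model fitted by gradient descent, and a 0.5 alert threshold; the event log, user names and resource names are constructed for the demonstration.

```python
"""
Added example (not the patent's own code): one way to realise the claimed
training scheme on constructed data. Windows of one user's events form the
"safe" set; windows that mix several users' events from the same sub-period
form the "suspicious" set; a logistic-regression model is fitted to both, and
later per-user windows that the model scores as suspicious produce alerts.
"""
import math
from collections import Counter

WINDOW = 12  # events per record (assumption; the claims fix no window size)

# Constructed training data: each user has a small, stable set of resources.
_PROFILES = {
    "alice": ["hr-db", "payroll", "hr-share"],
    "bob":   ["git", "ci", "jira"],
    "carol": ["crm", "sales-share", "mail"],
}
TRAINING_EVENTS = []  # (timestamp, user, resource); users interleave in time
_t = 0
for _round in range(20):
    for _user, _pool in _PROFILES.items():
        for _i in range(4):
            TRAINING_EVENTS.append((_t, _user, _pool[(_i + _round) % len(_pool)]))
            _t += 1

# Constructed "subsequent data": bob behaves normally, while alice's
# credentials are used to reach resources from every profile.
SUBSEQUENT_EVENTS = [(1000 + i, "bob", r)
                     for i, r in enumerate(["git", "ci", "jira"] * 4)]
SUBSEQUENT_EVENTS += [(2000 + i, "alice", r) for i, r in enumerate(
    ["hr-db", "payroll", "git", "ci", "jira", "crm",
     "sales-share", "mail", "hr-share", "git", "crm", "ci"])]


def per_user_records(events, window=WINDOW):
    """First set: each record is one user's consecutive events."""
    by_user = {}
    for ev in sorted(events):
        by_user.setdefault(ev[1], []).append(ev)
    return [evs[i:i + window]
            for evs in by_user.values()
            for i in range(0, len(evs) - window + 1, window)]


def mixed_records(events, window=WINDOW):
    """Second set: each record is one sub-period's events from several users."""
    evs = sorted(events)
    recs = [evs[i:i + window] for i in range(0, len(evs) - window + 1, window)]
    return [r for r in recs if len({u for _, u, _ in r}) > 1]


def features(record):
    """Bias term, share of distinct resources, and resource entropy in bits.
    A single user's window is concentrated; a mixed window is spread out."""
    n = len(record)
    counts = Counter(r for _, _, r in record)
    entropy = -sum(c / n * math.log2(c / n) for c in counts.values())
    return [1.0, len(counts) / n, entropy]


def _sigmoid(z):
    z = max(-60.0, min(60.0, z))  # guard against exp() overflow
    return 1.0 / (1.0 + math.exp(-z))


def predict(weights, x):
    """Probability that a feature vector belongs to the suspicious class."""
    return _sigmoid(sum(w * v for w, v in zip(weights, x)))


def train(events, lr=0.5, epochs=3000):
    """Label per-user records 0 (safe) and mixed records 1 (suspicious), then
    fit logistic regression by plain full-batch gradient descent."""
    data = [(features(r), 0.0) for r in per_user_records(events)]
    data += [(features(r), 1.0) for r in mixed_records(events)]
    weights = [0.0] * 3
    for _ in range(epochs):
        grad = [0.0] * 3
        for x, y in data:
            err = predict(weights, x) - y
            for j in range(3):
                grad[j] += err * x[j]
        weights = [w - lr * g / len(data) for w, g in zip(weights, grad)]
    return weights


def detect(weights, events, threshold=0.5):
    """Filter subsequent data: score each user's windows, alert on suspicious ones."""
    alerts = []
    for rec in per_user_records(events):
        score = predict(weights, features(rec))
        if score >= threshold:
            alerts.append({"user": rec[0][1], "start": rec[0][0], "end": rec[-1][0],
                           "score": round(score, 3),
                           "resources": sorted({r for _, _, r in rec})})
    return alerts


if __name__ == "__main__":
    model = train(TRAINING_EVENTS)
    for alert in detect(model, SUBSEQUENT_EVENTS):
        print("ALERT", alert)
```

Running it trains on 18 single-user windows and 20 mixed windows and raises one alert, for alice, whose post-compromise window has the same spread of resources as a mixed training record. The caveat a practitioner should keep in mind is that the model learns "looks like several users at once", not "looks like an attacker": a legitimately broad account (an administrator, a shared service account) will score high for the same reason, so in practice the window length, the feature set and the threshold need tuning per role, and the alert should carry the window's resources, as above, so an analyst can see why it fired.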
Specification