Modeling user access to computer resources
Abstract
Embodiments of the invention provide a method for detecting changes in the behavior of authorized users of computer resources and reporting the detected changes to the relevant individuals. The method evaluates the actions performed by each user against user behavioral models and business rules. As a result of the analysis, a subset of users may be identified and reported as having unusual or suspicious behavior. In response, management may provide feedback indicating either that the behavior is explained by normal, expected business needs or that it warrants further review. That feedback is then available to the machine learning algorithms to improve the analysis of user actions over time. Consequently, investigating user actions on computer resources is easier and data loss is prevented more efficiently than with prior-art approaches, with only minimal disruption to ongoing business processes.
Claims (24 in total; the three independent claims are reproduced below, the dependent claims 2-8, 10-16 and 18-24 are not)

1. A computer-implemented method to model user access to computer resources, the method comprising:
collecting a first set of log records documenting user actions in accessing the computer resources during a first time interval;
aggregating the first set of log records at one or more chronological levels;
generating, by operation of one or more computer processors, a model of user behavior by running one or more selected model types using data associated with one or more attributes selected from the first set of log records, wherein the data is aggregated into one or more mining tables according to the one or more chronological levels, and further using at least one algorithm parameter selected for the one or more model types, wherein the generated model includes a plurality of clusters of the selected one or more model types, wherein each cluster is associated with a distinct, respective authorized user role that is authorized to access the computer resources, wherein each cluster characterizes a distinct, legitimate pattern with which any user of the respective authorized user role is expected to access the computer resources, wherein the generated model comprises at least one of a classification model, a clustering model, and an association rule model, wherein the clustering model comprises at least one of a distribution-based clustering model and a center-based clustering model; and
scoring, based on the generated model and at least one scoring rule, a set of user actions to determine whether the set of actions is suspect, wherein the at least one scoring rule comprises at least one of a first scoring rule specifying to score the user against the plurality of clusters, a second scoring rule specifying to adjust one or more chronological levels at which the set of actions is aggregated, and a third scoring rule specifying that the one or more chronological levels at which the set of actions is aggregated include a plurality of overlapping time frames;
wherein the set of actions is determined to be suspect based on at least one of:
(i) the set of user actions being classified by the generated model as characterizing a first authorized user role at a first point in time and characterizing a second authorized user role at a second point in time subsequent to the first point in time, wherein the second authorized user role is different from the first authorized user role;
(ii) a resource access frequency monitored for the second authorized user role exceeding the resource access frequency monitored for the first authorized user role by at least a predetermined, user-specified amount, and wherein the resource access frequency characterizes a frequency of accessing one or more computer resources; and
(iii) the set of actions satisfying one or more inference rules for identifying user behavior likely to cause data loss.

9. A computer-readable storage medium storing a computer program which, when executed by a processor, performs an operation to model user access to computer resources, the operation comprising:
collecting a first set of log records documenting user actions in accessing the computer resources during a first time interval;
aggregating the first set of log records at one or more chronological levels;
selecting one or more model types; and
generating, by operation of one or more computer processors when executing the computer program, the model of user behavior by running one or more selected model types using data associated with one or more attributes selected from the first set of log records, wherein the data is aggregated into one or more mining tables according to the one or more chronological levels, and further using at least one algorithm parameter selected for the one or more model types, wherein the generated model includes a plurality of clusters of the selected one or more model types, wherein each cluster is associated with a distinct, respective authorized user role that is authorized to access the computer resources, wherein each cluster characterizes a distinct, legitimate pattern with which any user of the respective authorized user role is expected to access the computer resources, wherein the generated model comprises at least one of a classification model, a clustering model, and an association rule model, wherein the clustering model comprises at least one of a distribution-based clustering model and a center-based clustering model; and
scoring, based on the generated model and at least one scoring rule, a set of user actions to determine whether the set of actions is suspect, wherein the at least one scoring rule comprises at least one of a first scoring rule specifying to score the user against the plurality of clusters, a second scoring rule specifying to adjust one or more chronological levels at which the set of actions is aggregated, and a third scoring rule specifying that the one or more chronological levels at which the set of actions is aggregated include a plurality of overlapping time frames;
wherein the set of actions is determined to be suspect based on at least one of:
(i) the set of user actions being classified by the generated model as characterizing a first authorized user role at a first point in time and characterizing a second authorized user role at a second point in time subsequent to the first point in time, wherein the second authorized user role is different from the first authorized user role;
(ii) a resource access frequency monitored for the second authorized user role exceeding the resource access frequency monitored for the first authorized user role by at least a predetermined, user-specified amount, and wherein the resource access frequency characterizes a frequency of accessing one or more computer resources; and
(iii) the set of actions satisfying one or more inference rules for identifying user behavior likely to cause data loss.

17. A system, comprising:
a processor; and
a memory containing a program, which when executed by the processor is configured to perform an operation to model user access to computer resources, the operation comprising:
collecting a first set of log records documenting user actions in accessing the computer resources during a first time interval;
aggregating the first set of log records at one or more chronological levels;
generating a model of user behavior by running one or more selected model types using data associated with one or more attributes selected from the first set of log records, wherein the data is aggregated into one or more mining tables according to the one or more chronological levels, and further using at least one algorithm parameter selected for the one or more model types, wherein the generated model includes a plurality of clusters of the selected one or more model types, wherein each cluster is associated with a distinct, respective authorized user role that is authorized to access the computer resources, wherein each cluster characterizes a distinct, legitimate pattern with which any user of the respective authorized user role is expected to access the computer resources, wherein the generated model comprises at least one of a classification model, a clustering model, and an association rule model, wherein the clustering model comprises at least one of a distribution-based clustering model and a center-based clustering model; and
scoring, based on the generated model and at least one scoring rule, a set of user actions to determine whether the set of actions is suspect, wherein the at least one scoring rule comprises at least one of a first scoring rule specifying to score the user against the plurality of clusters, a second scoring rule specifying to adjust one or more chronological levels at which the set of actions is aggregated, and a third scoring rule specifying that the one or more chronological levels at which the set of actions is aggregated include a plurality of overlapping time frames;
wherein the set of actions is determined to be suspect based on at least one of:
(i) the set of user actions being classified by the generated model as characterizing a first authorized user role at a first point in time and characterizing a second authorized user role at a second point in time subsequent to the first point in time, wherein the second authorized user role is different from the first authorized user role;
(ii) a resource access frequency monitored for the second authorized user role exceeding the resource access frequency monitored for the first authorized user role by at least a predetermined, user-specified amount, and wherein the resource access frequency characterizes a frequency of accessing one or more computer resources; and
(iii) the set of actions satisfying user behavior likely to cause data loss as identified by one or more inference rules.
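The independent claims describe one pipeline: collect access logs over a time interval, aggregate them into mining tables at a chronological level whose frames overlap, fit a model whose clusters each stand for an authorized role, then score later activity with the three suspect criteria (i) role drift over time, (ii) the new role being busier than the old one by a user-specified margin, and (iii) an inference rule for data-loss behaviour. The following is an added worked example of that pipeline, written for this page; it is not code from the patent or its assignee. Everything in it is assumed rather than taken from the claims: the three resource classes, the constructed log records, a nearest-centroid model (one cluster centre per role, fitted from role-labelled history) standing in for the claimed center-based clustering model, 24-hour frames stepped every 12 hours as the overlapping time frames, and the two thresholds.

```python
"""Role-cluster scoring of access logs: an added illustration, not the patent's code.

Assumed (not from the page): three resource classes, a nearest-centroid model in
place of the claimed center-based clustering model, 24-hour frames stepped every
12 hours as the overlapping time frames, and the two thresholds below.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import math

CLASSES = ("crm", "db", "export")   # resource classes counted per frame
FRAME = timedelta(hours=24)          # chronological level: one day
STEP = timedelta(hours=12)           # frames overlap by half a day
FREQ_DELTA = 5                       # rule (ii): user-specified accesses per frame
EXPORT_LIMIT = 25                    # rule (iii): assumed inference-rule threshold


def synth_records(user, day, counts):
    """Constructed sample log records (ts, user, class), spread over 08:00-17:00."""
    recs = []
    for cls, n in counts.items():
        for i in range(n):
            ts = datetime(2024, 3, day, 8) + timedelta(minutes=i * 540 // n)
            recs.append((ts, user, cls))
    return recs


def aggregate(records, start, end):
    """Mining table: per user, a chronological list of (frame_start, count vector).

    Frames of length FRAME start every STEP inside [start, end); since STEP is
    shorter than FRAME, consecutive frames overlap (the third scoring rule).
    """
    by_user, table = defaultdict(list), defaultdict(list)
    for ts, user, cls in records:
        by_user[user].append((ts, cls))
    frame_start = start
    while frame_start + FRAME <= end:
        for user, events in by_user.items():
            vec = [0] * len(CLASSES)
            for ts, cls in events:
                if frame_start <= ts < frame_start + FRAME:
                    vec[CLASSES.index(cls)] += 1
            table[user].append((frame_start, tuple(vec)))
        frame_start += STEP
    return table


def fit_centroids(table, role_of):
    """One cluster centre per authorized role: the mean vector of that role's frames."""
    sums = defaultdict(lambda: [0.0] * len(CLASSES))
    counts = defaultdict(int)
    for user, frames in table.items():
        for _, vec in frames:
            for k, v in enumerate(vec):
                sums[role_of[user]][k] += v
            counts[role_of[user]] += 1
    return {role: tuple(s / counts[role] for s in sums[role]) for role in sums}


def nearest_role(vec, centroids):
    """First scoring rule: score a frame against every role cluster, take the closest."""
    return min(centroids, key=lambda r: math.dist(vec, centroids[r]))


def score_user(frames, centroids):
    """Apply criteria (i)-(iii); returns [(criterion, explanation), ...], empty if clean."""
    roles = [(t, nearest_role(vec, centroids)) for t, vec in frames]
    first, reasons = roles[0][1], []
    for t, role in roles[1:]:
        if role != first:                # (i) a later frame fits a different role
            reasons.append(("i", f"fits {first}, then {role} from {t:%Y-%m-%d %H:%M}"))
            gain = sum(centroids[role]) - sum(centroids[first])
            if gain >= FREQ_DELTA:       # (ii) the new role's mean access rate is higher
                reasons.append(("ii", f"{role} averages {gain:.0f} more accesses per frame"))
            break
    peak = max(vec[CLASSES.index("export")] for _, vec in frames)
    if peak >= EXPORT_LIMIT:             # (iii) assumed data-loss inference rule
        reasons.append(("iii", f"{peak} exports in one frame (limit {EXPORT_LIMIT})"))
    return reasons


def run_example():
    """Fit on role-labelled history, then score a later period; returns both."""
    start, end = datetime(2024, 3, 1), datetime(2024, 3, 6)
    analyst = {"crm": 20, "db": 2, "export": 1}
    dba = {"crm": 1, "db": 30, "export": 0}
    history = [r for d in range(1, 6) for r in synth_records("alice", d, analyst)]
    history += [r for d in range(1, 6) for r in synth_records("bob", d, dba)]
    centroids = fit_centroids(aggregate(history, start, end),
                              {"alice": "analyst", "bob": "dba"})
    # Constructed evaluation period: carol keeps the analyst pattern; mallory
    # switches to a dba-like pattern on day 4 and bulk-exports on day 5.
    current = [r for d in range(1, 6) for r in synth_records("carol", d, analyst)]
    current += [r for d in range(1, 4) for r in synth_records("mallory", d, analyst)]
    current += synth_records("mallory", 4, dba)
    current += synth_records("mallory", 5, {"crm": 1, "db": 30, "export": 40})
    table = aggregate(current, start, end)
    return centroids, {u: score_user(f, centroids) for u, f in table.items()}


if __name__ == "__main__":
    centroids, results = run_example()
    for role, centre in centroids.items():
        print(f"{role:8s} centre {centre}")
    for user, reasons in results.items():
        print(user, "SUSPECT" if reasons else "ok", reasons)
```

The overlapping frames matter for the role-drift check: a frame that straddles the day on which mallory changes pattern sits between the two centres, so the first clear reclassification lands on the first full day of the new behaviour rather than on a half-day artefact. Raw Euclidean distance on counts is used for brevity; a production model would at least standardise each feature so that a large export count does not dominate the role assignment.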