Modeling user access to computer resources

US 8,214,364 B2
Filed: 05/21/2008
Issued: 07/03/2012
Est. Priority Date: 05/21/2008
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method to model user access to computer resources, the method comprising:

collecting a first set of log records documenting user actions in accessing the computer resources during a first time interval;

aggregating the first set of log records at one or more chronological levels;

generating, by operation of one or more computer processors, a model of user behavior by running one or more selected model types using data associated with one or more attributes selected from the first set of log records, wherein the data is aggregated into one or more mining tables according to the one or more chronological levels, and further using at least one algorithm parameter selected for the one or more model types, wherein the generated model includes a plurality of clusters of the selected one or more model types, wherein each cluster is associated with a distinct, respective authorized user role that is authorized to access the computer resources, wherein each cluster characterizes a distinct, legitimate pattern with which any user of the respective authorized user role is expected to access the computer resources, wherein the generated model comprises at least one of a classification model, a clustering model, and an association rule model, wherein the clustering model comprises at least one of a distribution-based clustering model and a center-based clustering model; and

scoring, based on the generated model and at least one scoring rule, a set of user actions to determine whether the set of actions is suspect, wherein the at least one scoring rule comprises at least one of a first scoring rule specifying to score the user against the plurality of clusters, a second scoring rule specifying to adjust one or more chronological levels at which the set of actions is aggregated, and a third scoring rule specifying that the one or more chronological levels at which the set of actions is aggregated include a plurality of overlapping time frames;

wherein the set of actions is determined to be suspect based on at least one of;

(i) the set of user actions being classified by the generated model as characterizing a first authorized user role at a first point in time and characterizing a second authorized user role at a second point in time subsequent to the first point in time, wherein the second authorized user role is different from the first authorized user role;

(ii) a resource access frequency monitored for the second authorized user role exceeding the resource access frequency monitored for the first authorized user role by at least a predetermined, user-specified amount, and wherein the resource access frequency characterizes a frequency of accessing one or more computer resources; and

(iii) the set of actions satisfying one or more inference rules for identifying user behavior likely to cause data loss.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Embodiments of the invention provide a method for detecting changes in behavior of authorized users of computer resources and reporting the detected changes to the relevant individuals. The method includes evaluating actions performed by each user against user behavioral models and business rules. As a result of the analysis, a subset of users may be identified and reported as having unusual or suspicious behavior. In response, the management may provide feedback indicating that the user behavior is due to the normal expected business needs or that the behavior warrants further review. The management feedback is available for use by machine learning algorithms to improve the analysis of user actions over time. Consequently, investigation of user actions regarding computer resources is facilitated and data loss is prevented more efficiently relative to the prior art approaches with only minimal disruption to the ongoing business processes.

192 Citations

24 Claims

1. A computer-implemented method to model user access to computer resources, the method comprising:
- collecting a first set of log records documenting user actions in accessing the computer resources during a first time interval;
  
  aggregating the first set of log records at one or more chronological levels;
  
  generating, by operation of one or more computer processors, a model of user behavior by running one or more selected model types using data associated with one or more attributes selected from the first set of log records, wherein the data is aggregated into one or more mining tables according to the one or more chronological levels, and further using at least one algorithm parameter selected for the one or more model types, wherein the generated model includes a plurality of clusters of the selected one or more model types, wherein each cluster is associated with a distinct, respective authorized user role that is authorized to access the computer resources, wherein each cluster characterizes a distinct, legitimate pattern with which any user of the respective authorized user role is expected to access the computer resources, wherein the generated model comprises at least one of a classification model, a clustering model, and an association rule model, wherein the clustering model comprises at least one of a distribution-based clustering model and a center-based clustering model; and
  
  scoring, based on the generated model and at least one scoring rule, a set of user actions to determine whether the set of actions is suspect, wherein the at least one scoring rule comprises at least one of a first scoring rule specifying to score the user against the plurality of clusters, a second scoring rule specifying to adjust one or more chronological levels at which the set of actions is aggregated, and a third scoring rule specifying that the one or more chronological levels at which the set of actions is aggregated include a plurality of overlapping time frames;
  
  wherein the set of actions is determined to be suspect based on at least one of;
  
  (i) the set of user actions being classified by the generated model as characterizing a first authorized user role at a first point in time and characterizing a second authorized user role at a second point in time subsequent to the first point in time, wherein the second authorized user role is different from the first authorized user role;
  
  (ii) a resource access frequency monitored for the second authorized user role exceeding the resource access frequency monitored for the first authorized user role by at least a predetermined, user-specified amount, and wherein the resource access frequency characterizes a frequency of accessing one or more computer resources; and
  
  (iii) the set of actions satisfying one or more inference rules for identifying user behavior likely to cause data loss.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein each record in the first set of log records includes a user identification (ID) indicating that the record is associated with actions of the user.
  - 3. The method of claim 2, wherein each record in the first set of log records is assigned to one of the clusters.
  - 4. The method of claim 1, wherein the one or more model types comprise a distribution-based clustering model, a center-based clustering model, and/or an association rule model.
  - 5. The method of claim 1, wherein the at least one algorithm parameter comprises at least one of learning rate, number of clusters, and similarity measure.
  - 6. The method of claim 1, wherein generating the model of user behavior further comprises performing a test procedure to validate the model of user behavior.
  - 7. The method of claim 6, wherein the test procedure comprises performing statistical analysis of predictive and generalization capabilities of the model of user behavior.
  - 8. The method of claim 1, wherein the computer resources comprise computer source code.

9. A computer-readable storage medium storing a computer program which, when executed by a processor, performs an operation to model user access to computer resources, the operation comprising:
- collecting a first set of log records documenting user actions in accessing the computer resources during a first time interval;
  
  aggregating the first set of log records at one or more chronological levels;
  
  selecting one or more model types; and
  
  generating, by operation of one or more computer processors when executing the computer program, the model of user behavior by running one or more selected model types using data associated with one or more attributes selected from the first set of log records, wherein the data is aggregated into one or more mining tables according to the one or more chronological levels, and further using at least one algorithm parameter selected for the one or more model types, wherein the generated model includes a plurality of clusters of the selected one or more model types, wherein each cluster is associated with a distinct, respective authorized user role that is authorized to access the computer resources, wherein each cluster characterizes a distinct, legitimate pattern with which any user of the respective authorized user role is expected to access the computer resources, wherein the generated model comprises at least one of a classification model, a clustering model, and an association rule model, wherein the clustering model comprises at least one of a distribution-based clustering model and a center-based clustering model; and
  
  scoring, based on the generated model and at least one scoring rule, a set of user actions to determine whether the set of actions is suspect, wherein the at least one scoring rule comprises at least one of a first scoring rule specifying to score the user against the plurality of clusters, a second scoring rule specifying to adjust one or more chronological levels at which the set of actions is aggregated, and a third scoring rule specifying that the one or more chronological levels at which the set of actions is aggregated include a plurality of overlapping time frames;
  
  wherein the set of actions is determined to be suspect based on at least one of;
  
  (i) the set of user actions being classified by the generated model as characterizing a first authorized user role at a first point in time and characterizing a second authorized user role at a second point in time subsequent to the first point in time, wherein the second authorized user role is different from the first authorized user role;
  
  (ii) a resource access frequency monitored for the second authorized user role exceeding the resource access frequency monitored for the first authorized user role by at least a predetermined, user-specified amount, and wherein the resource access frequency characterizes a frequency of accessing one or more computer resources; and
  
  (iii) the set of actions satisfying one or more inference rules for identifying user behavior likely to cause data loss.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The computer-readable storage medium of claim 9, wherein each record in the first set of log records includes a user identification (ID) indicating that the record is associated with actions of the user.
  - 11. The computer-readable storage medium of claim 10, wherein each record in the first set of log records is assigned to one of the clusters.
  - 12. The computer-readable storage medium of claim 9, wherein the one or more model types comprise a distribution-based clustering model, a center-based clustering model, and/or an association rule model.
  - 13. The computer-readable storage medium of claim 9, wherein the at least one algorithm parameter comprises at least one of learning rate, number of clusters, and similarity measure.
  - 14. The computer-readable storage medium of claim 9, wherein generating the model of user behavior further comprises performing a test procedure to validate the model of user behavior.
  - 15. The computer-readable storage medium of claim 14, wherein the test procedure comprises performing statistical analysis of predictive and generalization capabilities of the model of user behavior.
  - 16. The computer-readable storage medium of claim 9, wherein the computer resources comprise computer source code.

17. A system, comprising:
- a processor; and
  
  a memory containing a program, which when executed by the processor is configured to perform an operation to model user access to computer resources, the operation comprising;
  
  collecting a first set of log records documenting user actions in accessing the computer resources during a first time interval;
  
  aggregating the first set of log records at one or more chronological levels;
  
  generating a model of user behavior by running one or more selected model types using data associated with one or more attributes selected from the first set of log records, wherein the data is aggregated into one or more mining tables according to the one or more chronological levels, and further using at least one algorithm parameter selected for the one or more model types, wherein the generated model includes a plurality of clusters of the selected one or more model types, wherein each cluster is associated with a distinct, respective authorized user role that is authorized to access the computer resources, wherein each cluster characterizes a distinct, legitimate pattern with which any user of the respective authorized user role is expected to access the computer resources, wherein the generated model comprises at least one of a classification model, a clustering model, and an association rule model, wherein the clustering model comprises at least one of a distribution-based clustering model and a center-based clustering model; and
  
  scoring, based on the generated model and at least one scoring rule, a set of user actions to determine whether the set of actions is suspect, wherein the at least one scoring rule comprises at least one of a first scoring rule specifying to score the user against the plurality of clusters, a second scoring rule specifying to adjust one or more chronological levels at which the set of actions is aggregated, and a third scoring rule specifying that the one or more chronological levels at which the set of actions is aggregated include a plurality of overlapping time frames;
  
  wherein the set of actions is determined to be suspect based on at least one of;
  
  (i) the set of user actions being classified by the generated model as characterizing a first authorized user role at a first point in time and characterizing a second authorized user role at a second point in time subsequent to the first point in time, wherein the second authorized user role is different from the first authorized user role;
  
  (ii) a resource access frequency monitored for the second authorized user role exceeding the resource access frequency monitored for the first authorized user role by at least a predetermined, user-specified amount, and wherein the resource access frequency characterizes a frequency of accessing one or more computer resources; and
  
  (iii) the set of actions satisfying one or more inference rules for identifying user behavior likely to cause data loss.
- View Dependent Claims (18, 19, 20, 21, 22, 23, 24)
- - 18. The system of claim 17, wherein each record in the first set of log records includes a user identification (ID) indicating that the record is associated with actions of the user.
  - 19. The system of claim 18, each record in the first set of log records is assigned to one of the clusters.
  - 20. The system of claim 17, wherein the one or more model types comprise a distribution-based clustering model, a center-based clustering model, and/or an association rule model.
  - 21. The system of claim 17, wherein the at least one algorithm parameter comprises at least one of learning rate, number of clusters, and similarity measure.
  - 22. The system of claim 17, wherein generating the model of user behavior further comprises performing a test procedure to validate the model of user behavior.
  - 23. The system of claim 22, wherein the test procedure comprises performing statistical analysis of predictive and generalization capabilities of the model of user behavior.
  - 24. The system of claim 17, wherein the computer resources comprise computer source code.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Taiwan Semiconductor Manufacturing Company Limited
Original Assignee
International Business Machines Corporation
Inventors
Bigus, Joseph P., Gong, Leon, Lingenfelder, Christoph
Primary Examiner(s)
Vo, Tim T
Assistant Examiner(s)
OWYANG, MICHELLE N

Application Number

US12/124,274
Publication Number

US 20090292743A1
Time in Patent Office

1,504 Days
Field of Search

None
US Class Current

707/737
CPC Class Codes

G06F 21/316 by observing the pattern of...

G06F 21/552 involving long-term monitor...

Modeling user access to computer resources

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

192 Citations

24 Claims

Specification

Use Cases

Quick Links

Others

Modeling user access to computer resources

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

192 Citations

24 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others