System and method of automatically detecting outliers in usage patterns

US 9,064,097 B2
Filed: 06/06/2012
Issued: 06/23/2015
Est. Priority Date: 06/06/2012
Status: Active Grant

First Claim

Patent Images

1. A system for detecting an outlier in a usage pattern, comprising:

a computer system operating on one or more microprocessors and accessible to perform an operation, the computer system including an audit forensics engine having an outlier detection module and a pattern recognition module;

wherein when an instance occurs where the operation is performed, audit trail data are captured related to the operation;

wherein the pattern recognition module statistically analyzes audit trail data related to previous instances when the operation was performed on the content item to generate a content usage pattern; and

wherein the outlier detection module determines for the instance where the operation is performed whether the instance is an outlier in the content usage pattern based on a comparison of the audit trail data associated with the instance to the content usage pattern.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for detecting an outlier in a usage pattern comprises a computer accessible to perform an operation. The system includes an audit forensics engine having an outlier detection module. When an instance occurs where the operation is performed, audit trail data is captured related to the operation. The outlier detection module determines for the instance where the operation is performed whether the instance is an outlier in a usage pattern based on a comparison of the audit trail data to the usage pattern.

17 Citations

View as Search Results

17 Claims

1. A system for detecting an outlier in a usage pattern, comprising:
- a computer system operating on one or more microprocessors and accessible to perform an operation, the computer system including an audit forensics engine having an outlier detection module and a pattern recognition module;
  
  wherein when an instance occurs where the operation is performed, audit trail data are captured related to the operation;
  
  wherein the pattern recognition module statistically analyzes audit trail data related to previous instances when the operation was performed on the content item to generate a content usage pattern; and
  
  wherein the outlier detection module determines for the instance where the operation is performed whether the instance is an outlier in the content usage pattern based on a comparison of the audit trail data associated with the instance to the content usage pattern.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The system of claim 1, wherein:
    - the computer system is a content management system accessible to perform an operation on a content item;
      
      the operation is performed on the content item; and
      
      the outlier detection module determines for the instance where the operation is performed on the content item whether the instance is an outlier based on a comparison of the audit trail data to a content usage pattern of the content item.
  - 3. The system of claim 1, wherein:
    - the computer system is system management accessible to changes in modules of the system management;
      
      the operation is performed on a module; and
      
      the outlier detection module determines for the instance where the operation is performed on the module whether the instance is an outlier based on a comparison of the audit trail data to a usage pattern of the module.
  - 4. The system of claim 2, wherein the content management system includes a content policy file;
    - wherein the content policy file includes rules; and
      
      wherein the content usage pattern is determined based on one or both of the analysis of the pattern recognition module and the rules of the content policy file.
  - 5. The system of claim 2, further comprising:
    - a reporting mechanism for reporting an outlier to a responsible party; and
      
      a feedback loop for modifying the pattern recognition module so that outliers having substantially the same audit trail data, which are part of a white list, are not reported by the reporting mechanism.
  - 6. The system of claim 2, further comprising:
    - wherein the content management system is accessed by a user using a computer, or any computing device such as a tablet personal computer (PC), smart phone to perform an operation on a content item;
      
      wherein the content management system further includes a content policy file;
      
      wherein the content policy file includes rules; and
      
      wherein the outlier detection module determines for the instance where the operation is performed on the content item whether the instance is an outlier in a content usage pattern based on a comparison of the audit trail data to a content usage pattern of the content item;
      
      wherein the content usage pattern is determined based on one or both of the analysis of the pattern recognition module and the rules of the content policy file.

7. A method of detecting an outlier in a usage pattern in a computer system operating on one or more microprocessors, comprising the steps of:
- receiving an instruction to perform an operation;
  
  accessing the computer system including an audit forensic engine having an outlier detection module and a pattern recognition module;
  
  performing the operation;
  
  capturing audit trail data related to the operation;
  
  statistically analyzing audit trail data related to previous instances when the operation was performed to generate a usage pattern;
  
  comparing the audit trail data related to the operation to the usage pattern; and
  
  determining based on the comparison whether the instance is an outlier in the usage pattern.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The method of claim 7, wherein:
    - the computer system is a content management system accessible to perform an operation on a content item;
      
      the instruction received is to perform an operation on a content item;
      
      the operation is performed on the content item; and
      
      the captured audit trail data is compared to a content usage pattern of the content item.
  - 9. The method of claim 7, wherein:
    - the computer system is system management accessible to changes in modules of the system management;
      
      the instruction received is to perform an operation on a module; and
      
      the operation is performed on the module;
      
      the captured audit trail data is compared to a usage pattern of the module.
  - 10. The method of claim 8, wherein the content management system includes a content policy file;
    - and further comprising;
      
      one or both ofdetermining the content usage pattern based on the analysis of the pattern; and
      
      determining the content usage pattern based on the content policy file.
  - 11. The method of claim 8, wherein the content management system includes an audit framework, a content repository storing the content item, and an audit repository for storing audit trail data;
    - and further comprising;
      
      accessing the content item from the content repository prior to performing the operation on the content item;
      
      retrieving audit trail data related to previous instances prior to analyzing audit trail data related to previous instances;
      
      storing the audit trail data related to the operation in the audit repository; and
      
      notifying a content administrator of the content item when the content item is determined to be an outlier.
  - 12. The method of claim 11, further comprising:
    - receiving from the content administrator feedback that the outlier is an acceptable business activity and thereby part of a white list;
      
      modifying one or both of the pattern recognition module and the content policy file so that the content administrator is not notified when instances having substantially the same audit trail data are determined to be outliers.

13. A non-transitory computer readable storage medium, including instructions stored thereon, which when read and executed by one or more microprocessors cause the one or more microprocessors to perform the steps comprising:
- receiving an instruction to perform an operation;
  
  accessing a computer system including an audit forensic engine having an outlier detection module and a pattern recognition module;
  
  performing the operation;
  
  capturing audit trail data related to the operation;
  
  statistically analyzing audit trail data related to previous instances when the operation was performed to generate a usage pattern;
  
  comparing the audit trail data related to the operation to the usage pattern; and
  
  determining based on the comparison whether the instance is an outlier in the usage pattern.
- View Dependent Claims (14, 15, 16, 17)
- - 14. The non-transitory computer readable storage medium of claim 13, wherein:
    - the computer system is a content management system accessible to perform an operation on a content item;
      
      the instruction received is to perform an operation on a content item;
      
      the operation is performed on the content item; and
      
      the captured audit trail data is compared to a content usage pattern of the content item.
  - 15. The non-transitory computer readable storage medium of claim 13, wherein:
    - the computer system is system management accessible to changes in modules of the system management;
      
      the instruction received is to perform an operation on a module; and
      
      the operation is performed on the module;
      
      the captured audit trail data is compared to a usage pattern of the module.
  - 16. The non-transitory computer readable storage medium of claim 14, wherein when the content management system includes a content policy file defining the content usage pattern, the non-transitory computer readable storage medium further includes instructions stored thereon, which when read and executed by one or more microprocessors cause the one or more microprocessors to perform the steps further comprising:
    - one or both ofdetermining the content usage pattern based on the analysis of the pattern; and
      
      determining the content usage pattern based on the content policy file.
  - 17. The non-transitory computer readable storage medium of claim 14, wherein when the content management system includes an audit framework, a content repository storing the content item, and an audit repository for storing audit trail data, the non-transitory computer readable storage medium further includes instructions stored thereon, which when read and executed by one or more microprocessors cause the one or more microprocessors to perform the steps further comprising:
    - accessing the content item from the content repository prior to performing the operation on the content item;
      
      retrieving audit trail data related to previous instances prior to analyzing audit trail data related to previous instances;
      
      storing the audit trail data related to the operation in the audit repository; and
      
      notifying a content administrator of the content item when the content item is determined to be an outlier.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle International Corporation (Oracle Corporation)
Original Assignee
Oracle International Corporation (Oracle Corporation)
Inventors
Sambamurthy, Govinda Raj
Primary Examiner(s)
REVAK, CHRISTOPHER A

Application Number

US13/490,069
Publication Number

US 20130333046A1
Time in Patent Office

1,112 Days
Field of Search

726/26
US Class Current

1/1
CPC Class Codes

G06F 21/10 Protecting distributed prog...

System and method of automatically detecting outliers in usage patterns

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

17 Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

System and method of automatically detecting outliers in usage patterns

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

17 Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links