Anomalous activity detection
First Claim
1. A system comprising:
- a processor in operative communication with at least one memory storing computer executable instructions that, when executed, cause the system to perform a method comprising:
  - receiving a determination relating to a plurality of controls being monitored in relation to activity events of a plurality of user accounts, wherein the controls are determined based upon detecting or receiving information regarding capabilities of one or more security applications;
  - receiving, from multiple data feeds, information regarding a plurality of activity events associated with at least one user account from the plurality of user accounts and conducted during a first time period;
  - identifying information relating to the plurality of user accounts;
  - organizing at least a portion of the plurality of user accounts into a group based upon information relating to the user accounts; and
  - receiving identification information associated with a responsible account that is responsible for a plurality of user accounts;
  - storing an output of a reports analysis engine;
  - detecting duplicate activity events that exist without technical or human error from the information to create de-duplicated activity events, creating de-duplicated activity events including removing a detected duplicate activity event, and generating data comprising comma separated values, each value representing a plurality of duplicative activity events organized into an aggregate event;
  - enriching the de-duplicated activity events with enrichment criteria from an updatable repository to create enriched activity events;
  - comparing known patterns relating to one or more user accounts stored in a repository to the information of the de-duplicated activity events, excluding at least a portion of the de-duplicated activity events and enriching at least a portion of the de-duplicated activity events; and
  - determining whether to escalate an activity event processed by an enrichment module to a notification.
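The processing chain claim 1 recites (de-duplicate, aggregate duplicates into CSV rows, enrich from an updatable repository, exclude known patterns, escalate against per-group control thresholds), as an added example that is not part of the patent. The two feeds, the account repository, the known patterns and the thresholds are constructed sample data; events are treated as duplicates only when every field matches exactly.

```python
import csv
import io
from collections import Counter

FIELDS = ("user", "action", "src", "ts")
# Constructed sample input: two feeds (say an EDR agent and a SIEM forwarder) both report the
# same sign-in activity, so exact duplicates are expected rather than a technical error.
FEED_A = [
    {"user": "alice", "action": "login_fail", "src": "10.0.0.5", "ts": "2024-01-01T08:00:00"},
    {"user": "alice", "action": "login_fail", "src": "10.0.0.5", "ts": "2024-01-01T08:00:05"},
    {"user": "svc_backup", "action": "file_read", "src": "10.0.0.9", "ts": "2024-01-01T02:00:00"},
]
FEED_B = FEED_A + [{"user": "bob", "action": "login_fail", "src": "10.0.0.7", "ts": "2024-01-01T09:00:00"}]
# Updatable repository: account -> group and responsible (owner) account, used for enrichment.
ACCOUNT_REPO = {"alice": {"group": "finance", "owner": "mgr_finance"},
                "bob": {"group": "engineering", "owner": "mgr_eng"},
                "svc_backup": {"group": "service", "owner": "it_ops"}}
# Known patterns (user, action, source) treated as routine and excluded from escalation.
KNOWN_PATTERNS = {("svc_backup", "file_read", "10.0.0.9")}
# Per-group controls: escalate once the count of an action in the period reaches the threshold.
CONTROLS = {"finance": {"login_fail": 2}, "engineering": {"login_fail": 5}}

def deduplicate(*feeds):
    """Collapse identical events across feeds; emit one CSV row per aggregate event."""
    counts = Counter(tuple(e[f] for f in FIELDS) for feed in feeds for e in feed)
    unique = [dict(zip(FIELDS, k)) for k in counts]
    buf = io.StringIO()
    writer = csv.writer(buf)
    for k, n in counts.items():
        if n > 1:
            writer.writerow([*k, n])  # last column: number of copies merged into this event
    return unique, buf.getvalue()

def enrich(events, repo):
    """Attach group and responsible account from the repository ("unknown" if absent)."""
    return [{**e, **repo.get(e["user"], {"group": "unknown", "owner": None})} for e in events]

def exclude_known(events, patterns):
    return [e for e in events if (e["user"], e["action"], e["src"]) not in patterns]

def escalate(events, controls):
    """One notification per (user, action) whose count meets the group's control threshold."""
    per_user = Counter((e["user"], e["group"], e["owner"], e["action"]) for e in events)
    return [{"user": u, "owner": o, "action": a, "count": n}
            for (u, g, o, a), n in per_user.items()
            if n >= controls.get(g, {}).get(a, float("inf"))]

def run(feeds, repo=ACCOUNT_REPO, patterns=KNOWN_PATTERNS, controls=CONTROLS):
    unique, aggregate_csv = deduplicate(*feeds)
    return escalate(exclude_known(enrich(unique, repo), patterns), controls), aggregate_csv
```

With the sample data, only alice's two failed logins reach the finance threshold and produce a notification addressed to her responsible account; the backup service account's routine read is excluded by the known pattern, and bob stays under the engineering threshold.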
Abstract
The disclosure addresses the detection of anomalous activity. Some embodiments are directed towards a system for receiving an indication relating to a plurality of controls, identification information associated with a responsible account, and instructions from a responsible account associated with the monitoring of thresholds of controls being monitored. The plurality of user accounts may be organized into groups based upon information relating to the user accounts, and instructions may be applied to the groups to create a dynamic security policy.
4 Claims