Detecting anomalous activity from accounts of an online service

US 9,210,183 B2
Filed: 12/19/2013
Issued: 12/08/2015
Est. Priority Date: 12/19/2013
Status: Active Grant

First Claim

Patent Images

1. A method for detecting anomalous activity in an online service, comprising:

accessing a baseline profile comprising past event information related to a plurality of past events, wherein each past event in the plurality of past events originates from at least one account of the online service;

calculating a first past event frequency for a first past event, wherein the first past event frequency is determined in relation to the other past events in the plurality of past events;

calculating a second past event frequency for a second past event, wherein the second past event frequency is determined in relation to the other past events in the plurality of past events;

accessing a recent profile comprising recent event information related to recent events that originate from accounts of the online service;

calculating a first recent event frequency for a first recent event in the recent events, wherein the first recent event frequency is determined in relation to the other recent events;

calculating a second recent event frequency for a second recent, wherein the second recent event frequency is determined in relation to other recent events determining that the first past event occurs at a higher frequency than the first recent event;

determining that the second past event occurs at a lower frequency than the second recent event; and

generating a report, wherein the report includes information related to the first past event occurring at the higher frequency than the first recent event and the second past event occurring at the lower frequency than the second recent event.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Anomalous activity is detected using event information that is received from accounts from within an online service. Generally, anomalous activity is detected by comparing a baseline profile that includes past event information for accounts of the online service with a recent profile that includes recent event information for the accounts. Anomalous activity is detected when the recent profile shows that one or more events are occurring more frequently as compared to the occurrence of the event the associated baseline profile. The events that are recorded and used in the anomaly detection may include all or a portion of events that are monitored by the online service. One or more reports may also be automatically generated and provided to one or more users to show activity that may be considered anomalous activity.

48 Citations

View as Search Results

20 Claims

1. A method for detecting anomalous activity in an online service, comprising:
- accessing a baseline profile comprising past event information related to a plurality of past events, wherein each past event in the plurality of past events originates from at least one account of the online service;
  
  calculating a first past event frequency for a first past event, wherein the first past event frequency is determined in relation to the other past events in the plurality of past events;
  
  calculating a second past event frequency for a second past event, wherein the second past event frequency is determined in relation to the other past events in the plurality of past events;
  
  accessing a recent profile comprising recent event information related to recent events that originate from accounts of the online service;
  
  calculating a first recent event frequency for a first recent event in the recent events, wherein the first recent event frequency is determined in relation to the other recent events;
  
  calculating a second recent event frequency for a second recent, wherein the second recent event frequency is determined in relation to other recent events determining that the first past event occurs at a higher frequency than the first recent event;
  
  determining that the second past event occurs at a lower frequency than the second recent event; and
  
  generating a report, wherein the report includes information related to the first past event occurring at the higher frequency than the first recent event and the second past event occurring at the lower frequency than the second recent event.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein the past event information and the recent event information comprises security events of the online service.
  - 3. The method of claim 1, wherein the recent profile comprises recent event information that occurs from between a few hours and a day of activity related data.
  - 4. The method of claim 1, further comprising periodically accessing event information from accounts of the online service and updating the baseline profile and the recent profile using the accessed information.
  - 5. The method of claim 1, wherein determining that the first past event occurs at the higher frequency than the first recent event includes setting a weight.
  - 6. The method of claim 1, wherein the baseline profile and the recent profile comprises event information that is obtained from operator accounts that have permissions to create, modify, and delete accounts for users.
  - 7. The method of claim 1, further comprising receiving configuration information relating to configuring events to monitor and include in the recent profile and the baseline profile.
  - 8. The method of claim 1, wherein reporting the anomalous activity when detected comprises automatically creating a report that ranks each account being monitored according to a detected level of anomalous activity and displaying more detailed information relating to the anomalous activity of at least one of the accounts when determined.

9. A computer-readable storage device storing computer-executable instructions for detecting anomalous activity in an online service, comprising:
- accessing a baseline profile comprising past event information related to a first category of event and a second category of event, wherein each event in the first category and each event in the second category originates from accounts of the online service;
  
  calculating the ratio between the occurrence of each event in the first category to the occurrence of each event in the second category of event to form a baseline frequency;
  
  accessing a recent profile comprising recent event information that originated within a last day from an account of the online service, wherein the recent event information comprises a first plurality of events, wherein each event of the first plurality of events is categorized as the first category of event;
  
  wherein the recent event information comprises a second plurality of events, wherein each event in the second plurality of events is categorized as the second category of events;
  
  calculating the ratio between each event in the first plurality of events to the occurrence of each event in the second plurality of events to form a recent event frequency;
  
  comparing the baseline frequency with the recent event frequency;
  
  determining that the baseline frequency is different than the recent event frequency; and
  
  reporting an indication that the baseline frequency and the recent event frequency are different.
- View Dependent Claims (10, 11, 12, 13, 14, 19)
- - 10. The computer-readable storage device of claim 9, further comprising periodically accessing a system log to obtain event information from the accounts of the online service and updating the baseline profile and the recent profile using the accessed information.
  - 11. The computer-readable storage device of claim 9, further comprising associating a weight with each of the events that are included in the baseline profile, wherein the weights affect how much an occurrence of the event is used in calculating the baseline frequency.
  - 12. The computer-readable storage device of claim 9, wherein the baseline profile comprises past event information from operator accounts.
  - 13. The computer-readable storage device of claim 9, further comprising displaying a Graphical User Interface (GUI) and receiving configuration information relating to configuring the events from the GUI.
  - 14. The computer-readable storage device of claim 9, wherein reporting comprises automatically creating a report and delivering the report and displaying more detailed information relating to at least one of the accounts in response to a selection of an account within the report.
  - 19. The computer-readable storage medium of claim 9, wherein the first category of event is a permission change and the second category of events is logging onto the online service.

15. A system for detecting anomalous activity in an online service, comprising:
- a processor and memory;
  
  an operating environment executing using the processor; and
  
  an anomaly detector that is configured to perform actions comprising;
  
  accessing a baseline profile comprising past event information related to a first category of event and a second category of event, wherein each event in the first category and each event in the second category originates from accounts of the online service;
  
  comparing the first category of event to the second category of event to form a baseline frequency;
  
  accessing a recent profile comprising recent event information, wherein the recent event information comprises a first plurality of events, wherein each event of the first plurality of events is categorized as the first category of event;
  
  wherein the recent event information comprises a second plurality of events, wherein each event in the second plurality of events is categorized as the second category of event;
  
  comparing the first plurality of events and the second plurality of events to form a recent event frequency;
  
  comparing the baseline frequency with the recent event frequency; and
  
  reporting activity that is an anomaly based on the comparison between the baseline frequency and the recent event frequency.
- View Dependent Claims (16, 17, 18, 20)
- - 16. The system of claim 15, further comprising periodically accessing a system log to obtain event information from accounts of the online service and updating the baseline profile and the recent profile using the accessed information.
  - 17. The system of claim 15, further comprising associating a weight with each of the events that are included in the baseline profile.
  - 18. The system of claim 15, further comprising displaying a Graphical User Interface (GUI) and receiving configuration information relating to configuring the events from the GUI.
  - 20. The system of claim 15, wherein the first category of event is a permission change and the second category of events is logging onto the online service.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Inventors
Sadovsky, Art, Sharma, Vivek, Rajagopalan, Rajmohan, Lalkaka, Rustam, Macleod, Alexander
Primary Examiner(s)
RAHIM, MONJUR

Application Number

US14/134,575
Publication Number

US 20150180894A1
Time in Patent Office

719 Days
Field of Search

726/22
US Class Current

1/1
CPC Class Codes

G06F 3/0481   based on specific propertie...

G06Q 20/4016   involving fraud or risk lev...

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 67/306   User profiles

H04L 67/535   Tracking the activity of th...

H04W 12/12   Detection or prevention of ...

Detecting anomalous activity from accounts of an online service

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

48 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Detecting anomalous activity from accounts of an online service

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

48 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links