Detecting anomalous activity from accounts of an online service
Abstract
Anomalous activity is detected using event information that is received from accounts within an online service. Generally, anomalous activity is detected by comparing a baseline profile that includes past event information for accounts of the online service with a recent profile that includes recent event information for the accounts. Anomalous activity is detected when the recent profile shows that one or more events are occurring more frequently compared with the occurrence of that event in the associated baseline profile. The events that are recorded and used in the anomaly detection may include all or a portion of the events that are monitored by the online service. One or more reports may also be automatically generated and provided to one or more users to show activity that may be considered anomalous.
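The comparison described in the abstract can be sketched as follows. This is an added example, not code from the patent: the event names and counts are constructed, and the `min_ratio` threshold and the `floor` used for event types missing from one profile are assumptions chosen for illustration.

```python
from collections import Counter

def relative_frequencies(events):
    """Share of each event type among all events in one profile."""
    counts = Counter(events)
    total = sum(counts.values())
    return {name: n / total for name, n in counts.items()} if total else {}

def compare_profiles(baseline_events, recent_events, min_ratio=2.0, floor=1e-3):
    """Report event types whose share moved by at least min_ratio, up or down.

    floor (assumed) stands in for the share of an event type absent from one
    profile, so a never-before-seen event gives a large finite ratio.
    """
    base = relative_frequencies(baseline_events)
    recent = relative_frequencies(recent_events)
    rows = []
    for name in set(base) | set(recent):
        b = max(base.get(name, 0.0), floor)
        r = max(recent.get(name, 0.0), floor)
        ratio = r / b
        if ratio >= min_ratio:
            direction = "more_frequent"
        elif ratio <= 1 / min_ratio:
            direction = "less_frequent"
        else:
            continue  # within the tolerated band, not reported
        deviation = max(ratio, 1 / ratio)
        rows.append((deviation, {"event": name, "direction": direction,
                                 "baseline": round(b, 4), "recent": round(r, 4)}))
    # Largest deviation first, regardless of direction.
    rows.sort(key=lambda item: item[0], reverse=True)
    return [row for _, row in rows]

# Constructed sample profiles (event type per recorded account action).
BASELINE = (["login_success"] * 900 + ["mail_send"] * 80
            + ["login_failure"] * 15 + ["password_reset"] * 5)
RECENT = (["login_success"] * 40 + ["mail_send"] * 8 + ["login_failure"] * 45
          + ["password_reset"] * 6 + ["mailbox_export"] * 1)

if __name__ == "__main__":
    for row in compare_profiles(BASELINE, RECENT):
        print(row)
```

Because each frequency is taken relative to the other events in the same profile, a quiet day with the usual mix of events produces no report, while a shift in the mix does even when total volume is low.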
20 Claims
1. A method for detecting anomalous activity in an online service, comprising:
- accessing a baseline profile comprising past event information related to a plurality of past events, wherein each past event in the plurality of past events originates from at least one account of the online service;
- calculating a first past event frequency for a first past event, wherein the first past event frequency is determined in relation to the other past events in the plurality of past events;
- calculating a second past event frequency for a second past event, wherein the second past event frequency is determined in relation to the other past events in the plurality of past events;
- accessing a recent profile comprising recent event information related to recent events that originate from accounts of the online service;
- calculating a first recent event frequency for a first recent event in the recent events, wherein the first recent event frequency is determined in relation to the other recent events;
- calculating a second recent event frequency for a second recent, wherein the second recent event frequency is determined in relation to other recent events;
- determining that the first past event occurs at a higher frequency than the first recent event;
- determining that the second past event occurs at a lower frequency than the second recent event; and
- generating a report, wherein the report includes information related to the first past event occurring at the higher frequency than the first recent event and the second past event occurring at the lower frequency than the second recent event.
Dependent claims: 2, 3, 4, 5, 6, 7, 8.
9. A computer-readable storage device storing computer-executable instructions for detecting anomalous activity in an online service, comprising:
- accessing a baseline profile comprising past event information related to a first category of event and a second category of event, wherein each event in the first category and each event in the second category originates from accounts of the online service;
- calculating the ratio between the occurrence of each event in the first category to the occurrence of each event in the second category of event to form a baseline frequency;
- accessing a recent profile comprising recent event information that originated within a last day from an account of the online service, wherein the recent event information comprises a first plurality of events, wherein each event of the first plurality of events is categorized as the first category of event; wherein the recent event information comprises a second plurality of events, wherein each event in the second plurality of events is categorized as the second category of events;
- calculating the ratio between each event in the first plurality of events to the occurrence of each event in the second plurality of events to form a recent event frequency;
- comparing the baseline frequency with the recent event frequency;
- determining that the baseline frequency is different than the recent event frequency; and
- reporting an indication that the baseline frequency and the recent event frequency are different.
Dependent claims: 10, 11, 12, 13, 14, 19.
15. A system for detecting anomalous activity in an online service, comprising:
- a processor and memory;
- an operating environment executing using the processor; and
- an anomaly detector that is configured to perform actions comprising;
  - accessing a baseline profile comprising past event information related to a first category of event and a second category of event, wherein each event in the first category and each event in the second category originates from accounts of the online service;
  - comparing the first category of event to the second category of event to form a baseline frequency;
  - accessing a recent profile comprising recent event information, wherein the recent event information comprises a first plurality of events, wherein each event of the first plurality of events is categorized as the first category of event; wherein the recent event information comprises a second plurality of events, wherein each event in the second plurality of events is categorized as the second category of event;
  - comparing the first plurality of events and the second plurality of events to form a recent event frequency;
  - comparing the baseline frequency with the recent event frequency; and
  - reporting activity that is an anomaly based on the comparison between the baseline frequency and the recent event frequency.
Dependent claims: 16, 17, 18, 20.
Specification