Detecting anomalies in work practice data by combining multiple domains of information

US 9,264,442 B2
Filed: 04/26/2013
Issued: 02/16/2016
Est. Priority Date: 04/26/2013
Status: Active Grant

First Claim

Patent Images

1. A computer-executable method for multi-domain clustering, comprising:

receiving, by a computing device, from one or more computing devices over a network, domain data for at least two domains associated with users, wherein a domain is a source type describing observable activities of a plurality of users, and wherein a respective user is associated with a respective user role in an organization;

determining a hyperparameter value for a respective prior distribution of a probability distributing associated with a domain;

estimating a probability distribution for generating a multi-domain probability model;

generating a multi-domain probability model that includes variables for two or more domains, based on the hyperparameter value and the estimated probability distribution;

analyzing the domain data with the generated multi-domain probability model to assign a first user to a plurality of cluster indices associated with the first user'"'"'s corresponding user role; and

determining that an activity being performed by a second user is anomalous, based on a comparison between one or more of the second user'"'"'s cluster indices to one or more of the first user'"'"'s plurality of cluster indices.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

One embodiment of the present invention provides a system for multi-domain clustering. During operation, the system collects domain data for at least two domains associated with users, wherein a domain is a source of data describing observable activities of a user. Next, the system estimates a probability distribution for a domain associated with the user. The system also estimates a probability distribution for a second domain associated with the user. Then, the system analyzes the domain data with a multi-domain probability model that includes variables for two or more domains to determine a probability distribution of each domain associated with the probability model and to assign users to clusters associated with user roles.

Citations

20 Claims

1. A computer-executable method for multi-domain clustering, comprising:
- receiving, by a computing device, from one or more computing devices over a network, domain data for at least two domains associated with users, wherein a domain is a source type describing observable activities of a plurality of users, and wherein a respective user is associated with a respective user role in an organization;
  
  determining a hyperparameter value for a respective prior distribution of a probability distributing associated with a domain;
  
  estimating a probability distribution for generating a multi-domain probability model;
  
  generating a multi-domain probability model that includes variables for two or more domains, based on the hyperparameter value and the estimated probability distribution;
  
  analyzing the domain data with the generated multi-domain probability model to assign a first user to a plurality of cluster indices associated with the first user'"'"'s corresponding user role; and
  
  determining that an activity being performed by a second user is anomalous, based on a comparison between one or more of the second user'"'"'s cluster indices to one or more of the first user'"'"'s plurality of cluster indices.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein the domain data includes one or more of average number of e-mails, topical content of e-mail, average number of files, average number of HTTP access, addresses for HTTP access, and average number of logons.
  - 3. The method of claim 1, further comprising:
    - computing an anomaly score for a respective user for each of the domains; and
      
      computing an aggregate anomaly score for the respective user that includes weighted anomaly scores for each of the domains.
  - 4. The method of claim 1, further comprising:
    - clustering domain data for a first domain;
      
      associating a first cluster index for the first domain with a particular user;
      
      clustering domain data for a second domain;
      
      associating a second cluster index for the second domain with the particular user; and
      
      generating a discrete distribution for the particular user that includes the first cluster index and the second cluster index.
  - 5. The method of claim 4, further comprising comparing a user'"'"'s cluster indices with other users'"'"' cluster indices to determine whether the user'"'"'s activities are anomalous.
  - 6. The method of claim 4, wherein associating the first cluster index for the first domain with the particular user comprises:
    - estimating a maximum a posteriori probability cluster index for the user; and
      
      associating the user with the maximum a posteriori probability cluster index.
  - 7. The method of claim 1, wherein determining that the activity being performed by the second user is anomalous comprises:
    - generating a discrete distribution for the second user that assigns the second user to a plurality of cluster indices; and
      
      comparing the plurality of cluster indices for the second user with the plurality of cluster indices associated with the first user.

8. A non-transitory computer-readable storage medium storing instructions that when executed by a computer cause the computer to perform a method for multi-domain clustering, the method comprising:
- receiving, by a computing device, from one or more computing devices over a network, domain data for at least two domains associated with users, wherein a domain is a source type describing observable activities of a plurality of users, and wherein a respective user is associated with a respective user role in an organization;
  
  determining a hyperparameter value for a respective prior distribution of a probability distribution associated with a domain;
  
  estimating a probability distribution for generating a multi-domain probability model;
  
  generating a multi-domain probability model that includes variables for two or more domains, based on the hyperparameter value and the estimated probability distribution;
  
  analyzing the domain data with the generated multi-domain probability model to assign a first user to a plurality of cluster indices associated with the first user'"'"'s corresponding user role; and
  
  determining that an activity being performed by a second user is anomalous, based on a comparison between one or more of the second user'"'"'s cluster indices to one or more of the first user'"'"'s plurality of cluster indices.
- View Dependent Claims (9, 10, 11, 12, 13)
- - 9. The non-transitory computer-readable storage medium of claim 8, wherein the domain data includes one or more of average number of e-mails, topical content of e-mail, average number of files, average number of HTTP access, addresses for HTTP access, and average number of logons.
  - 10. The non-transitory computer-readable storage medium of claim 8, wherein the computer-readable storage medium stores additional instructions that, when executed, cause the computer to perform additional steps comprising:
    - computing an anomaly score for a respective user for each of the domains; and
      
      computing an aggregate anomaly score for the respective user that includes weighted anomaly scores for each of the domains.
  - 11. The non-transitory computer-readable storage medium of claim 8, wherein the computer-readable storage medium stores additional instructions that, when executed, cause the computer to perform additional steps comprising:
    - clustering domain data for a first domain;
      
      associating a first cluster index for the first domain with a particular user;
      
      clustering domain data for a second domain;
      
      associating a second cluster index for the second domain with the particular user; and
      
      generating a discrete distribution for the particular user that includes the first cluster index and the second cluster index.
  - 12. The non-transitory computer-readable storage medium of claim 11, further comprising comparing a user'"'"'s cluster indices with other users'"'"' cluster indices to determine whether the user'"'"'s activities are anomalous.
  - 13. The non-transitory computer-readable storage medium of claim 11, wherein associating the first cluster index for the first domain with the particular user comprises:
    - estimating a maximum a posteriori probability cluster index for the user; and
      
      associating the user with the maximum a posteriori probability cluster index.

14. A computing system for multi-domain clustering, the system comprising:
- one or more processors,a computer-readable medium coupled to the one or more processors having instructions stored thereon that, when executed by the one or more processors, cause the one or more processors to perform operations comprising;
  
  receiving, by a computing device, from one or more computing devices over a network, domain data for at least two domains associated with users, wherein a domain is a source type describing observable activities of a plurality of users, and wherein a respective user is associated with a respective user role in an organization;
  
  determining a hyperparameter value for a respective prior distribution of a probability distribution associated with a domain;
  
  estimating a probability distribution for generating a multi-domain probability model;
  
  generating a multi-domain probability model that includes variables for two or more domains, based on the hyperparameter value and the estimated probability distribution;
  
  analyzing the domain data with the generated multi-domain probability model to assign a first user to a plurality of cluster indices associated with the first user'"'"'s corresponding user role; and
  
  determining that an activity being performed by a second user is anomalous, based on a comparison between one or more of the second user'"'"'s cluster indices to one or more of the first user'"'"'s plurality of cluster indices.
- View Dependent Claims (15, 16, 17, 18, 19, 20)
- - 15. The computing system claim 14, wherein the domain data includes one or more of average number of e-mails, topical content of e-mail, average number of files, average number of HTTP access, addresses for HTTP access, and average number of logons.
  - 16. The computing system of claim 14, wherein the computing system stores additional instructions that, when executed, cause the computer to perform additional steps comprising:
    - computing an anomaly score for a respective user for each of the domains; and
      
      computing an aggregate anomaly score for the respective user that includes weighted anomaly scores for each of the domains.
  - 17. The computing system of claim 14, wherein the computing system stores additional instructions that, when executed, cause the computer to perform additional steps comprising:
    - clustering domain data for a first domain;
      
      associating a first cluster index for the first domain with a particular user;
      
      clustering domain data for a second domain;
      
      associating a second cluster index for the second domain with the particular user;
      
      generating a discrete distribution for the particular user that includes the first cluster index and the second cluster index.
  - 18. The computing system of claim 17, wherein the computing system stores additional instructions that, when executed, cause the computer to perform additional steps comprising:
    - comparing a user'"'"'s cluster indices with other users'"'"' cluster indices todetermine whether the user'"'"'s activities are anomalous.
  - 19. The computing system of claim 17, wherein associating the first cluster index for the first domain with the particular user comprises:
    - estimating a maximum a posteriori probability cluster index for the user; and
      
      associating the user with the maximum a posteriori probability cluster index.
  - 20. The computing system of claim 14, wherein determining that the activity being performed by the second user is anomalous comprises:
    - generating a discrete distribution for the second user that assigns the second user to a plurality of cluster indices; and
      
      comparing the plurality of cluster indices for the second user with the plurality of cluster indices associated with the first user.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Xerox Corporation (Xerox Holdings Corp.)
Original Assignee
Palo Alto Research Center, Inc. (Xerox Holdings Corp.)
Inventors
Bart, Evgeniy, Liu, Juan J., Eldardiry, Hoda M. A., Price, Robert R.
Primary Examiner(s)
Nalven, Andrew
Assistant Examiner(s)
RUPRECHT, CHRISTOPHER S

Application Number

US13/871,985
Publication Number

US 20140325643A1
Time in Patent Office

1,026 Days
Field of Search

None
US Class Current

1/1
CPC Class Codes

H04L 63/1425 Traffic logging, e.g. anoma...

Detecting anomalies in work practice data by combining multiple domains of information

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Detecting anomalies in work practice data by combining multiple domains of information

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links