Detecting anomalies in work practice data by combining multiple domains of information
First Claim
1. A computer-executable method for multi-domain clustering, comprising:
- receiving, by a computing device, from one or more computing devices over a network, domain data for at least two domains associated with users, wherein a domain is a source type describing observable activities of a plurality of users, and wherein a respective user is associated with a respective user role in an organization;
determining a hyperparameter value for a respective prior distribution of a probability distributing associated with a domain;
estimating a probability distribution for generating a multi-domain probability model;
generating a multi-domain probability model that includes variables for two or more domains, based on the hyperparameter value and the estimated probability distribution;
analyzing the domain data with the generated multi-domain probability model to assign a first user to a plurality of cluster indices associated with the first user'"'"'s corresponding user role; and
determining that an activity being performed by a second user is anomalous, based on a comparison between one or more of the second user'"'"'s cluster indices to one or more of the first user'"'"'s plurality of cluster indices.
7 Assignments
0 Petitions
Accused Products
Abstract
One embodiment of the present invention provides a system for multi-domain clustering. During operation, the system collects domain data for at least two domains associated with users, wherein a domain is a source of data describing observable activities of a user. Next, the system estimates a probability distribution for a domain associated with the user. The system also estimates a probability distribution for a second domain associated with the user. Then, the system analyzes the domain data with a multi-domain probability model that includes variables for two or more domains to determine a probability distribution of each domain associated with the probability model and to assign users to clusters associated with user roles.
-
Citations
20 Claims
-
1. A computer-executable method for multi-domain clustering, comprising:
-
receiving, by a computing device, from one or more computing devices over a network, domain data for at least two domains associated with users, wherein a domain is a source type describing observable activities of a plurality of users, and wherein a respective user is associated with a respective user role in an organization; determining a hyperparameter value for a respective prior distribution of a probability distributing associated with a domain; estimating a probability distribution for generating a multi-domain probability model; generating a multi-domain probability model that includes variables for two or more domains, based on the hyperparameter value and the estimated probability distribution; analyzing the domain data with the generated multi-domain probability model to assign a first user to a plurality of cluster indices associated with the first user'"'"'s corresponding user role; and determining that an activity being performed by a second user is anomalous, based on a comparison between one or more of the second user'"'"'s cluster indices to one or more of the first user'"'"'s plurality of cluster indices. - View Dependent Claims (2, 3, 4, 5, 6, 7)
-
-
8. A non-transitory computer-readable storage medium storing instructions that when executed by a computer cause the computer to perform a method for multi-domain clustering, the method comprising:
-
receiving, by a computing device, from one or more computing devices over a network, domain data for at least two domains associated with users, wherein a domain is a source type describing observable activities of a plurality of users, and wherein a respective user is associated with a respective user role in an organization; determining a hyperparameter value for a respective prior distribution of a probability distribution associated with a domain; estimating a probability distribution for generating a multi-domain probability model; generating a multi-domain probability model that includes variables for two or more domains, based on the hyperparameter value and the estimated probability distribution; analyzing the domain data with the generated multi-domain probability model to assign a first user to a plurality of cluster indices associated with the first user'"'"'s corresponding user role; and determining that an activity being performed by a second user is anomalous, based on a comparison between one or more of the second user'"'"'s cluster indices to one or more of the first user'"'"'s plurality of cluster indices. - View Dependent Claims (9, 10, 11, 12, 13)
-
-
14. A computing system for multi-domain clustering, the system comprising:
-
one or more processors, a computer-readable medium coupled to the one or more processors having instructions stored thereon that, when executed by the one or more processors, cause the one or more processors to perform operations comprising; receiving, by a computing device, from one or more computing devices over a network, domain data for at least two domains associated with users, wherein a domain is a source type describing observable activities of a plurality of users, and wherein a respective user is associated with a respective user role in an organization; determining a hyperparameter value for a respective prior distribution of a probability distribution associated with a domain; estimating a probability distribution for generating a multi-domain probability model; generating a multi-domain probability model that includes variables for two or more domains, based on the hyperparameter value and the estimated probability distribution; analyzing the domain data with the generated multi-domain probability model to assign a first user to a plurality of cluster indices associated with the first user'"'"'s corresponding user role; and determining that an activity being performed by a second user is anomalous, based on a comparison between one or more of the second user'"'"'s cluster indices to one or more of the first user'"'"'s plurality of cluster indices. - View Dependent Claims (15, 16, 17, 18, 19, 20)
-
Specification