Using hypergraphs to determine suspicious user activities
First Claim
1. A method comprising:
- processing input data to derive a set of features for each user account or event for a plurality of user accounts;
- generating a set of feature profiles, each feature profile having a set of features derived from a profile constructed from a set of correlated events or a set of correlated user accounts;
- generating hypergraphs, wherein the hypergraphs include nodes corresponding to feature profiles and edges between particular nodes representing a measure of similarity between nodes, wherein the measure of similarity between a pair of nodes is based at least in part on a comparison of a plurality of feature values associated with each node of the pair of nodes and weighting the edges based on the comparison;
- using the generated hypergraphs to detect suspicious graph nodes based on the respective feature profiles of each graph node and a global feature profile;
- using the suspicious graph nodes to detect malicious graph communities; and
- using the malicious graph communities to determine whether a particular user account is likely to correspond to a malicious user.
Abstract
Methods, systems, and apparatus, including computer programs encoded on computer storage media, for detecting suspicious user activities. One of the methods includes generating hypergraphs, wherein the hypergraphs include nodes corresponding to feature profiles and edges between particular nodes representing a measure of similarity between nodes; using the generated hypergraphs to detect suspicious graph nodes; and using the suspicious graph nodes to detect malicious user communities.
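The steps recited above can be followed end to end in a small sketch. This is an added example, not code from the patent: the correlation key (shared subnet), the distribution-overlap similarity, the thresholds and all function names are assumptions chosen for illustration, and the sample events are constructed.

```python
from collections import Counter, defaultdict

# Constructed sample events: (account, subnet, user_agent, signup_hour)
EVENTS = [
    ("a1", "203.0.113", "BotUA/1.0", 3), ("a2", "203.0.113", "BotUA/1.0", 3),
    ("a3", "203.0.113", "BotUA/1.0", 3), ("a4", "198.51.100", "BotUA/1.0", 3),
    ("a5", "198.51.100", "BotUA/1.0", 3), ("a6", "198.51.100", "BotUA/1.0", 4),
    ("u1", "192.0.2", "Firefox", 9), ("u2", "192.0.2", "Chrome", 14),
    ("u3", "192.0.2", "Safari", 20), ("u4", "192.0.2", "Chrome", 11),
    ("u5", "192.0.2", "Edge", 16), ("u6", "192.0.2", "Firefox", 22),
]
FEATURES = {"user_agent": 2, "signup_hour": 3}  # feature name -> tuple index

def profile(rows):
    """Feature profile: per-feature value distribution over a group of events."""
    return {"accounts": sorted({r[0] for r in rows}),
            "dist": {f: Counter(r[i] for r in rows) for f, i in FEATURES.items()}}

def share(dist, value):
    return dist[value] / sum(dist.values())

def suspicion(node, glob):
    """Largest excess of a node's dominant value share over its global share."""
    return max(share(node["dist"][f], v) - share(glob["dist"][f], v)
               for f in FEATURES
               for v, _ in node["dist"][f].most_common(1))

def similarity(p, q):
    """Edge weight in [0, 1]: mean overlap of the two nodes' value distributions."""
    return sum(sum(min(share(p["dist"][f], v), share(q["dist"][f], v))
                   for v in p["dist"][f]) for f in FEATURES) / len(FEATURES)

def detect(events, node_thr=0.4, edge_thr=0.5):
    """Return account lists, one per community of similar suspicious nodes."""
    groups = defaultdict(list)
    for row in events:
        groups[row[1]].append(row)  # assumed correlation key: shared subnet
    nodes = {k: profile(v) for k, v in groups.items()}
    glob = profile(events)  # global feature profile over all events
    suspicious = [k for k in sorted(nodes) if suspicion(nodes[k], glob) >= node_thr]
    communities = []  # sets of node keys joined by edges weighted >= edge_thr
    for k in suspicious:
        linked = [c for c in communities
                  if any(similarity(nodes[k], nodes[m]) >= edge_thr for m in c)]
        communities = [c for c in communities if c not in linked]
        communities.append({k}.union(*linked))
    return [sorted(a for k in c for a in nodes[k]["accounts"]) for c in communities]
```

On the constructed data the two subnets dominated by one user agent and one sign-up hour form a single community, while the subnet with varied values stays below the node threshold.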
21 Citations
19 Claims
1. A method comprising:
- processing input data to derive a set of features for each user account or event for a plurality of user accounts;
- generating a set of feature profiles, each feature profile having a set of features derived from a profile constructed from a set of correlated events or a set of correlated user accounts;
- generating hypergraphs, wherein the hypergraphs include nodes corresponding to feature profiles and edges between particular nodes representing a measure of similarity between nodes, wherein the measure of similarity between a pair of nodes is based at least in part on a comparison of a plurality of feature values associated with each node of the pair of nodes and weighting the edges based on the comparison;
- using the generated hypergraphs to detect suspicious graph nodes based on the respective feature profiles of each graph node and a global feature profile;
- using the suspicious graph nodes to detect malicious graph communities; and
- using the malicious graph communities to determine whether a particular user account is likely to correspond to a malicious user.

Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10
11. A system comprising:
- one or more computers configured to perform operations comprising:
- processing input data to derive a set of features for each user account or event for a plurality of user accounts;
- generating a set of feature profiles, each feature profile having a set of features derived from a profile constructed from a set of correlated events or a set of correlated user accounts;
- generating hypergraphs, wherein the hypergraphs include nodes corresponding to feature profiles and edges between particular nodes representing a measure of similarity between nodes, wherein the measure of similarity between a pair of nodes is based at least in part on a comparison of a plurality of feature values associated with each node of the pair of nodes and weighting the edges based on the comparison;
- using the generated hypergraphs to detect suspicious graph nodes based on the respective feature profiles of each graph node and a global feature profile;
- using the suspicious graph nodes to detect malicious graph communities; and
- using the malicious graph communities to determine whether a particular user account is likely to correspond to a malicious user.

Dependent claims: 12, 13, 14, 15, 16, 17, 18, 19
Specification