Using hypergraphs to determine suspicious user activities

US 9,787,640 B1
Filed: 02/11/2015
Issued: 10/10/2017
Est. Priority Date: 02/11/2014
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

processing input data to derive a set of features for each user account or event for a plurality of user accounts;

generating a set of feature profiles, each feature profile having a set of features derived from a profile constructed from a set of correlated events or a set of correlated user accounts;

generating hypergraphs, wherein the hypergraphs include nodes corresponding to feature profiles and edges between particular nodes representing a measure of similarity between nodes, wherein the measure of similarity between a pair of nodes is based at least in part on a comparison of a plurality of feature values associated with each node of the pair of nodes and weighting the edges based on the comparison;

using the generated hypergraphs to detect suspicious graph nodes based on the respective feature profiles of each graph node and a global feature profile;

using the suspicious graph nodes to detect malicious graph communities; and

using the malicious graph communities to determine whether a particular user account is likely to correspond to a malicious user.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods, systems, and apparatus, including computer programs encoded on computer storage media, for detecting suspicious user activities. One of the methods includes generating hypergraphs, wherein the hypergraphs include nodes corresponding to feature profiles and edges between particular nodes representing a measure of similarity between nodes; using the generated hypergraphs to detect suspicious graph nodes; and using the suspicious graph nodes to detect malicious user communities.

21 Citations

View as Search Results

19 Claims

1. A method comprising:
- processing input data to derive a set of features for each user account or event for a plurality of user accounts;
  
  generating a set of feature profiles, each feature profile having a set of features derived from a profile constructed from a set of correlated events or a set of correlated user accounts;
  
  generating hypergraphs, wherein the hypergraphs include nodes corresponding to feature profiles and edges between particular nodes representing a measure of similarity between nodes, wherein the measure of similarity between a pair of nodes is based at least in part on a comparison of a plurality of feature values associated with each node of the pair of nodes and weighting the edges based on the comparison;
  
  using the generated hypergraphs to detect suspicious graph nodes based on the respective feature profiles of each graph node and a global feature profile;
  
  using the suspicious graph nodes to detect malicious graph communities; and
  
  using the malicious graph communities to determine whether a particular user account is likely to correspond to a malicious user.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein, in the hypergraph, the feature profile corresponding to each node is a profile created for a set of user accounts or a set of user events.
  - 3. The method of claim 1, wherein each feature profile is a combination of features and wherein feature profiles can include user profiles, group profiles, and a global profile.
  - 4. The method of claim 1, wherein edges are pruned according to normal user behaviors, leaving only edges that contains some suspicious behavior.
  - 5. The method of claim 1, wherein detecting suspicious graph nodes comprises comparing a feature profile associated with each graph node to a global feature profile that captures common behavior of a population of users.
  - 6. The method of claim 1, further comprising:
    - identifying additional suspicious graph nodes based on an initial list of suspicious graph nodes and the graph structure, using a graph diffusion process.
  - 7. The method of claim 1, wherein using the suspicious graph nodes to detect malicious graph communities comprises:
    - using one or more graph algorithms to generate sub-graphs each corresponding to a graph community;
      
      examining each graph community to determine whether it is a suspicious community based on the relative fraction of suspicious nodes in the graph community; and
      
      outputting the nodes of communities determined to be suspicious communities as suspicious community nodes.
  - 8. The method of claim 7, further comprising building a community profile for each suspicious community and determining whether an individual user is likely to be a malicious user by comparing the community profile to a profile of the individual user.
  - 9. The method of claim 7, further comprising comparing users in each suspicious community over time and identifying users that are transient as malicious users using dynamic graph analysis.
  - 10. The method of claim 7, further comprising detecting suspicious users from a suspicious community based on a predefined set of rules.

11. A system comprising:
- one or more computers configured to perform operations comprising;
  
  processing input data to derive a set of features for each user account or event for a plurality of user accounts;
  
  generating a set of feature profiles, each feature profile having a set of features derived from a profile constructed from a set of correlated events or a set of correlated user accounts;
  
  generating hypergraphs, wherein the hypergraphs include nodes corresponding to feature profiles and edges between particular nodes representing a measure of similarity between nodes, wherein the measure of similarity between a pair of nodes is based at least in part on a comparison of a plurality of feature values associated with each node of the pair of nodes and weighting the edges based on the comparison;
  
  using the generated hypergraphs to detect suspicious graph nodes based on the respective feature profiles of each graph node and a global feature profile;
  
  using the suspicious graph nodes to detect malicious graph communities; and
  
  using the malicious graph communities to determine whether a particular user account is likely to correspond to a malicious user.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19)
- - 12. The system of claim 11, wherein determining the measure of similarity between nodes includes comparing feature values between the respective nodes.
  - 13. The system of claim 11, wherein edges are pruned according to normal user behaviors, leaving only edges that contains some suspicious behavior.
  - 14. The system of claim 11, wherein detecting suspicious graph nodes comprises comparing a feature profile associated with each graph node to a global feature profile that captures common behavior of a population of users.
  - 15. The system of claim 11, further configured to perform operations comprising:
    - identifying additional suspicious graph nodes based on an initial list of suspicious graph nodes and the graph structure, using a graph diffusion process.
  - 16. The system of claim 11, wherein using the suspicious graph nodes to detect malicious graph communities comprises:
    - using one or more graph algorithms to generate sub-graphs each corresponding to a graph community;
      
      examining each graph community to determine whether it is a suspicious community based on the relative fraction of suspicious nodes in the graph community; and
      
      outputting the nodes of communities determined to be suspicious communities as suspicious community nodes.
  - 17. The system of claim 16, further configured to perform operations comprising building a community profile for each suspicious community and determining whether an individual user is likely to be a malicious user by comparing the community profile to a profile of the individual user.
  - 18. The system of claim 16, further configured to perform operations comprising comparing users in each suspicious community over time and identifying users that are transient as malicious users using dynamic graph analysis.
  - 19. The system of claim 16, further configured to perform operations comprising detecting suspicious users from a suspicious community based on a predefined set of rules.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
DataVisor, Inc.
Original Assignee
DataVisor, Inc.
Inventors
Xie, Yinglian, Yu, Fang
Primary Examiner(s)
Najjar, Saleh
Assistant Examiner(s)
Almeida, Devin

Application Number

US14/620,028
Time in Patent Office

972 Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/0263   Rule management

H04L 63/14   for detecting or protecting...

H04L 63/1408   by monitoring network traff...

Using hypergraphs to determine suspicious user activities

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

21 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Using hypergraphs to determine suspicious user activities

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

21 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links