Identifying changes in use of user credentials
First Claim
1. A method, comprising:
extracting, from initial data transmitted on a data network comprising a set of resources accessed by a set of training users, a plurality of events, each of the events comprising a given training user accessing a given resource at a given time;
creating a set of first records, each first record comprising a sub-group of the extracted events of a single training user;
creating a set of second records, each second record including events of at least two different training users;
assigning safe labels to the first records and suspicious labels to the second records;
performing, by a processor, an analysis to fit, to the first and the second records and their respective labels, a model for predicting the label for a given record;
filtering, using the model, subsequent data transmitted on the data network to identify, in the subsequent data, sequences of events predicted to be labeled suspicious by the model; and
upon detecting a given sequence of events predicted as suspicious by the model, generating an alert,
wherein filtering the subsequent data comprises extracting, from the data transmitted on the data network between a set of resources accessed by a set of production users, a plurality of additional events, and creating respective sequences of the additional events for the production users,
wherein using the model comprises applying the model to the sequences of the additional events, and
wherein when the model classifies a given sequence of events as suspicious, generating an alert or sending a message on a user interface device for one production user associated with the given sequence of events.
Abstract
A method including extracting, from initial data transmitted on a network, multiple events, each of the events including a user accessing a resource. First and second sets of records are created, each first set record including a sub-group of the events of a single user, each second set record including a sub-group of the events of multiple users during respective sub-periods of a training period. Safe labels are assigned to the first set records and suspicious labels are assigned to the second set records. An analysis fits, to the first and the second set records and their respective labels, a model for predicting the label for a given record. The model filters subsequent network data to identify, in the subsequent data, sequences of events predicted to be labeled suspicious by the model, and upon detecting a given sequence of events predicted as suspicious by the model, an alert is generated.
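The claimed procedure, as an added Python illustration that is not code from the patent or its assignee: per-user event windows become safe first records, merged two-user windows become suspicious second records, a model is fitted to both, and production sequences are filtered for alerts. The constructed events, resource names, the two features (breadth, novelty) and the logistic-regression model are assumptions; the claims leave the features and the model type unspecified.

```python
from collections import defaultdict
from itertools import combinations
import math
# Constructed (user, resource, hour) events: a training day, then a production day in
# which alice behaves as usual while bob's credentials suddenly reach HR systems.
TRAIN_EVENTS = [
    ("alice", "hr-db", 9), ("alice", "payroll", 10), ("alice", "hr-db", 13), ("alice", "payroll", 16),
    ("bob", "git", 9), ("bob", "ci", 10), ("bob", "git", 14), ("bob", "wiki", 17),
    ("carol", "crm", 8), ("carol", "mail", 11), ("carol", "crm", 14), ("carol", "mail", 16),
    ("dave", "erp", 9), ("dave", "mail", 10), ("dave", "erp", 13), ("dave", "erp", 15)]
PROD_EVENTS = [
    ("alice", "hr-db", 9), ("alice", "payroll", 11), ("alice", "hr-db", 15),
    ("bob", "git", 9), ("bob", "ci", 10), ("bob", "hr-db", 11),
    ("bob", "git", 13), ("bob", "ci", 14), ("bob", "hr-db", 16)]
def sequences(events):  # time-ordered resource sequence per user
    seqs = defaultdict(list)
    for user, resource, _hour in sorted(events, key=lambda e: e[2]):
        seqs[user].append(resource)
    return seqs
def training_records(events):
    """First records: one user's events (label 0); second records: two users merged (label 1)."""
    per_user = list(sequences(events).values())
    return [(seq, 0) for seq in per_user] + [(a + b, 1) for a, b in combinations(per_user, 2)]

class CredentialMisuseModel:
    """Logistic regression on two user-agnostic features of a resource sequence (assumed)."""
    def __init__(self):
        self.known, self.w = set(), [0.0, 0.0, 0.0]  # safe co-access pairs; bias, breadth, novelty
    def features(self, seq):
        res = sorted(set(seq))
        pairs = list(combinations(res, 2))
        breadth = len(res) / len(seq)  # distinct resources per event
        novelty = sum(p not in self.known for p in pairs) / len(pairs) if pairs else 0.0
        return [1.0, breadth, novelty]
    def score(self, x):  # P(suspicious)
        return 1.0 / (1.0 + math.exp(-sum(wi * xi for wi, xi in zip(self.w, x))))
    def fit(self, records, lr=1.0, epochs=15000):
        self.known.update(p for s, y in records if y == 0 for p in combinations(sorted(set(s)), 2))
        data = [(self.features(seq), label) for seq, label in records]
        for _ in range(epochs):  # batch gradient descent on the log loss; ample for this tiny set
            grad = [0.0, 0.0, 0.0]
            for x, y in data:
                err = (self.score(x) - y) / len(data)
                grad = [g + err * xi for g, xi in zip(grad, x)]
            self.w = [wi - lr * g for wi, g in zip(self.w, grad)]
        return self
    def is_suspicious(self, seq):
        return self.score(self.features(seq)) > 0.5

def alerts(model, events):  # production users whose sequence the model labels suspicious
    return sorted(u for u, seq in sequences(events).items() if model.is_suspicious(seq))
```

Run `alerts(CredentialMisuseModel().fit(training_records(TRAIN_EVENTS)), PROD_EVENTS)` to obtain the list of production users that would trigger the claimed alert.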
106 Citations
12 Claims
1. A method (independent claim 1, reproduced in full above under First Claim; dependent claims 2, 3, 4, 5, 6).
7. An apparatus, comprising:
a memory; and
a hardware processor configured to extract, from initial data transmitted on a data network comprising a set of resources accessed by a set of training users, a plurality of events, each of the events comprising a given training user accessing a given resource at a given time,
to create a set of first records, each first record comprising a sub-group of the extracted events of a single training user;
to create a set of second records, each second record including events of at least two different training users;
to assign safe labels to the first records and suspicious labels to the second records;
to perform an analysis to fit, to the first and the second records and their respective labels, a model for predicting the label for a given record,
to filter, using the model, subsequent data transmitted on the data network to identify, in the subsequent data, sequences of events predicted to be labeled suspicious by the model, and
upon detecting a given sequence of events predicted as suspicious by the model, to generate an alert,
wherein the processor is configured to filter the subsequent data by extracting, from the data transmitted on the data network between a set of resources accessed by a set of production users, a plurality of additional events, and creating respective sequences of the additional events for the production users,
wherein the processor is configured to use the model by applying the model to the sequences of the additional events, and
wherein when the model classifies a given sequence of events as suspicious, the processor generates an alert or sends a message on a user interface device for one production user associated with the given sequence of events.
(Dependent claims: 8, 9, 10, 11.)
12. A computer software product, the product comprising a non-transitory computer-readable medium, in which program instructions are stored, which instructions, when read by a computer, cause the computer:
to extract, from initial data transmitted on a data network comprising a set of resources accessed by a set of training users, a plurality of events, each of the events comprising a given training user accessing a given resource at a given time;
to create a set of first records, each first record comprising a sub-group of the extracted events of a single training user;
to create a set of second records, each second record including events of at least two different training users;
to assign safe labels to the first records and suspicious labels to the second records;
to perform an analysis to fit, to the first and the second records and their respective labels, a model for predicting the label for a given record;
to filter, using the model, subsequent data transmitted on the data network to identify, in the subsequent data, sequences of events predicted to be labeled suspicious by the model; and
upon detecting a given sequence of events predicted as suspicious by the model, to generate an alert,
wherein the filtering of the subsequent data includes extracting, from the data transmitted on the data network between a set of resources accessed by a set of production users, a plurality of additional events, and creating respective sequences of the additional events for the production users,
wherein the instructions cause the computer to use the model by applying the model to the sequences of the additional events, and
wherein when the model classifies a given sequence of events as suspicious, the computer generates an alert or sends a message on a user interface device for one production user associated with the given sequence of events.
Specification