US20230394367A1 - Classifying user behavior as anomalous - Google Patents
Classifying user behavior as anomalous Download PDFInfo
- Publication number
- US20230394367A1 US20230394367A1 US18/450,263 US202318450263A US2023394367A1 US 20230394367 A1 US20230394367 A1 US 20230394367A1 US 202318450263 A US202318450263 A US 202318450263A US 2023394367 A1 US2023394367 A1 US 2023394367A1
- Authority
- US
- United States
- Prior art keywords
- user
- data
- test
- accessed
- model
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
- 230000002547 anomalous effect Effects 0.000 title claims abstract description 57
- 238000012360 testing method Methods 0.000 claims abstract description 104
- 238000012549 training Methods 0.000 claims abstract description 55
- 238000000034 method Methods 0.000 claims abstract description 38
- 238000012952 Resampling Methods 0.000 claims abstract description 31
- 238000004590 computer program Methods 0.000 abstract description 14
- 230000006399 behavior Effects 0.000 description 73
- 239000011159 matrix material Substances 0.000 description 24
- 230000008569 process Effects 0.000 description 21
- 239000013598 vector Substances 0.000 description 21
- 238000012545 processing Methods 0.000 description 16
- 238000001514 detection method Methods 0.000 description 13
- 238000004891 communication Methods 0.000 description 6
- 238000000513 principal component analysis Methods 0.000 description 5
- 238000000354 decomposition reaction Methods 0.000 description 4
- 238000010586 diagram Methods 0.000 description 4
- 238000013459 approach Methods 0.000 description 3
- 230000008520 organization Effects 0.000 description 3
- 238000013179 statistical model Methods 0.000 description 3
- 230000000694 effects Effects 0.000 description 2
- 230000003993 interaction Effects 0.000 description 2
- 230000003287 optical effect Effects 0.000 description 2
- 230000000644 propagated effect Effects 0.000 description 2
- 238000013515 script Methods 0.000 description 2
- 238000000926 separation method Methods 0.000 description 2
- 230000003466 anti-cipated effect Effects 0.000 description 1
- 230000005540 biological transmission Effects 0.000 description 1
- 238000013016 damping Methods 0.000 description 1
- 230000006870 function Effects 0.000 description 1
- 230000036541 health Effects 0.000 description 1
- 239000004973 liquid crystal related substance Substances 0.000 description 1
- 238000005192 partition Methods 0.000 description 1
- 229920001690 polydopamine Polymers 0.000 description 1
- 230000004044 response Effects 0.000 description 1
- 239000004065 semiconductor Substances 0.000 description 1
- 230000001953 sensory effect Effects 0.000 description 1
- 239000000758 substrate Substances 0.000 description 1
- 238000012546 transfer Methods 0.000 description 1
- 230000000007 visual effect Effects 0.000 description 1
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06N—COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
- G06N20/00—Machine learning
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F16/00—Information retrieval; Database structures therefor; File system structures therefor
- G06F16/20—Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
- G06F16/28—Databases characterised by their database models, e.g. relational or object models
- G06F16/284—Relational databases
- G06F16/285—Clustering or classification
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/31—User authentication
- G06F21/316—User authentication by observing the pattern of computer usage, e.g. typical user behaviour
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/552—Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1425—Traffic logging, e.g. anomaly detection
Definitions
- This specification relates to detecting anomalies in large data sets.
- Techniques for detecting anomalies in large data sets can be used in multiple areas of data processing application, including computer network security and health care.
- This specification describes how a data processing system can classify user behavior as anomalous or not anomalous according to a variety of techniques that make use of data that indicates resources accessed by the user in a one or more particular data processing systems. Even though a user may have had permission to access all resources accessed, the system can still classify some user behavior as suspicious.
- one innovative aspect of the subject matter described in this specification can be embodied in methods that include the actions of obtaining user behavior data representing behavior of a user in a subject system, wherein the user behavior data indicates one or more resources accessed by the user in the subject system and, for each resource accessed by the user, when the resource was accessed; generating test data from the user behavior data, the test data comprising a first representation of resources accessed by the user during a test time period; generating training data from the user behavior data, the training data comprising a respective second representation of resources accessed by the user for each of multiple time periods prior to the test time period; generating an initial model from the training data, the initial model having first characteristic features of the training data; generating a resampling model from the training data and from multiple instances of the first representation for the test time period, the resampling model having second characteristic features of the training data and the multiple instances of the first representation for the test time period; computing a difference between the initial model and the resampling model including comparing the first characteristic
- inventions of this aspect include corresponding computer systems, apparatus, and computer programs recorded on one or more computer storage devices, each configured to perform the actions of the methods.
- a system of one or more computers to be configured to perform particular operations or actions means that the system has installed on it software, firmware, hardware, or a combination of them that in operation cause the system to perform the operations or actions.
- one or more computer programs to be configured to perform particular operations or actions means that the one or more programs include instructions that, when executed by data processing apparatus, cause the apparatus to perform the operations or actions.
- the user behavior data comprises user access records that each represent a folder or a file accessed by the user in a file system.
- the actions include generating a first matrix that includes vectors of the training data and N instances of a same vector of the test data; performing principal component analysis on the first matrix to generate a first plurality of principal components of the first matrix; generating a second matrix from a plurality of vectors of the training data; and performing principal component analysis on the second matrix to generate a second plurality of principal components of the second matrix, wherein computing a difference between the initial model and the resampling model comprises computing an angle between one or more of the first plurality of principal components and the second plurality of principal components.
- the actions include generating a first matrix that includes vectors of the training data and N instances of a same vector of the test data; performing singular value decomposition on the first matrix to generate a first plurality of principal components of the first matrix; generating a second matrix from a plurality of vectors of the training data; and performing singular value decomposition on the second matrix to generate a second plurality of principal components of the second matrix, wherein computing a difference between the initial model and the resampling model comprises computing an angle between one or more of the first plurality of principal components and the second plurality of principal components.
- Another innovative aspect of the subject matter described in this specification can be embodied in methods that include the actions of obtaining a plurality of topics, each topic being data representing a plurality of file types that frequently co-occur in user behavior data of individual users; obtaining user behavior data representing behavior of a user in a subject system, wherein the user behavior data indicates file types of files accessed by the user in the subject system and when the file was accessed by the user; generating test data from the user behavior data, the test data comprising a first representation of which topics the user accessed during a test time period according to the file types of the user behavior data; generating training data from the user behavior data, the training data comprising respective second representations of which topics the user accessed in each of multiple time periods prior to the test time period; generating an initial SVD model from the test data; generating a resampling model from the training data from multiple instances of the first representation of which topics the user accessed during the test time period; computing a difference between the initial model and the resampling model; and class
- the actions include generating the plurality of topics from file types of files accessed by multiple users in the subject system.
- the actions include generating the topics using a topic modeling process including defining each user to be a document and each file type accessed by each user to be a term in the corresponding document.
- Generating the topics using the topic modeling process comprises generating a predetermined number K of topics.
- the actions include iterating over a plurality of candidate values of K; and selecting a particular candidate value of K as the predetermined number K.
- Another innovative aspect of the subject matter described in this specification can be embodied in methods that include the actions of obtaining user behavior data representing behavior of a user in a subject system, wherein the user behavior data indicates one or more resources accessed by the user in the subject system and, for each resource accessed by the user, when the resource was accessed; generating test data from the user behavior data, the test data comprising a first representation of resources accessed by the user during a test time period; generating training data from the user behavior data, the training data comprising respective second representations of resource accessed by the user in each of multiple time periods prior to the test time period; generating an initial path graph from the training data, wherein the initial path graph comprises nodes that represent resources accessed by the user in the subject system during one or more time periods represented by the training data, and links between one or more pairs of nodes, wherein each link between each pair of nodes represents that the user accessed a first resource represented by a first node of the pair from a second resource represented by a second node of the pair; generating
- the user behavior data comprises user access records that each represent a folder or a file accessed by the user in a file system.
- Generating the initial path graph comprises generating the initial path graph from training data of the user and training data of one or more peers of the user in the subject system.
- the actions include determining one or more other users in the subject system that accessed at least a threshold number of resources in common with the user during the time periods represented by the training data; and designating the one or more other users as peers of the user in the subject system.
- Computing the difference between the initial path graph and the test path graph comprises computing a Jaccard distance between the initial path graph and the test path graph, wherein the Jaccard distance is based on the cardinality of intersecting nodes between the initial path graph and the test path graph, and the cardinality of the union of nodes between the initial path graph and the test path graph.
- Computing the difference between the initial path graph and the test path graph comprises obtaining weights associated with resources represented by nodes in the initial path graph and the test path graph; and computing a weighted Jaccard distance between the initial path graph and the test path graph, wherein the weighted Jaccard distance is based on a sum of weights for all nodes that occur in the intersection of the initial path graph and the test path graph, and the sum of weights for all nodes that occur in the test path graph.
- the actions include assigning higher a weight to a folder in the subject system than a subfolder of the folder in the subject system.
- the actions include assigning a same weight to all resources in the subject system that are above a threshold number of levels in a hierarchy of the resources.
- the weights are based on a measure of popularity of the resources.
- the actions include generating a hybrid graph, wherein the hybrid graph comprises user nodes that represent users in the system and resource nodes that represent resources in the system, wherein the hybrid graph includes user-resource links, wherein each user-resource link represents a respective user accessing a resource in the system, and resource-resource links, wherein each resource-resource link represents a structure of resources in the system; computing a measure of popularity for one or more resources in the system according to the hybrid graph; selecting one or more nodes having the highest measures of popularity; and adding, to the initial path graph for the user, paths to each of the one or more nodes having the highest measures of popularity.
- the system can classify user access patterns as anomalous even if the patterns have not been seen before, which rule-based systems cannot do.
- the system can use test data resampling to make anomaly detection much more sensitive than previous approaches.
- the system can generate a user model for each user in the system and automatically flag a user's behavior as anomalous.
- the actions of a user's peers can be incorporated in the analysis to reduce false positives in anomaly detection.
- the system can make use of data at a more granular level than previous approaches, e.g., it can use data describing folder accesses and file accesses.
- the system can use topic modeling to detect when a user is accessing unexpected groups of file types.
- FIG. 1 A is a diagram of an example anomaly detection system.
- FIG. 1 B is a diagram of a segment node.
- FIG. 2 is a flow chart of an example process for classifying user access records as anomalous using a resampling model.
- FIG. 3 is a flow chart of an example process for classifying user behavior as anomalous using a topic model.
- FIG. 4 is a flow chart of an example process for classifying user behavior as anomalous using a path graphs.
- FIG. 5 A illustrates an initial path graph
- FIG. 5 B illustrates an example test path graph
- FIG. 5 C illustrates another example test path graph.
- FIG. 6 is a flow chart of an example process for determining the most popular resources in the subject system.
- FIG. 7 illustrates an example hybrid graph.
- FIG. 1 A is a diagram of an example anomaly detection system 100 .
- the anomaly detection system 100 is an example of a computing system that can be used to detect anomalous user behavior.
- the anomaly detection system 100 includes a user device 102 , a master node 110 , and multiple segment nodes 114 a , 114 b , through 114 n.
- the anomalous user behavior to be detected is typically behavior by users in a subject system that is distinct from the anomaly detection system 100 .
- the subject system can be a computer network belonging to a corporation.
- a user of the user device 102 can access data stored in the anomaly detection system 100 by communicating with the master node 110 .
- the user device 102 can be a personal computer, smartphone, or any other kind of computer-based device with which a user can interact.
- a user can query the master node for anomalous user behavior that occurred during a specified time period, e.g., the previous day or week.
- the master node 110 can then communicate with the segment nodes 114 a - n to obtain an identification of users whose behavior during the specified time period was suspicious, which the master node 110 can then communicate to the user device 102 .
- each segment node 114 a - n are implemented as software installed on one or more physical computers or as software installed as one or more virtual machines on one or more physical computers, or both.
- each segment node 114 a - n may execute multiple segment processes within the segment node.
- the segment nodes may be multi-core computers in which each segment process executes on a different core.
- the each physical segment nodes has between 8 and 12 segment processes.
- the master node 110 is connected to each of the segment nodes 114 a - n , e.g., by one or more communications networks, e.g., a local area network or the Internet, or by a direct connection.
- each of the segment nodes 114 a - n may be connected to one or more other segment nodes.
- the master node 110 assigns each segment node to operate on a portion of the data stored in the anomaly detection system 100 .
- Each data portion is generally a collection of user behavior data by users in the subject system.
- all user behavior data for each distinct user can be stored in a single portion.
- the segment nodes 114 a - n can also communicate with each other to share information so that a single segment node can obtain all user behavior data for a particular user.
- the user behavior data is data representing users accessing resources in the subject system.
- the data can represent how many times a user accessed a server, a website, a web page, a file, a directory, a database, or any other accessible resource in the subject system.
- Each instance of a user accessing a resource is represented in the user behavior data, e.g., by an access record.
- An access record can include information describing the resource, the user, and the date and time that the resource was accessed.
- the user behavior data may also include aggregated access records.
- the user behavior data can include, for each user, data representing how many times each resource was accessed during a particular time period.
- the system 100 can store millions or billions of access records in any appropriate format.
- the system can store each access record as a file in a file system or a line or row of data in a file in a file system or a record in a database.
- the access records can be indexed.
- the master node 110 can divide the processing among N segment nodes, e.g., the segment nodes 114 a - n .
- the segment nodes can obtain the access records by communicating with data nodes in an underlying distributed storage system, for example, one implementing a Hadoop File System (HDFS).
- HDFS Hadoop File System
- the data is generally partitioned among multiple storage devices and can be organized by any appropriate key-value storage subsystem.
- the data portions can be table partitions of a relational database distributed among multiple storage devices, e.g., as part of a massively parallel processing (MPP) database.
- MPP massively parallel processing
- the data portions can also be stored as part of a distributed, non-relational database, e.g., in a Hadoop Database (HBase) that organizes data by key-value pairs in distinct column families and distributed across multiple storage devices.
- HBase Hadoop Database
- the data portions can also be partitioned to be stored locally by the segment nodes 114 a - n.
- the master node 110 has assigned the segment node 114 a to operate on access records 142 a for a first group of users stored in a first storage subsystem 132 a of the underlying distributed storage system. Similarly, the master node 110 has assigned the segment node 114 b to operate on access records 142 b stored in a second storage subsystem 132 b , and the master node 110 has assigned the segment node 114 n to operate on access records 142 n stored in an Nth storage subsystem 132 n.
- FIG. 1 B is a diagram of a segment node 114 .
- Each of the segment nodes 114 a - n in the system computes per-user models in parallel. In other words, the system generates one or more distinct models for each user of the subject system.
- Each segment node 114 runs anomaly detection software installed on the segment node 114 that that receives a user ID 145 assigned by a master node.
- the anomaly detection software then obtains the user access records 142 of a user corresponding to the user ID 145 from an underlying storage subsystem and determines which access records 142 are training data and which access records are test data. Some individual access records may be used as both training data and test data.
- the test data includes a representation of the resources accessed by the user for a recent time period
- the training data includes representations of resources accessed for multiple time periods prior to the time period of the test data. For example, if the time periods are weeks of the year, the test data can include a representation of resources accessed during a most-recent week, and the training data can include representations of resources accessed during the previous month or year.
- the time period corresponding to the test data may be referred to as the test period.
- test data need not represent a recent time period, however.
- the system can use, as test data, access records for any appropriate time period in order to identify anomalous behavior that occurred in the past.
- the anomaly detection software installed on the segment node 114 makes use of one or more modeling engines 180 , 182 , and 184 installed on each segment node in order to determine whether the user's access records 142 reflect anomalous behavior by the user. All of the modeling engines 180 , 182 , and 184 , or only some of the modeling engines 180 , 182 , and 184 , may have been installed on any particular segment node.
- the segment node 114 can use a resampling model engine 180 , which resamples some of the test data as training data.
- the resampling model is described in more detail below with reference to FIG. 2 .
- the segment node 114 can also use a topic model engine 182 , which generates a topic model based on file types accessed by the user.
- the topic model is described in more detail below with reference to FIG. 3 .
- the segment node 114 can also use a path graph model engine 184 , which builds path graphs from training data and test data to determine anomalous behavior. The path graphs are described in more detail below with reference to FIGS. 4 - 7 .
- the system can use the modeling engines 180 , 182 , and 184 to classify the test data of the user access records 142 as anomalous or not anomalous. If the test data is classified as anomalous, the segment node 114 can generate an anomalous behavior notification 155 and provide the notification 155 to another node in the system, e.g., back to the master node 110 . The master node 110 can then propagate the notification back to the user device 102 .
- FIG. 2 is a flow chart of an example process for classifying user access records as anomalous using a resampling model.
- the system determines how much test data, when resampled multiple times, affects the characteristic features of an initial statistical model of the user's access behavior.
- the example process will be described as being performed by an appropriately programmed system of one or more computers.
- the system obtains a user's access records ( 210 ).
- the access records indicate which resources were accessed by a user during each of multiple time periods.
- the system generates a representation of the user's access records ( 220 ).
- the representation is a vector or a matrix, and the system generates a vector for each of several time periods.
- Each position in the vector represents a resource in the subject system, and each value in the vector represents a number of times that the user accessed the resource in the subject system that corresponds to the position of the value in the vector.
- the system generates an initial model using the training data ( 230 ).
- the training data includes representations of the user's access records for previous time periods.
- the system can generate the initial model as any appropriate statistical model for representing characteristic features a data set.
- the system represents the data as a matrix and uses any appropriate matrix factorization technique, e.g., Singular Value Decomposition (SVD), Principal Component Analysis (PCA), or Non-negative Matrix Factorization (NMF), to generate the representation of the characteristic features of the training data for the user.
- SVD Singular Value Decomposition
- PCA Principal Component Analysis
- NMF Non-negative Matrix Factorization
- the system can generate a matrix X of the access record vectors from the training data.
- the system can then perform SVD to generate a matrix T representing the principal components of X.
- the system generates a resampling model from the training data and the test data sampled multiple times ( 240 ). Resampling the test data multiple times has the effect of magnifying differences between the training data and the test data.
- the system can use all vectors of the training data and N instances of the vector of test data.
- the system can generate a matrix X′ that includes the vectors of training data and N instances of the vector of test data.
- the matrix X′ will include more columns than the matrix X for the initial model.
- the system can then perform SVD to generate a matrix T′ representing the principal components of X′
- the system compares the initial model and the resampling model ( 250 ).
- the system can use any appropriate comparison method to determine how different the initial model and the resampling model are, for example, by computing a distance between characteristic features of the models. If using SVD, the system can compute the angle between the principal components for the initial model T and the principal components for the resampling model T.′
- the system classifies the user behavior in the test period as anomalous or not anomalous based on the comparison ( 260 ).
- the difference between the initial model and the resampling model will be large whenever the test data had a more dramatic effect on the resampling model relative to the initial model. Thus, the test data is more likely to be anomalous when the difference is large.
- test data had a minimal impact on the initial model generated from only the training data. Thus, the test data is less likely to be anomalous.
- the system can thus determine whether the difference between the models satisfies a threshold and classify the user behavior as anomalous if the difference satisfies the threshold.
- FIG. 3 is a flow chart of an example process for classifying user behavior as anomalous using a topic model.
- the system represents a user's behavior in the subject system according to groups of related file types accessed by the user, rather than according to resources accessed by the user.
- the groups of related file types can be represented as topics and the system can classify a user's behavior as anomalous if the test data indicates that the user accessed substantially different file types during the test period.
- the process will be described as being performed by an appropriately programmed system of one or more computers.
- the system generates topics from files in the subject system ( 310 ).
- the system can generate topics where each topic represents groups of file types that frequently co-occur in user access records of individual users.
- the system generates the topics using user access records from many different users.
- the system uses the extension of a file to indicate the type of the file.
- the system may use other metadata about files in the system to determine file types.
- the system can use any appropriate topic modeling technique by treating each user as a document and each file type accessed by the user as a term occurring in the document.
- the system can use the topic modeling technique over all user access records that represent users access files in the subject system. The result is then a number of topics that each represent frequently occurring file types.
- the system can assign a unique identifier for each discovered topic.
- the system can generate K topics using Latent Dirichlet Allocation (LDA).
- LDA takes as an input parameter a number K of topics, and generates a probability distribution for each of the K topics.
- Each probability distribution assigns a likelihood to a particular file type being accessed by a user who accesses file types assigned to the topic.
- the system can choose a value for K by iterating over candidate values for K and computing the perplexity of the model.
- the system can choose a value for K that balances the number of topics in the model and the perplexity of the model.
- the system obtains a user's access records ( 320 ).
- the access records can indicate electronic files that were accessed by the user and file type information of the files accessed by the user.
- the system generates a representation of the user's access records ( 330 ).
- the system can generate a vector for each of several time periods.
- Each element of the vector represents one of the K topics, and each value in the vector represents a number of times the user accessed a file type belonging to each of the corresponding topics.
- each element represents a number of days in each time period that the user accessed a file type belonging to each of the corresponding topics.
- the system uses an initial SVD model generated from training data to reconstruct the test data ( 340 ).
- the system can use any appropriate statistical model to represent the characteristic features of the training data and the test data, e.g., SVD or PCA.
- the system can similarly use the resampling technique described above with reference to FIG. 2 to determine how the initial SVD model changes relative to a resampling model when the test data is added multiple times to the training data.
- the system can use singular value decomposition (SVD) to compare the models. For example, the system can a matrix X from the training data, where each column represents a time period in the training data and each row represents one of the K topics. The system can then perform SVD to generate a matrix Y. The system can then select, from Y, the top-k right singular column vectors V as being representative of the user's behavior during the training time period.
- SVD singular value decomposition
- the system can then compare the test data, represented as a vector of training data by computing a distance D according to:
- the system classifies the user behavior in the test period as anomalous or not anomalous based on the comparison ( 350 ). If the difference satisfies a threshold, the system can classify the user behavior as anomalous. Otherwise, the system can classify the user behavior as not anomalous.
- FIG. 4 is a flow chart of an example process for classifying user behavior as anomalous using a path graphs.
- a path graph is a representation of how a user navigated to resources in the subject system during the relevant time periods. If the path graph changes significantly in the test period, the system can classify the user behavior as anomalous.
- the process will be described as being performed by an appropriately programmed system of one or more computers.
- the system generates an initial path graph using training data ( 410 ).
- a path graph represents relationships between resources accessed by the user in the subject system.
- a path graph includes nodes that represent resources accessed by the user in the subject system.
- the nodes of the path graph can represent folders and files in a file system.
- the nodes of the path graph can also represent web pages maintained by the subject system.
- a path graph includes a link between two nodes to represent a user accessing a one node from another.
- the path graph includes a link to represent a user visiting a first resource represented by a first node, and then visiting a second resource represented by a second node.
- the links can therefore represent folder and subfolder relationships, links between web pages, symbolic links or shortcuts in a file system, or any other appropriate method for accessing one resource from another.
- FIG. 5 A illustrates an initial path graph.
- the nodes of the path graph represent folders in a file system
- the links represent a user accessing a subfolder from a parent folder.
- the initial path graph has a root node 510 representing the “home” directory.
- the initial path graph also include other nodes 520 , 522 , and 530 representing subfolders of the “home” directory.
- a link between the node 510 and the node 520 represents that the user visited the “home” directory and then visited “folderB” from the “home” directory.
- a link between the node 520 and the node 530 represents that the user visited the “subfolderC” directory from the “folderB” directory.
- the resulting initial path graph includes nodes representing resources accessed by the user and links representing how the user navigated to those resources.
- the system can also include data from the user's peers when generating the initial path graph. In some instances, using an initial path graph with data from the user's peers can reduce false positive detections of anomalous behavior.
- a user's peers are generally users in the subject system that have a substantial overlap with the user in terms of resources accessed.
- a user's peers may be other members on a same team within an organization or other employees in a same department, location, or company.
- the system determines the user's peers by identifying other users having at least a threshold amount of resource overlap. In other words, the system uses the training data for all users in the subject system to compute which other users accessed at least the threshold amount of resources in common with the user under consideration, e.g., at least 10%, 50%, or 80% of the same resources.
- the system can also use organizational data for an organization owning the subject system. For example, the system can designate users who are part of the same team or department as peers. The system can also designate users having the same or similar roles within the organization to be peers.
- the system can generate the initial path graph using training data for the user and all of the user's peers.
- the system generates a test path graph using test data ( 420 ).
- the test path graph is a path graph generated from the test data.
- the test data may represent resources accessed by the user during a most recent time period.
- the test path graph represents how the user navigated to resources in the subject system during the time period represented by the test data.
- FIG. 5 B illustrates an example test path graph.
- the test path graph includes two new nodes, nodes 540 and 542 , and corresponding new links, represented by dashed lines.
- the new nodes 540 and 542 represent resources accessed by the user during the test time period, but not during the training time periods.
- the system compares the initial path graph and the test path graph ( 430 ).
- the system can use a variety of methods for comparing the initial path graph and the test path graph.
- the system computes measure of overlap between the initial path graph and the test path graph.
- a test path graph that significantly overlaps the initial path graph is indicative of normal user behavior.
- a test path graph having many nodes and edges that do not overlap the initial path graph is indicative of anomalous user behavior.
- the system can compute a Jaccard distance D between an initial path graph, G1, and a test path graph, G2, according to:
- represents the cardinality of the intersection of the set of nodes in G1 and the set of nodes in G2
- represents the cardinality of the union of the set of nodes in G1 and the set of nodes in G2.
- the system computes a weighted Jaccard distance according to weights to the resources.
- the system can assign weights to the resources based on a variety of factors. For example, the system can assign higher weights to resources that include sensitive information, e.g., sensitive corporate or employee data. Thus, the detection of anomalous behavior becomes more sensitive to a user accessing folders with higher weights.
- the system can also assign weights based on hierarchical relationships of the resources. For example, if the resources represent folders and subfolders, the system can assign a higher weight to a folders than a subfolder of the folder. This makes the detection of anomalous behavior less sensitive to situations where a user merely accesses a new subfolder of a folder that the user already accessed.
- the system assigns a first weight to all resources that are above a threshold number of levels in the hierarchy, and a smaller, second weight to all other resources. For example, the system can assign a first weight to a root directory of a file system and all directories up to three levels below the root directory. For all other subfolders, the system can assign the second weight.
- the system can also assign weights based on the age of resources in the system. In some situations, anomalous behavior is more likely to involve newly created resources than old resources. Thus, the system can increase the weight assigned to new resources and decrease the weight for resources as the resources become older.
- the system can also assign weights based on a measure of popularity of the resources in the subject system. For example, the system can lower the weights assigned to popular resources accessed by many users in the subject system. The system can similarly lower the weights of all child resources of popular resources, e.g., subfolders of popular folders.
- the system can compute the weighted Jaccard distance WD according to:
- numerator term represents the sum of weights for all nodes that occur in the intersection of G1 and G2
- denominator term represents the sum of weights for all nodes that occur in G2.
- the system classifies the user behavior in the test period as anomalous or not anomalous based on the comparison ( 440 ). If the computed distance between the initial path graph and the test path graph is large, the user behavior is more likely to be anomalous. If the computed distance is small, the user behavior is less likely to be anomalous. Thus, the system can classify the user behavior as anomalous if the computed distance satisfies a threshold.
- Anomalous events typically require follow up by a forensic team of the subject system.
- the system can adjust the threshold for each test time period based on the anticipated availability of the team to investigate the anomalous cases.
- the Jaccard distance between the initial path graph illustrated in FIG. 5 A and the test path graph illustrated in FIG. 5 B is a relatively low 0.333. Therefore, the system may not consider the user behavior to be anomalous.
- FIG. 5 C illustrates another example test path graph.
- the test path graph includes six new nodes 540 , 542 , 544 , 550 , 552 , and 554 , and corresponding new links, represented by dashed lines.
- the Jaccard distance between the initial path graph illustrated in FIG. 5 A and the test path graph illustrated in FIG. 5 C is a relatively high 0.6. Therefore, the system may consider the user behavior to be anomalous.
- FIG. 6 is a flow chart of an example process for determining the most popular resources in the subject system.
- the system can take into account which resources are popular when making determinations of user behavior that is anomalous or not. If a user's behavior is normal but for accessing a resource that is otherwise popular, the system avoid flagging the users behavior as anomalous.
- the process will be described as being performed by an appropriately programmed system of one or more computers.
- the system generates a hybrid user/resource graph ( 610 ).
- the hybrid graph has two types of nodes, user nodes representing users and resource nodes representing resources in the subject system.
- the hybrid graph also has two types of corresponding links, a resource-resource link representing a structure of resources in the subject system, and a user-resource link representing a user accessing a resource in the subject system.
- FIG. 7 illustrates an example hybrid graph.
- the hybrid graph has the same resource structure as the example graph shown in FIG. 5 A , having four resource nodes 710 , 720 , 722 , and 730 representing folders in a file system.
- the hybrid graph has resource-resource links between resource nodes, which represent the structure of the resources in the system.
- the resource-resource links represent directory inclusion.
- the hybrid graph also includes two user nodes 760 and 762 representing distinct users in the system.
- the hybrid graph has user-resource links that represent which resources each user accessed.
- the user-resource links are likely to indicate that the home folder is more popular than the other folders because the home folder was accessed by more users than the other folders.
- the system computes a score for resources in the system according to the hybrid graph ( 620 ).
- the score represents a measure of popularity for resources in the system based on the relationships represented by the graph. Thus, resources that are accessed by more users will have higher scores and resources that are accessed by fewer users will have lower scores.
- the system computes a score having a first component representing the likelihood of a user performing a random navigation through resource-resource links ending up at the node and a second component representing the likelihood of a user reaching a resource represented by a child node from a resource represented by a parent node of the child node.
- the system can iteratively compute the score for each node S(i) according to the following equation:
- each node j represents another user node or another resource node having a link to the node i
- N is the number of nodes in the hybrid graph
- d is a damping factor.
- the system can distribute their scores equally among all the N nodes in the graph.
- the system selects resource nodes having the highest scores ( 630 ).
- the system can rank the resources nodes by the computed scores and select the highest-ranking resource nodes as being the most popular nodes in the system.
- the system can select a predetermined number of the highest-ranking resource nodes, or alternatively, the system can select all resource nodes having a score that satisfies a threshold.
- the system adds paths to the selected resource nodes to all initial path graphs ( 640 ). After determining the most popular nodes, the system can add paths to all of the most popular nodes to the initial path graphs for all users in the subject system. By doing so, the system treats each user as if the user had accessed each of the most popular folders. When using the peer-based approach, the system treats each of the user's peers as if they had accessed each of the most popular folders.
- the system can reduce the amount of false positives generated due to users visiting folders that they don't frequently visit, but which are otherwise popular among users in the system.
- Embodiments of the subject matter and the functional operations described in this specification can be implemented in digital electronic circuitry, in tangibly-embodied computer software or firmware, in computer hardware, including the structures disclosed in this specification and their structural equivalents, or in combinations of one or more of them.
- Embodiments of the subject matter described in this specification can be implemented as one or more computer programs, i.e., one or more modules of computer program instructions encoded on a tangible non-transitory program carrier for execution by, or to control the operation of, data processing apparatus.
- the program instructions can be encoded on an artificially-generated propagated signal, e.g., a machine-generated electrical, optical, or electromagnetic signal, that is generated to encode information for transmission to suitable receiver apparatus for execution by a data processing apparatus.
- the computer storage medium can be a machine-readable storage device, a machine-readable storage substrate, a random or serial access memory device, or a combination of one or more of them. The computer storage medium is not, however, a propagated signal.
- data processing apparatus encompasses all kinds of apparatus, devices, and machines for processing data, including by way of example a programmable processor, a computer, or multiple processors or computers.
- the apparatus can include special purpose logic circuitry, e.g., an FPGA (field programmable gate array) or an ASIC (application-specific integrated circuit).
- the apparatus can also include, in addition to hardware, code that creates an execution environment for the computer program in question, e.g., code that constitutes processor firmware, a protocol stack, a database management system, an operating system, or a combination of one or more of them.
- a computer program (which may also be referred to or described as a program, software, a software application, a module, a software module, a script, or code) can be written in any form of programming language, including compiled or interpreted languages, or declarative or procedural languages, and it can be deployed in any form, including as a stand-alone program or as a module, component, subroutine, or other unit suitable for use in a computing environment.
- a computer program may, but need not, correspond to a file in a file system.
- a program can be stored in a portion of a file that holds other programs or data, e.g., one or more scripts stored in a markup language document, in a single file dedicated to the program in question, or in multiple coordinated files, e.g., files that store one or more modules, sub-programs, or portions of code.
- a computer program can be deployed to be executed on one computer or on multiple computers that are located at one site or distributed across multiple sites and interconnected by a communication network.
- an “engine,” or “software engine,” refers to a software implemented input/output system that provides an output that is different from the input.
- An engine can be an encoded block of functionality, such as a library, a platform, a software development kit (“SDK”), or an object.
- SDK software development kit
- Each engine can be implemented on any appropriate type of computing device, e.g., servers, mobile phones, tablet computers, notebook computers, music players, e-book readers, laptop or desktop computers, PDAs, smart phones, or other stationary or portable devices, that includes one or more processors and computer readable media. Additionally, two or more of the engines may be implemented on the same computing device, or on different computing devices.
- the processes and logic flows described in this specification can be performed by one or more programmable computers executing one or more computer programs to perform functions by operating on input data and generating output.
- the processes and logic flows can also be performed by, and apparatus can also be implemented as, special purpose logic circuitry, e.g., an FPGA (field programmable gate array) or an ASIC (application-specific integrated circuit).
- special purpose logic circuitry e.g., an FPGA (field programmable gate array) or an ASIC (application-specific integrated circuit).
- Computers suitable for the execution of a computer program include, by way of example, can be based on general or special purpose microprocessors or both, or any other kind of central processing unit.
- a central processing unit will receive instructions and data from a read-only memory or a random access memory or both.
- the essential elements of a computer are a central processing unit for performing or executing instructions and one or more memory devices for storing instructions and data.
- a computer will also include, or be operatively coupled to receive data from or transfer data to, or both, one or more mass storage devices for storing data, e.g., magnetic, magneto-optical disks, or optical disks.
- mass storage devices for storing data, e.g., magnetic, magneto-optical disks, or optical disks.
- a computer need not have such devices.
- a computer can be embedded in another device, e.g., a mobile telephone, a personal digital assistant (PDA), a mobile audio or video player, a game console, a Global Positioning System (GPS) receiver, or a portable storage device, e.g., a universal serial bus (USB) flash drive, to name just a few.
- PDA personal digital assistant
- GPS Global Positioning System
- USB universal serial bus
- Computer-readable media suitable for storing computer program instructions and data include all forms of non-volatile memory, media and memory devices, including by way of example semiconductor memory devices, e.g., EPROM, EEPROM, and flash memory devices; magnetic disks, e.g., internal hard disks or removable disks; magneto-optical disks; and CD-ROM and DVD-ROM disks.
- semiconductor memory devices e.g., EPROM, EEPROM, and flash memory devices
- magnetic disks e.g., internal hard disks or removable disks
- magneto-optical disks e.g., CD-ROM and DVD-ROM disks.
- the processor and the memory can be supplemented by, or incorporated in, special purpose logic circuitry.
- a computer having a display device, e.g., a CRT (cathode ray tube) monitor, an LCD (liquid crystal display) monitor, or an OLED display, for displaying information to the user, as well as input devices for providing input to the computer, e.g., a keyboard, a mouse, or a presence sensitive display or other surface.
- a display device e.g., a CRT (cathode ray tube) monitor, an LCD (liquid crystal display) monitor, or an OLED display
- input devices for providing input to the computer, e.g., a keyboard, a mouse, or a presence sensitive display or other surface.
- Other kinds of devices can be used to provide for interaction with a user as well; for example, feedback provided to the user can be any form of sensory feedback, e.g., visual feedback, auditory feedback, or tactile feedback; and input from the user can be received in any form, including acoustic, speech, or tactile input.
- a computer can interact with a user
- Embodiments of the subject matter described in this specification can be implemented in a computing system that includes a back-end component, e.g., as a data server, or that includes a middleware component, e.g., an application server, or that includes a front-end component, e.g., a client computer having a graphical user interface or a Web browser through which a user can interact with an implementation of the subject matter described in this specification, or any combination of one or more such back-end, middleware, or front-end components.
- the components of the system can be interconnected by any form or medium of digital data communication, e.g., a communication network. Examples of communication networks include a local area network (“LAN”) and a wide area network (“WAN”), e.g., the Internet.
- LAN local area network
- WAN wide area network
- the computing system can include clients and servers.
- a client and server are generally remote from each other and typically interact through a communication network.
- the relationship of client and server arises by virtue of computer programs running on the respective computers and having a client-server relationship to each other.
Abstract
Methods, systems, and apparatus, including computer programs encoded on computer storage media, for classifying user behavior as anomalous. One of the methods includes obtaining user behavior data representing behavior of a user in a subject system. An initial model is generated from training data, the initial model having first characteristic features of the training data. A resampling model is generated from the training data and from multiple instances of the first representation for a test time period. A difference between the initial model and the resampling model is computed. The user behavior in the test time period is classified as anomalous based on the difference between the initial model and the resampling model.
Description
- This application is a continuation of U.S. application Ser. No. 17/870,733, filed on Jul. 21, 2022, entitled “Classifying User Behavior as Anomalous”, which is a divisional application of U.S. application Ser. No. 16/575,279, filed on Sep. 18, 2019, entitled “Classifying User Behavior As Anomalous”, now U.S. Pat. No. 11,436,530, which is a divisional application of U.S. application Ser. No. 14/810,328, filed on Jul. 27, 2015, entitled “Classifying User Behavior As Anomalous”, now U.S. Pat. No. 10,430,721, the entirety of the disclosure of the prior applications are herein incorporated by reference.
- This specification relates to detecting anomalies in large data sets.
- Techniques for detecting anomalies in large data sets can be used in multiple areas of data processing application, including computer network security and health care.
- This specification describes how a data processing system can classify user behavior as anomalous or not anomalous according to a variety of techniques that make use of data that indicates resources accessed by the user in a one or more particular data processing systems. Even though a user may have had permission to access all resources accessed, the system can still classify some user behavior as suspicious.
- In general, one innovative aspect of the subject matter described in this specification can be embodied in methods that include the actions of obtaining user behavior data representing behavior of a user in a subject system, wherein the user behavior data indicates one or more resources accessed by the user in the subject system and, for each resource accessed by the user, when the resource was accessed; generating test data from the user behavior data, the test data comprising a first representation of resources accessed by the user during a test time period; generating training data from the user behavior data, the training data comprising a respective second representation of resources accessed by the user for each of multiple time periods prior to the test time period; generating an initial model from the training data, the initial model having first characteristic features of the training data; generating a resampling model from the training data and from multiple instances of the first representation for the test time period, the resampling model having second characteristic features of the training data and the multiple instances of the first representation for the test time period; computing a difference between the initial model and the resampling model including comparing the first characteristic features of the training data and the second characteristic features of the training data and the multiple instances of the first representation for the test time period; and classifying the user behavior in the test time period as anomalous based on the difference between the initial model and the resampling model. Other embodiments of this aspect include corresponding computer systems, apparatus, and computer programs recorded on one or more computer storage devices, each configured to perform the actions of the methods. For a system of one or more computers to be configured to perform particular operations or actions means that the system has installed on it software, firmware, hardware, or a combination of them that in operation cause the system to perform the operations or actions. For one or more computer programs to be configured to perform particular operations or actions means that the one or more programs include instructions that, when executed by data processing apparatus, cause the apparatus to perform the operations or actions.
- The foregoing and other embodiments can each optionally include one or more of the following features, alone or in combination. The user behavior data comprises user access records that each represent a folder or a file accessed by the user in a file system. The actions include generating a first matrix that includes vectors of the training data and N instances of a same vector of the test data; performing principal component analysis on the first matrix to generate a first plurality of principal components of the first matrix; generating a second matrix from a plurality of vectors of the training data; and performing principal component analysis on the second matrix to generate a second plurality of principal components of the second matrix, wherein computing a difference between the initial model and the resampling model comprises computing an angle between one or more of the first plurality of principal components and the second plurality of principal components. The actions include generating a first matrix that includes vectors of the training data and N instances of a same vector of the test data; performing singular value decomposition on the first matrix to generate a first plurality of principal components of the first matrix; generating a second matrix from a plurality of vectors of the training data; and performing singular value decomposition on the second matrix to generate a second plurality of principal components of the second matrix, wherein computing a difference between the initial model and the resampling model comprises computing an angle between one or more of the first plurality of principal components and the second plurality of principal components.
- Another innovative aspect of the subject matter described in this specification can be embodied in methods that include the actions of obtaining a plurality of topics, each topic being data representing a plurality of file types that frequently co-occur in user behavior data of individual users; obtaining user behavior data representing behavior of a user in a subject system, wherein the user behavior data indicates file types of files accessed by the user in the subject system and when the file was accessed by the user; generating test data from the user behavior data, the test data comprising a first representation of which topics the user accessed during a test time period according to the file types of the user behavior data; generating training data from the user behavior data, the training data comprising respective second representations of which topics the user accessed in each of multiple time periods prior to the test time period; generating an initial SVD model from the test data; generating a resampling model from the training data from multiple instances of the first representation of which topics the user accessed during the test time period; computing a difference between the initial model and the resampling model; and classifying the user behavior in the test time period as anomalous based on the difference between the initial model and the resampling model. Other embodiments of this aspect include corresponding computer systems, apparatus, and computer programs recorded on one or more computer storage devices, each configured to perform the actions of the methods.
- The foregoing and other embodiments can each optionally include one or more of the following features, alone or in combination. The actions include generating the plurality of topics from file types of files accessed by multiple users in the subject system. The actions include generating the topics using a topic modeling process including defining each user to be a document and each file type accessed by each user to be a term in the corresponding document. Generating the topics using the topic modeling process comprises generating a predetermined number K of topics. The actions include iterating over a plurality of candidate values of K; and selecting a particular candidate value of K as the predetermined number K.
- Another innovative aspect of the subject matter described in this specification can be embodied in methods that include the actions of obtaining user behavior data representing behavior of a user in a subject system, wherein the user behavior data indicates one or more resources accessed by the user in the subject system and, for each resource accessed by the user, when the resource was accessed; generating test data from the user behavior data, the test data comprising a first representation of resources accessed by the user during a test time period; generating training data from the user behavior data, the training data comprising respective second representations of resource accessed by the user in each of multiple time periods prior to the test time period; generating an initial path graph from the training data, wherein the initial path graph comprises nodes that represent resources accessed by the user in the subject system during one or more time periods represented by the training data, and links between one or more pairs of nodes, wherein each link between each pair of nodes represents that the user accessed a first resource represented by a first node of the pair from a second resource represented by a second node of the pair; generating a test path graph from the test data, wherein the test path graph comprises nodes that represent resources accessed by the user in the subject system during the test time period, and links between one or more pairs of nodes, wherein each link between each pair of nodes represents that the user accessed a first resource represented by a first node of the pair from a second resource represented by a second node of the pair; computing a difference between the initial path graph and the test path graph; and classifying the user behavior by the user in the test time period as anomalous based on the difference between the initial path graph and the test path graph.
- The foregoing and other embodiments can each optionally include one or more of the following features, alone or in combination. The user behavior data comprises user access records that each represent a folder or a file accessed by the user in a file system. Generating the initial path graph comprises generating the initial path graph from training data of the user and training data of one or more peers of the user in the subject system. The actions include determining one or more other users in the subject system that accessed at least a threshold number of resources in common with the user during the time periods represented by the training data; and designating the one or more other users as peers of the user in the subject system. Computing the difference between the initial path graph and the test path graph comprises computing a Jaccard distance between the initial path graph and the test path graph, wherein the Jaccard distance is based on the cardinality of intersecting nodes between the initial path graph and the test path graph, and the cardinality of the union of nodes between the initial path graph and the test path graph. Computing the difference between the initial path graph and the test path graph comprises obtaining weights associated with resources represented by nodes in the initial path graph and the test path graph; and computing a weighted Jaccard distance between the initial path graph and the test path graph, wherein the weighted Jaccard distance is based on a sum of weights for all nodes that occur in the intersection of the initial path graph and the test path graph, and the sum of weights for all nodes that occur in the test path graph. The actions include assigning higher a weight to a folder in the subject system than a subfolder of the folder in the subject system. The actions include assigning a same weight to all resources in the subject system that are above a threshold number of levels in a hierarchy of the resources. The weights are based on a measure of popularity of the resources. The actions include generating a hybrid graph, wherein the hybrid graph comprises user nodes that represent users in the system and resource nodes that represent resources in the system, wherein the hybrid graph includes user-resource links, wherein each user-resource link represents a respective user accessing a resource in the system, and resource-resource links, wherein each resource-resource link represents a structure of resources in the system; computing a measure of popularity for one or more resources in the system according to the hybrid graph; selecting one or more nodes having the highest measures of popularity; and adding, to the initial path graph for the user, paths to each of the one or more nodes having the highest measures of popularity.
- Particular embodiments of the subject matter described in this specification can be implemented so as to realize one or more of the following advantages. The system can classify user access patterns as anomalous even if the patterns have not been seen before, which rule-based systems cannot do. The system can use test data resampling to make anomaly detection much more sensitive than previous approaches. The system can generate a user model for each user in the system and automatically flag a user's behavior as anomalous. The actions of a user's peers can be incorporated in the analysis to reduce false positives in anomaly detection. The system can make use of data at a more granular level than previous approaches, e.g., it can use data describing folder accesses and file accesses. The system can use topic modeling to detect when a user is accessing unexpected groups of file types.
- The details of one or more embodiments of the subject matter of this specification are set forth in the accompanying drawings and the description below. Other features, aspects, and advantages of the subject matter will become apparent from the description, the drawings, and the claims.
-
FIG. 1A is a diagram of an example anomaly detection system. -
FIG. 1B is a diagram of a segment node. -
FIG. 2 is a flow chart of an example process for classifying user access records as anomalous using a resampling model. -
FIG. 3 is a flow chart of an example process for classifying user behavior as anomalous using a topic model. -
FIG. 4 is a flow chart of an example process for classifying user behavior as anomalous using a path graphs. -
FIG. 5A illustrates an initial path graph. -
FIG. 5B illustrates an example test path graph. -
FIG. 5C illustrates another example test path graph. -
FIG. 6 is a flow chart of an example process for determining the most popular resources in the subject system. -
FIG. 7 illustrates an example hybrid graph. - Like reference numbers and designations in the various drawings indicate like elements.
-
FIG. 1A is a diagram of an exampleanomaly detection system 100. Theanomaly detection system 100 is an example of a computing system that can be used to detect anomalous user behavior. In general, theanomaly detection system 100 includes a user device 102, amaster node 110, andmultiple segment nodes - The anomalous user behavior to be detected is typically behavior by users in a subject system that is distinct from the
anomaly detection system 100. For example, the subject system can be a computer network belonging to a corporation. - A user of the user device 102 can access data stored in the
anomaly detection system 100 by communicating with themaster node 110. The user device 102 can be a personal computer, smartphone, or any other kind of computer-based device with which a user can interact. For example, a user can query the master node for anomalous user behavior that occurred during a specified time period, e.g., the previous day or week. Themaster node 110 can then communicate with thesegment nodes 114 a-n to obtain an identification of users whose behavior during the specified time period was suspicious, which themaster node 110 can then communicate to the user device 102. - The
master node 110 and eachsegment node 114 a-n are implemented as software installed on one or more physical computers or as software installed as one or more virtual machines on one or more physical computers, or both. In addition, eachsegment node 114 a-n may execute multiple segment processes within the segment node. For example, the segment nodes may be multi-core computers in which each segment process executes on a different core. In some implementations, the each physical segment nodes has between 8 and 12 segment processes. - The
master node 110 is connected to each of thesegment nodes 114 a-n, e.g., by one or more communications networks, e.g., a local area network or the Internet, or by a direct connection. In addition, each of thesegment nodes 114 a-n may be connected to one or more other segment nodes. Themaster node 110 assigns each segment node to operate on a portion of the data stored in theanomaly detection system 100. - Each data portion is generally a collection of user behavior data by users in the subject system. To leverage parallel processing by the
segment nodes 114 a-n, all user behavior data for each distinct user can be stored in a single portion. However, thesegment nodes 114 a-n can also communicate with each other to share information so that a single segment node can obtain all user behavior data for a particular user. - The user behavior data is data representing users accessing resources in the subject system. For example, the data can represent how many times a user accessed a server, a website, a web page, a file, a directory, a database, or any other accessible resource in the subject system.
- Each instance of a user accessing a resource is represented in the user behavior data, e.g., by an access record. An access record can include information describing the resource, the user, and the date and time that the resource was accessed. The user behavior data may also include aggregated access records. For example, the user behavior data can include, for each user, data representing how many times each resource was accessed during a particular time period.
- The
system 100 can store millions or billions of access records in any appropriate format. For example, the system can store each access record as a file in a file system or a line or row of data in a file in a file system or a record in a database. The access records can be indexed. - The
master node 110 can divide the processing among N segment nodes, e.g., thesegment nodes 114 a-n. The segment nodes can obtain the access records by communicating with data nodes in an underlying distributed storage system, for example, one implementing a Hadoop File System (HDFS). The data is generally partitioned among multiple storage devices and can be organized by any appropriate key-value storage subsystem. For example, the data portions can be table partitions of a relational database distributed among multiple storage devices, e.g., as part of a massively parallel processing (MPP) database. The data portions can also be stored as part of a distributed, non-relational database, e.g., in a Hadoop Database (HBase) that organizes data by key-value pairs in distinct column families and distributed across multiple storage devices. The data portions can also be partitioned to be stored locally by thesegment nodes 114 a-n. - In the example
anomaly detection system 100 illustrated inFIG. 1A , themaster node 110 has assigned thesegment node 114 a to operate onaccess records 142 a for a first group of users stored in afirst storage subsystem 132 a of the underlying distributed storage system. Similarly, themaster node 110 has assigned thesegment node 114 b to operate onaccess records 142 b stored in asecond storage subsystem 132 b, and themaster node 110 has assigned thesegment node 114 n to operate onaccess records 142 n stored in anNth storage subsystem 132 n. -
FIG. 1B is a diagram of asegment node 114. Each of thesegment nodes 114 a-n in the system computes per-user models in parallel. In other words, the system generates one or more distinct models for each user of the subject system. - Each
segment node 114 runs anomaly detection software installed on thesegment node 114 that that receives auser ID 145 assigned by a master node. The anomaly detection software then obtains the user access records 142 of a user corresponding to theuser ID 145 from an underlying storage subsystem and determines which access records 142 are training data and which access records are test data. Some individual access records may be used as both training data and test data. - In general, the test data includes a representation of the resources accessed by the user for a recent time period, and the training data includes representations of resources accessed for multiple time periods prior to the time period of the test data. For example, if the time periods are weeks of the year, the test data can include a representation of resources accessed during a most-recent week, and the training data can include representations of resources accessed during the previous month or year. The time period corresponding to the test data may be referred to as the test period.
- The test data need not represent a recent time period, however. For example, the system can use, as test data, access records for any appropriate time period in order to identify anomalous behavior that occurred in the past.
- The anomaly detection software installed on the
segment node 114 makes use of one ormore modeling engines modeling engines modeling engines - The
segment node 114 can use aresampling model engine 180, which resamples some of the test data as training data. The resampling model is described in more detail below with reference toFIG. 2 . Thesegment node 114 can also use atopic model engine 182, which generates a topic model based on file types accessed by the user. The topic model is described in more detail below with reference toFIG. 3 . Thesegment node 114 can also use a pathgraph model engine 184, which builds path graphs from training data and test data to determine anomalous behavior. The path graphs are described in more detail below with reference toFIGS. 4-7 . - The system can use the
modeling engines segment node 114 can generate ananomalous behavior notification 155 and provide thenotification 155 to another node in the system, e.g., back to themaster node 110. Themaster node 110 can then propagate the notification back to the user device 102. -
FIG. 2 is a flow chart of an example process for classifying user access records as anomalous using a resampling model. In general, the system determines how much test data, when resampled multiple times, affects the characteristic features of an initial statistical model of the user's access behavior. The example process will be described as being performed by an appropriately programmed system of one or more computers. - The system obtains a user's access records (210). As described above, the access records indicate which resources were accessed by a user during each of multiple time periods.
- The system generates a representation of the user's access records (220). In some implementations, the representation is a vector or a matrix, and the system generates a vector for each of several time periods. Each position in the vector represents a resource in the subject system, and each value in the vector represents a number of times that the user accessed the resource in the subject system that corresponds to the position of the value in the vector.
- The system generates an initial model using the training data (230). As described above, the training data includes representations of the user's access records for previous time periods.
- The system can generate the initial model as any appropriate statistical model for representing characteristic features a data set. In some implementations, the system represents the data as a matrix and uses any appropriate matrix factorization technique, e.g., Singular Value Decomposition (SVD), Principal Component Analysis (PCA), or Non-negative Matrix Factorization (NMF), to generate the representation of the characteristic features of the training data for the user.
- For example, the system can generate a matrix X of the access record vectors from the training data. The system can then perform SVD to generate a matrix T representing the principal components of X.
- The system generates a resampling model from the training data and the test data sampled multiple times (240). Resampling the test data multiple times has the effect of magnifying differences between the training data and the test data.
- For example, if using SVD to generate the resampling model, the system can use all vectors of the training data and N instances of the vector of test data. In other words, the system can generate a matrix X′ that includes the vectors of training data and N instances of the vector of test data. Generally, the matrix X′ will include more columns than the matrix X for the initial model. The system can then perform SVD to generate a matrix T′ representing the principal components of X′
- The system compares the initial model and the resampling model (250). The system can use any appropriate comparison method to determine how different the initial model and the resampling model are, for example, by computing a distance between characteristic features of the models. If using SVD, the system can compute the angle between the principal components for the initial model T and the principal components for the resampling model T.′
- The system classifies the user behavior in the test period as anomalous or not anomalous based on the comparison (260). The difference between the initial model and the resampling model will be large whenever the test data had a more dramatic effect on the resampling model relative to the initial model. Thus, the test data is more likely to be anomalous when the difference is large.
- If, however, the difference between the initial model and the resampling model is small, the test data had a minimal impact on the initial model generated from only the training data. Thus, the test data is less likely to be anomalous.
- The system can thus determine whether the difference between the models satisfies a threshold and classify the user behavior as anomalous if the difference satisfies the threshold.
-
FIG. 3 is a flow chart of an example process for classifying user behavior as anomalous using a topic model. In this example process, the system represents a user's behavior in the subject system according to groups of related file types accessed by the user, rather than according to resources accessed by the user. The groups of related file types can be represented as topics and the system can classify a user's behavior as anomalous if the test data indicates that the user accessed substantially different file types during the test period. The process will be described as being performed by an appropriately programmed system of one or more computers. - The system generates topics from files in the subject system (310). The system can generate topics where each topic represents groups of file types that frequently co-occur in user access records of individual users. Typically, the system generates the topics using user access records from many different users.
- In some implementations, the system uses the extension of a file to indicate the type of the file. However, the system may use other metadata about files in the system to determine file types.
- The system can use any appropriate topic modeling technique by treating each user as a document and each file type accessed by the user as a term occurring in the document. The system can use the topic modeling technique over all user access records that represent users access files in the subject system. The result is then a number of topics that each represent frequently occurring file types. The system can assign a unique identifier for each discovered topic.
- For example, the system can generate K topics using Latent Dirichlet Allocation (LDA). LDA takes as an input parameter a number K of topics, and generates a probability distribution for each of the K topics. Each probability distribution assigns a likelihood to a particular file type being accessed by a user who accesses file types assigned to the topic.
- The system can choose a value for K by iterating over candidate values for K and computing the perplexity of the model. The system can choose a value for K that balances the number of topics in the model and the perplexity of the model.
- The system obtains a user's access records (320). The access records can indicate electronic files that were accessed by the user and file type information of the files accessed by the user.
- The system generates a representation of the user's access records (330). The system can generate a vector for each of several time periods. Each element of the vector represents one of the K topics, and each value in the vector represents a number of times the user accessed a file type belonging to each of the corresponding topics. In some implementations, each element represents a number of days in each time period that the user accessed a file type belonging to each of the corresponding topics.
- The system uses an initial SVD model generated from training data to reconstruct the test data (340). As described above, the system can use any appropriate statistical model to represent the characteristic features of the training data and the test data, e.g., SVD or PCA.
- The system can similarly use the resampling technique described above with reference to
FIG. 2 to determine how the initial SVD model changes relative to a resampling model when the test data is added multiple times to the training data. - In some implementations, the system can use singular value decomposition (SVD) to compare the models. For example, the system can a matrix X from the training data, where each column represents a time period in the training data and each row represents one of the K topics. The system can then perform SVD to generate a matrix Y. The system can then select, from Y, the top-k right singular column vectors V as being representative of the user's behavior during the training time period.
- The system can then compare the test data, represented as a vector of training data by computing a distance D according to:
-
D=∥x t+1 −V×(V T ×x t+1)∥ - The system classifies the user behavior in the test period as anomalous or not anomalous based on the comparison (350). If the difference satisfies a threshold, the system can classify the user behavior as anomalous. Otherwise, the system can classify the user behavior as not anomalous.
-
FIG. 4 is a flow chart of an example process for classifying user behavior as anomalous using a path graphs. A path graph is a representation of how a user navigated to resources in the subject system during the relevant time periods. If the path graph changes significantly in the test period, the system can classify the user behavior as anomalous. The process will be described as being performed by an appropriately programmed system of one or more computers. - The system generates an initial path graph using training data (410). A path graph represents relationships between resources accessed by the user in the subject system.
- A path graph includes nodes that represent resources accessed by the user in the subject system. For example, the nodes of the path graph can represent folders and files in a file system. The nodes of the path graph can also represent web pages maintained by the subject system.
- A path graph includes a link between two nodes to represent a user accessing a one node from another. In other words, the path graph includes a link to represent a user visiting a first resource represented by a first node, and then visiting a second resource represented by a second node. The links can therefore represent folder and subfolder relationships, links between web pages, symbolic links or shortcuts in a file system, or any other appropriate method for accessing one resource from another.
-
FIG. 5A illustrates an initial path graph. In this example, the nodes of the path graph represent folders in a file system, and the links represent a user accessing a subfolder from a parent folder. - The initial path graph has a
root node 510 representing the “home” directory. The initial path graph also includeother nodes - A link between the
node 510 and thenode 520 represents that the user visited the “home” directory and then visited “folderB” from the “home” directory. Similarly, a link between thenode 520 and thenode 530 represents that the user visited the “subfolderC” directory from the “folderB” directory. - Thus, when the system generates the initial path graph using the training data, the resulting initial path graph includes nodes representing resources accessed by the user and links representing how the user navigated to those resources.
- The system can also include data from the user's peers when generating the initial path graph. In some instances, using an initial path graph with data from the user's peers can reduce false positive detections of anomalous behavior.
- A user's peers are generally users in the subject system that have a substantial overlap with the user in terms of resources accessed. For example, a user's peers may be other members on a same team within an organization or other employees in a same department, location, or company.
- In some implementations, the system determines the user's peers by identifying other users having at least a threshold amount of resource overlap. In other words, the system uses the training data for all users in the subject system to compute which other users accessed at least the threshold amount of resources in common with the user under consideration, e.g., at least 10%, 50%, or 80% of the same resources.
- The system can also use organizational data for an organization owning the subject system. For example, the system can designate users who are part of the same team or department as peers. The system can also designate users having the same or similar roles within the organization to be peers.
- After identifying the user's peers, the system can generate the initial path graph using training data for the user and all of the user's peers.
- As shown in
FIG. 4 , the system generates a test path graph using test data (420). The test path graph is a path graph generated from the test data. As discussed above, the test data may represent resources accessed by the user during a most recent time period. Thus, the test path graph represents how the user navigated to resources in the subject system during the time period represented by the test data. -
FIG. 5B illustrates an example test path graph. The test path graph includes two new nodes,nodes new nodes - As shown in
FIG. 4 , the system compares the initial path graph and the test path graph (430). The system can use a variety of methods for comparing the initial path graph and the test path graph. In general, the system computes measure of overlap between the initial path graph and the test path graph. A test path graph that significantly overlaps the initial path graph is indicative of normal user behavior. On the other hand, a test path graph having many nodes and edges that do not overlap the initial path graph is indicative of anomalous user behavior. - For example, the system can compute a Jaccard distance D between an initial path graph, G1, and a test path graph, G2, according to:
-
- where ∥G1∩G2| represents the cardinality of the intersection of the set of nodes in G1 and the set of nodes in G2, and |G1∪G2| represents the cardinality of the union of the set of nodes in G1 and the set of nodes in G2.
- In some implementations, the system computes a weighted Jaccard distance according to weights to the resources. The system can assign weights to the resources based on a variety of factors. For example, the system can assign higher weights to resources that include sensitive information, e.g., sensitive corporate or employee data. Thus, the detection of anomalous behavior becomes more sensitive to a user accessing folders with higher weights.
- The system can also assign weights based on hierarchical relationships of the resources. For example, if the resources represent folders and subfolders, the system can assign a higher weight to a folders than a subfolder of the folder. This makes the detection of anomalous behavior less sensitive to situations where a user merely accesses a new subfolder of a folder that the user already accessed. In some implementations, the system assigns a first weight to all resources that are above a threshold number of levels in the hierarchy, and a smaller, second weight to all other resources. For example, the system can assign a first weight to a root directory of a file system and all directories up to three levels below the root directory. For all other subfolders, the system can assign the second weight.
- The system can also assign weights based on the age of resources in the system. In some situations, anomalous behavior is more likely to involve newly created resources than old resources. Thus, the system can increase the weight assigned to new resources and decrease the weight for resources as the resources become older.
- The system can also assign weights based on a measure of popularity of the resources in the subject system. For example, the system can lower the weights assigned to popular resources accessed by many users in the subject system. The system can similarly lower the weights of all child resources of popular resources, e.g., subfolders of popular folders.
- After assigning weights to the resources in the system, the system can compute the weighted Jaccard distance WD according to:
-
- where the numerator term represents the sum of weights for all nodes that occur in the intersection of G1 and G2, and the denominator term represents the sum of weights for all nodes that occur in G2.
- The system classifies the user behavior in the test period as anomalous or not anomalous based on the comparison (440). If the computed distance between the initial path graph and the test path graph is large, the user behavior is more likely to be anomalous. If the computed distance is small, the user behavior is less likely to be anomalous. Thus, the system can classify the user behavior as anomalous if the computed distance satisfies a threshold.
- Anomalous events typically require follow up by a forensic team of the subject system. Thus, the system can adjust the threshold for each test time period based on the anticipated availability of the team to investigate the anomalous cases.
- For example, the Jaccard distance between the initial path graph illustrated in
FIG. 5A and the test path graph illustrated inFIG. 5B is a relatively low 0.333. Therefore, the system may not consider the user behavior to be anomalous. -
FIG. 5C illustrates another example test path graph. The test path graph includes sixnew nodes - The Jaccard distance between the initial path graph illustrated in
FIG. 5A and the test path graph illustrated inFIG. 5C is a relatively high 0.6. Therefore, the system may consider the user behavior to be anomalous. -
FIG. 6 is a flow chart of an example process for determining the most popular resources in the subject system. The system can take into account which resources are popular when making determinations of user behavior that is anomalous or not. If a user's behavior is normal but for accessing a resource that is otherwise popular, the system avoid flagging the users behavior as anomalous. The process will be described as being performed by an appropriately programmed system of one or more computers. - The system generates a hybrid user/resource graph (610). The hybrid graph has two types of nodes, user nodes representing users and resource nodes representing resources in the subject system. The hybrid graph also has two types of corresponding links, a resource-resource link representing a structure of resources in the subject system, and a user-resource link representing a user accessing a resource in the subject system.
-
FIG. 7 illustrates an example hybrid graph. The hybrid graph has the same resource structure as the example graph shown inFIG. 5A , having fourresource nodes - The hybrid graph has resource-resource links between resource nodes, which represent the structure of the resources in the system. In this example, the resource-resource links represent directory inclusion.
- The hybrid graph also includes two user nodes 760 and 762 representing distinct users in the system. The hybrid graph has user-resource links that represent which resources each user accessed.
- In this example, the user-resource links are likely to indicate that the home folder is more popular than the other folders because the home folder was accessed by more users than the other folders.
- As shown in
FIG. 6 , the system computes a score for resources in the system according to the hybrid graph (620). In general the score represents a measure of popularity for resources in the system based on the relationships represented by the graph. Thus, resources that are accessed by more users will have higher scores and resources that are accessed by fewer users will have lower scores. - In some implementations, the system computes a score having a first component representing the likelihood of a user performing a random navigation through resource-resource links ending up at the node and a second component representing the likelihood of a user reaching a resource represented by a child node from a resource represented by a parent node of the child node.
- The system can iteratively compute the score for each node S(i) according to the following equation:
-
- where each node j represents another user node or another resource node having a link to the node i, N is the number of nodes in the hybrid graph, and where d is a damping factor. For nodes that do not have any outgoing edges, the system can distribute their scores equally among all the N nodes in the graph.
- The system selects resource nodes having the highest scores (630). The system can rank the resources nodes by the computed scores and select the highest-ranking resource nodes as being the most popular nodes in the system. The system can select a predetermined number of the highest-ranking resource nodes, or alternatively, the system can select all resource nodes having a score that satisfies a threshold.
- The system adds paths to the selected resource nodes to all initial path graphs (640). After determining the most popular nodes, the system can add paths to all of the most popular nodes to the initial path graphs for all users in the subject system. By doing so, the system treats each user as if the user had accessed each of the most popular folders. When using the peer-based approach, the system treats each of the user's peers as if they had accessed each of the most popular folders.
- By adding the paths to the most popular folders, the system can reduce the amount of false positives generated due to users visiting folders that they don't frequently visit, but which are otherwise popular among users in the system.
- Embodiments of the subject matter and the functional operations described in this specification can be implemented in digital electronic circuitry, in tangibly-embodied computer software or firmware, in computer hardware, including the structures disclosed in this specification and their structural equivalents, or in combinations of one or more of them. Embodiments of the subject matter described in this specification can be implemented as one or more computer programs, i.e., one or more modules of computer program instructions encoded on a tangible non-transitory program carrier for execution by, or to control the operation of, data processing apparatus. Alternatively or in addition, the program instructions can be encoded on an artificially-generated propagated signal, e.g., a machine-generated electrical, optical, or electromagnetic signal, that is generated to encode information for transmission to suitable receiver apparatus for execution by a data processing apparatus. The computer storage medium can be a machine-readable storage device, a machine-readable storage substrate, a random or serial access memory device, or a combination of one or more of them. The computer storage medium is not, however, a propagated signal.
- The term “data processing apparatus” encompasses all kinds of apparatus, devices, and machines for processing data, including by way of example a programmable processor, a computer, or multiple processors or computers. The apparatus can include special purpose logic circuitry, e.g., an FPGA (field programmable gate array) or an ASIC (application-specific integrated circuit). The apparatus can also include, in addition to hardware, code that creates an execution environment for the computer program in question, e.g., code that constitutes processor firmware, a protocol stack, a database management system, an operating system, or a combination of one or more of them.
- A computer program (which may also be referred to or described as a program, software, a software application, a module, a software module, a script, or code) can be written in any form of programming language, including compiled or interpreted languages, or declarative or procedural languages, and it can be deployed in any form, including as a stand-alone program or as a module, component, subroutine, or other unit suitable for use in a computing environment. A computer program may, but need not, correspond to a file in a file system. A program can be stored in a portion of a file that holds other programs or data, e.g., one or more scripts stored in a markup language document, in a single file dedicated to the program in question, or in multiple coordinated files, e.g., files that store one or more modules, sub-programs, or portions of code. A computer program can be deployed to be executed on one computer or on multiple computers that are located at one site or distributed across multiple sites and interconnected by a communication network.
- As used in this specification, an “engine,” or “software engine,” refers to a software implemented input/output system that provides an output that is different from the input. An engine can be an encoded block of functionality, such as a library, a platform, a software development kit (“SDK”), or an object. Each engine can be implemented on any appropriate type of computing device, e.g., servers, mobile phones, tablet computers, notebook computers, music players, e-book readers, laptop or desktop computers, PDAs, smart phones, or other stationary or portable devices, that includes one or more processors and computer readable media. Additionally, two or more of the engines may be implemented on the same computing device, or on different computing devices.
- The processes and logic flows described in this specification can be performed by one or more programmable computers executing one or more computer programs to perform functions by operating on input data and generating output. The processes and logic flows can also be performed by, and apparatus can also be implemented as, special purpose logic circuitry, e.g., an FPGA (field programmable gate array) or an ASIC (application-specific integrated circuit).
- Computers suitable for the execution of a computer program include, by way of example, can be based on general or special purpose microprocessors or both, or any other kind of central processing unit. Generally, a central processing unit will receive instructions and data from a read-only memory or a random access memory or both. The essential elements of a computer are a central processing unit for performing or executing instructions and one or more memory devices for storing instructions and data. Generally, a computer will also include, or be operatively coupled to receive data from or transfer data to, or both, one or more mass storage devices for storing data, e.g., magnetic, magneto-optical disks, or optical disks. However, a computer need not have such devices. Moreover, a computer can be embedded in another device, e.g., a mobile telephone, a personal digital assistant (PDA), a mobile audio or video player, a game console, a Global Positioning System (GPS) receiver, or a portable storage device, e.g., a universal serial bus (USB) flash drive, to name just a few.
- Computer-readable media suitable for storing computer program instructions and data include all forms of non-volatile memory, media and memory devices, including by way of example semiconductor memory devices, e.g., EPROM, EEPROM, and flash memory devices; magnetic disks, e.g., internal hard disks or removable disks; magneto-optical disks; and CD-ROM and DVD-ROM disks. The processor and the memory can be supplemented by, or incorporated in, special purpose logic circuitry.
- To provide for interaction with a user, embodiments of the subject matter described in this specification can be implemented on a computer having a display device, e.g., a CRT (cathode ray tube) monitor, an LCD (liquid crystal display) monitor, or an OLED display, for displaying information to the user, as well as input devices for providing input to the computer, e.g., a keyboard, a mouse, or a presence sensitive display or other surface. Other kinds of devices can be used to provide for interaction with a user as well; for example, feedback provided to the user can be any form of sensory feedback, e.g., visual feedback, auditory feedback, or tactile feedback; and input from the user can be received in any form, including acoustic, speech, or tactile input. In addition, a computer can interact with a user by sending resources to and receiving resources from a device that is used by the user; for example, by sending web pages to a web browser on a user's client device in response to requests received from the web browser.
- Embodiments of the subject matter described in this specification can be implemented in a computing system that includes a back-end component, e.g., as a data server, or that includes a middleware component, e.g., an application server, or that includes a front-end component, e.g., a client computer having a graphical user interface or a Web browser through which a user can interact with an implementation of the subject matter described in this specification, or any combination of one or more such back-end, middleware, or front-end components. The components of the system can be interconnected by any form or medium of digital data communication, e.g., a communication network. Examples of communication networks include a local area network (“LAN”) and a wide area network (“WAN”), e.g., the Internet.
- The computing system can include clients and servers. A client and server are generally remote from each other and typically interact through a communication network. The relationship of client and server arises by virtue of computer programs running on the respective computers and having a client-server relationship to each other.
- While this specification contains many specific implementation details, these should not be construed as limitations on the scope of any invention or of what may be claimed, but rather as descriptions of features that may be specific to particular embodiments of particular inventions. Certain features that are described in this specification in the context of separate embodiments can also be implemented in combination in a single embodiment. Conversely, various features that are described in the context of a single embodiment can also be implemented in multiple embodiments separately or in any suitable subcombination. Moreover, although features may be described above as acting in certain combinations and even initially claimed as such, one or more features from a claimed combination can in some cases be excised from the combination, and the claimed combination may be directed to a subcombination or variation of a subcombination.
- Similarly, while operations are depicted in the drawings in a particular order, this should not be understood as requiring that such operations be performed in the particular order shown or in sequential order, or that all illustrated operations be performed, to achieve desirable results. In certain circumstances, multitasking and parallel processing may be advantageous. Moreover, the separation of various system modules and components in the embodiments described above should not be understood as requiring such separation in all embodiments, and it should be understood that the described program components and systems can generally be integrated together in a single software product or packaged into multiple software products.
- Particular embodiments of the subject matter have been described. Other embodiments are within the scope of the following claims. For example, the actions recited in the claims can be performed in a different order and still achieve desirable results. As one example, the processes depicted in the accompanying figures do not necessarily require the particular order shown, or sequential order, to achieve desirable results. In certain implementations, multitasking and parallel processing may be advantageous.
Claims (1)
1. A method comprising:
obtaining a plurality of topics, each topic being data representing a plurality of file types that frequently co-occur in user behavior data of individual users;
obtaining user behavior data representing behavior of a user in a subject system, wherein the user behavior data indicates file types of files accessed by the user in the subject system and when the file was accessed by the user;
generating test data from the user behavior data, the test data comprising a first representation of which topics the user accessed during a test time period according to the file types of the user behavior data;
generating training data from the user behavior data, the training data comprising respective second representations of which topics the user accessed in each of multiple time periods prior to the test time period;
generating an initial SVD model from the test data;
generating a resampling model from the training data from multiple instances of the first representation of which topics the user accessed during the test time period;
computing a difference between the initial model and the resampling model; and
classifying the user behavior in the test time period as anomalous based on the difference between the initial model and the resampling model.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US18/450,263 US20230394367A1 (en) | 2015-07-27 | 2023-08-15 | Classifying user behavior as anomalous |
Applications Claiming Priority (4)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US14/810,328 US10430721B2 (en) | 2015-07-27 | 2015-07-27 | Classifying user behavior as anomalous |
US16/575,279 US11436530B2 (en) | 2015-07-27 | 2019-09-18 | Classifying user behavior as anomalous |
US17/870,733 US11727311B2 (en) | 2015-07-27 | 2022-07-21 | Classifying user behavior as anomalous |
US18/450,263 US20230394367A1 (en) | 2015-07-27 | 2023-08-15 | Classifying user behavior as anomalous |
Related Parent Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US17/870,733 Continuation US11727311B2 (en) | 2015-07-27 | 2022-07-21 | Classifying user behavior as anomalous |
Publications (1)
Publication Number | Publication Date |
---|---|
US20230394367A1 true US20230394367A1 (en) | 2023-12-07 |
Family
ID=56609977
Family Applications (4)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US14/810,328 Active 2038-05-04 US10430721B2 (en) | 2015-07-27 | 2015-07-27 | Classifying user behavior as anomalous |
US16/575,279 Active 2036-11-15 US11436530B2 (en) | 2015-07-27 | 2019-09-18 | Classifying user behavior as anomalous |
US17/870,733 Active US11727311B2 (en) | 2015-07-27 | 2022-07-21 | Classifying user behavior as anomalous |
US18/450,263 Pending US20230394367A1 (en) | 2015-07-27 | 2023-08-15 | Classifying user behavior as anomalous |
Family Applications Before (3)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US14/810,328 Active 2038-05-04 US10430721B2 (en) | 2015-07-27 | 2015-07-27 | Classifying user behavior as anomalous |
US16/575,279 Active 2036-11-15 US11436530B2 (en) | 2015-07-27 | 2019-09-18 | Classifying user behavior as anomalous |
US17/870,733 Active US11727311B2 (en) | 2015-07-27 | 2022-07-21 | Classifying user behavior as anomalous |
Country Status (6)
Country | Link |
---|---|
US (4) | US10430721B2 (en) |
EP (1) | EP3329411B1 (en) |
JP (1) | JP6661768B2 (en) |
CN (1) | CN108140075B (en) |
AU (2) | AU2016298250B2 (en) |
WO (1) | WO2017019735A1 (en) |
Families Citing this family (52)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
GB2526501A (en) | 2013-03-01 | 2015-11-25 | Redowl Analytics Inc | Modeling social behavior |
US20140250033A1 (en) | 2013-03-01 | 2014-09-04 | RedOwl Analytics, Inc. | Social behavior hypothesis testing |
WO2016190868A1 (en) * | 2015-05-28 | 2016-12-01 | Hewlett Packard Enterprise Development Lp | Processing network data using a graph data structure |
US10037425B2 (en) * | 2015-08-26 | 2018-07-31 | Symantec Corporation | Detecting suspicious file prospecting activity from patterns of user activity |
US9942252B1 (en) * | 2015-09-08 | 2018-04-10 | EMC IP Holding Co. LLC | Graph-based techniques for detecting coordinated network attacks |
US9888007B2 (en) | 2016-05-13 | 2018-02-06 | Idm Global, Inc. | Systems and methods to authenticate users and/or control access made by users on a computer network using identity services |
US11030673B2 (en) | 2016-07-28 | 2021-06-08 | International Business Machines Corporation | Using learned application flow to assist users in network business transaction based apps |
US11222270B2 (en) | 2016-07-28 | 2022-01-11 | International Business Machiness Corporation | Using learned application flow to predict outcomes and identify trouble spots in network business transactions |
US10210283B2 (en) | 2016-09-28 | 2019-02-19 | International Business Machines Corporation | Accessibility detection and resolution |
US10187369B2 (en) | 2016-09-30 | 2019-01-22 | Idm Global, Inc. | Systems and methods to authenticate users and/or control access made by users on a computer network based on scanning elements for inspection according to changes made in a relation graph |
US10250583B2 (en) | 2016-10-17 | 2019-04-02 | Idm Global, Inc. | Systems and methods to authenticate users and/or control access made by users on a computer network using a graph score |
US10320819B2 (en) * | 2017-02-27 | 2019-06-11 | Amazon Technologies, Inc. | Intelligent security management |
US10965668B2 (en) | 2017-04-27 | 2021-03-30 | Acuant, Inc. | Systems and methods to authenticate users and/or control access made by users based on enhanced digital identity verification |
US10999296B2 (en) | 2017-05-15 | 2021-05-04 | Forcepoint, LLC | Generating adaptive trust profiles using information derived from similarly situated organizations |
US11888859B2 (en) | 2017-05-15 | 2024-01-30 | Forcepoint Llc | Associating a security risk persona with a phase of a cyber kill chain |
US10318729B2 (en) | 2017-07-26 | 2019-06-11 | Forcepoint, LLC | Privacy protection during insider threat monitoring |
US10803178B2 (en) | 2017-10-31 | 2020-10-13 | Forcepoint Llc | Genericized data model to perform a security analytics operation |
US11188917B2 (en) * | 2018-03-29 | 2021-11-30 | Paypal, Inc. | Systems and methods for compressing behavior data using semi-parametric or non-parametric models |
US11314787B2 (en) | 2018-04-18 | 2022-04-26 | Forcepoint, LLC | Temporal resolution of an entity |
US11755584B2 (en) | 2018-07-12 | 2023-09-12 | Forcepoint Llc | Constructing distributions of interrelated event features |
US11810012B2 (en) | 2018-07-12 | 2023-11-07 | Forcepoint Llc | Identifying event distributions using interrelated events |
US10949428B2 (en) | 2018-07-12 | 2021-03-16 | Forcepoint, LLC | Constructing event distributions via a streaming scoring operation |
US11436512B2 (en) | 2018-07-12 | 2022-09-06 | Forcepoint, LLC | Generating extracted features from an event |
US11025638B2 (en) | 2018-07-19 | 2021-06-01 | Forcepoint, LLC | System and method providing security friction for atypical resource access requests |
CN108984791A (en) * | 2018-08-02 | 2018-12-11 | 苏州市千尺浪信息科技服务有限公司 | A kind of storage system based on block chain big data |
US11811799B2 (en) | 2018-08-31 | 2023-11-07 | Forcepoint Llc | Identifying security risks using distributions of characteristic features extracted from a plurality of events |
US11048807B2 (en) * | 2018-09-12 | 2021-06-29 | International Business Machines Corporation | Protecting data security with hierarchical authorization analysis |
CN109413036B (en) * | 2018-09-12 | 2022-02-08 | 全球能源互联网研究院有限公司 | Sensitive information abnormal outflow monitoring method and device and server |
CN109299592B (en) * | 2018-09-29 | 2021-08-10 | 武汉极意网络科技有限公司 | Man-machine behavior characteristic boundary construction method, system, server and storage medium |
US11025659B2 (en) | 2018-10-23 | 2021-06-01 | Forcepoint, LLC | Security system using pseudonyms to anonymously identify entities and corresponding security risk related behaviors |
US11171980B2 (en) | 2018-11-02 | 2021-11-09 | Forcepoint Llc | Contagion risk detection, analysis and protection |
CN109753906B (en) * | 2018-12-25 | 2022-06-07 | 西北工业大学 | Method for detecting abnormal behaviors in public places based on domain migration |
JP2021015421A (en) * | 2019-07-11 | 2021-02-12 | 富士通株式会社 | Information processing program, information processing method, and information processing apparatus |
US11736503B2 (en) | 2019-10-22 | 2023-08-22 | Salesforce, Inc. | Detection of anomalous lateral movement in a computer network |
CN111104979B (en) * | 2019-12-18 | 2023-08-01 | 北京思维造物信息科技股份有限公司 | Method, device and equipment for generating user behavior value evaluation model |
US11489862B2 (en) | 2020-01-22 | 2022-11-01 | Forcepoint Llc | Anticipating future behavior using kill chains |
US11630901B2 (en) | 2020-02-03 | 2023-04-18 | Forcepoint Llc | External trigger induced behavioral analyses |
US11080109B1 (en) | 2020-02-27 | 2021-08-03 | Forcepoint Llc | Dynamically reweighting distributions of event observations |
US11836265B2 (en) | 2020-03-02 | 2023-12-05 | Forcepoint Llc | Type-dependent event deduplication |
US11429697B2 (en) | 2020-03-02 | 2022-08-30 | Forcepoint, LLC | Eventually consistent entity resolution |
US11080032B1 (en) | 2020-03-31 | 2021-08-03 | Forcepoint Llc | Containerized infrastructure for deployment of microservices |
US11568136B2 (en) | 2020-04-15 | 2023-01-31 | Forcepoint Llc | Automatically constructing lexicons from unlabeled datasets |
US11516206B2 (en) | 2020-05-01 | 2022-11-29 | Forcepoint Llc | Cybersecurity system having digital certificate reputation system |
US11544390B2 (en) | 2020-05-05 | 2023-01-03 | Forcepoint Llc | Method, system, and apparatus for probabilistic identification of encrypted files |
US11895158B2 (en) | 2020-05-19 | 2024-02-06 | Forcepoint Llc | Cybersecurity system having security policy visualization |
US11704387B2 (en) | 2020-08-28 | 2023-07-18 | Forcepoint Llc | Method and system for fuzzy matching and alias matching for streaming data sets |
US11190589B1 (en) | 2020-10-27 | 2021-11-30 | Forcepoint, LLC | System and method for efficient fingerprinting in cloud multitenant data loss prevention |
CN112953758A (en) * | 2021-01-26 | 2021-06-11 | 亚太卫星宽带通信(深圳)有限公司 | Passenger internet behavior and simulation test system and method |
CN113221104B (en) * | 2021-05-12 | 2023-07-28 | 北京百度网讯科技有限公司 | Detection method of abnormal behavior of user and training method of user behavior reconstruction model |
US20230023723A1 (en) * | 2021-07-26 | 2023-01-26 | Cisco Technology, Inc. | Transparent security and policy enforcement for low-code orchestration |
US11832119B2 (en) * | 2021-08-31 | 2023-11-28 | Verizon Patent And Licensing Inc. | Identification of anomalous telecommunication service |
US20230403289A1 (en) * | 2022-06-14 | 2023-12-14 | Microsoft Technology Licensing, Llc | Machine learning approach for solving the cold start problem in stateful models |
Family Cites Families (25)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6285999B1 (en) | 1997-01-10 | 2001-09-04 | The Board Of Trustees Of The Leland Stanford Junior University | Method for node ranking in a linked database |
JP2000148276A (en) * | 1998-11-05 | 2000-05-26 | Fujitsu Ltd | Device and method for monitoring security and securithy monitoring program recording medium |
US7096499B2 (en) * | 1999-05-11 | 2006-08-22 | Cylant, Inc. | Method and system for simplifying the structure of dynamic execution profiles |
JP2004309998A (en) * | 2003-02-18 | 2004-11-04 | Nec Corp | Probabilistic distribution estimation apparatus, abnormal behavior detection device, probabilistic distribution estimation method, and abnormal behavior detection method |
US20050203881A1 (en) * | 2004-03-09 | 2005-09-15 | Akio Sakamoto | Database user behavior monitor system and method |
US7533070B2 (en) | 2006-05-30 | 2009-05-12 | Honeywell International Inc. | Automatic fault classification for model-based process monitoring |
US8595834B2 (en) * | 2008-02-04 | 2013-11-26 | Samsung Electronics Co., Ltd | Detecting unauthorized use of computing devices based on behavioral patterns |
US8832119B2 (en) | 2008-06-12 | 2014-09-09 | Fuji Xerox Co., Ltd. | Systems and methods for organizing files in a graph-based layout |
US20090328215A1 (en) * | 2008-06-30 | 2009-12-31 | Microsoft Corporation | Semantic networks for intrusion detection |
US8769684B2 (en) | 2008-12-02 | 2014-07-01 | The Trustees Of Columbia University In The City Of New York | Methods, systems, and media for masquerade attack detection by monitoring computer user behavior |
JP2012053716A (en) * | 2010-09-01 | 2012-03-15 | Research Institute For Diversity Ltd | Method for creating thinking model, device for creating thinking model and program for creating thinking model |
US8838613B1 (en) * | 2011-02-18 | 2014-09-16 | Google Inc. | Identifying trends from micro-posts |
US9106687B1 (en) * | 2011-11-01 | 2015-08-11 | Symantec Corporation | Mechanism for profiling user and group accesses to content repository |
WO2013090910A2 (en) | 2011-12-15 | 2013-06-20 | Northeastern University | Real-time anomaly detection of crowd behavior using multi-sensor information |
AU2013272215B2 (en) * | 2012-03-22 | 2017-10-12 | Imperial Innovations Limited | Anomaly detection to identify coordinated group attacks in computer networks |
CN102750469B (en) * | 2012-05-18 | 2015-12-09 | 北京邮电大学 | A kind of safety detecting system based on open platform and detection method thereof |
CN103138986B (en) * | 2013-01-09 | 2016-08-03 | 天津大学 | A kind of website abnormal based on visual analysis accesses the detection method of behavior |
JP6047017B2 (en) * | 2013-01-11 | 2016-12-21 | キヤノン株式会社 | Pattern extraction apparatus and control method |
US9471789B2 (en) | 2013-02-19 | 2016-10-18 | The University Of Tulsa | Compliance method for a cyber-physical system |
US9264442B2 (en) | 2013-04-26 | 2016-02-16 | Palo Alto Research Center Incorporated | Detecting anomalies in work practice data by combining multiple domains of information |
JP6219621B2 (en) | 2013-07-02 | 2017-10-25 | セコム株式会社 | Communication verification device |
US9367809B2 (en) * | 2013-10-11 | 2016-06-14 | Accenture Global Services Limited | Contextual graph matching based anomaly detection |
EP2874073A1 (en) | 2013-11-18 | 2015-05-20 | Fujitsu Limited | System, apparatus, program and method for data aggregation |
CN103823883B (en) * | 2014-03-06 | 2015-06-10 | 焦点科技股份有限公司 | Analysis method and system for website user access path |
CN103853841A (en) * | 2014-03-19 | 2014-06-11 | 北京邮电大学 | Method for analyzing abnormal behavior of user in social networking site |
-
2015
- 2015-07-27 US US14/810,328 patent/US10430721B2/en active Active
-
2016
- 2016-07-27 JP JP2018525505A patent/JP6661768B2/en active Active
- 2016-07-27 WO PCT/US2016/044198 patent/WO2017019735A1/en unknown
- 2016-07-27 AU AU2016298250A patent/AU2016298250B2/en active Active
- 2016-07-27 EP EP16747974.0A patent/EP3329411B1/en active Active
- 2016-07-27 CN CN201680044384.4A patent/CN108140075B/en active Active
-
2019
- 2019-09-18 US US16/575,279 patent/US11436530B2/en active Active
- 2019-12-05 AU AU2019275615A patent/AU2019275615B2/en active Active
-
2022
- 2022-07-21 US US17/870,733 patent/US11727311B2/en active Active
-
2023
- 2023-08-15 US US18/450,263 patent/US20230394367A1/en active Pending
Also Published As
Publication number | Publication date |
---|---|
CN108140075A (en) | 2018-06-08 |
US10430721B2 (en) | 2019-10-01 |
AU2016298250A1 (en) | 2018-02-22 |
JP2018523885A (en) | 2018-08-23 |
US20200012968A1 (en) | 2020-01-09 |
WO2017019735A1 (en) | 2017-02-02 |
EP3329411A1 (en) | 2018-06-06 |
CN108140075B (en) | 2021-10-26 |
AU2019275615B2 (en) | 2021-05-20 |
AU2016298250B2 (en) | 2019-09-26 |
US11727311B2 (en) | 2023-08-15 |
JP6661768B2 (en) | 2020-03-11 |
AU2019275615A1 (en) | 2020-01-02 |
US20220366309A1 (en) | 2022-11-17 |
EP3329411B1 (en) | 2021-06-02 |
US11436530B2 (en) | 2022-09-06 |
US20170032274A1 (en) | 2017-02-02 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US11727311B2 (en) | Classifying user behavior as anomalous | |
Huyen | Designing machine learning systems | |
JP6457693B1 (en) | Systems and techniques for predictive data analysis | |
US9747551B2 (en) | Determining and localizing anomalous network behavior | |
US8364613B1 (en) | Hosting predictive models | |
US8229864B1 (en) | Predictive model application programming interface | |
US9886247B2 (en) | Using an application programming interface (API) data structure in recommending an API composite | |
US20110252121A1 (en) | Recommendation ranking system with distrust | |
US10318540B1 (en) | Providing an explanation of a missing fact estimate | |
Southerton | Datafication | |
US10474670B1 (en) | Category predictions with browse node probabilities | |
Arora | Big data analytics: The underlying technologies used by organizations for value generation | |
Goin et al. | Identification of spikes in time series | |
CN113785317A (en) | Feedback mining using domain-specific modeling | |
Shyr et al. | Automated data analysis | |
Hogan | Data center | |
Dass et al. | Amelioration of big data analytics by employing big data tools and techniques | |
US20220138262A1 (en) | Techniques to generate and store graph models from structured and unstructured data in a cloud-based graph database system | |
Chen | Digital Ecosystem | |
Wen | Data sharing | |
Goniwada | Datafication Principles and Patterns | |
Gawali et al. | A Plagiarism Detector Based on MAS Scalable Framework for Research Effort Evaluation by Unsupervised Machine Learning–Hybrid Plagiarism Model | |
Zhao et al. | Data Mining and Measurements |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
STPP | Information on status: patent application and granting procedure in general |
Free format text: DOCKETED NEW CASE - READY FOR EXAMINATION |