Activity model for detecting suspicious user activity
US-2016203316-A1 · Jul 14, 2016 · US
US10326787B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-10326787-B2 |
| Application number | US-201715433039-A |
| Country | US |
| Kind code | B2 |
| Filing date | Feb 15, 2017 |
| Priority date | Feb 15, 2017 |
| Publication date | Jun 18, 2019 |
| Grant date | Jun 18, 2019 |
Abstract.
An anomaly detection system is provided and includes a processor, a memory and a security application stored in the memory and including instructions. The instructions are for collecting behavior data corresponding to users of an organization accessing cloud applications. The behavior data includes parameters tracked over time for the users. The instructions are for: creating a first model based on the behavior data tracked for the users; creating a second model corresponding to a first user based on the parameters tracked for the users except the first user, where the second model excludes behavior data pertaining to the first user; scoring the second model based on the first model to generate a first score; determining whether the first user is an outlier based on the first score; and removing the behavior data corresponding to the first user from the first model if the first user is an outlier.
Claims (preview; the claim text on this page breaks off inside claim 12).
What is claimed is:

1. An anomaly detection system comprising: a processor; a memory; and a security application stored in the memory and including instructions, which are executable by the processor and are configured to: collect behavior data corresponding to a plurality of users of an organization accessing cloud applications via a distributed network, wherein the behavior data includes one or more parameter(s) tracked over time for the plurality of users, and wherein the cloud applications are implemented on one or more server computer(s) of a service provider; create a first model for the organization based on the behavior data tracked for the plurality of users; create a second model corresponding to a first user of the plurality of users based on the one or more parameter(s) tracked for the plurality of users except the first user, wherein the second model excludes behavior data pertaining to the first user; score the second model based on the first model to generate a first score, wherein generating the first score is performed by at least performing the following: determining a first cumulative distribution function based on the first model; determining a second cumulative distribution function based on the second model; and calculating the first score as a distance between the first cumulative distribution function and the second cumulative distribution function; determine whether the first user is an outlier based on the first score; remove the behavior data corresponding to the first user from the first model if the first user is determined to be an outlier; recreate the first model based on the behavior data tracked for the plurality of users except for the first user; detect an anomaly based on the recreated first model; and perform a countermeasure in response to detection of the anomaly.

2. The anomaly detection system of claim 1, wherein the security application is configured to: collect scores for at least some of the plurality of users; and determine whether the first user is an outlier by comparing the first score to the scores for the at least some of the plurality of users.

3. The anomaly detection system of claim 1, wherein the first model and the second model are histograms.

4. The anomaly detection system of claim 1, wherein the security application is configured to: determine a baseline based on the behavior data of the plurality of users; determine a plurality of models, where each of the plurality of models is for a respective one of the plurality of users; score each of the plurality of models based on the baseline or the first model, wherein the plurality of models do not include the second model; determine a standard deviation and a mean based on the scores of the plurality of models; and determine whether the first user is an outlier based on the score of the second model, the standard deviation and the mean.

5. The anomaly detection system of claim 1, wherein the security application is configured to calculate the first score as a distance based on a two sample Kolmogorov-Smirnov test.

6. The anomaly detection system of claim 1, the security application is configured to: determine a plurality of models for a finite number of the plurality of users, wherein the plurality of models include the second model; score the plurality of models to generate a plurality of scores, wherein the plurality of scores includes the first score; detect a plurality of outliers including the first user based on the plurality of scores; determine whether a number of the plurality of outliers satisfies a predetermined amount; and adjust a threshold used to detect the plurality of outliers if the number of the plurality of outliers does not satisfy the predetermined amount.

7. The anomaly detection system of claim 1, wherein the security application is configured to: determine a baseline based on the behavior data corresponding to the plurality of users; determine a risk value based on anomaly data associated with the detected anomaly including determining a probability that the anomaly is to occur based on the baseline; and perform the countermeasure based on the risk value.

8. The anomaly detection system of claim 1, wherein: the security application collects the behavior data for the plurality of users by requesting logs from at least one of a proxy, a gateway and a firewall; and the logs include fields indicating access periods of the cloud applications, Internet protocol addresses of client computers of the plurality of users, usernames of the plurality of users, names of the cloud applications, volumes of data transferred between the client computers and machines of the cloud applications, a number of failed login attempts by each of the plurality of users, and numbers of transactions between the client computers and the machines of the cloud applications.

9. An anomaly detection system comprising: a processor; a memory; and a security application stored in the memory and including instructions, which are executable by the processor and are configured to: collect behavior data corresponding to a plurality of client computers of an organization accessing cloud applications via a distributed network, wherein the behavior data includes one or more parameters tracked over time for the plurality of client computers, and wherein the cloud applications are implemented on one or more server computer(s) of a service provider; create a first model for the organization based on the behavior data tracked for the plurality of client computers; create a second model corresponding to a first client computer of the plurality of client computers based on the one or more parameter(s) tracked for the plurality of client computers except the first client computer, wherein the second model excludes behavior data pertaining to the first client computer; score the second model based on the first model to generate a first score, wherein generating the first score is performed by at least performing the following: determining a first cumulative distribution function based on the first model; determining a second cumulative distribution function based on the second model; and calculating the first score as a distance between the first cumulative distribution function and the second cumulative distribution function; determine whether the first client computer is an outlier based on the first score; remove the behavior data corresponding to the first client computer from the first model if the first client computer is determined to be an outlier; recreate the first model based on the behavior data tracked for the plurality of client computers except for the first client computer; detect an anomaly based on the recreated first model and perform a countermeasure in response to detection of the anomaly.

10. The anomaly detection system of claim 9, wherein the first model and the second model are histograms.

11. The anomaly detection system of claim 9, wherein the security application is configured to: determine a baseline based on the behavior data of the plurality of client computers; determine a plurality of models, where each of the plurality of models is for a respective one of the plurality of client computers; score each of the plurality of models based on the baseline or the first model, wherein the plurality of models do not include the second model; determine a standard deviation and a mean based on the scores of the plurality of models; and determine whether the first client computer is an outlier based on the score of the second model, the standard deviation and the mean.

12. The anomaly de
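The scoring loop of claims 1, 4, 5, 6 and 7, carried through as a worked example: build the organisation-wide model from every user's data, rebuild it with each user left out, take the two-sample Kolmogorov-Smirnov distance between the two empirical CDFs as that user's score, flag users whose score sits far above the mean and standard deviation of the others, loosen the threshold if too many get flagged, drop the flagged users' data, and only then score new observations against the recreated baseline. This is an added illustration, not code from the patent or its assignee; the per-user upload volumes, the z-score multiplier, the 20% outlier cap, the 5% tail threshold and all function names are assumptions made here.

```python
"""Leave-one-out Kolmogorov-Smirnov pruning of an organisation-wide behaviour
baseline. Added illustration of the claimed scoring loop; not the patent's code.
Thresholds, sample values and names below are assumptions."""

from statistics import mean, pstdev

# Constructed sample (not data from the patent): bytes uploaded per day, in KB,
# to one cloud application, one list per user. Mallory's values are sized like
# an exfiltration so that her data dominates the upper tail of the org model.
DAILY_UPLOAD_KB = {
    "alice":   [100, 200, 300, 400],
    "bob":     [150, 250, 350, 450],
    "carol":   [120, 220, 320, 420],
    "dave":    [180, 280, 380, 480],
    "erin":    [110, 260, 330, 470],
    "mallory": [9000, 9500, 12000, 15000],
}


def ks_distance(a, b):
    """Two-sample Kolmogorov-Smirnov statistic: the largest gap between the
    empirical CDFs of samples a and b, checked at every pooled value."""
    a, b = sorted(a), sorted(b)
    ia = ib = 0
    worst = 0.0
    for x in sorted(set(a) | set(b)):
        while ia < len(a) and a[ia] <= x:
            ia += 1
        while ib < len(b) and b[ib] <= x:
            ib += 1
        worst = max(worst, abs(ia / len(a) - ib / len(b)))
    return worst


def leave_one_out_scores(samples):
    """Score each user by how far the org-wide CDF (first model) moves when that
    user's data is left out (second model). A large move means the user alone
    is shaping the baseline, which is exactly what a noisy insider would do."""
    everyone = [v for vals in samples.values() for v in vals]
    return {
        user: ks_distance(
            everyone,
            [v for u, vals in samples.items() if u != user for v in vals])
        for user in samples
    }


def outliers_by_zscore(scores, k):
    """Claim 4 style rule: compare a user's score with the mean and standard
    deviation of the other users' scores; flag it if more than k sigma above."""
    flagged = set()
    for user, s in scores.items():
        rest = [v for u, v in scores.items() if u != user]
        mu, sd = mean(rest), pstdev(rest)
        if sd > 0 and (s - mu) / sd > k:
            flagged.add(user)
    return flagged


def prune_baseline(samples, max_outlier_fraction=0.2, k=2.0, step=0.5):
    """Claim 6 style loop: if more users are flagged than the cap allows, raise
    the threshold and retry, so a noisy population cannot hollow out the
    baseline. Returns the flagged users and the recreated baseline."""
    scores = leave_one_out_scores(samples)
    limit = int(len(samples) * max_outlier_fraction)
    flagged = outliers_by_zscore(scores, k)
    while len(flagged) > limit:          # z-scores are finite, so this ends
        k += step
        flagged = outliers_by_zscore(scores, k)
    baseline = [v for u, vals in samples.items() if u not in flagged for v in vals]
    return flagged, baseline


def tail_probability(baseline, value):
    """Probability, under the baseline, of an observation at least this large.
    Claim 7 derives its risk value from an estimate of this kind."""
    return sum(1 for v in baseline if v >= value) / len(baseline)


def is_anomaly(baseline, value, p_threshold=0.05):
    """Flag an observation the recreated baseline almost never produces."""
    return tail_probability(baseline, value) < p_threshold


if __name__ == "__main__":
    flagged, baseline = prune_baseline(DAILY_UPLOAD_KB)
    print("pruned from baseline:", flagged)
    print("alice uploads 5000 KB, pruned baseline:", is_anomaly(baseline, 5000))
    everyone = [v for vals in DAILY_UPLOAD_KB.values() for v in vals]
    print("same event, unpruned baseline:", is_anomaly(everyone, 5000))
```

The order matters: scored against the unpruned model, a 5000 KB upload by alice sits inside the tail that mallory's own traffic created, so it is not flagged; once mallory's data is removed and the model recreated, the same event is an anomaly. The hand-rolled `ks_distance` keeps the example dependency-free; in practice `scipy.stats.ks_2samp` gives the same statistic together with a p-value, and the histogram form of claims 3 and 10 only changes how the CDFs are tabulated, not the distance.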
CPC classification titles:

- Single-class perspective, e.g. one-against-all classification; Novelty detection; Outlier detection
- based on parametric or probabilistic models, e.g. based on likelihood ratio or false acceptance rate versus a false rejection rate
- Countermeasures against malicious traffic (countermeasures against attacks on cryptographic mechanisms H04L9/002)
- Design optimisation, verification or simulation (optimisation, verification or simulation of circuit designs G06F30/30)
- involving long-term monitoring or reporting