Feature-agnostic behavior profile based anomaly detection

US11706234B2 · US · B2

Patent metadata
Publication number: US-11706234-B2
Application number: US-202117316465-A
Country: US
Kind code: B2
Filing date: May 10, 2021
Priority date: May 19, 2017
Publication date: Jul 18, 2023
Grant date: Jul 18, 2023

Abstract

Official abstract text for this publication.

Techniques for user behavior anomaly detection. At least one low-variance characteristic is compared to an expected result for the corresponding low-variance characteristics to determine if the low-variance characteristic(s) is/are within a pre-selected range of the expected results. A security response action is taken in response to the low-variance characteristic not being within the first pre-selected range of the expected results. At least one high-variance characteristic is compared to an expected result for the corresponding high-variance characteristics to determine if the high-variance characteristic(s) is/are within a pre-selected range of the expected results. A security response action is taken in response to the high-variance characteristic not being within the first pre-selected range of the expected results. Access is provided if the low-variance and the high-variance characteristics are within the respective expected ranges.

First claim

Opening claim text (preview).

What is claimed is:

1. A method comprising: receiving, with one or more hardware processors, application log data for a cloud-based software service that provides access for at least two organizations having different corresponding users, wherein the software service comprises at least a user application executing in a software operating system; analyzing, with the one or more hardware processors, the application log data to extract interaction characteristics corresponding to an entity in an organization, wherein the entity is either a resource or a user; grouping the extracted interaction characteristics into a first set of baseline low-variance interaction characteristics with one or more hardware processors; training one or more statistical models with the one or more hardware processors utilizing the first set of baseline low-variance interaction characteristics and the second set of other interaction characteristics to evaluate in-app behavior of a first entity corresponding to the organization; providing a baseline behavior profile for the first entity based on the one or more statistical models from the first set of baseline low-variance interaction characteristics, wherein the baseline behavior profile comprises a user baseline behavior median (BBM), a user behavior variance median absolute deviation (MAD), and a user abnormal behavior median of abnormality (MoA); and generating an anomaly score based on the baseline behavior profile, the second set of other interaction characteristics and interaction characteristics with the software service by a second entity corresponding to the organization with one or more hardware processors.

2. The method of claim 1 wherein the BBM, the MAD and the MoA provide a distribution of historical behavior for the entity and a relative deviation is calculated to determine the anomaly score.

3. The method of claim 1 wherein the baseline low-variance interaction characteristics comprise a lowest M dimensions that represent no more than a pre selected percentage of total variance.

4. The method of claim 1 wherein the second set of other interaction characteristics comprise a top N dimensions that represent pre-selected percentage of total variance.

5. The method of claim 1 wherein the cloud-based software service comprises at least a multitenant database environment in which the multitenant database environment provides each of multiple organizations with a dedicated share of a software instance including one or more of organization-specific data, user management, organization-specific functionality, configuration, customizations, non-functional properties and associated applications.

6. A non-transitory computer-readable medium having stored thereon instructions that, when executed by one or more processors, are configurable to cause the one or more processors to: receive application log data for a cloud-based software service that provides access for at least two organizations having different corresponding users, wherein the software service comprises at least a user application executing in a software operating system; analyze the application log data to extract interaction characteristics corresponding to an entity in an organization, wherein the entity is either a resource or a user; group the extracted interaction characteristics into a first set of baseline low-variance interaction characteristics and a second set of other interaction characteristics; train one or more statistical models utilizing the first set of baseline low-variance interaction characteristics and the second set of other interaction characteristics to evaluate in app behavior of a first entity corresponding to the organization; generate an anomaly score based on the baseline behavior profile, the second set of other interaction characteristics and interaction characteristics with the software service by a second entity corresponding to the organization, wherein the baseline behavior profile comprises a user baseline behavior median (BBM), a user behavior variance median absolute deviation (MAD), and a user abnormal behavior median of abnormality (MoA).

7. The non-transitory computer-readable medium of claim 6 wherein the BBM, the MAD and the MoA provide a distribution of historical behavior for the entity and a relative deviation is calculated to determine the anomaly score.

8. The non-transitory computer-readable medium of claim 6 wherein the baseline low-variance interaction characteristics comprise a lowest M dimensions that represent no more than a pre-selected percentage of total variance.

9. The non-transitory computer-readable medium of claim 6 wherein the second set of other interaction characteristics comprise a top N dimensions that represent pre-selected percentage of total variance.

10. The non-transitory computer-readable medium of claim 6 wherein the cloud-based software service comprises at least a multitenant database environment in which the multitenant database environment provides each of multiple organizations with a dedicated share of a software instance including one or more of organization-specific data, user management, organization-specific functionality, configuration, customizations, non-functional properties and associated applications.

11. A system comprising: a memory device; one or more hardware processors coupled with the memory device, the one or more hardware processors configurable to receive application log data for a cloud-based software service that provides access for at least two organizations having different corresponding users, wherein the software service comprises at least a user application executing in a software operating system, to analyze the application log data to extract interaction characteristics corresponding to an entity in an organization, wherein the entity is either a resource or a user, to group the extracted interaction characteristics into a first set of baseline low-variance interaction characteristics and a second set of other interaction characteristics to train one or more statistical models utilizing the first set of baseline low-variance interaction characteristics and the second set of other interaction characteristics to evaluate in-app behavior of a first entity corresponding to the organization, and to generate an anomaly score based on the baseline behavior profile, the second set of other interaction characteristics and interaction characteristics with the software service by a second entity corresponding to the organization, wherein the baseline behavior profile comprises a user baseline behavior median (BBM), a user behavior variance median absolute deviation (MAD), and a user abnormal behavior median of abnormality (MoA).

12. The system of claim 11 wherein the BBM, the MAD and the MoA provide a distribution of historical behavior for the entity and a relative deviation is calculated to determine the anomaly score.

13. The system of claim 11 wherein the baseline low-variance interaction characteristics comprise a lowest M dimensions that represent no more than a pre selected percentage of total variance.

14. The system of claim 11 wherein the second set of other interaction characteristics comprise a top N dimensions that represent pre-selected percentage of total variance.

15. The system of claim 11 wherein the cloud-based software comprises at least a multitenant database environment in which the multitenant database environment provides each of multiple organizations with a dedicated share of a software instance including one or more of organization-specific data, user management, organization-specific functionalit
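
Added example, not taken from the patent or from any Salesforce code: a minimal sketch of the variance-based grouping in claims 3 and 4 and of a median/MAD baseline profile scored by relative deviation as in claim 2. The page gives no formulas, so the use of raw feature columns as "dimensions", the MoA definition, the score formula, the MAD floor, the sample data and all function names are assumptions.

```python
from statistics import median, pvariance

# Constructed sample: one row per day for one user; columns are opaque
# interaction counts f0..f3 extracted from application logs (hypothetical).
HISTORY = [
    [3, 1, 120, 2], [3, 1, 95, 1], [4, 1, 210, 3], [3, 1, 150, 2],
    [3, 1, 80, 2], [4, 1, 175, 1], [3, 1, 130, 2],
]

def split_by_variance(history, max_share=0.05):
    """Lowest-variance columns whose cumulative share of total variance
    stays <= max_share form the baseline set; the rest are 'other'."""
    var = [pvariance(col) for col in zip(*history)]
    total = sum(var) or 1.0          # all-constant history: avoid 0/0
    low, acc = [], 0.0
    for i in sorted(range(len(var)), key=var.__getitem__):
        if (acc + var[i]) / total > max_share:
            break
        acc += var[i]
        low.append(i)
    return sorted(low), [i for i in range(len(var)) if i not in low]

def build_profile(values, mad_floor=0.5):
    """BBM = median, MAD = median absolute deviation. MoA is ASSUMED here to
    be the median relative deviation of historical points beyond one MAD."""
    bbm = median(values)
    # Low-variance features are often constant, so MAD can be 0: floor it.
    mad = max(median(abs(v - bbm) for v in values), mad_floor)
    beyond = [r for r in (abs(v - bbm) / mad for v in values) if r > 1.0]
    return {"bbm": bbm, "mad": mad, "moa": median(beyond) if beyond else 1.0}

def anomaly_score(profile, observed):
    """Relative deviation from the baseline, scaled by the entity's own
    historical abnormality (assumed formula)."""
    return abs(observed - profile["bbm"]) / profile["mad"] / profile["moa"]

def score_row(history, row, max_share=0.05):
    """Score one new observation per column, tagged with its variance group."""
    low, _ = split_by_variance(history, max_share)
    cols = list(zip(*history))
    return {i: ("low" if i in low else "other",
                anomaly_score(build_profile(cols[i]), row[i]))
            for i in range(len(row))}
```

Because the grouping uses unscaled variance, a single high-magnitude count dominates the total; normalizing the columns first changes which dimensions land in the baseline set.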

Classifications

  • Traffic logging, e.g. anomaly detection · CPC title

  • Vectors, bitmaps or matrices · CPC title

  • Ensuring data consistency and integrity · CPC title

  • using statistical or mathematical methods · CPC title

  • involving simulating, designing, planning or modelling of a network · CPC title

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US11706234B2 cover?
Techniques for user behavior anomaly detection. At least one low-variance characteristic is compared to an expected result for the corresponding low-variance characteristics to determine if the low-variance characteristic(s) is/are within a pre-selected range of the expected results. A security response action is taken in response to the low-variance characteristic not being within the first pr…
Who is the assignee on this patent?
Salesforce Inc
What technology area does this patent fall under?
Primary CPC classification H04L63/1425. Mapped technology areas include Electricity.
When was this patent published?
Publication date Jul 18, 2023 (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 12 related publications on this page (citations in our corpus or others sharing the same primary CPC).