Method and system for recommending domain-specific content based on recent user activity within a software application
US-10949432-B1 · Mar 16, 2021 · US
Data driven computer user emulation
US12307273B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-12307273-B2 |
| Application number | US-202117398358-A |
| Country | US |
| Kind code | B2 |
| Filing date | Aug 10, 2021 |
| Priority date | Aug 11, 2020 |
| Publication date | May 20, 2025 |
| Grant date | May 20, 2025 |
How to read this patent
A practical reading order for non-experts. Skip the full description unless you need deep technical detail.
- Title
What the patent document calls the invention.
- Abstract
A short plain-language summary of the technical disclosure.
- Assignees and inventors
Who owns or filed the patent and who is credited as inventor.
- Key dates
Filing, priority, publication, and grant dates set the timeline.
- First independent claim
The legal scope of protection — read this for what is actually claimed.
- CPC / IPC classifications
Technology tags used to group this patent with similar filings.
- Citations and related patents
Prior art links and similar publications in this corpus.
Abstract
Official abstract text for this publication.
Whether testing intrusion detection systems, conducting training exercises, or creating data sets to be used by the broader cybersecurity community, realistic user behavior is a desirable component of a cyber-range. Existing methods either rely on network level data or replay recorded user actions to approximate real users in a network. Probabilistic models can be fit to actual user data (sequences of application usage) collected from endpoints. Once trained to the user's behavioral data, these models can generate novel sequences of actions from the same distribution as the training data. These sequences of actions can be fed to emulator software via configuration files, which replicate those behaviors on end devices. The models are platform agnostic and can generate behavior data for any emulation software package. In some embodiments a latent variable is added to faithfully capture and leverage time-of-day trends.
First claim
Opening claim text (preview).
The invention claimed is: 1. A data processing apparatus, having memory encoding instructions that, when executed by the data processing apparatus, cause the data processing apparatus to perform operations comprising: receiving computer-user activity data, wherein the computer-user activity data expresses attributes of user behavior including one or more of activity order, duration, and time of day, wherein the activity order comprises an order in which a user switches focus from one application to another, modeling user behavior observed in the received computer-user activity data with a time-aware user behavior probabilistic model, and generating new user behavior based on the modeled user behavior by generating new sequences similar to inputs with regard to one or more of the activity order, the duration, or the time of day; and additional instructions that, when executed by one or more processors of a computer system communicatively coupled with the data processing apparatus, cause the one or more processors to perform operations comprising: driving the computer system, using the generated user behavior, to emulate a real user using the computer system. 2. The data processing apparatus of claim 1 , wherein the received computer-user activity data comprises: a timestamped sequence of active applications sampled periodically at a frequency, and timestamped metadata indicative of at least one of a user being idle, a user quitting an application, and a user opening a new tab. 3. The data processing apparatus of claim 1 , wherein the operations comprise producing the time-aware user behavior probabilistic model by performing data preprocessing, and applying a stochastic model, and wherein the stochastic model comprises one or more of a Markov model, a hidden Markov model, and a Random Surfer model. 4. The data processing apparatus of claim 1 , wherein the inputs with regard to the time of day comprise one or more times of day at which each application is used. 5. A data processing apparatus, having memory encoding instructions that, when executed by the data processing apparatus, cause the data processing apparatus to perform operations comprising: receiving computer-user activity data, wherein the computer-user activity data expresses attributes of user behavior including one or more of activity order, duration, and time of day, wherein the activity order comprises an order in which a user switches focus from one application to another, modeling user behavior observed in the received computer-user activity data with a time-aware user behavior probabilistic model, and generating new user behavior based on the modeled user behavior by generating new sequences similar to inputs with regard to one or more of the activity order, the duration, or the time of day, wherein the inputs with regard to duration comprise a distribution of consecutive subsequence lengths for each application; and additional instructions that, when executed by one or more processors of a computer system communicatively coupled with the data processing apparatus, cause the one or more processors to perform operations comprising: driving the computer system, using the generated user behavior, to emulate a real user using the computer system. 6. The data processing apparatus of claim 5 , wherein the distribution of consecutive subsequence lengths for each application comprises uninterrupted time spent in each application. 7. A data processing apparatus, having memory encoding instructions that, when executed by the data processing apparatus, cause the data processing apparatus to perform operations comprising: receiving computer-user activity data, wherein the computer-user activity data expresses attributes of user behavior including one or more of activity order, duration, and time of day, wherein the activity order comprises an order in which a user switches focus from one application to another, modeling user behavior observed in the received computer-user activity data with a time-aware user behavior probabilistic model, generating new user behavior based on the modeled user behavior, and refining the modeling of user behavior to ensure that a distribution of generated behavior is indistinguishable from that of a real user; and additional instructions that, when executed by one or more processors of a computer system communicatively coupled with the data processing apparatus, cause the one or more processors to perform operations comprising: driving the computer system, using the generated user behavior, to emulate a real user using the computer system. 8. The data processing apparatus of claim 7 , wherein the operation of generating new user behavior comprises producing one or more configuration files, and the operation of driving the computer system using the generated user behavior comprises running one or more user emulators corresponding to respective configuration files. 9. The data processing apparatus of claim 8 , wherein the operation of running each user emulator comprises logging information for monitoring the status of the user emulator. 10. The data processing apparatus of claim 8 , wherein the operation of running each user emulator comprises receiving instructions for activating or de-activating the user emulator. 11. The data processing apparatus of claim 9 , wherein the operation of logging information and receiving instructions are carried out as out-of-band traffic. 12. A system comprising: a data processing apparatus; a computer system communicatively coupled with the data processing apparatus; of claim 7 . 13. The system of claim 12 wherein the computer system comprises the data processing apparatus. 14. A method for computer user behavior emulation, the method being encoded as instructions in memory that, when executed by one or more data processing apparatuses of a computer system, cause the one or more data processing apparatuses to perform steps comprising: receiving a computer-user activity data, wherein the collected computer-user activity data expresses attributes of user behavior including one or more of activity order, duration, and time of day, wherein the activity order comprises an order in which a user switches from one application to another; modeling user behavior observed in the collected computer-user activity data by using a generative user-behavior model; generating a new user behavior based on the modeled user behavior by generating new sequences similar to inputs with regard to one or more of the activity order, the duration, or the time of day; and driving the computer system, using the generated new user behavior to emulate a real user using the computer system. 15. The method of claim 14 , wherein the collecting computer-user activity data includes collecting: a timestamped sequence of active applications sampled periodically at a frequency, and timestamped metadata indicating at least one of a user is idle, a user quit an application, and a user opens a new tab. 16. The method of claim 14 including producing the generative user-behavior model by processing the computer-user activity data, applying a stochastic model to the computer-user activity data, and wherein the stochastic model comprises one or more of a Markov model, a hidden Markov model, and a Random Surfer model. 17. The method of claim 14 , wherein the inputs with regard to the time of day comprise one or more times of day at which each application is used. 18. A method for computer user behavior emulation, the method being encoded as instructions in memor
Assignees
Inventors
Classifications
Probabilistic graphical models, e.g. probabilistic networks · CPC title
for managing network security; network security policies in general (filtering policies H04L63/0227) · CPC title
Machine learning · CPC title
Timestamp · CPC title
- G06F9/455Primary
Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines · CPC title
Patent family
Related publications grouped by family.
External sources
Frequently asked questions
Answers are generated from the same data shown on this page.
- What does patent US12307273B2 cover?
- Whether testing intrusion detection systems, conducting training exercises, or creating data sets to be used by the broader cybersecurity community, realistic user behavior is a desirable component of a cyber-range. Existing methods either rely on network level data or replay recorded user actions to approximate real users in a network. Probabilistic models can be fit to actual user data (seque…
- Who is the assignee on this patent?
- Ut Battelle Llc
- What technology area does this patent fall under?
- Primary CPC classification G06F9/455. Mapped technology areas include Physics.
- When was this patent published?
- Publication date Tue May 20 2025 00:00:00 GMT+0000 (Coordinated Universal Time) (B2). Legal status and post-grant events are not shown on this page.
- What related patents are in patentsdb?
- We list 8 related publications on this page (citations in our corpus or others sharing the same primary CPC).