Processing

Please wait...

Settings

Settings

Goto Application

1. WO2017019735 - CLASSIFYING USER BEHAVIOR AS ANOMALOUS

Publication Number WO/2017/019735
Publication Date 02.02.2017
International Application No. PCT/US2016/044198
International Filing Date 27.07.2016
IPC
G06F 21/31 2013.01
GPHYSICS
06COMPUTING; CALCULATING OR COUNTING
FELECTRIC DIGITAL DATA PROCESSING
21Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
30Authentication, i.e. establishing the identity or authorisation of security principals
31User authentication
G06F 21/55 2013.01
GPHYSICS
06COMPUTING; CALCULATING OR COUNTING
FELECTRIC DIGITAL DATA PROCESSING
21Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
55Detecting local intrusion or implementing counter-measures
H04L 29/06 2006.01
HELECTRICITY
04ELECTRIC COMMUNICATION TECHNIQUE
LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
29Arrangements, apparatus, circuits or systems, not covered by a single one of groups H04L1/-H04L27/136
02Communication control; Communication processing
06characterised by a protocol
CPC
G06F 16/285
GPHYSICS
06COMPUTING; CALCULATING; COUNTING
FELECTRIC DIGITAL DATA PROCESSING
16Information retrieval; Database structures therefor; File system structures therefor
20of structured data, e.g. relational data
28Databases characterised by their database models, e.g. relational or object models
284Relational databases
285Clustering or classification
G06F 21/316
GPHYSICS
06COMPUTING; CALCULATING; COUNTING
FELECTRIC DIGITAL DATA PROCESSING
21Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
30Authentication, i.e. establishing the identity or authorisation of security principals
31User authentication
316by observing the pattern of computer usage, e.g. typical user behaviour
G06F 21/552
GPHYSICS
06COMPUTING; CALCULATING; COUNTING
FELECTRIC DIGITAL DATA PROCESSING
21Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
55Detecting local intrusion or implementing counter-measures
552involving long-term monitoring or reporting
G06N 20/00
GPHYSICS
06COMPUTING; CALCULATING; COUNTING
NCOMPUTER SYSTEMS BASED ON SPECIFIC COMPUTATIONAL MODELS
20Machine learning
H04L 63/1425
HELECTRICITY
04ELECTRIC COMMUNICATION TECHNIQUE
LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
63Network architectures or network communication protocols for network security
14for detecting or protecting against malicious traffic
1408by monitoring network traffic
1425Traffic logging, e.g. anomaly detection
Applicants
  • PIVOTAL SOFTWARE, INC. [US]/[US]
Inventors
  • YU, Jin
  • RADHAKRISHNAN, Regunathan
  • KONDAVEETI, Anirudh
Agents
  • SHEPHERD, Michael P.
  • TROESCH, Hans R.
Priority Data
14/810,32827.07.2015US
Publication Language English (EN)
Filing Language English (EN)
Designated States
Title
(EN) CLASSIFYING USER BEHAVIOR AS ANOMALOUS
(FR) CLASSIFICATION DE COMPORTEMENT D'UTILISATEUR COMME ANORMAL
Abstract
(EN)
Methods, systems, and apparatus, including computer programs encoded on computer storage media, for classifying user behavior as anomalous. One of the methods includes obtaining user behavior data representing behavior of a user in a subject system. An initial model is generated from training data, the initial model having first characteristic features of the training data. A resampling model is generated from the training data and from multiple instances of the first representation for a test time period. A difference between the initial model and the resampling model is computed. The user behavior in the test time period is classified as anomalous based on the difference between the initial model and the resampling model.
(FR)
L'invention concerne des procédés, des systèmes, et un appareil, contenant des programmes informatiques encodés sur un support de stockage informatique, pour classifier un comportement d'utilisateur comme anormal. Un des procédés consiste à obtenir des données de comportement d'utilisateur représentant le comportement d'un utilisateur dans un système sujet. Un modèle initial est produit à partir de données d'apprentissage, le modèle initial ayant des premières fonctionnalités caractéristiques des données d'apprentissage. Un modèle de rééchantillonnage est produit à partir des données d'apprentissage et de multiples instances de la première représentation pour une période temporelle de test. Une différence entre le modèle initial et le modèle de rééchantillonnage est calculée. Le comportement de l'utilisateur dans la période temporelle de test est classifié comme anormal en fonction de la différence entre le modèle initial et le modèle de rééchantillonnage.
Latest bibliographic data on file with the International Bureau