Detecting suspicious file prospecting activity from patterns of user activity
US10037425B2 · kind B2 · utility
Assignee
Inventors
Key dates
| Filing date | Aug 26, 2015 |
| Grant date | Jul 31, 2018 |
| Priority date | — |
| Expiry date | Mar 29, 2036 |
Classification
- Technology area (CPC G)Physics
- CPC primaryG06F2221/033
- WIPO fieldComputer technology
- WIPO sectorElectrical engineering
Abstract
Suspicious file prospecting activity is detected based on patterns of file system access. A user's file system access is monitored over a specific time period. A sequence of the file accesses (e.g., represented as path names) made by the user during the time period is recorded. Distances between the recorded file accesses are determined, for example as edit distances. A distance sequence is recorded, comprising a record of the determined distances. The distance sequence is reduced to one or more baseline statistics describing the pattern of the user's access of the file system during the given period of time. At least one subsequent anomaly in the user's access of the file system is detected, by comparing at least one subsequently calculated statistic representing at least one subsequent pattern of the user's file system access to the at least one baseline statistic.
Source: USPTO / EPO open patent data. Objective bibliographic and citation counts.