Patent · US Active

System, method, and computer program for detection of anomalous user network activity based on multiple data sources

US10645109B1 · kind B1 · utility

Cited by: 21
References: 24
Claims: 28
Family size: 0

Assignee

Inventors

Key dates

Filing date: Mar 29, 2018
Grant date: May 5, 2020
Priority date:
Expiry date: Dec 13, 2038

Classification

  • Technology area (CPC G): Physics
  • CPC primary: G06N5/04
  • WIPO field: Computer technology
  • WIPO sector: Electrical engineering

Abstract

The present disclosure relates to a system, method, and computer program for detecting anomalous user network activity based on multiple data sources. The system extracts user event data for n days from multiple data sources to create a baseline behavior model that reflects the user's daily volume and type of IT events. In creating the model, the system addresses data heterogeneity in multi-source logs by categorizing raw events into meta events. Thus, the baseline behavior model captures the user's daily meta-event pattern and volume of IT meta events over n days. The model is created using a dimension reduction technique. The system detects any anomalous pattern and volume changes in a user's IT behavior on day n by comparing the user's meta-event activity on day n to the baseline behavior model. A score normalization scheme allows identification of a global threshold to flag current anomalous activity across the user population.
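A runnable sketch of the pipeline the abstract describes, added here as an illustration and not code from the patent or its assignee: the (source, action) to meta-event mapping, the one-component PCA baseline fitted by power iteration, the z-score normalisation, the constructed sample events and the threshold value are all assumptions chosen to make the steps concrete.

```python
from math import sqrt
# Assumed mapping from (source, action) in heterogeneous raw logs to a meta event.
META = {("vpn", "connect"): "remote_access", ("ad", "logon"): "auth",
        ("ad", "logon_fail"): "auth_fail", ("fileshare", "read"): "data_access",
        ("proxy", "upload"): "data_egress"}
CATS = sorted(set(META.values()))
GLOBAL_THRESHOLD = 3.0  # assumption: one threshold for all users once scores are normalised

def daily_vectors(events, days):
    """events: (day, source, action) tuples -> one meta-event count vector per day."""
    vecs = [[0] * len(CATS) for _ in range(days)]
    for day, src, act in events:
        if (src, act) in META:  # raw events with no meta-event category are ignored
            vecs[day][CATS.index(META[src, act])] += 1
    return vecs
def first_component(vecs, iters=200):
    """Baseline model: mean vector plus top principal direction (power iteration)."""
    n, d = len(vecs), len(vecs[0])
    mean = [sum(v[j] for v in vecs) / n for j in range(d)]
    cen = [[v[j] - mean[j] for j in range(d)] for v in vecs]
    cov = [[sum(c[i] * c[j] for c in cen) / n for j in range(d)] for i in range(d)]
    w = [1.0] * d
    for _ in range(iters):
        w = [sum(cov[i][j] * w[j] for j in range(d)) for i in range(d)]
        norm = sqrt(sum(x * x for x in w)) or 1.0
        w = [x / norm for x in w]
    return mean, w
def recon_error(vec, mean, w):
    """Distance from a day's vector to the 1-D baseline subspace (the raw anomaly score)."""
    c = [vec[j] - mean[j] for j in range(len(vec))]
    p = sum(c[j] * w[j] for j in range(len(c)))
    return sqrt(sum((c[j] - p * w[j]) ** 2 for j in range(len(c))))
def score_day(baseline, day_vec):
    """Normalised score: std-devs by which day_vec's error exceeds the baseline days' errors."""
    mean, w = first_component(baseline)
    errs = [recon_error(v, mean, w) for v in baseline]
    mu = sum(errs) / len(errs)
    sd = sqrt(sum((e - mu) ** 2 for e in errs) / len(errs)) or 1.0  # guard a flat baseline
    return (recon_error(day_vec, mean, w) - mu) / sd

# Constructed sample: 7 steady baseline days, then day 7 with a bulk read-and-upload.
EVENTS = []
for day in range(7):
    EVENTS += [(day, "ad", "logon")] * 3 + [(day, "vpn", "connect")] * (1 + day % 2)
    EVENTS += [(day, "fileshare", "read")] * (10 + day % 3) + [(day, "proxy", "upload")]
EVENTS += [(7, "ad", "logon")] * 3 + [(7, "fileshare", "read")] * 60 + [(7, "proxy", "upload")] * 40

def check_user(events=EVENTS, n=7):
    vecs = daily_vectors(events, n + 1)          # days 0..n-1 are the baseline, day n is scored
    score = score_day(vecs[:n], vecs[n])
    return score, score > GLOBAL_THRESHOLD
```

Because the score is expressed in standard deviations of the user's own baseline error, the same threshold can be applied to every user regardless of their absolute event volume.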

Source: USPTO / EPO open patent data. Objective bibliographic and citation counts.