Detection of user behavior deviation from defined user groups
US10938845B2 · kind B2 · utility
Assignee
Inventors
Key dates
| Filing date | May 10, 2018 |
| Grant date | Mar 2, 2021 |
| Priority date | — |
| Expiry date | Jan 25, 2039 |
Classification
- Technology area (CPC G): Physics
- CPC primary: G06N20/00
- WIPO field: Computer technology
- WIPO sector: Electrical engineering
Abstract
A machine learning-based technique for user behavior analysis that detects when users deviate from expected behavior. In this approach, a set of user groups is provided, preferably based on information provided from a user registry. A set of training data for each of the set of user groups is then obtained, preferably by collecting security events generated for a collection of the users over a given time period (e.g., a last thirty (30) days). A machine learning system is then trained using the set of training data to produce a model that includes a set of clusters in a user behavior model, wherein a cluster is a learned user group that corresponds to a defined user group. Once the model is built, it is used to identify users that deviate from their expected group behavior. In particular, the system compares a current behavior of a user against the model and flags anomalous behavior. The user behavior analysis may be implemented in a security platform, such as a SIEM.
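The flow in the abstract (defined groups, per-group training data, one learned cluster per group, comparison of current behavior) can be sketched as follows. This is an added example, not code from the patent: the centroid-and-radius cluster, the `slack` threshold, the four event features, and all user and group names are assumptions, and the sample data is constructed.

```python
import math
from collections import defaultdict

# Constructed sample data: user -> (registry group, mean daily counts of
# [auth_failures, file_reads, admin_commands, outbound_connections]
# over the training window). Not taken from the patent.
TRAINING = {
    "alice": ("engineering", [1, 40, 2, 15]),
    "bob":   ("engineering", [2, 35, 3, 18]),
    "carol": ("engineering", [1, 45, 1, 12]),
    "dave":  ("finance",     [0, 10, 0, 5]),
    "erin":  ("finance",     [1, 12, 0, 4]),
    "frank": ("finance",     [0, 8, 0, 6]),
}

def train(training, slack=2.0):
    """Learn one cluster (centroid, radius) per defined user group."""
    by_group = defaultdict(list)
    for group, vec in training.values():
        by_group[group].append(vec)
    model = {}
    for group, vecs in by_group.items():
        centroid = [sum(col) / len(vecs) for col in zip(*vecs)]
        # Assumed threshold: slack times the farthest training member.
        radius = slack * max(math.dist(v, centroid) for v in vecs)
        model[group] = (centroid, radius)
    return model

def check(model, group, current):
    """Compare current behavior with the user's expected group cluster."""
    centroid, radius = model[group]
    distance = math.dist(current, centroid)
    nearest = min(model, key=lambda g: math.dist(current, model[g][0]))
    return {"anomalous": distance > radius, "distance": round(distance, 2),
            "radius": round(radius, 2), "nearest_group": nearest}

MODEL = train(TRAINING)

if __name__ == "__main__":
    # A finance user on a typical day, then on a day resembling engineering.
    print(check(MODEL, "finance", [0, 11, 0, 5]))
    print(check(MODEL, "finance", [3, 42, 4, 16]))
```

Raw counts are used unscaled here; real event features would need normalising so that one high-volume event type does not dominate the distance.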
Source: USPTO / EPO open patent data. Objective bibliographic and citation counts.