Network access anomaly detection via graph embedding

Assignee

• MICROSOFT TECHNOLOGY LICENSING, LLC · US

Inventors

• Anna Swanson Bertiger · Seattle, US
• Alexander Donald Modell · Chichester, GB
• Jonathan K. Larson · Bremerton, US

Key dates

Classification

• Technology area (CPC H)Electricity
• CPC primaryH04L2463/082
• WIPO fieldDigital communication
• WIPO sectorElectrical engineering

Abstract

Disclosed is a scalable, graph-based approach to detecting anomalous accesses to resources in a computer network. Access events are represented as edges between resource nodes and accessing nodes (e.g., corresponding to users) in a bipartite graph, from which vector representations of the nodes that reflect the connections can be computed by graph embedding. For an access event of interest, an anomaly score may be computed based on dissimilarities, in terms of their embedding distances, between the associated accessing node and other accessing nodes that have accessed the same resource, and/or between the associated resource node and other resource nodes that have been accessed by the same accessing node.