Abstract: The present disclosure relates a system, method, and computer program for detecting anomalous user network activity based on multiple data sources. The system extracts user event data for n days from multiple data sources to create a baseline behavior model that reflects the user's daily volume and type of IT events. In creating the model, the system addresses data heterogeneity in multi-source logs by categorizing raw events into meta events. Thus, baseline behavior model captures the user's daily meta-event pattern and volume of IT meta events over n days. The model is created using a dimension reduction technique. The system detects any anomalous pattern and volume changes in a user's IT behavior on day n by comparing user meta-event activity on day n to the baseline behavior model. A score normalization scheme allows identification of a global threshold to flag current anomalous activity in the user population.

Abstract: The present disclosure describes a system, method, and computer program for determining the cybersecurity risk associated with a first-time access event in a computer network. In response to receiving an alert that a user has accessed a network entity for the first time, a user behavior analytics system uses a factorization machine to determine the affinity between the accessing user and the accessed entity. The affinity measure is based on the accessing user's historical access patterns in the network, as wells as context data for both the accessing user and the accessed entity. The affinity score for an access event may be used to filter first-time access alerts or weight first-time access alerts in performing a risk assessment of the accessing user's network activity. The result is that many false-positive first-time access alerts are suppressed and not factored (or not factored heavily) into cybersecurity risk assessments.

Abstract: The present disclosure relates a system, method, and computer program for detecting anomalous user network activity based on multiple data sources. The system extracts user event data for n days from multiple data sources to create a baseline behavior model that reflects the user's daily volume and type of IT events. In creating the model, the system addresses data heterogeneity in multi-source logs by categorizing raw events into meta events. Thus, baseline behavior model captures the user's daily meta-event pattern and volume of IT meta events over n days. The model is created using a dimension reduction technique. The system detects any anomalous pattern and volume changes in a user's IT behavior on day n by comparing user meta-event activity on day n to the baseline behavior model. A score normalization scheme allows identification of a global threshold to flag current anomalous activity in the user population.

Abstract: The present disclosure relates a system, method, and computer program for detecting anomalous user network activity based on multiple data sources. The system extracts user event data for n days from multiple data sources to create a baseline behavior model that reflects the user's daily volume and type of IT events. In creating the model, the system addresses data heterogeneity in multi-source logs by categorizing raw events into meta events. Thus, baseline behavior model captures the user's daily meta-event pattern and volume of IT meta events over n days. The model is created using a dimension reduction technique. The system detects any anomalous pattern and volume changes in a user's IT behavior on day n by comparing user meta-event activity on day n to the baseline behavior model. A score normalization scheme allows identification of a global threshold to flag current anomalous activity in the user population.