1. Field of the Invention
The disclosure relates generally to an improved data processing system and, in particular, to processing information related to user behavior. Still more particularly, the present disclosure relates to a method and apparatus for detecting abnormal behavior of users.
2. Description of the Related Art
Today there are many types of attacks on computing resources. The computer users carrying out such attacks may include visitors, customers, workers, and other types of computer users. Additionally, malware and other types of computer programs may carry out attacks on the computing resources. For example, malware may hijack a user's credentials and use them to execute an attack on the computing resources that the user has access to. In the context of detecting these attacks, there is interest in identifying when the behavior of a user is indicative of an attack.
Current approaches to identifying attacks match monitored behavior against suspicious patterns of behavior. These approaches compare the monitored behavior to fixed rules and statistics that are known to identify attacks. For example, a rule may treat a number of failed login attempts followed by a successful login as indicative of a password-guessing attack. Because these approaches are restricted to identifying known patterns of attack, they will not detect attacks that do not fit the known patterns.
Statistical methods also exist for detecting suspicious behavior by detecting deviations from a baseline frequency of user actions. For example, such a method might generate an alert when a computer user downloads documents from an online repository at more than five times the baseline frequency of document downloads, flagging the user as a possible attacker. The number of alerts raised by such statistical methods may be large, and some of these alerts will be for legitimate uses. A legitimate use identified in an alert is a false positive. When too many false positives are received, the alerts that correspond to actual attacks may be ignored or missed.
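The two conventional detectors described above, a fixed rule for password guessing and a frequency threshold for document downloads, run over a constructed log, as an added illustration that is not part of the disclosure. The event log, the user names, the labelled set of known attackers, the failure threshold and window, and the baseline download count of 3 per observation window are all assumptions chosen for the example; a real deployment would derive the baseline from historical data. The last function scores the statistical detector against the labels to show how a legitimate bulk download produces a false positive alongside the true detection.

```python
"""Rule-based and frequency-based detectors over a constructed event log (example only)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    ts: int       # seconds (constructed timestamps, not from any real system)
    user: str
    action: str   # one of "login_fail", "login_ok", "download"


# Constructed sample log. The attacker labels below are assumptions for the example.
SAMPLE_EVENTS = [
    # mallory: four failed logins within a minute, then success (password guessing)
    Event(100, "mallory", "login_fail"),
    Event(110, "mallory", "login_fail"),
    Event(120, "mallory", "login_fail"),
    Event(130, "mallory", "login_fail"),
    Event(140, "mallory", "login_ok"),
    # alice: one mistyped password, then success, then normal downloads (benign)
    Event(200, "alice", "login_fail"),
    Event(210, "alice", "login_ok"),
    Event(220, "alice", "download"),
    Event(230, "alice", "download"),
    # bob: legitimate bulk download, e.g. a new hire syncing a project (benign)
    *[Event(300 + i, "bob", "download") for i in range(30)],
    # eve: hijacked account draining the repository (attack)
    *[Event(400 + i, "eve", "download") for i in range(40)],
    # carol: ordinary usage (benign)
    Event(500, "carol", "login_ok"),
    Event(510, "carol", "download"),
    Event(520, "carol", "download"),
    Event(530, "carol", "download"),
]
KNOWN_ATTACKERS = {"mallory", "eve"}  # constructed ground truth for scoring


def password_guessing_alerts(events, min_failures=3, window=300):
    """Fixed rule: at least `min_failures` failed logins by one user within
    `window` seconds, followed by a successful login. Returns (user, failures)."""
    alerts = []
    recent_failures = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev.ts):
        # keep only failures still inside the sliding window
        fails = [t for t in recent_failures[e.user] if e.ts - t <= window]
        if e.action == "login_fail":
            fails.append(e.ts)
        elif e.action == "login_ok":
            if len(fails) >= min_failures:
                alerts.append((e.user, len(fails)))
            fails = []  # a successful login resets the counter
        recent_failures[e.user] = fails
    return alerts


def download_frequency_alerts(events, baseline_count=3, multiplier=5.0):
    """Statistical rule: a user whose download count in the observed window
    exceeds `multiplier` times the baseline count is flagged. The baseline of 3
    is an assumed value standing in for a historically derived frequency."""
    counts = defaultdict(int)
    for e in events:
        if e.action == "download":
            counts[e.user] += 1
    threshold = multiplier * baseline_count
    return sorted((u, c) for u, c in counts.items() if c > threshold)


def score_alerts(alerts, known_attackers):
    """Split alerted users into true positives and false positives using the
    constructed labels. Returns (true_positive_users, false_positive_users)."""
    alerted = {user for user, _ in alerts}
    return alerted & known_attackers, alerted - known_attackers


if __name__ == "__main__":
    print("password guessing:", password_guessing_alerts(SAMPLE_EVENTS))
    dl = download_frequency_alerts(SAMPLE_EVENTS)
    print("download frequency:", dl)
    print("true/false positives:", score_alerts(dl, KNOWN_ATTACKERS))
```

The rule catches mallory but would miss an attacker who spaces attempts beyond the window or who never fails, which is the "known patterns only" limitation. The frequency threshold catches eve, yet flags bob equally, and nothing in the count distinguishes the two; that indistinguishability, multiplied across many users, is the source of the alert volume and the false positives discussed above.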
Therefore, it would be desirable to have a method, apparatus, and computer program product that take into account at least some of the issues discussed above.