US 11,818,145 B2
Characterizing user behavior in a computer system by automated learning of intention embedded in a system-generated event graph
Xiaorui Pan, San Jose, CA (US); Xiaokui Shu, Ossining, NY (US); Dhilung Hang Kirat, White Plains, NY (US); Jiyong Jang, White Plains, NY (US); and Marc Philippe Stoecklin, White Plains, NY (US)
Assigned to International Business Machines Corporation, Armonk, NY (US)
Filed by International Business Machines Corporation, Armonk, NY (US)
Filed on Dec. 9, 2019, as Appl. No. 16/706,926.
Prior Publication US 2021/0176260 A1, Jun. 10, 2021
Int. Cl. H04L 9/40 (2022.01); G06N 3/04 (2023.01); G06N 3/08 (2023.01)
CPC H04L 63/1416 (2013.01) [G06N 3/04 (2013.01); G06N 3/08 (2013.01)]
21 Claims
1. A method to detect anomalous behavior in a computing system, comprising:
receiving a semi-directed temporal graph derived from system-generated events;
deriving from the semi-directed temporal graph one or more process-centric subgraphs, wherein a process-centric subgraph comprises one or more system-generated events associated with a given process;
identifying from the one or more process-centric subgraphs one or more atomic operations, wherein an atomic operation comprises a set of system-generated events common to more than one process-centric subgraph;
modifying the semi-directed temporal graph by replacing edges in the semi-directed temporal graph with the one or more identified atomic operations while leaving nodes in the semi-directed temporal graph unchanged; and
training a machine learning model using the modified semi-directed temporal graph.
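The graph-rewriting steps of claim 1, as an added Python example that is not taken from the patent: it builds process-centric subgraphs, finds event sequences shared by more than one of them, and collapses those runs into single edges while the node set stays the same. Assumptions: edges are modeled as (timestamp, process, action, object) tuples, an atomic operation is approximated as a fixed-length run of actions on one object, all sample events are constructed, and the model-training step is left out.

```python
from collections import defaultdict
# Constructed sample events (timestamp, process, action, object); all names are illustrative.
EVENTS = [
    (1, "sshd:101", "open", "file:/etc/passwd"),
    (2, "sshd:101", "read", "file:/etc/passwd"),
    (3, "sshd:101", "close", "file:/etc/passwd"),
    (4, "cron:202", "open", "file:/etc/crontab"),
    (5, "cron:202", "read", "file:/etc/crontab"),
    (6, "cron:202", "close", "file:/etc/crontab"),
    (7, "cron:202", "connect", "sock:192.0.2.5:443"),
]

def process_subgraphs(events):
    # One time-ordered event list per process (the process-centric subgraph).
    sub = defaultdict(list)
    for ev in sorted(events):
        sub[ev[1]].append(ev)
    return dict(sub)

def _signature(window):
    # Action sequence plus object kind, only when the window touches a single object.
    if len({ev[3] for ev in window}) != 1:
        return None
    return tuple(ev[2] for ev in window) + (window[0][3].split(":", 1)[0],)

def atomic_operations(subgraphs, n=3):
    # Assumed criterion: a length-n signature seen in more than one process subgraph.
    seen = defaultdict(set)
    for proc, evs in subgraphs.items():
        for i in range(len(evs) - n + 1):
            if sig := _signature(evs[i:i + n]):
                seen[sig].add(proc)
    return {sig for sig, procs in seen.items() if len(procs) > 1}

def rewrite_edges(subgraphs, ops, n=3):
    # Replace each matching run with one atomic-operation edge; other edges are kept.
    edges = []
    for proc, evs in subgraphs.items():
        i = 0
        while i < len(evs):
            sig = _signature(evs[i:i + n])
            k = n if sig in ops else 1  # number of events folded into this edge
            label = "+".join(ev[2] for ev in evs[i:i + k])
            edges.append((evs[i][0], proc, label, evs[i][3]))
            i += k
    return sorted(edges)

def nodes(edges):
    return {e[1] for e in edges} | {e[3] for e in edges}
```

The rewritten edge list is what a downstream model would be trained on; the unmatched `connect` edge survives as-is, which is the kind of residue an anomaly detector would weigh.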