CPC H04L 67/141 (2013.01) [H04L 41/22 (2013.01); H04L 63/168 (2013.01); H04L 67/143 (2013.01)]
20 Claims
1. A system, comprising:
a non-transitory memory storing instructions; and
one or more hardware processors coupled to the non-transitory memory and configured to read the instructions from the non-transitory memory to cause the system to perform operations comprising:
accessing a session log comprising a recording of user interactions of a user during a session with an application instance in a computing environment;
cleansing the session log to remove a portion of content included in the session log;
generating, based on the cleansing, a cleansed session log;
converting the cleansed session log into a session vector representation using a finite dictionary built from a plurality of session logs associated with a plurality of users that have interacted with the computing environment;
generating a user model for the user using the session vector representation and a plurality of other session vector representations associated with the user, wherein the user model includes an average user vector that is a single vector calculated as an average of the plurality of other session vector representations associated with the user;
determining that a new session vector representation of a new session log of a new session does not satisfy a predetermined similarity threshold with the average user vector; and
performing, based on the determining that the new session vector representation does not satisfy the predetermined similarity threshold, a security action, wherein the performing the security action comprises:
determining a value of a distance between the new session vector representation and the average user vector;
evaluating, at least in part based on a comparison of the value of the distance with a predefined value, how far the new session vector representation is from the average user vector; and
selecting, based on a result of the evaluating, one type of security action from a plurality of types of security actions to perform.
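The steps of claim 1 can be followed end to end in the sketch below, which is an added illustration and not code from the patent. The regex cleansing rule, the token-count vectors, cosine distance, the 0.2 and 0.7 cut-offs, the action names and the sample logs are all assumptions chosen for the example.

```python
import math
import re
from collections import Counter

# Assumed cleansing rule: strip ISO timestamps and hex session identifiers.
NOISE = re.compile(r"\d{4}-\d{2}-\d{2}T[\d:.]+Z?|\b[0-9a-f]{8,}\b", re.I)
# Constructed sample session logs (not real data).
HISTORY = [
    "2024-05-01T09:00:01Z 9f3c2a7e11 GET /login GET /balance GET /history",
    "2024-05-02T09:10:44Z 77aa01bc9d GET /login GET /balance GET /balance GET /history",
    "2024-05-03T08:55:12Z c0ffee1234 GET /login GET /history GET /balance",
]
SIMILAR = "2024-05-04T09:02:00Z 1234abcd56 GET /login GET /balance GET /history GET /history"
DRIFT = "2024-05-04T23:40:00Z aa55aa55aa GET /login GET /balance POST /payee POST /transfer"
ANOMALOUS = "2024-05-05T03:12:00Z deadbeef00 POST /payee POST /transfer POST /transfer POST /export"

def cleanse(log):
    """Remove volatile content, return the remaining lowercase tokens."""
    return re.findall(r"[a-z_/]+", NOISE.sub(" ", log).lower())

def build_dictionary(logs, size=50):
    """Finite dictionary: the `size` most common tokens across many users' logs."""
    counts = Counter(tok for log in logs for tok in cleanse(log))
    return [tok for tok, _ in counts.most_common(size)]

def vectorize(log, dictionary):
    counts = Counter(cleanse(log))  # tokens outside the dictionary are ignored
    return [float(counts[tok]) for tok in dictionary]

def average_vector(vectors):
    """Single per-user vector: element-wise mean of that user's session vectors."""
    return [sum(col) / len(vectors) for col in zip(*vectors)]

def cosine_distance(a, b):
    dot = sum(x * y for x, y in zip(a, b))
    norm = math.sqrt(sum(x * x for x in a)) * math.sqrt(sum(y * y for y in b))
    return 1.0 if norm == 0 else 1.0 - dot / norm

def select_action(new_vec, avg_vec, threshold=0.2, severe=0.7):
    """Pick an action type from how far the new session is from the user average."""
    dist = cosine_distance(new_vec, avg_vec)
    if dist <= threshold:  # similarity threshold satisfied
        return "allow"
    return "terminate_session" if dist >= severe else "step_up_auth"

if __name__ == "__main__":
    dictionary = build_dictionary(HISTORY + [SIMILAR, DRIFT, ANOMALOUS])
    avg = average_vector([vectorize(s, dictionary) for s in HISTORY])
    for name, log in (("similar", SIMILAR), ("drift", DRIFT), ("anomalous", ANOMALOUS)):
        print(name, select_action(vectorize(log, dictionary), avg))
```

Because the dictionary is finite, a session made up entirely of tokens outside it maps to the zero vector; the sketch treats that case as maximally distant rather than dividing by zero.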