CPC G06F 21/552 (2013.01) [G06F 21/34 (2013.01); G06F 21/577 (2013.01); G06F 2221/034 (2013.01)]
20 Claims
1. A computing system, comprising:
at least one memory that stores program code; and
a processing system, comprising one or more processors, configured to receive the program code from the at least one memory and, in response to at least receiving the program code, to:
receive activity log information corresponding to state change actions taken in a services platform for a workload identity of a service principal that is executed in the services platform, where the state change actions
take place during an associated authentication to the workload identity, and
involve workload identity credentials in an identity service of the services platform;
generate, for state change actions in a sequence combination of state change actions, probability values indicative of a likelihood that a particular state change action in the sequence combination of state change actions occurs after a state change action in the sequence combination of state change actions immediately preceding the particular state change action;
generate an anomaly score, via an action model, for the sequence combination of the state change actions by aggregating the probability values;
determine an anomalous state change has occurred based at least on satisfaction of a threshold condition associated with the anomaly score; and
perform a remedial action against the anomalous state change and within the services platform.
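The scoring steps of claim 1 can be illustrated with a first-order transition model. This is an added example, not code from the patent. The claim does not specify the estimator, the aggregation, or the threshold, so add-alpha smoothing, mean negative log-likelihood, the threshold of 1.0, and all action names and sequences below are assumptions constructed for illustration.

```python
import math
from collections import Counter, defaultdict

START = "<start>"  # hypothetical marker for "no preceding action"

def fit_action_model(baseline_sequences, alpha=1.0):
    """Estimate P(action | immediately preceding action) from baseline logs."""
    counts = defaultdict(Counter)
    vocab = set()
    for seq in baseline_sequences:
        prev = START
        for action in seq:
            counts[prev][action] += 1
            vocab.add(action)
            prev = action

    def prob(prev, action):
        seen = counts.get(prev, Counter())
        total = sum(seen.values())
        # len(vocab) + 1 reserves probability mass for never-seen actions,
        # so an unknown action gets a small but non-zero probability.
        return (seen[action] + alpha) / (total + alpha * (len(vocab) + 1))

    return prob

def anomaly_score(prob, sequence):
    """Aggregate the per-step probabilities as mean negative log-likelihood."""
    if not sequence:
        return 0.0
    prev, nll = START, 0.0
    for action in sequence:
        nll -= math.log(prob(prev, action))
        prev = action
    return nll / len(sequence)

def is_anomalous(prob, sequence, threshold=1.0):
    """Threshold condition; 1.0 is an assumed value, not one from the claim."""
    return anomaly_score(prob, sequence) > threshold

# Constructed sample data: credential state changes for one workload identity.
BASELINE = [
    ["rotate_secret", "remove_credential"],
    ["rotate_secret", "remove_credential"],
    ["add_credential", "remove_credential"],
    ["rotate_secret", "remove_credential"],
]
ROUTINE = ["rotate_secret", "remove_credential"]
UNUSUAL = ["add_owner", "add_credential", "add_credential"]

if __name__ == "__main__":
    model = fit_action_model(BASELINE)
    for name, seq in (("routine", ROUTINE), ("unusual", UNUSUAL)):
        print(name, round(anomaly_score(model, seq), 3), is_anomalous(model, seq))
```

In practice the threshold would be calibrated against held-out baseline sequences, and a positive result would feed the remedial step of the final claim element.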