US 12,105,719 B2
Malicious activity detection system capable of efficiently processing data accessed from databases and generating alerts for display in interactive user interfaces
Craig Saperstein, New York, NY (US); Eric Schwartz, New York, NY (US); and Hongjai Cho, Jersey City, NJ (US)
Assigned to Palantir Technologies Inc., Denver, CO (US)
Filed by Palantir Technologies Inc., Denver, CO (US)
Filed on May 18, 2021, as Appl. No. 17/323,284.
Application 17/323,284 is a continuation of application No. 16/421,300, filed on May 23, 2019, granted, now 11,048,706.
Application 16/421,300 is a continuation of application No. 15/866,099, filed on Jan. 9, 2018, granted, now 10,346,410, issued on Jul. 9, 2019.
Application 15/866,099 is a continuation of application No. 15/336,078, filed on Oct. 27, 2016, granted, now 9,898,509, issued on Feb. 20, 2018.
Application 15/336,078 is a continuation of application No. 15/017,324, filed on Feb. 5, 2016, granted, now 9,485,265, issued on Nov. 1, 2016.
Claims priority of provisional application 62/211,520, filed on Aug. 28, 2015.
Prior Publication US 2021/0342356 A1, Nov. 4, 2021
Int. Cl. H04L 29/00 (2006.01); G06F 16/23 (2019.01); G06F 16/2453 (2019.01); G06F 16/2455 (2019.01); G06F 16/2457 (2019.01); G06F 16/248 (2019.01); G06F 16/9535 (2019.01); G06Q 20/40 (2012.01); G06Q 40/12 (2023.01); H04L 9/40 (2022.01)
CPC G06F 16/24575 (2019.01) [G06F 16/2365 (2019.01); G06F 16/24544 (2019.01); G06F 16/2456 (2019.01); G06F 16/248 (2019.01); G06F 16/9535 (2019.01); G06Q 20/4016 (2013.01); G06Q 40/12 (2013.12); H04L 63/1416 (2013.01); H04L 63/1425 (2013.01); H04L 63/20 (2013.01); H04L 2463/102 (2013.01)] 17 Claims
OG exemplary drawing
 
1. A computing system comprising:
a database storing first data;
a computer processor; and
a computer readable storage medium storing program instructions configured for execution by the computer processor in order to cause the computing system to:
select a behavior outlier rule;
cluster a portion of the first data into a first cluster based on a statistical measure;
apply the behavior outlier rule to the first cluster to identify a first outlier and a second outlier;
generate a first alert for the first outlier and a second alert for the second outlier;
receive an indication of one or more user actions taken with respect to at least one of the first alert or the second alert;
in response to receiving the indication of one or more user actions taken with respect to the at least one of the first alert or the second alert:
identify a percentage of outliers of the first cluster that are actioned; and
determine that the percentage is different from a threshold; and
in response to determining that the percentage is different from the threshold, modify the behavior outlier rule based on the one or more user actions such that a modified behavior outlier rule is applied to future clusters.
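The claim above describes a closed loop: peer-group clustering on a statistical measure, an outlier rule applied within each cluster, alerts, analyst actions on those alerts, the fraction of the cluster's outliers that were actioned compared against a threshold, and a modified rule for future clusters. The following is an added illustrative implementation of that loop, not code from the patent or from Palantir. The sample records, the clustering statistic (a median split on transaction volume), the rule form (amount above a multiple of the cluster median), the 0.75 threshold and the tuning policy (tighten the rule when too few alerts are actioned, loosen it when nearly all are) are assumptions made for the example.

```python
"""Added example: an outlier rule that is re-tuned from analyst feedback.

Illustrative only; the data, rule form and tuning policy are assumptions.
"""
from dataclasses import dataclass
from statistics import median
from typing import Dict, List, Set, Tuple

Record = Tuple[str, int, float]  # (entity, transaction volume, total amount)

# Constructed sample of "first data", invented for this example.
SAMPLE_DATA: List[Record] = [
    ("acct-01", 5, 100.0), ("acct-02", 4, 110.0), ("acct-03", 6, 95.0),
    ("acct-04", 5, 900.0), ("acct-05", 3, 260.0),
    ("acct-06", 50, 1000.0), ("acct-07", 60, 1100.0), ("acct-08", 55, 4000.0),
    ("acct-09", 70, 950.0), ("acct-10", 65, 1050.0),
]


@dataclass
class OutlierRule:
    """Behavior outlier rule (assumed form): flag an entity whose amount
    exceeds `multiplier` times the median amount of its peer cluster."""
    multiplier: float = 2.0
    step: float = 0.5     # how far one feedback round moves the multiplier
    floor: float = 1.1    # never loosen below this (assumed guard)

    def outliers(self, cluster: List[Record]) -> List[Record]:
        med = median(r[2] for r in cluster)
        return [r for r in cluster if r[2] > self.multiplier * med]


def cluster_by_volume(data: List[Record]) -> Dict[str, List[Record]]:
    """Cluster on a statistical measure: split entities at the median
    transaction volume so each entity is judged against similar peers."""
    cut = median(r[1] for r in data)
    clusters: Dict[str, List[Record]] = {"low_volume": [], "high_volume": []}
    for rec in data:
        clusters["low_volume" if rec[1] <= cut else "high_volume"].append(rec)
    return clusters


def generate_alerts(rule: OutlierRule, name: str, cluster: List[Record]) -> List[dict]:
    """One alert per outlier, carrying what an analyst needs in order to act."""
    return [
        {"alert_id": f"{name}:{entity}", "entity": entity, "amount": amount,
         "cluster": name, "actioned": False}
        for entity, _, amount in rule.outliers(cluster)
    ]


def actioned_fraction(alerts: List[dict]) -> float:
    """Fraction of a cluster's alerts that analysts acted on (0.0 if none)."""
    if not alerts:
        return 0.0
    return sum(1 for a in alerts if a["actioned"]) / len(alerts)


def tune_rule(rule: OutlierRule, alerts: List[dict], threshold: float) -> OutlierRule:
    """Feedback step. Assumed policy: a low actioned fraction means the rule
    is noisy, so tighten it; a high one means it may be missing cases, so
    loosen it (not below the floor). No alerts or an exact match to the
    threshold leaves the rule unchanged."""
    if not alerts:
        return rule
    pct = actioned_fraction(alerts)
    if pct < threshold:
        return OutlierRule(rule.multiplier + rule.step, rule.step, rule.floor)
    if pct > threshold:
        return OutlierRule(max(rule.floor, rule.multiplier - rule.step),
                           rule.step, rule.floor)
    return rule


def run_feedback_round(data: List[Record], rule: OutlierRule, cluster_name: str,
                       actioned_entities: Set[str], threshold: float = 0.75):
    """Cluster, alert, record analyst actions, tune. Returns the alerts
    raised, the actioned fraction and the (possibly modified) rule."""
    cluster = cluster_by_volume(data)[cluster_name]
    alerts = generate_alerts(rule, cluster_name, cluster)
    for alert in alerts:                       # the "user actions" input
        alert["actioned"] = alert["entity"] in actioned_entities
    return alerts, actioned_fraction(alerts), tune_rule(rule, alerts, threshold)


if __name__ == "__main__":
    alerts, pct, new_rule = run_feedback_round(
        SAMPLE_DATA, OutlierRule(), "low_volume", actioned_entities={"acct-04"})
    print([a["entity"] for a in alerts], pct, new_rule.multiplier)
    # Next run uses the modified rule on the same peer group.
    print([r[0] for r in new_rule.outliers(cluster_by_volume(SAMPLE_DATA)["low_volume"])])
```

In the low-volume cluster the initial rule raises two alerts (acct-04 at 900 and acct-05 at 260 against a cluster median of 110); only one is actioned, the 50% actioned fraction is below the 75% threshold, and the multiplier is tightened from 2.0 to 2.5, after which the next run flags acct-04 alone. A practitioner would want the two guards shown here in any such loop: a cluster with no alerts yields no feedback and must not move the rule, and loosening is bounded by a floor so a streak of true positives cannot drive the rule to flag everything.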