| CPC G06N 3/08 (2013.01) [G06F 9/542 (2013.01); G06F 11/3438 (2013.01); G06F 18/214 (2023.01); G06F 21/552 (2013.01); G06N 3/044 (2023.01)] | 20 Claims |

1. A system, comprising:
one or more computing devices;
wherein the one or more computing devices include instructions that upon execution on or across the one or more computing devices cause the one or more computing devices to:
identify a plurality of sources of event records of an application execution environment, wherein a particular event record provides an indication of (a) a user who took an action that resulted in generation of the particular event record and (b) an event identifier;
extract, using the plurality of sources, respective event sequences corresponding to individual users of the application execution environment;
determine, corresponding to individual users corresponding to respective event sequences which have been extracted from the plurality of sources, a respective set of static user attributes, including an indication of a user role with respect to the application execution environment;
prepare a training data set comprising at least (a) the respective event sequences, (b) the respective sets of static user attributes and (c) one or more dynamic attributes associated with individual events of the respective event sequences, wherein a first dynamic attribute pertaining to a particular event of a particular event sequence indicates an elapsed time between the particular event and a preceding event of the particular event sequence;
train, using the training data set, one or more machine learning models to provide, as output, at least a probabilistic prediction of a next event of an input event sequence corresponding to an individual user of the application execution environment, wherein said training comprises providing at least a portion of the training data set to the one or more machine learning models;
determine, using trained versions of the one or more machine learning models, respective anomaly scores corresponding to a plurality of actions of a first user of the application execution environment, wherein the plurality of actions is not represented in the training data set; and
initiate an anomaly response action based at least in part on a result of applying an aggregation algorithm to the respective anomaly scores, wherein the anomaly response action comprises barring further access by the first user.
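Claim 1 describes the pipeline (merge event sources, extract per-user sequences, attach a static role and a dynamic elapsed-time attribute, train a probabilistic next-event model, score actions not seen in training, aggregate the scores, bar the user) without committing to a specific model. The following is an added illustration, not the patent's own code: a smoothed count-based conditional model P(next event | role, previous event, elapsed-time bucket) stands in for the neural sequence model the claim leaves open, and the anomaly score is the surprisal of each observed action under that model. The event sources, users, roles, gap buckets, smoothing constant, windowed-mean aggregation and threshold are all constructed assumptions.

```python
"""Added example (not the patent's code): a count-based stand-in for the claimed pipeline."""
import math
from collections import Counter, defaultdict

# 1. Sources of event records (constructed). Each record: (user, event_id, timestamp_seconds).
SOURCES = {
    "auth_log": [
        ("alice", "login", 0), ("alice", "logout", 1900), ("bob", "login", 10), ("bob", "logout", 2000),
        ("carol", "login", 20), ("carol", "logout", 1500), ("alice", "login", 86400),
        ("alice", "logout", 88000), ("bob", "login", 86410), ("bob", "logout", 88100),
        ("carol", "login", 86420), ("carol", "logout", 87900),
    ],
    "app_log": [
        ("alice", "view_report", 600), ("alice", "export_report", 1200), ("bob", "view_report", 700),
        ("bob", "export_report", 1300), ("carol", "change_config", 500), ("carol", "restart_service", 1000),
        ("alice", "view_report", 87000), ("alice", "export_report", 87500), ("bob", "view_report", 87100),
        ("bob", "export_report", 87600), ("carol", "change_config", 86900), ("carol", "restart_service", 87400),
    ],
}
# 2. Static user attribute (constructed): the role each user holds in the application environment.
USER_ROLES = {"alice": "analyst", "bob": "analyst", "carol": "admin"}
START = "<start>"  # synthetic predecessor of the first event in a sequence
ALPHA = 0.1        # additive smoothing: unseen transitions get small, nonzero probability


def extract_sequences(sources):
    """Merge all sources and return {user: [(event_id, ts), ...]} in time order."""
    per_user = defaultdict(list)
    for records in sources.values():
        for user, event_id, ts in records:
            per_user[user].append((event_id, ts))
    return {u: sorted(evts, key=lambda e: e[1]) for u, evts in per_user.items()}


def gap_bucket(elapsed):
    """Dynamic attribute: coarse bucket of seconds since the user's previous event (assumed cut-offs)."""
    if elapsed is None:
        return "first"
    return "fast" if elapsed < 60 else "normal" if elapsed < 3600 else "slow"


def contexts(role, events):
    """Yield ((role, prev_event, gap_bucket), event_id) pairs for one time-ordered event list."""
    prev_event, prev_ts = START, None
    for event_id, ts in sorted(events, key=lambda e: e[1]):
        elapsed = None if prev_ts is None else ts - prev_ts
        yield (role, prev_event, gap_bucket(elapsed)), event_id
        prev_event, prev_ts = event_id, ts


class NextEventModel:
    """Smoothed conditional model: P(next_event | role, prev_event, gap_bucket)."""

    def __init__(self, alpha=ALPHA):
        self.alpha, self.ctx_counts, self.vocab = alpha, defaultdict(Counter), set()

    def train(self, sources, roles):
        for user, events in extract_sequences(sources).items():
            for ctx, nxt in contexts(roles[user], events):
                self.ctx_counts[ctx][nxt] += 1
                self.vocab.add(nxt)
        return self

    def prob(self, ctx, observed):
        """Additive-smoothed probability; an event never seen in training enlarges the vocabulary by one."""
        counts = self.ctx_counts.get(ctx, Counter())
        vocab_size = len(self.vocab) + (0 if observed in self.vocab else 1)
        return (counts[observed] + self.alpha) / (sum(counts.values()) + self.alpha * vocab_size)


def score_actions(model, role, actions):
    """Per-action anomaly score in bits: -log2 P(observed | context)."""
    return [-math.log2(model.prob(ctx, evt)) for ctx, evt in contexts(role, actions)]


def aggregate(scores, window=3):
    """Aggregation algorithm (assumed): largest mean over any `window` consecutive scores,
    so a short burst of surprising actions is not diluted by a long benign history."""
    if len(scores) <= window:
        return sum(scores) / len(scores)
    return max(sum(scores[i:i + window]) / window for i in range(len(scores) - window + 1))


def decide(model, roles, user, actions, threshold=3.0):
    """Anomaly response: bar the user when the aggregate exceeds the (assumed) threshold."""
    scores = score_actions(model, roles[user], actions)
    agg = aggregate(scores)
    return {"user": user, "scores": scores, "aggregate": agg,
            "response": "bar_access" if agg > threshold else "none"}


# Constructed actions not represented in the training set: a routine analyst session,
# and an analyst suddenly behaving like an admin and then running an unknown bulk action.
NORMAL_ACTIONS = [("login", 200000), ("view_report", 200600), ("export_report", 201100), ("logout", 201800)]
SUSPECT_ACTIONS = [("login", 300000), ("change_config", 300600), ("restart_service", 300700),
                   ("download_all", 300705), ("download_all", 300710), ("logout", 300720)]

if __name__ == "__main__":
    m = NextEventModel().train(SOURCES, USER_ROLES)
    for user, acts in (("alice", NORMAL_ACTIONS), ("alice", SUSPECT_ACTIONS), ("carol", SUSPECT_ACTIONS)):
        print(decide(m, USER_ROLES, user, acts))
```

Two points the numbers make visible: the largest score comes from violating a strongly learned expectation (an analyst issuing `change_config` right after `login`, where training saw only `view_report`), not from merely unfamiliar events, which bottom out at log2 of the vocabulary size under this smoothing; and the same action list scored under the `admin` role stays below threshold, which is what conditioning on the static role attribute buys. The windowed-mean aggregation and the 3.0-bit threshold are tuning choices; in practice they would be set from the score distribution of held-out benign sequences.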