US 12,438,898 B2
Method, apparatus, system, and non-transitory computer readable medium for detecting anomalous user access behaviors
Rajneesh Kumar, Detroit, MI (US); William Walker, Denver, CO (US); and Bashar Abouseido, Phoenix, AZ (US)
Assigned to Charles Schwab & Co., Inc, San Francisco, CA (US)
Filed by Charles Schwab & Co., Inc, San Francisco, CA (US)
Filed on Apr. 20, 2023, as Appl. No. 18/304,245.
Prior Publication US 2024/0356945 A1, Oct. 24, 2024
Int. Cl. H04L 9/40 (2022.01); G06N 20/00 (2019.01)
CPC H04L 63/1425 (2013.01) [G06N 20/00 (2019.01); H04L 63/20 (2013.01)]
20 Claims
 
1. A server for detecting anomalies associated with users accessing a network, the server comprising:
a memory storing computer readable instructions; and
processing circuitry configured to execute the computer readable instructions to cause the server to,
receive a dataset including static data and dynamic data, the static data including location data of resources associated with the network and user data, the dynamic data including user access events,
detect, with a plurality of unsupervised machine learning (ML) models, an anomaly associated with a user accessing the network based on the static data and the dynamic data, the user having a risk score specific to that user,
determine whether the detected anomaly is critical or not critical based on one or more first defined thresholds,
in response to determining the detected anomaly is critical, generate and transmit a first security alert specific to the detected anomaly to a security operation center (SOC),
in response to determining the detected anomaly is not critical, increase the risk score specific to the user and determine whether the increased risk score exceeds a second defined threshold, and
in response to the increased risk score exceeding the second defined threshold, generate and transmit a second security alert specific to the user to the SOC.
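
The two-tier triage recited in claim 1, sketched as an added example that is not taken from the patent or from the assignee's implementation. Two toy statistical detectors stand in for the claimed unsupervised ML models, and every threshold, the fixed risk increment, the combination of scores by maximum, and the names `Triage`, `location_rarity` and `hour_deviation` are assumptions made for illustration.

```python
from collections import Counter, defaultdict
from statistics import mean, pstdev

# Every constant here is an assumption; the claim only names "first defined
# thresholds" and a "second defined threshold" without giving values.
ANOMALY_MIN = 0.5     # below this the event is not treated as an anomaly
CRITICAL_MIN = 0.9    # first threshold: at or above this the anomaly is critical
USER_RISK_MAX = 50.0  # second threshold, applied to the per-user risk score
RISK_STEP = 20.0      # amount added to the risk score per non-critical anomaly

# Static data (constructed sample): where each resource lives.
RESOURCE_LOCATION = {"crm": "us-west", "payroll": "us-east", "hr-db": "eu-central"}


def location_rarity(history, event):
    """Toy detector 1: how rarely this user touches resources in this location."""
    if not history:
        return 0.0
    seen = Counter(RESOURCE_LOCATION[e["resource"]] for e in history)
    return 1.0 - seen[RESOURCE_LOCATION[event["resource"]]] / len(history)


def hour_deviation(history, event):
    """Toy detector 2: z-score of the access hour vs. the user's baseline, capped at 1."""
    hours = [e["hour"] for e in history]
    if len(hours) < 2:
        return 0.0
    spread = pstdev(hours) or 1.0  # avoid dividing by zero on a flat baseline
    return min(abs(event["hour"] - mean(hours)) / spread / 4.0, 1.0)


class Triage:
    def __init__(self):
        self.history = defaultdict(list)  # dynamic data: access events per user
        self.risk = defaultdict(float)    # risk score specific to each user

    def process(self, event):
        """Score one access event and return the alerts to send to the SOC."""
        user = event["user"]
        past = self.history[user]
        score = max(location_rarity(past, event), hour_deviation(past, event))
        past.append(event)
        if score < ANOMALY_MIN:
            return []
        if score >= CRITICAL_MIN:  # critical: alert on the anomaly itself
            return [("anomaly_alert", user, round(score, 2))]
        self.risk[user] += RISK_STEP  # not critical: raise the user's risk score
        if self.risk[user] > USER_RISK_MAX:  # accumulated risk: alert on the user
            return [("user_risk_alert", user, self.risk[user])]
        return []
```

The second alert path is what surfaces a user whose individual events never cross the critical threshold: repeated low-grade anomalies accumulate in the per-user score until that score alone triggers an alert.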