| CPC G06F 21/554 (2013.01) [G06F 21/316 (2013.01); H04L 67/535 (2022.05)] | 20 Claims |
|
1. A method, comprising:
determining, by a microprocessor, that a user has authenticated to a computer system using a plurality of authentication levels;
separately tracking, by the microprocessor, behavior of the user at each of the plurality of authentication levels to identify separate usage patterns of the user at each of the plurality of authentication levels;
identifying, by the microprocessor, anomalous behavior of the user based on one or more variations from the separate usage patterns of the user at, at least one of the plurality of authentication levels; and
taking, by the microprocessor, an action based on identifying the anomalous behavior of the user,
wherein the separate usage patterns of the user at each of the plurality of authentication levels comprises a plurality of separate usage patterns of the user at one or more of the plurality of authentication levels, and
wherein the plurality of separate usage patterns of the user at the one or more of the plurality of authentication levels are based on at least one of: whether the user logs in at a lower authentication level and then logs in at a higher authentication level at a later point in time, and whether the user first logs in at the higher authentication level.
|