Title of invention: Detecting anomalies in work practice data by combining multiple domains of information
Abstract: One embodiment of the present invention provides a system for multi-domain clustering. During operation, the system collects domain data for at least two domains associated with users, wherein a domain is a source of data describing observable activities of a user. Next, the system estimates a probability distribution for a domain associated with the user. The system also estimates a probability distribution for a second domain associated with the user. Then, the system analyzes the domain data with a multi-domain probability model that includes variables for two or more domains to determine a probability distribution of each domain associated with the probability model and to assign users to clusters associated with user roles.
Publication number: US9264442(B2)
Publication date: 2016.02.16
Application number: US201313871985
Filing date: 2013.04.26
Applicant: PALO ALTO RESEARCH CENTER INCORPORATED
Inventors: Bart Evgeniy; Liu Juan J.; Eldardiry Hoda M. A.; Price Robert R.
Classification: H04L29/06
Main classification: H04L29/06
Agency: Park, Vaughan, Fleming & Dowler LLP
Agent: Yao Shun; Park, Vaughan, Fleming & Dowler LLP
Principal claim: 1. A computer-executable method for multi-domain clustering, comprising: receiving, by a computing device, from one or more computing devices over a network, domain data for at least two domains associated with users, wherein a domain is a source type describing observable activities of a plurality of users, and wherein a respective user is associated with a respective user role in an organization; determining a hyperparameter value for a respective prior distribution of a probability distribution associated with a domain; estimating a probability distribution for generating a multi-domain probability model; generating a multi-domain probability model that includes variables for two or more domains, based on the hyperparameter value and the estimated probability distribution; analyzing the domain data with the generated multi-domain probability model to assign a first user to a plurality of cluster indices associated with the first user's corresponding user role; and determining that an activity being performed by a second user is anomalous, based on a comparison between one or more of the second user's cluster indices to one or more of the first user's plurality of cluster indices.
Address: Palo Alto CA US