| 摘要 |
Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for generating activity signatures and detecting activity replays. In one aspect, a method includes accessing activity data first and second activity sequences; generating a first activity sequence signature from the first activity sequence, and generating, for each second activity sequence, a respective second activity sequence signature from the second activity sequence; for each second activity sequence, determining a similarity measure that is a measure of similarity of the first activity sequence to the second activity sequence from the signatures; for each second activity sequence having a similarity measure that meets a threshold, determining that a security violation occurred during the second user session of the second activity sequence; and for each second activity sequence having a similarity measure that does not meet the threshold, determining that a security violation did not occur during the second user session. |
| 主权项 |
1. A method performed by data processing apparatus, the method comprising:
accessing, by a data processing apparatus, activity data describing:
a first activity sequence for a first user session, the first activity sequence being a first sequence of activities that were observed during the first user session, each activity in the first activity sequence being at a respective ordinal position in the sequence;a plurality of second activity sequences, wherein each second activity sequence is for a respective second user session that is a different session from the first user session and being a second sequence of activities that were observed during the second user session, each activity in the second activity sequence being at a respective ordinal position in the sequence; generating, by the data processing apparatus, a first activity sequence signature from the first activity sequence; generating, by the data processing apparatus and for each second activity sequence, a respective second activity sequence signature from the second activity sequence; for each second activity sequence, determining, by the data processing apparatus and from the first activity sequence signature and the second activity sequence signature of the second activity sequence, a similarity measure that is a measure of similarity of the first activity sequence to the second activity sequence; for each second activity sequence having a similarity measure that meets a threshold, determining by the data processing apparatus that a security violation occurred durin the second user session of the second activity sequence; and for each second activity sequence having a similarity measure that does not meet the threshold, determining by the data processing apparatus that a security violation did not occur during the second user session of the second activity sequence; wherein generating each activity sequence signature comprises:
generating, for the activity sequence, activity sequence subsequences, each subsequence being a proper subset of the activities in the activity sequence;generating, for each activity sequence subsequence, an activity sequence signature from the proper subset of activities in the activity sequence subsequence. |
