Microsoft Corporation
Anomaly scoring using collaborative filtering
Abstract:
A machine learning model is trained using tuples that identify an actor, a resource, and a rating based on a normalized count of the actor's attempts to access the resource. Actors may be users, groups, IP addresses, or otherwise defined. Resources may be storage, virtual machines, APIs, or otherwise defined. Risk assessor code feeds an actor-resource pair to the trained model, which computes a recommendation score using collaborative filtering. The risk assessor inverts the recommendation score to obtain a risk measurement; a low recommendation score corresponds to a high risk, and vice versa. The risk assessor code or other code takes cybersecurity action based on the recommendation score. Code may accept a risk R, or aid mitigation of the risk R, where R denotes a risk that the scored pair represents an unauthorized attempt by the pair actor to access the pair resource.
Utility
27 Feb 2019
19 Apr 2022
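
The scoring flow described in the abstract, as an added example that is not taken from the patent or from any Microsoft code. The user-based cosine-similarity filter, the per-actor peak normalization, the `risk = 1 - score` inversion, and every actor, resource and count below are assumptions constructed for illustration.

```python
from math import sqrt

# Constructed sample data: raw access-attempt counts per (actor, resource).
COUNTS = {
    ("alice", "vm-build"): 40, ("alice", "storage-src"): 20,
    ("bob", "vm-build"): 30, ("bob", "storage-src"): 30,
    ("erin", "vm-build"): 12, ("erin", "storage-src"): 3, ("erin", "api-payroll"): 3,
    ("carol", "storage-hr"): 25, ("carol", "api-payroll"): 50,
    ("dave", "storage-hr"): 10, ("dave", "api-payroll"): 10,
}

def build_ratings(counts):
    """Map actor -> {resource: rating in (0, 1]}. Assumed normalization: divide by the actor's peak count."""
    peak = {}
    for (actor, _), n in counts.items():
        peak[actor] = max(peak.get(actor, 0), n)
    ratings = {}
    for (actor, res), n in counts.items():
        ratings.setdefault(actor, {})[res] = n / peak[actor]
    return ratings

def cosine(u, v):
    # Cosine similarity of two sparse rating vectors; 0.0 if either is empty.
    dot = sum(u[r] * v[r] for r in u.keys() & v.keys())
    norm = sqrt(sum(x * x for x in u.values())) * sqrt(sum(x * x for x in v.values()))
    return dot / norm if norm else 0.0

def recommendation_score(ratings, actor, resource):
    """Similarity-weighted mean of peers' ratings for the resource (a missing rating counts as 0)."""
    mine = ratings.get(actor, {})
    num = den = 0.0
    for peer, theirs in ratings.items():
        if peer != actor:
            w = cosine(mine, theirs)
            num += w * theirs.get(resource, 0.0)
            den += w
    return num / den if den else 0.0  # no similar peers: no evidence the access is normal

def risk(ratings, actor, resource):
    """Assumed inversion: a low recommendation score yields a high risk."""
    return 1.0 - recommendation_score(ratings, actor, resource)

RATINGS = build_ratings(COUNTS)

if __name__ == "__main__":
    for pair in [("alice", "storage-src"), ("alice", "api-payroll"), ("alice", "storage-hr")]:
        print(pair, round(risk(RATINGS, *pair), 3))
```

An actor with no history, or with no peers that resemble it, scores the maximum risk of 1.0 here, so a deployment built this way needs a cold-start policy before acting on the score.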