MALICIOUS ACTIVITY DETECTION BASED ON CHANGES IN A SECURITY GRAPH
Inventors
Moshe ISRAEL, Andrey KARPOVSKY, Fady COPTY
Abstract
Systems, methods, and techniques are directed to detecting potential anomalous activity based on changes in a security graph. In an example, a security system receives a first snapshot, corresponding to a first timestamp, of a graph representative of a tenant account of a network-based system. The security system receives a second snapshot of the graph corresponding to a second timestamp. The security system determines a first change in the graph based on the first and second snapshots and a second change related to the first change. The security system detects a potential anomaly based on the first and second changes. Responsive to detecting a potential anomaly, the security system causes a mitigation step to be performed with respect to the tenant account. In a further example, the security system determines that relationships between a sequence of changes satisfy a cumulative anomaly criterion.
Filing Date
2024-09-19
Application No.
18890168
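The snapshot comparison described in the abstract, sketched as an added example that is not taken from the patent or its claims. Assumptions: the graph is a set of (source, relation, target) edges, two changes are related when they share a node, and the weights, threshold, and all node names are constructed for illustration.

```python
# Assumed scoring rule: per-relation weights summed over a group of related changes.
WEIGHTS = {"created": 1, "has_role": 3, "can_read": 2}
THRESHOLD = 5  # assumed cumulative anomaly criterion

# Constructed snapshots of one tenant's graph at two timestamps.
SNAP_T1 = {
    ("alice", "has_role", "reader@storage1"),
    ("bob", "has_role", "owner@vm1"),
}
SNAP_T2 = SNAP_T1 | {
    ("alice", "created", "sp-build"),
    ("sp-build", "has_role", "owner@keyvault1"),
    ("sp-build", "can_read", "secret-db"),
    ("carol", "has_role", "reader@storage1"),
}

def diff_snapshots(old, new):
    """Changes between two snapshots as (kind, edge) tuples."""
    return ([("added", e) for e in sorted(new - old)] +
            [("removed", e) for e in sorted(old - new)])

def group_related(changes):
    """Group changes that share a node, directly or through a chain of changes."""
    groups = []  # list of (node set, change list)
    for change in changes:
        nodes, merged, keep = {change[1][0], change[1][2]}, [change], []
        for g_nodes, g_changes in groups:
            if g_nodes & nodes:          # overlaps: fold the group into this one
                nodes |= g_nodes
                merged += g_changes
            else:
                keep.append((g_nodes, g_changes))
        groups = keep + [(nodes, merged)]
    return [g for _, g in groups]

def detect(old, new):
    """Flag groups of two or more related changes whose summed weight meets THRESHOLD."""
    findings = []
    for group in group_related(diff_snapshots(old, new)):
        score = sum(WEIGHTS.get(edge[1], 1) for _, edge in group)
        if len(group) >= 2 and score >= THRESHOLD:
            findings.append({"score": score, "changes": sorted(group)})
    return findings
```

On the constructed data, the isolated role grant to `carol` stays below the threshold, while the newly created `sp-build` identity together with its two new access edges is reported as one finding.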