INSIDER THREAT REPORTING MECHANISM

Invented by Sameer Khanna, Fortinet, Inc.
Insider threats are one of the toughest problems in cybersecurity. This new patent application offers a smart way to spot and explain insider threats by turning behavior data into images and matching them with text reports. Let’s break down how this works, why it matters, and what makes it new and powerful.
Background and Market Context
When we think about hacking or data leaks, most people imagine outsiders breaking in. But in many cases, the real danger is already inside. Employees, contractors, or trusted partners can misuse their access or make mistakes that put important data at risk. These are called “insider threats.”
Detecting insider threats is very hard. Insiders already have permission to use systems and know how things work. They can hide their actions or even use their normal work as a cover for bad behavior. According to recent studies, almost one in three confirmed breaches involve insiders. The cost to companies can be huge, often running into millions of dollars for each attack.
Companies try to protect themselves using firewalls, passwords, and security checks. But these tools are mostly designed to stop outside attacks. They don’t work as well for insiders who know how to avoid getting caught. Security teams need better ways to spot when someone inside is doing something suspicious or harmful. They also need to understand what happened, so they can respond quickly and fairly.
Another problem is that most insider threat detection tools are “black boxes.” They give alerts or scores, but they don’t explain why they flagged an employee’s behavior. This makes it hard for managers to decide what to do next. Was it a real threat, or just a mistake? Without clear explanations, it’s easy to make the wrong call.
There’s also a data challenge. Good threat detection systems need lots of real-world examples to learn from. But companies don’t want to share their private data or employee details. This makes it hard to build, test, and improve new solutions. Each company ends up with its own private tools, and it’s hard to compare which ones work best.
This patent application sits right at the heart of these challenges. It promises not just to spot insider threats, but to generate clear, easy-to-understand reports by combining images (that represent behavior) with plain text summaries. It also introduces smarter ways to train these systems, even when data is limited or imbalanced.
Scientific Rationale and Prior Art
For years, security systems have used logs and rules to try to spot bad behavior. If someone logs in from a new location, accesses sensitive files, or sends big amounts of data, the system can raise a flag. But these rules can be simple and easy to trick. More advanced systems use machine learning, which can find strange patterns in huge amounts of data. The problem is, machine learning models often need lots of labeled examples to work well. In the case of insider threats, there are few real-life examples, and they are all different.
Some recent research has tried using images to represent patterns in behavior. Imagine taking all the activity of an employee—logins, emails, file access—and turning that into a picture. Each pixel in the picture represents a different kind of action, and the brightness shows how often it happened. This makes it possible to use powerful computer vision tools to spot unusual patterns, just like how they spot cats or dogs in photos.
At the same time, another big trend in machine learning is using both images and text together. For example, the CLIP model from OpenAI learns to match images with their captions. This is called “contrastive learning.” The idea is simple: if an image and a sentence go together, their computer representations (called “encodings”) should be close together. If not, they should be far apart. This makes it possible to search for images using text, or to find captions for a photo.
Before this patent, some systems used either behavior images or text reports, but not both together in a way that generates clear, actionable reports. Most insider threat tools either show a risk score or a simple alert, not a natural language explanation tied to the actual behavior. Also, standard contrastive learning methods have trouble when there are many more common behaviors (like normal work) than rare ones (like stealing data). They can get confused and make mistakes, especially when the same report text shows up many times in the training data.
The creators of this patent saw these gaps. They realized that by encoding behavior as images and using smart ways to pair those images with text reports, they could make a system that not only detects threats, but also explains them in plain language. They also worked on new ways to train these systems, so they don’t get tripped up by imbalanced data.
Invention Description and Key Innovations
At its core, this invention is a smart system for turning complex behavior data into easy-to-understand reports. Here’s how it works, step by step:
First, the system collects behavior data from a network. This could include things like when users log in, what files they open, what websites they visit, or if they plug in USB devices. This data is turned into a “feature array,” where each spot in the array holds a certain kind of behavior. The array is then turned into a grayscale image—think of it as a map where brightness shows how much of something happened. By combining several of these grayscale images, the system can build a color image that holds even more information.
Next, the system has a collection of possible reports written in plain language. These reports might say things like, “No malicious behavior detected,” or “User uploaded files to an unauthorized site.”
Both the behavior images and the text reports are run through special encoders. The image encoder is like a pair of smart eyes—it looks at the picture and turns it into a string of numbers that captures what’s happening. The text encoder does the same for words, turning each report into its own string of numbers. These strings are called “encodings.”
Now comes the key trick. For any new behavior image, the system compares its encoding to the encodings of all the possible text reports. It looks for the text report whose encoding is closest to the image’s encoding. This is done using a simple math measure called “cosine similarity.” If two encodings point in the same direction, they are similar. The report with the highest similarity is picked as the explanation for the behavior image.
This means that the system doesn’t just say “something is wrong.” It picks the best matching plain-language report for what it sees in the behavior image. This makes it much easier for security teams to understand what’s happening and decide what to do.
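As an added illustration (not code from the patent application or from Fortinet), the following Python sketch follows the pipeline described above: event counts per time window become grayscale feature arrays, three windows are stacked as the R, G and B channels of a color image, and a stand-in encoder plus cosine similarity picks the closest plain-language report. The feature layout, the window-per-channel scheme, the brightness scale, the encoder and the report encodings are all constructed assumptions; in the patent the encoders are trained models.

```python
import math
# Feature slots of the behaviour array and the three time windows that become
# the R, G and B channels (constructed layout for this example)
FEATURES = ["logon", "logoff", "file_open", "file_copy", "usb_insert", "web_upload"]
WINDOWS = ["morning", "afternoon", "night"]
# Stand-in text encodings: one prototype per report over the same slots (assumption)
REPORT_ENCODINGS = {
    "No malicious behavior detected": [1, 1, 1, 0.2, 0, 0],
    "User uploaded files to an unauthorized site": [0.3, 0.3, 0.5, 1, 0, 1],
    "User copied sensitive files to removable media": [0.3, 0.3, 0.5, 1, 1, 0],
}

def feature_array(events):
    """Count events into the feature slots; unknown event names are ignored."""
    counts = [0] * len(FEATURES)
    for e in events:
        if e in FEATURES:
            counts[FEATURES.index(e)] += 1
    return counts

def grayscale(counts, saturate=10):
    """Map counts to 0..255 brightness; `saturate` or more events gives a white pixel."""
    return [min(255, int(255 * c / saturate)) for c in counts]

def color_image(day):
    """day maps window -> event list; returns one (R, G, B) pixel per feature slot."""
    channels = [grayscale(feature_array(day.get(w, []))) for w in WINDOWS]
    return list(zip(*channels))

def image_encoding(image):
    """Stand-in image encoder: total brightness per pixel (a trained CNN in the patent)."""
    return [float(sum(px)) for px in image]

def cosine(a, b):
    dot = sum(x * y for x, y in zip(a, b))
    norm = math.sqrt(sum(x * x for x in a)) * math.sqrt(sum(y * y for y in b))
    return dot / norm if norm else 0.0

def best_report(image):
    """Pick the report whose encoding is closest (cosine) to the image encoding."""
    enc = image_encoding(image)
    scores = {r: cosine(enc, e) for r, e in REPORT_ENCODINGS.items()}
    report = max(scores, key=scores.get)
    return report, scores[report]

# Constructed sample days (not real telemetry)
NORMAL_DAY = {"morning": ["logon", "file_open", "file_open"], "afternoon": ["file_open", "file_open", "logoff"]}
EXFIL_DAY = {"morning": ["logon", "file_open"], "night": ["file_copy", "web_upload", "logoff"],
             "afternoon": ["file_copy", "file_copy", "web_upload", "web_upload", "web_upload"]}
```

Calling `best_report(color_image(EXFIL_DAY))` returns the upload report with a similarity near 1, while `NORMAL_DAY` maps to "No malicious behavior detected".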
The invention also tackles a big training problem. Normally, to teach the system, you need lots of examples of both normal and malicious behavior. But there are way more normal cases than bad ones, and sometimes the same report text can match many different images. If you train the system by just picking random batches, you can end up telling it that some good pairs are actually bad ones. This confuses the system and makes it less accurate.
To fix this, the inventors use two new tricks:
First, the “prune batch” method removes duplicate text reports from each training batch. This avoids telling the system that two good matches are actually bad. This makes training more accurate but can reduce the amount of data in each batch, which isn’t always ideal.
Second, the “class batch” method treats each report as a class. For each image, it compares the image to all possible reports, not just the ones in the batch. It uses class weights to make sure rare types of reports are still learned well. This keeps more training data and helps the system learn the right matches, even when some reports show up much more often than others.
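To make the two batching tricks concrete, here is an added Python sketch that is not from the patent or from Fortinet. It counts the false negatives a plain in-batch contrastive setup creates when a report text repeats, applies "prune batch" to drop the duplicates, and applies "class batch" by scoring each image against every report with inverse-frequency class weights. The 2-D encodings, the temperature, the weighted cross-entropy form and the inverse-frequency weighting are my assumptions; the page does not give the exact loss.

```python
import math
from collections import Counter

TAU = 0.1  # softmax temperature for the similarity logits (assumed value)
NORMAL = "No malicious behavior detected"
UPLOAD = "User uploaded files to an unauthorized site"
# Constructed stand-in encodings and a batch in which the common report repeats
REPORT_ENCS = {NORMAL: [1.0, 0.0], UPLOAD: [0.0, 1.0]}
BATCH = [([0.9, 0.1], NORMAL), ([0.8, 0.2], NORMAL), ([0.7, 0.3], NORMAL), ([0.1, 0.9], UPLOAD)]

def cosine(a, b):
    dot = sum(x * y for x, y in zip(a, b))
    norm = math.sqrt(sum(x * x for x in a)) * math.sqrt(sum(y * y for y in b))
    return dot / norm if norm else 0.0

def false_negative_pairs(batch):
    """Off-diagonal pairs that plain in-batch contrastive training would push apart
    even though both carry the same report text: the mistake the patent describes."""
    return sum(1 for i, (_, ri) in enumerate(batch)
                 for j, (_, rj) in enumerate(batch) if i != j and ri == rj)

def prune_batch(batch):
    """'Prune batch': keep one (image, report) pair per distinct report text."""
    seen, kept = set(), []
    for img, report in batch:
        if report not in seen:
            seen.add(report)
            kept.append((img, report))
    return kept

def class_weights(reports, classes):
    """Inverse-frequency weight per report class so rare reports still get learned."""
    counts, total = Counter(reports), len(reports)
    return {c: total / (len(classes) * counts[c]) if counts[c] else 1.0 for c in classes}

def class_batch_loss(batch, report_encs):
    """'Class batch': score every image against ALL reports (each report is a class)
    and apply class-weighted cross-entropy with the image's true report as label."""
    classes = list(report_encs)
    w = class_weights([r for _, r in batch], classes)
    total = weight_sum = 0.0
    for img, report in batch:
        logits = [cosine(img, report_encs[c]) / TAU for c in classes]
        m = max(logits)  # log-sum-exp with the max subtracted for numerical stability
        log_z = m + math.log(sum(math.exp(l - m) for l in logits))
        total += -w[report] * (logits[classes.index(report)] - log_z)
        weight_sum += w[report]
    return total / weight_sum
```

On `BATCH`, `false_negative_pairs` reports six image/report pairs that a naive batch would wrongly treat as negatives, `prune_batch` shrinks the batch to two pairs, and `class_batch_loss` keeps all four while giving the rare upload report three times the weight of the common one.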
Finally, this whole approach is built to be flexible. It can run on different hardware, from small appliances to big servers, and it can be updated as new types of insider threats appear. The system can also be trained with new data as it becomes available, making it easy to keep up with changing risks.
In summary, the key innovations of this invention are:
– Turning behavior data into images that capture many types of activities at once.
– Using both image and text encodings to match behavior with clear, plain-language reports.
– Training the system with smart batching methods that avoid common mistakes and handle imbalanced data.
– Providing an easy way for security teams to understand and act on insider threat alerts.
Conclusion
Insider threats are a growing risk that can cause great harm to organizations. Traditional tools often miss these threats or fail to explain their findings. This patent application introduces a new way to spot and report insider threats by combining image and text analysis. By turning behavior into pictures and matching them to clear reports, the system makes it easier to detect, understand, and respond to suspicious activity inside a network. Its smart training methods also help it learn better from limited data, making it both accurate and practical. For any company that wants to take insider threat detection to the next level, this invention offers a path that is both powerful and easy to use.
The full application is available at https://ppubs.uspto.gov/pubwebapp/ (search for publication number 20250217481).