US Patent 11593502 Detecting behavioral anomalies in user-data access logs

A method by one or more computing devices for detecting application user anomalies in audit logs of database operations performed on one or more databases. The method includes obtaining a first audit log of database operations, wherein the first audit log indicates (1) which application users of an application caused which of the database operations to be performed and (2) which functions of the application caused which of the database operations to be performed, generating, for each of the application users indicated in the first audit log, a profile of that application user that indicates which of the functions that application user is expected to touch, and detecting an anomaly in response to a determination that a second audit log indicates that an application user touched a function that is not one of the functions indicated in the profile of the application user.