We present a method to detect departures from business-justified workflows among support agents. Our goal is to assist auditors in identifying agent actions that cannot be explained by the activity within their surrounding context, where normal activity patterns are established from historical data. We apply our method to help audit millions of actions of over three thousand support agents. We collect logs from the tools used by support agents and construct a bipartite graph of Actions and Entities representing all the actions of the agents, as well as background information about entities. From this graph, we sample subgraphs rooted on security-significant actions taken by the agents. Each subgraph captures the relevant context of the root action in terms of other actions, entities and their relationships. We then prioritize the rooted subgraphs for auditor review using feed-forward and graph neural networks, as well as nearest-neighbor techniques. To alleviate the issue of scarce labeling data, we use contrastive learning and domain-specific data augmentations. Expert auditors label the top-ranked subgraphs as "worth auditing" or "not worth auditing" based on the company's business policies. This system finds subgraphs that are worth auditing with high enough precision to be used in production.
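The following is an added, illustrative example and not the paper's code: it builds the Action/Entity bipartite graph from a handful of constructed tool-log records, samples a time-bounded subgraph rooted on each security-significant action, and ranks the roots with a plain nearest-neighbor rarity score (the neural and contrastive models the paper uses are out of scope here). The log schema, the action kinds, the hop count, the time window and the bag-of-counts feature vector are all assumptions made for this example.

```python
"""Added example (not the paper's implementation): bipartite Action/Entity
graph, rooted-subgraph sampling and a nearest-neighbour rarity score.
Log schema, action kinds, window and features are assumptions."""
from collections import defaultdict, deque
from dataclasses import dataclass
import math


@dataclass(frozen=True)
class Action:
    id: str
    agent: str       # agent entity id, e.g. "agent:alice"
    kind: str        # action type, e.g. "view_ticket", "reset_password"
    entities: tuple  # other entity ids touched, e.g. ("ticket:T1", "account:A9")
    t: int           # constructed timestamp (minutes since start of log)


# Constructed tool-log records (hypothetical). Three agents follow the
# expected "view ticket, then reset password" workflow; the last reset has
# no supporting ticket activity in its context.
LOG = [
    Action("a1", "agent:alice", "view_ticket", ("ticket:T1", "account:A9"), 0),
    Action("a2", "agent:alice", "reset_password", ("account:A9",), 3),
    Action("a3", "agent:bob", "view_ticket", ("ticket:T2", "account:A7"), 10),
    Action("a4", "agent:bob", "reset_password", ("account:A7",), 12),
    Action("a5", "agent:carol", "view_ticket", ("ticket:T3", "account:A5"), 20),
    Action("a6", "agent:carol", "reset_password", ("account:A5",), 25),
    Action("a7", "agent:dave", "reset_password", ("account:A1",), 40),
]

# Assumed set of action kinds that anchor a rooted subgraph.
SECURITY_SIGNIFICANT = {"reset_password", "refund"}


def build_graph(log):
    """Bipartite graph: every action node is linked to the agent and the
    entities it touched; entities are never linked to each other directly."""
    adj = defaultdict(set)
    actions = {}
    for a in log:
        anode = "action:" + a.id
        actions[anode] = a
        for e in (a.agent,) + a.entities:
            adj[anode].add(e)
            adj[e].add(anode)
    return adj, actions


def rooted_subgraph(adj, actions, root_id, hops=2, window=30):
    """BFS from the root action up to `hops` edges, admitting other actions
    only if they fall within `window` minutes of the root. Two hops reach the
    root's entities and the other actions that share them."""
    root = "action:" + root_id
    t0 = actions[root].t
    seen = {root}
    frontier = deque([(root, 0)])
    while frontier:
        node, depth = frontier.popleft()
        if depth == hops:
            continue
        for nb in adj[node]:
            if nb in seen:
                continue
            if nb.startswith("action:") and abs(actions[nb].t - t0) > window:
                continue  # outside the temporal context of the root
            seen.add(nb)
            frontier.append((nb, depth + 1))
    return seen


def features(sub, actions):
    """Assumed feature vector: counts of action kinds and entity types in the
    subgraph (the root's own kind is included, which keeps refund and reset
    contexts from being compared against each other)."""
    f = defaultdict(float)
    for n in sub:
        if n.startswith("action:"):
            f["act:" + actions[n].kind] += 1
        else:
            f["ent:" + n.split(":", 1)[0]] += 1
    return dict(f)


def euclid(f, g):
    keys = set(f) | set(g)
    return math.sqrt(sum((f.get(k, 0.0) - g.get(k, 0.0)) ** 2 for k in keys))


def rank_for_audit(log, k=2):
    """Score each security-significant root by its mean distance to the k
    nearest other rooted subgraphs; a large score means the root's context
    looks unlike anything seen before and should be reviewed first."""
    adj, actions = build_graph(log)
    roots = [a for a in log if a.kind in SECURITY_SIGNIFICANT]
    feats = {a.id: features(rooted_subgraph(adj, actions, a.id), actions) for a in roots}
    scores = {}
    for a in roots:
        dists = sorted(euclid(feats[a.id], feats[b.id]) for b in roots if b.id != a.id)
        nearest = dists[:k]
        scores[a.id] = sum(nearest) / max(1, len(nearest))
    return sorted(scores.items(), key=lambda kv: -kv[1])


if __name__ == "__main__":
    for root_id, score in rank_for_audit(LOG):
        print(f"{root_id}: {score:.2f}")
```

In this toy data the only reset without a preceding ticket view in its window (a7) ends up alone in feature space and is ranked first; the three resets that follow the usual view-then-reset pattern score zero. In practice the reference set would be the historical rooted subgraphs rather than the other roots in the same batch, and the hand-built count vector would be replaced by a learned embedding.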