Checkout system executable code monitoring, and user account compromise determination system

US 10,102,369 B2
Filed: 08/12/2016
Issued: 10/16/2018
Est. Priority Date: 08/19/2015
Status: Active Grant

First Claim

Patent Images

1. A computerized method for centrally monitoring execution of disparate computing devices for compromise via aggregation of machine data, the computing devices utilizing sensitive information, and the method being performed by one or more computer systems, wherein the computer systems are configured to access one or more electronic data sources in response to requests received from an interactive user interface, the method comprising:

obtaining checkout system data associated with a plurality of checkout systems, wherein the checkout system data identifies processes executing in memory of each checkout system, and user account access information indicating user account access attempts to the checkout systems;

wherein the plurality of checkout systems execute respective agents associated with monitoring, at least, processes executing in memory of the checkout systems, wherein monitored information is aggregated from the plurality of agents, and wherein a process represents code executing in an operating system of a checkout system;

determining that the checkout system data identifies a first process, executing in memory of one or more compromised checkout systems, that is not known to be valid, wherein the first process represents code executing in operating systems of the one or more checkout systems;

determining, using the user account access information, anomalous user behavior of a first user account, wherein determining anomalous user behavior comprises determining a speed score indicative of a measure that a single user could not travel fast enough between different locations in a period of time to access the first user account from the different locations and a location score that measures risk associated with geographic locations from which the first user account was used;

generating user interface data describing the first process and the determined anomalous user behavior of the first user account; and

providing at least a portion of the generated user interface data for presentation on a user device,wherein the computer systems are configured to generate time-sensitive notifications associated with compromised checkout systems and anomalous user behavior for transmission to a reviewing user.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods, systems, and apparatus, including computer programs encoded on computer storage media, for a checkout system executable code monitoring, and user account compromise determination system. The system monitors executable code initiating and executing on checkout systems, including determining hashes of the executable code. The system determines whether the executable code is malicious based on the hash, and associated information of the executable code. Additionally, the system monitors user access to checkout systems, and determines user accounts associated with being compromised. User interfaces are generated describing checkout systems associated with a risk of being compromised, and are configured for user interaction, which cause generation of updated user interfaces and access to electronic data stores to determine information relevant to the user interaction.

453 Citations

20 Claims

1. A computerized method for centrally monitoring execution of disparate computing devices for compromise via aggregation of machine data, the computing devices utilizing sensitive information, and the method being performed by one or more computer systems, wherein the computer systems are configured to access one or more electronic data sources in response to requests received from an interactive user interface, the method comprising:
- obtaining checkout system data associated with a plurality of checkout systems, wherein the checkout system data identifies processes executing in memory of each checkout system, and user account access information indicating user account access attempts to the checkout systems;
  
  wherein the plurality of checkout systems execute respective agents associated with monitoring, at least, processes executing in memory of the checkout systems, wherein monitored information is aggregated from the plurality of agents, and wherein a process represents code executing in an operating system of a checkout system;
  
  determining that the checkout system data identifies a first process, executing in memory of one or more compromised checkout systems, that is not known to be valid, wherein the first process represents code executing in operating systems of the one or more checkout systems;
  
  determining, using the user account access information, anomalous user behavior of a first user account, wherein determining anomalous user behavior comprises determining a speed score indicative of a measure that a single user could not travel fast enough between different locations in a period of time to access the first user account from the different locations and a location score that measures risk associated with geographic locations from which the first user account was used;
  
  generating user interface data describing the first process and the determined anomalous user behavior of the first user account; and
  
  providing at least a portion of the generated user interface data for presentation on a user device,wherein the computer systems are configured to generate time-sensitive notifications associated with compromised checkout systems and anomalous user behavior for transmission to a reviewing user.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein determining that the first process is not known to be valid comprises:
    - obtaining information describing a plurality of processes known to be valid, wherein a process known to be valid identifies that the process is not malicious;
      
      comparing information describing the first process to the obtained information describing a plurality of processes known to be valid; and
      
      determining that the obtained information does not describe the first process.
  - 3. The method of claim 2, wherein comparing information describing the first process to the obtained information describing a plurality of processes known to be valid comprises one or more of:
    - comparing a name associated with the first process to respective names associated with the plurality of processes known to be valid, orcomparing a file location, on a checkout system executing the first process in memory, of executable code associated with the first process to respective file locations, on checkout systems, of executable code associated with the plurality of processes known to be valid, orcomparing a cryptographic hash of executable code associated with the first process to respective cryptographic hashes of executable code associated with the plurality of processes known to be valid.
  - 4. The method of claim 1, wherein determining anomalous user behavior of a first user account comprises at least one of:
    - determining that the first user account accessed a particular checkout system with privileged access rights, ordetermining that the first user account accessed greater than a threshold number of checkout systems with privileged access rights, ordetermining, using historical information indicating geographical regions the first user account is associated with, that the first user account accessed a particular checkout system that is not included in the geographical regions indicated in the historical information.
  - 5. The method of claim 4, further comprising:
    - generating an alert associated with the determined anomalous user behavior of the first user account, wherein the alert identifies one of the determinations that comprise determining user behavior of the first user account.
  - 6. The method of claim 1, wherein a portion of the generated user interface data includes information describing the first process and/or information describing the anomalous user behavior of the first user account.
  - 7. The method of claim 1, further comprising:
    - receiving, from the user device, a selection of the first process;
      
      obtaining information identifying checkout systems that execute the first process in memory; and
      
      providing, for presentation on the user device in the interactive user interface, user interface data comprising a user selectable portion that identifies a number of checkout systems which execute the first process in memory, and upon a user selection of the selectable portion, the user interface data is configured to present an identification of each checkout system that executes the first process in memory.
  - 8. The method of claim 1, wherein the user interface data describing the determined anomalous user behavior of the first account includes an identification of a particular checkout system associated with the anomalous user behavior, and wherein the method further comprises:
    - receiving, from the user device, a selection of the particular checkout system;
      
      obtaining information identifying a second process, executing on the particular checkout system, that is not known to be valid; and
      
      providing, for presentation on the user device, user interface data identifying the second process.
  - 9. The method of claim 1, wherein a particular process not known to be valid fraudulently copies sensitive information associated with transactions at a checkout system executing the particular process, and wherein the particular process relays the information to one or more outside systems.
  - 10. The method of claim 1,wherein for a time-sensitive notification associated with compromised checkout systems, the presented user interface data is configured to present summary information associated with user accounts utilized to access the compromised checkout systems,and wherein for a time-sensitive notification associated with anomalous user behavior, the presented user interface data is configured to present summary information associated with accesses to checkout systems by associated user accounts,thereby enabling the reviewing user to correlate between checkout systems and user accounts, and centrally monitor attacks on the checkout systems.

11. A system comprising:
- agents executing on a plurality of checkout systems, the agents monitoring, at least, processes executing in memory of the checkout systems, and the agents generating information from the checkout systems for centralized compromise monitoring via one or more computers, wherein a process represents code executing in an operating system of a checkout system, and wherein one or more of the processes executing in memory of the checkout systems utilize sensitive information; and
  
  one or more computers that aggregate information obtained from the agents to monitor for indications of checkout systems being compromised, the one or more computers executing instructions stored in one or more storage devices that are operable to cause the one or more computers to perform operations comprising;
  
  obtaining checkout system data from a plurality of checkout systems, wherein the checkout system data identifies processes executing in memory of each checkout system, and user account access information indicating user account access attempts to the checkout systems;
  
  determining that the checkout system data identifies a first process, executing in memory of one or more compromised checkout systems, that is not known to be valid, wherein the first process represents code executing in operating systems of the one or more checkout systems;
  
  determining, using the user account access information, anomalous user behavior of a first user account, wherein determining anomalous user behavior comprises determining a speed score indicative of a measure that a single user could not travel fast enough between different locations in a period of time to access the first user account from the different locations and a location score that measures risk associated with geographic locations from which the first user account was used;
  
  generating user interface data describing the first process and the determined anomalous user behavior of the first user account; and
  
  providing at least a portion of the generated user interface data for presentation on a user device,wherein the computer systems are configured to generate time-sensitive notifications associated with compromised checkout systems and anomalous user behavior for transmission to a reviewing user.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19)
- - 12. The system of claim 11, wherein determining that the first process is not known to be valid comprises:
    - obtaining information describing a plurality of processes known to be valid, wherein a process known to be valid identifies that the process is not malicious;
      
      comparing information describing the first process to the obtained information describing a plurality of processes known to be valid; and
      
      determining that the obtained information does not describe the first process.
  - 13. The system of claim 12, wherein comparing information describing the first process to the obtained information describing a plurality of processes known to be valid comprises one or more of:
    - comparing a name associated with the first process to respective names associated with the plurality of processes known to be valid, orcomparing a file location, on a checkout system executing the first process in memory, of executable code associated with the first process to respective file locations, on checkout systems, of executable code associated with the plurality of processes known to be valid, orcomparing a cryptographic hash of executable code associated with the first process to respective cryptographic hashes of executable code associated with the plurality of processes known to be valid.
  - 14. The system of claim 11, wherein determining anomalous user behavior of a first user account comprises at least one of:
    - determining that the first user account accessed a particular checkout system with privileged access rights, ordetermining that the first user account accessed greater than a threshold number of checkout systems with privileged access rights, ordetermining, using historical information indicating geographical regions the first user account is associated with, that the first user account accessed a particular checkout system that is not included in the geographical regions indicated in the historical information.
  - 15. The system of claim 14, further comprising:
    - generating an alert associated with the determined anomalous user behavior of the first user account, wherein the alert identifies one of the determinations that comprise determining user behavior of the first user account.
  - 16. The system of claim 11, wherein a portion of the generated user interface data includes information describing the first process and/or information describing the anomalous user behavior of the first user account.
  - 17. The system of claim 11, further comprising:
    - receiving, from the user device, a selection of the first process;
      
      obtaining information identifying checkout systems that execute the first process in memory; and
      
      providing, for presentation on the user device, user interface data comprising a user selectable portion that identifies a number of checkout systems which execute the first process in memory, and upon a user selection of the selectable portion, the user interface data is configured to present an identification of each checkout system that executes the first process in memory.
  - 18. The system of claim 11, wherein the user interface data describing the determined anomalous user behavior of the first account includes an identification of a particular checkout system associated with the anomalous user behavior, and wherein the method further comprises:
    - receiving, from the user device, a selection of the particular checkout system;
      
      obtaining information identifying a second process, executing on the particular checkout system, that is not known to be valid; and
      
      providing, for presentation on the user device, user interface data identifying the second process.
  - 19. The system of claim 11,wherein for a time-sensitive notification associated with compromised checkout systems, the presented user interface data is configured to present summary information associated with user accounts utilized to access the compromised checkout systems,and wherein for a time-sensitive notification associated with anomalous user behavior, the presented user interface data is configured to present summary information associated with accesses to checkout systems by associated user accounts,thereby enabling the reviewing user to correlate between checkout systems and user accounts, and centrally monitor attacks on the checkout systems.

20. A method performed by one or more processors comprising:
- receiving, from a system, a document for presentation describing a plurality of processes executing on a plurality of checkout systems that are not known to be valid, and one or more user accounts determined, by the system, to be associated with anomalous user behavior, wherein anomalous user behavior comprises a speed score indicative of a measure that a single user could not travel fast enough between different locations in a period of time to access a respective user account from the different locations and a location score that measures risk associated with geographic locations from which the respective user account was used,wherein the plurality of checkout systems execute respective agents associated with monitoring, at least, processes executing on the checkout systems, wherein a process represents code executing in an operating system of a checkout system, and wherein monitored information is aggregated from the plurality of agents;
  
  providing the document for presentation, wherein presentation includes presenting summary data describing the plurality of processes and summary data describing the anomalous user behavior indicating alerts, generated by the system, associated with respective types of anomalous user behavior, and wherein the presentation is responsive to user input and enables presentation of correlations between the summary information associated with checkout systems and the summary information associated with user accounts;
  
  receiving, user input from a user, a selection of a portion of data included in the presentation; and
  
  providing, for presentation, information associated with the selected portion of data.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Palantir Technologies Incorporated
Original Assignee
Palantir Technologies Incorporated
Inventors
Healy, Adam, Jackson, Benjamin, Pham, Khoa, Paul, Sanjay, Liu, Zhi Qiang
Primary Examiner(s)
Reza, Mohammad W

Application Number

US15/235,551
Publication Number

US 20170053115A1
Time in Patent Office

795 Days
Field of Search

726 23
US Class Current
CPC Class Codes

G06F 21/552   involving long-term monitor...

G06Q 20/18   involving self-service term...

G06Q 20/20   Point-of-sale [POS] network...

G06Q 20/4016   involving fraud or risk lev...

H04L 9/3236   using cryptographic hash fu...

Checkout system executable code monitoring, and user account compromise determination system

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

453 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Checkout system executable code monitoring, and user account compromise determination system

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

453 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links