Checkout system executable code monitoring, and user account compromise determination system
First Claim
1. A computerized method for centrally monitoring execution of disparate computing devices for compromise via aggregation of machine data, the computing devices utilizing sensitive information, and the method being performed by one or more computer systems, wherein the computer systems are configured to access one or more electronic data sources in response to requests received from an interactive user interface, the method comprising:
- obtaining checkout system data associated with a plurality of checkout systems, wherein the checkout system data identifies processes executing in memory of each checkout system, and user account access information indicating user account access attempts to the checkout systems;
- wherein the plurality of checkout systems execute respective agents associated with monitoring, at least, processes executing in memory of the checkout systems, wherein monitored information is aggregated from the plurality of agents, and wherein a process represents code executing in an operating system of a checkout system;
- determining that the checkout system data identifies a first process, executing in memory of one or more compromised checkout systems, that is not known to be valid, wherein the first process represents code executing in operating systems of the one or more checkout systems;
- determining, using the user account access information, anomalous user behavior of a first user account, wherein determining anomalous user behavior comprises determining a speed score indicative of a measure that a single user could not travel fast enough between different locations in a period of time to access the first user account from the different locations and a location score that measures risk associated with geographic locations from which the first user account was used;
- generating user interface data describing the first process and the determined anomalous user behavior of the first user account; and
- providing at least a portion of the generated user interface data for presentation on a user device, wherein the computer systems are configured to generate time-sensitive notifications associated with compromised checkout systems and anomalous user behavior for transmission to a reviewing user.
Abstract
Methods, systems, and apparatus, including computer programs encoded on computer storage media, for a checkout system executable code monitoring, and user account compromise determination system. The system monitors executable code initiating and executing on checkout systems, including determining hashes of the executable code. The system determines whether the executable code is malicious based on the hash, and associated information of the executable code. Additionally, the system monitors user access to checkout systems, and determines user accounts associated with being compromised. User interfaces are generated describing checkout systems associated with a risk of being compromised, and are configured for user interaction, which cause generation of updated user interfaces and access to electronic data stores to determine information relevant to the user interaction.
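The two determinations described above, as an added example that is not code from the patent or its assignee: aggregated agent reports are checked against an allowlist of known-valid executable hashes, and consecutive account accesses are turned into a speed score. The report and log formats, the 900 km/h ceiling, the ratio used as the score, and all sample data are assumptions constructed for illustration; the location score is not implemented.

```python
import math
from datetime import datetime

# Assumed allowlist of hashes for executables known to be valid (constructed values).
KNOWN_VALID = {"a" * 64, "b" * 64}
# Constructed agent reports: (checkout system id, process name, hash of executable).
AGENT_REPORTS = [
    ("pos-001", "pos_app.exe", "a" * 64),
    ("pos-001", "updater.exe", "b" * 64),
    ("pos-002", "svch0st.exe", "c" * 64),
    ("pos-003", "svch0st.exe", "c" * 64),
]
# Constructed access log: (account, ISO timestamp, latitude, longitude).
ACCESS_LOG = [
    ("clerk7", "2024-01-05T09:00:00", 40.71, -74.01),  # New York
    ("clerk7", "2024-01-05T10:00:00", 51.51, -0.13),   # London, one hour later
    ("mgr2", "2024-01-05T09:00:00", 40.71, -74.01),
    ("mgr2", "2024-01-05T17:00:00", 40.73, -73.99),
]
MAX_PLAUSIBLE_KMH = 900.0  # assumed ceiling, roughly airliner cruise speed

def unknown_processes(reports, known_valid):
    """Map each hash not on the allowlist to the sorted checkout systems running it."""
    hits = {}
    for system, _name, digest in reports:
        if digest not in known_valid:
            hits.setdefault(digest, set()).add(system)
    return {h: sorted(s) for h, s in hits.items()}

def haversine_km(lat1, lon1, lat2, lon2):
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlmb = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def speed_scores(log, max_kmh=MAX_PLAUSIBLE_KMH):
    """Per account: highest implied speed between consecutive accesses, as a ratio to max_kmh."""
    scores, last = {}, {}
    for account, ts, lat, lon in sorted(log, key=lambda r: (r[0], r[1])):
        t = datetime.fromisoformat(ts)
        if account in last:
            t0, lat0, lon0 = last[account]
            hours = max((t - t0).total_seconds() / 3600, 1 / 3600)  # floor at one second
            kmh = haversine_km(lat0, lon0, lat, lon) / hours
            scores[account] = max(scores.get(account, 0.0), kmh / max_kmh)
        last[account] = (t, lat, lon)
    return scores
```

A score above 1.0 means the implied speed exceeds the assumed ceiling; an unknown hash seen on several checkout systems at once is the aggregation the central monitor exists to surface.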
20 Claims
11. A system comprising:
- agents executing on a plurality of checkout systems, the agents monitoring, at least, processes executing in memory of the checkout systems, and the agents generating information from the checkout systems for centralized compromise monitoring via one or more computers, wherein a process represents code executing in an operating system of a checkout system, and wherein one or more of the processes executing in memory of the checkout systems utilize sensitive information; and
- one or more computers that aggregate information obtained from the agents to monitor for indications of checkout systems being compromised, the one or more computers executing instructions stored in one or more storage devices that are operable to cause the one or more computers to perform operations comprising;
  - obtaining checkout system data from a plurality of checkout systems, wherein the checkout system data identifies processes executing in memory of each checkout system, and user account access information indicating user account access attempts to the checkout systems;
  - determining that the checkout system data identifies a first process, executing in memory of one or more compromised checkout systems, that is not known to be valid, wherein the first process represents code executing in operating systems of the one or more checkout systems;
  - determining, using the user account access information, anomalous user behavior of a first user account, wherein determining anomalous user behavior comprises determining a speed score indicative of a measure that a single user could not travel fast enough between different locations in a period of time to access the first user account from the different locations and a location score that measures risk associated with geographic locations from which the first user account was used;
  - generating user interface data describing the first process and the determined anomalous user behavior of the first user account; and
  - providing at least a portion of the generated user interface data for presentation on a user device, wherein the computer systems are configured to generate time-sensitive notifications associated with compromised checkout systems and anomalous user behavior for transmission to a reviewing user.
20. A method performed by one or more processors comprising:
- receiving, from a system, a document for presentation describing a plurality of processes executing on a plurality of checkout systems that are not known to be valid, and one or more user accounts determined, by the system, to be associated with anomalous user behavior, wherein anomalous user behavior comprises a speed score indicative of a measure that a single user could not travel fast enough between different locations in a period of time to access a respective user account from the different locations and a location score that measures risk associated with geographic locations from which the respective user account was used, wherein the plurality of checkout systems execute respective agents associated with monitoring, at least, processes executing on the checkout systems, wherein a process represents code executing in an operating system of a checkout system, and wherein monitored information is aggregated from the plurality of agents;
- providing the document for presentation, wherein presentation includes presenting summary data describing the plurality of processes and summary data describing the anomalous user behavior indicating alerts, generated by the system, associated with respective types of anomalous user behavior, and wherein the presentation is responsive to user input and enables presentation of correlations between the summary information associated with checkout systems and the summary information associated with user accounts;
- receiving, user input from a user, a selection of a portion of data included in the presentation; and
- providing, for presentation, information associated with the selected portion of data.
Specification