User behavior analyzer

US 10,193,772 B1
Filed: 12/19/2016
Issued: 01/29/2019
Est. Priority Date: 10/28/2011
Status: Active Grant

First Claim

Patent Images

1. An anomaly detection computing system, the system comprising:

an account data store configured to store at least one state machine graph, wherein individual state machine graphs are generated based, at least in part, on recorded sequences of electronic messages received from client computing devices during participation in an interactive video game application, the state machine graph defining a sequence of states and transitions between each state, wherein each state is representative of a type of electronic message;

a server computing system including one or more processors and in electronic communication with a data store, the server computing system configured to execute the interactive video game application and communicatively couple with a plurality of client computing devices, the server computing system comprises computer readable instructions that when executed configure the server computing system to;

receive a plurality of electronic messages from a plurality of client computing devices communicatively coupled to the server during runtime execution of the interactive video game application, wherein each electronic message of the plurality of electronic messages is a defined type of message communicated by a client computing device during participation in the interactive video game application;

group the plurality of electronic messages into one or more sets of electronic messages;

construct a first sequence of electronic messages for a first set of electronic messages of the one or more sets of electronic messages, wherein the first set of electronic messages are received from a first client computing device;

compare the first sequence of electronic messages to a sequence of states of a state machine graph of the one or more state machine graphs, wherein each state machine graph is configured to model a different type of client behavior within the interactive video game application;

generate an anomaly score based at least in part on the differences between characteristics of the first sequence and characteristics of the defined sequence of the state machine graph; and

in response to determination that the anomaly score exceeds an anomaly detection threshold, generate an output designating the constructed sequence as abnormal relative to the defined client behavior.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method is shown for identifying abnormal client behavior with respect to communications between one or more servers and one or more client devices communicatively coupled to the one or more servers. Messages are received at a server from one or more client devices communicatively coupled to the server. The plurality of messages are grouped into subsets of messages using a learn module of the server. Each subset of messages is associated with a unique client identifier, and all messages within a subset are associated with the same unique client identifier. Each message within a subset of messages is identified as belonging to a defined type of message. Sequences of the defined types of messages within each of said subsets of messages are recorded using the learn module. Time intervals between the defined types of messages are measured using the learn module. The recorded sequences of defined types of messages and the measured time intervals between the defined types of messages are designated as constituting normal client behavior.

Citations

20 Claims

1. An anomaly detection computing system, the system comprising:
- an account data store configured to store at least one state machine graph, wherein individual state machine graphs are generated based, at least in part, on recorded sequences of electronic messages received from client computing devices during participation in an interactive video game application, the state machine graph defining a sequence of states and transitions between each state, wherein each state is representative of a type of electronic message;
  
  a server computing system including one or more processors and in electronic communication with a data store, the server computing system configured to execute the interactive video game application and communicatively couple with a plurality of client computing devices, the server computing system comprises computer readable instructions that when executed configure the server computing system to;
  
  receive a plurality of electronic messages from a plurality of client computing devices communicatively coupled to the server during runtime execution of the interactive video game application, wherein each electronic message of the plurality of electronic messages is a defined type of message communicated by a client computing device during participation in the interactive video game application;
  
  group the plurality of electronic messages into one or more sets of electronic messages;
  
  construct a first sequence of electronic messages for a first set of electronic messages of the one or more sets of electronic messages, wherein the first set of electronic messages are received from a first client computing device;
  
  compare the first sequence of electronic messages to a sequence of states of a state machine graph of the one or more state machine graphs, wherein each state machine graph is configured to model a different type of client behavior within the interactive video game application;
  
  generate an anomaly score based at least in part on the differences between characteristics of the first sequence and characteristics of the defined sequence of the state machine graph; and
  
  in response to determination that the anomaly score exceeds an anomaly detection threshold, generate an output designating the constructed sequence as abnormal relative to the defined client behavior.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The system of claim 1 further comprising computer readable instructions that when executed cause the server computing system to restrict access of the first client computing to the interactive computing application based on the determination that the anomaly score exceeds an anomaly detection threshold.
  - 3. The system of claim 1 further comprising computer readable instructions that when executed cause the server computing system to measure time intervals between the messages of the first sequence of messages.
  - 4. The system of claim 3 further comprising computer readable instructions that when executed cause the server computing system to transform the measured time intervals using Fourier analysis to calculate an average expected frequency of each message of the first sequence.
  - 5. The system of claim 1, wherein two or more of the states of the state machine graph are representative of the same type of message.
  - 6. The system of claim 1, wherein each message comprises data for a client interaction associated with the message.
  - 7. The system of claim 1 further comprising computer readable instructions that when executed cause the server computing system to assign a specific unique identifier to each message associated with a client computing device.
  - 8. The system of claim 1, wherein the defined client behavior is normal client behavior.
  - 9. The system of claim 1, wherein the interactive computing application is an interactive video game application and the messages are communicated by the client computing devices during participation in the interactive video game application.
  - 10. The system of claim 1, wherein each defined type of message corresponds to a unique client behavior.

11. A method for identifying abnormal client behavior with respect to communications between one or more servers and one or more client devices communicatively coupled to the one or more servers, the method comprising:
- receiving a plurality of electronic messages from a plurality of client computing devices communicatively coupled to the server during runtime execution of an interactive video game application, wherein each electronic message of the plurality of electronic messages is a defined type of message communicated by a client computing device during participation in the interactive video game application;
  
  grouping the plurality of electronic messages into one or more sets of electronic messages;
  
  constructing a first sequence of electronic messages for a first set of electronic messages of the one or more sets of electronic messages, wherein the first set of electronic messages are received from a first client computing device;
  
  comparing the first sequence of electronic messages to a state machine graph, the state machine graph defining a sequence of states and transitions between each state, wherein each state is representative of a type of message, wherein the state machine graph is configured to model a defined type of client behavior within the interactive video game application;
  
  generating an anomaly score based at least in part on the differences between characteristics of the first sequence and characteristics of the defined sequence of the state machine graph; and
  
  in response to determination that the anomaly score exceeds an anomaly detection threshold, generating an output designating the constructed sequence as abnormal relative to the defined client behavior.
- View Dependent Claims (12, 13, 14, 15, 16)
- - 12. The method of claim 11 further comprising restricting access of the first client computing to the interactive computing application based on the determination that the anomaly score exceeds an anomaly detection threshold.
  - 13. The method of claim 11 further comprising measuring time intervals between the messages of the first sequence of messages.
  - 14. The method of claim 13 further comprising transforming the measured time intervals using Fourier analysis to calculate an average expected frequency of each message of the first sequence.
  - 15. The method of claim 11, wherein the interactive computing application is an interactive video game application and the messages are communicated by the client computing devices during participation in the interactive video game application.
  - 16. The method of claim 11 further comprising computer readable instructions that when executed cause the server computing system to assign a specific unique identifier to each message associated with a client computing device.

17. A non-transitory computer readable medium comprising computer-executable instructions for anomaly detection that, when executed by a server computing system, causes the server computing system to:
- receive a plurality of electronic messages from a plurality of client computing devices communicatively coupled to the server computing system during runtime execution of an interactive video game application, wherein each electronic message of the plurality of electronic messages is a defined type of message communicated by a client computing device during participation in the interactive video game application;
  
  group the plurality of electronic messages into one or more sets of electronic messages;
  
  construct a first sequence of electronic messages for a first set of electronic messages of the one or more sets of electronic messages, wherein the first set of electronic messages are received from a first client computing device;
  
  compare the first sequence of electronic messages to a state machine graph, the state machine graph defining a sequence of states and transitions between each state, wherein each state is representative of a type of message, wherein the state machine graph is configured to model a defined type of client behavior within the interactive video game application;
  
  generate an anomaly score based at least in part on the differences between characteristics of the first sequence and characteristics of the defined sequence of the state machine graph; and
  
  in response to determination that the anomaly score exceeds an anomaly detection threshold, generate an output designating the constructed sequence as abnormal relative to the defined client behavior.
- View Dependent Claims (18, 19, 20)
- - 18. The computer readable medium of claim 17 further comprising computer readable instructions that when executed cause the server computing system to restrict access of the first client computing to the interactive computing application based on the determination that the anomaly score exceeds an anomaly detection threshold.
  - 19. The computer readable medium of claim 17 further comprising computer readable instructions that when executed cause the server computing system to measure time intervals between the messages of the first sequence of messages.
  - 20. The computer readable medium of claim 17, wherein the interactive computing application is an interactive video game application and the messages are communicated by the client computing devices during participation in the interactive video game application.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Electronic Arts Incorporated
Original Assignee
Electronic Arts Incorporated
Inventors
Tjew, Andrew, Chan, Wilson
Primary Examiner(s)
Anyan, Barbara B

Application Number

US15/383,695
Time in Patent Office

771 Days
Field of Search
US Class Current
CPC Class Codes

G06F 11/3447   Performance evaluation by m...

G06F 11/3672   Test management

G06F 21/00   Security arrangements for p...

G06F 9/541   via adapters, e.g. between ...

G06N 20/00   Machine learning

G06Q 10/06   Resources, workflows, human...

G06Q 10/0631   Resource planning, allocati...

H04L 41/14   Network analysis or design

H04L 43/045   for graphical visualisation...

H04L 63/10   for controlling access to d...

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1458   Denial of Service

H04L 65/1076   Screening of IP real time c...

H04L 67/01   Protocols

User behavior analyzer

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

User behavior analyzer

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links