User behavior analyzer
First Claim
1. An anomaly detection computing system, the system comprising:
- an account data store configured to store at least one state machine graph, wherein individual state machine graphs are generated based, at least in part, on recorded sequences of electronic messages received from client computing devices during participation in an interactive video game application, the state machine graph defining a sequence of states and transitions between each state, wherein each state is representative of a type of electronic message;
- a server computing system including one or more processors and in electronic communication with a data store, the server computing system configured to execute the interactive video game application and communicatively couple with a plurality of client computing devices, the server computing system comprises computer readable instructions that when executed configure the server computing system to;
  - receive a plurality of electronic messages from a plurality of client computing devices communicatively coupled to the server during runtime execution of the interactive video game application, wherein each electronic message of the plurality of electronic messages is a defined type of message communicated by a client computing device during participation in the interactive video game application;
  - group the plurality of electronic messages into one or more sets of electronic messages;
  - construct a first sequence of electronic messages for a first set of electronic messages of the one or more sets of electronic messages, wherein the first set of electronic messages are received from a first client computing device;
  - compare the first sequence of electronic messages to a sequence of states of a state machine graph of the one or more state machine graphs, wherein each state machine graph is configured to model a different type of client behavior within the interactive video game application;
  - generate an anomaly score based at least in part on the differences between characteristics of the first sequence and characteristics of the defined sequence of the state machine graph; and
  - in response to determination that the anomaly score exceeds an anomaly detection threshold, generate an output designating the constructed sequence as abnormal relative to the defined client behavior.
Abstract
A system and method is shown for identifying abnormal client behavior with respect to communications between one or more servers and one or more client devices communicatively coupled to the one or more servers. Messages are received at a server from one or more client devices communicatively coupled to the server. The plurality of messages are grouped into subsets of messages using a learn module of the server. Each subset of messages is associated with a unique client identifier, and all messages within a subset are associated with the same unique client identifier. Each message within a subset of messages is identified as belonging to a defined type of message. Sequences of the defined types of messages within each of said subsets of messages are recorded using the learn module. Time intervals between the defined types of messages are measured using the learn module. The recorded sequences of defined types of messages and the measured time intervals between the defined types of messages are designated as constituting normal client behavior.
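An added illustration, not code from the patent: a minimal Python sketch of the learn-then-compare flow that the abstract and the first claim describe. The record layout, message type names, sample data, threshold and the scoring rule (fraction of transitions that are unseen or much faster than the learned mean interval) are all assumptions; the text above does not say how the score is computed.

```python
from collections import defaultdict
from statistics import mean

def group_by_client(messages):
    """Group (client_id, msg_type, timestamp) records into time-ordered per-client sequences."""
    groups = defaultdict(list)
    for client_id, msg_type, ts in sorted(messages, key=lambda m: m[2]):
        groups[client_id].append((msg_type, ts))
    return dict(groups)

def learn_graph(messages):
    """Learn phase: each observed type->type transition becomes an edge with its mean interval."""
    intervals = defaultdict(list)
    for seq in group_by_client(messages).values():
        for (a, t0), (b, t1) in zip(seq, seq[1:]):
            intervals[(a, b)].append(t1 - t0)
    return {edge: mean(gaps) for edge, gaps in intervals.items()}

def anomaly_score(graph, seq, speed_factor=0.25):
    """Assumed scoring rule: share of transitions missing from the graph or implausibly fast."""
    steps = list(zip(seq, seq[1:]))
    if not steps:
        return 0.0  # a single message has no transitions to judge
    bad = 0
    for (a, t0), (b, t1) in steps:
        expected = graph.get((a, b))
        if expected is None or (t1 - t0) < speed_factor * expected:
            bad += 1
    return bad / len(steps)

def detect(graph, messages, threshold=0.3):
    """Return {client_id: score} for clients whose score exceeds the threshold."""
    flagged = {}
    for client_id, seq in group_by_client(messages).items():
        score = anomaly_score(graph, seq)
        if score > threshold:
            flagged[client_id] = score
    return flagged

# Constructed sample traffic: (client_id, message_type, seconds)
TRAINING = [("p1", "LOGIN", 0), ("p1", "JOIN_MATCH", 5), ("p1", "MOVE", 7),
            ("p1", "FIRE", 9), ("p1", "LOGOUT", 60),
            ("p2", "LOGIN", 100), ("p2", "JOIN_MATCH", 104), ("p2", "MOVE", 107),
            ("p2", "FIRE", 111), ("p2", "LOGOUT", 150)]
LIVE = [("p3", "LOGIN", 200), ("p3", "JOIN_MATCH", 205), ("p3", "MOVE", 208),
        ("p3", "FIRE", 210), ("p3", "LOGOUT", 250),
        ("bot-7", "LOGIN", 300.0), ("bot-7", "FIRE", 300.1),
        ("bot-7", "FIRE", 300.2), ("bot-7", "LOGOUT", 300.3)]

if __name__ == "__main__":
    print(detect(learn_graph(TRAINING), LIVE))
```

In practice the threshold and `speed_factor` would be tuned against recorded normal sessions, since a graph learned from too few sessions flags legitimate but rare transitions.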
20 Claims
11. A method for identifying abnormal client behavior with respect to communications between one or more servers and one or more client devices communicatively coupled to the one or more servers, the method comprising:
- receiving a plurality of electronic messages from a plurality of client computing devices communicatively coupled to the server during runtime execution of an interactive video game application, wherein each electronic message of the plurality of electronic messages is a defined type of message communicated by a client computing device during participation in the interactive video game application;
- grouping the plurality of electronic messages into one or more sets of electronic messages;
- constructing a first sequence of electronic messages for a first set of electronic messages of the one or more sets of electronic messages, wherein the first set of electronic messages are received from a first client computing device;
- comparing the first sequence of electronic messages to a state machine graph, the state machine graph defining a sequence of states and transitions between each state, wherein each state is representative of a type of message, wherein the state machine graph is configured to model a defined type of client behavior within the interactive video game application;
- generating an anomaly score based at least in part on the differences between characteristics of the first sequence and characteristics of the defined sequence of the state machine graph; and
- in response to determination that the anomaly score exceeds an anomaly detection threshold, generating an output designating the constructed sequence as abnormal relative to the defined client behavior.
17. A non-transitory computer readable medium comprising computer-executable instructions for anomaly detection that, when executed by a server computing system, causes the server computing system to:
- receive a plurality of electronic messages from a plurality of client computing devices communicatively coupled to the server computing system during runtime execution of an interactive video game application, wherein each electronic message of the plurality of electronic messages is a defined type of message communicated by a client computing device during participation in the interactive video game application;
- group the plurality of electronic messages into one or more sets of electronic messages;
- construct a first sequence of electronic messages for a first set of electronic messages of the one or more sets of electronic messages, wherein the first set of electronic messages are received from a first client computing device;
- compare the first sequence of electronic messages to a state machine graph, the state machine graph defining a sequence of states and transitions between each state, wherein each state is representative of a type of message, wherein the state machine graph is configured to model a defined type of client behavior within the interactive video game application;
- generate an anomaly score based at least in part on the differences between characteristics of the first sequence and characteristics of the defined sequence of the state machine graph; and
- in response to determination that the anomaly score exceeds an anomaly detection threshold, generate an output designating the constructed sequence as abnormal relative to the defined client behavior.