System and method for detecting fraud and misuse of protected data by an authorized user using event logs

US 10,360,399 B2
Filed: 03/12/2018
Issued: 07/23/2019
Est. Priority Date: 05/31/2005
Status: Active Grant

First Claim

Patent Images

1. A method of detecting improper access of protected data by an authorized user, the method comprising:

extracting event data from an event log file including information associated with an attempt to access protected data, the extracting being performed by a computer system configured to recognize and parse the event data within the event log file for each of a plurality of different file formats to enable a monitoring system implemented by a processor to oversee authorized user activity across a plurality of applications across one or more computer environments for determining the attempt to access the protected data is fraudulent or indicative of probable misuse, wherein the authorized user has a plurality of different associated user identifiers;

normalizing the event data based on a predefined format;

processing the normalized event data to determine at least one of the plurality of different associated authorized user identifiers is linked to the attempt to access the protected data;

processing the normalized event data and the at least one of the plurality of different associated authorized user identifiers to determine whether the attempt to access the protected data is fraudulent or indicative of probable misuse based on at least one rule applied by the monitoring system, the rule comprising at least one criterion related to accesses in excess of a specific volume, accesses during a pre-determined time interval, or accesses by a specific authorized user;

storing normalized event data that is incapable of being associated with a known user in a list separate from normalized event data having the at least one of the plurality of different associated authorized user identifiers;

generating a notification, based on a determination that the attempt to access the protected data is fraudulent or indicative of probable misuse; and

generating additional data for the rule associated with the event data based on the notification,wherein the monitoring system continuously processes the normalized event data according to a predefined schedule, and the event log file corresponds with an application of the plurality of applications accessible by the authorized user, each application of the plurality of applications has a corresponding event log file, and the event log file of each application of the plurality of applications has a file format of the plurality of different file formats.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method are provided for detecting fraud and/or misuse of data in a computer environment through generating a rule for monitoring at least one of transactions and activities that are associated with the data. The rule can be generated based on one or more criteria related to the at least one of the transactions and the activities that is indicative of fraud or misuse of the data. The rule can be applied to the at least one of the transactions and the activities to determine if an event has occurred, where the event occurs if the at least one criteria has been met. A hit is stored if the event has occurred and a notification can be provided if the event has occurred. A compilation of hits related to the rule can be provided.

21 Citations

20 Claims

1. A method of detecting improper access of protected data by an authorized user, the method comprising:
- extracting event data from an event log file including information associated with an attempt to access protected data, the extracting being performed by a computer system configured to recognize and parse the event data within the event log file for each of a plurality of different file formats to enable a monitoring system implemented by a processor to oversee authorized user activity across a plurality of applications across one or more computer environments for determining the attempt to access the protected data is fraudulent or indicative of probable misuse, wherein the authorized user has a plurality of different associated user identifiers;
  
  normalizing the event data based on a predefined format;
  
  processing the normalized event data to determine at least one of the plurality of different associated authorized user identifiers is linked to the attempt to access the protected data;
  
  processing the normalized event data and the at least one of the plurality of different associated authorized user identifiers to determine whether the attempt to access the protected data is fraudulent or indicative of probable misuse based on at least one rule applied by the monitoring system, the rule comprising at least one criterion related to accesses in excess of a specific volume, accesses during a pre-determined time interval, or accesses by a specific authorized user;
  
  storing normalized event data that is incapable of being associated with a known user in a list separate from normalized event data having the at least one of the plurality of different associated authorized user identifiers;
  
  generating a notification, based on a determination that the attempt to access the protected data is fraudulent or indicative of probable misuse; and
  
  generating additional data for the rule associated with the event data based on the notification,wherein the monitoring system continuously processes the normalized event data according to a predefined schedule, and the event log file corresponds with an application of the plurality of applications accessible by the authorized user, each application of the plurality of applications has a corresponding event log file, and the event log file of each application of the plurality of applications has a file format of the plurality of different file formats.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein the monitoring system initiates preventive action responsive to the generated notification.
  - 3. The method of claim 2, wherein the preventive action comprises suspending access of the specific user.
  - 4. The method of claim 1, wherein the predefined format comprises an extensible markup language (XML) format.
  - 5. The method of claim 1, further comprising causing one or more of an alert based on the notification to be output to a display communicatively coupled with the monitoring system or to an electronic device communicatively coupled with the monitoring system.
  - 6. The method of claim 1, further comprising:
    - obtaining role information of the authorized user,wherein the at least one rule applied by the monitoring system is based on a user'"'"'s specific role.
  - 7. The method of claim 1, wherein the specific user is a sales person and the at least one rule applied by the monitoring system of accesses by the specific user comprises the specific user accessing information of clients unrelated to clients of the specific user.
  - 8. The method of claim 1, wherein the rule comprises at least one criterion related to accesses in excess of a specific volume and accesses during a pre-determined time interval.

9. An apparatus comprising:
- a processor; and
  
  at least one memory including computer program code for one or more programs, the at least one memory and the computer program code configured to, with the processor, cause the apparatus to;
  
  extract event data from an event log file including information associated with an attempt to access protected data, the apparatus being configured to recognize and parse the event data within the event log file for each of a plurality of different file formats to enable a monitoring system implemented by the processor to oversee authorized user activity across a plurality of applications across one or more computer environments for determining the attempt to access the protected data is fraudulent or indicative of probable misuse;
  
  normalize the event data based on a predefined format;
  
  process the normalized event data to determine an identifier linked with the attempt to access the protected data, the identifier being one of a plurality of different identifiers indicative of one or more of an authorized user of a system associated with the protected data, a device used to attempt to access the protected data, an authorized user of the device used to attempt to access the protected data, a location of the device used to attempt to access the protected data, or a time of the attempt to access the protected data;
  
  process the normalized event data and the identifier to determine whether the attempt to access the protected data is fraudulent or indicative of probable misuse based on at least one rule applied by the monitoring system, the rule comprising at least one criterion related to accesses in excess of a specific volume, accesses during a pre-determined time interval, or accesses by a specific authorized user;
  
  store normalized event data that is incapable of being associated with a known identifier in a list separate from normalized event data having the identifier;
  
  generate a notification based on a determination that the attempt to access the protected data is fraudulent or indicative of probable misuse; and
  
  generate additional data for the rule associated with the event data based on the notification,whereinthe monitoring system is configured to continuously process the normalized event data according to a predefined schedule, andthe event log file corresponds with an application of the plurality of applications accessible by the authorized user, each application of the plurality of applications has a corresponding event log file, and the event log file of each application of the plurality of applications has a file format of the plurality of different file formats.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The method of claim 9, wherein the monitoring system is configured to initiate preventive action responsive to the generated notification.
  - 11. The method of claim 10, wherein the preventive action comprises suspending access of the specific user.
  - 12. The method of claim 9, wherein the predefined format comprises an extensible markup language (XML) format.
  - 13. The method of claim 9, wherein the monitoring system is further configured to cause one or more of an alert based on the notification to be output to a display communicatively coupled with the monitoring system or to an electronic device communicatively coupled with the monitoring system.
  - 14. The method of claim 9, wherein the computer program code is further configured to:
    - obtain role information of the authorized user,wherein the at least one rule applied by the monitoring system is based on a user'"'"'s specific role.
  - 15. The method of claim 9, wherein the specific user is a sales person and the at least one rule applied by the monitoring system of accesses by the specific user comprises the specific user accessing information of clients unrelated to clients of the specific user.
  - 16. The method of claim 9, wherein the rule comprises at least one criterion related to accesses in excess of a specific volume and accesses during a pre-determined time interval.

17. A non-transitory computer-readable storage medium carrying computer-readable instructions which, when executed by a processor, cause an apparatus to:
- extract event data from an event log file including information associated with an attempt to access protected data, the apparatus being configured to recognize and parse the event data within the event log file for each of a plurality of different file formats to enable a monitoring system implemented by the processor to oversee authorized user activity across a plurality of applications across one or more computer environments for determining the attempt to access the protected data is fraudulent or indicative of probable misuse;
  
  normalize the event data based on a predefined format;
  
  process the normalized event data to determine an identifier linked with the attempt to access the protected data, the identifier being one of a plurality of different identifiers indicative of one or more of an authorized user of a system associated with the protected data, a device used to attempt to access the protected data, an authorized user of the device used to attempt to access the protected data, a location of the device used to attempt to access the protected data, or a time of the attempt to access the protected data;
  
  process the normalized event data and the identifier to determine whether the attempt to access the protected data is fraudulent or indicative of probable misuse based on at least one rule applied by the monitoring system, the rule comprising at least one criterion related to accesses in excess of a specific volume, accesses during a pre-determined time interval, or accesses by a specific authorized user;
  
  store normalized event data that is incapable of being associated with a known identifier in a list separate from normalized event data having the identifier;
  
  generate a notification based on a determination that the attempt to access the protected data is fraudulent or indicative of probable misuse; and
  
  generate additional data for the rule associated with the event data based on the notification,whereinthe monitoring system is configured to continuously process the normalized event data according to a predefined schedule, andthe event log file corresponds with an application of the plurality of applications accessible by the authorized user, each application of the plurality of applications has a corresponding event log file, and the event log file of each application of the plurality of applications has a file format of the plurality of different file formats.
- View Dependent Claims (18, 19, 20)
- - 18. The method of claim 17, wherein the monitoring system is configured to initiate preventive action responsive to the generated notification.
  - 19. The method of claim 17, wherein the monitoring system is further configured to cause one or more of an alert based on the notification to be output to a display communicatively coupled with the monitoring system or to an electronic device communicatively coupled with the monitoring system.
  - 20. The method of claim 17, wherein the specific user is a sales person and the at least one rule applied by the monitoring system of accesses by the specific user comprises the specific user accessing information of clients unrelated to clients of the specific user.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fairwarning IP LLC
Original Assignee
Fairwarning IP LLC
Inventors
Long, Kurt James
Primary Examiner(s)
Wright, Bryan F

Application Number

US15/918,758
Publication Number

US 20180204021A1
Time in Patent Office

498 Days
Field of Search

726 1
US Class Current
CPC Class Codes

G06F 21/316   by observing the pattern of...

G06F 21/50   Monitoring users, programs ...

G06F 21/55   Detecting local intrusion o...

G06F 21/554   involving event detection a...

G06F 21/60   Protecting data

G06F 21/6218   to a system of files or obj...

G06F 2221/034   Test or assess a computer o...

G06Q 10/06   Resources, workflows, human...

G06Q 10/0635   Risk analysis of enterprise...

Y02A 90/10   Information and communicati...

System and method for detecting fraud and misuse of protected data by an authorized user using event logs

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

21 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for detecting fraud and misuse of protected data by an authorized user using event logs

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

21 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links