Methods and systems for detecting abnormal user activity

1. A method for detecting abnormal user activity, the method executable on a server, the server being connected to a plurality of client devices via a communication network, each client device of the plurality of client devices being associated with a respective user, the method comprising:

• tracking, by the server, during a first time period, user activity associated with a plurality of application services performed on a first client device, the user activity including user interactions with the plurality of application services, the tracking comprising receiving, at the server, an indication of a respective user interaction with a respective application service, and associating a score, a timestamp and a status with the indication of the user interaction,wherein each application service of the plurality of application services is associated with a respective first predetermined threshold, and wherein the plurality of application services is associated with a single second predetermined threshold; and
  
  each respective first predetermined threshold associated with each application service of the plurality of application services is a respective first average score, the respective first average score having been determined based on the scores associated with each past user interaction on the respective application service on each client device of the plurality of client devices by the respective user;
  
  determining, by the server, that user activity associated with a first application service of the plurality of application services exceeds a respective first predetermined threshold of the user activity during the first time period,the determining comprising adding each score associated with each user interaction of the user activity associated with the first application service during the first time period and comparing a total score to the respective first average score; and
  
  the user activity exceeding the respective first predetermined threshold being indicative of a potentially abnormal user activity on the first application service associated with the first client device;
  
  in response to determining that the user activity associated with the first application service exceeds the respective first predetermined threshold, tracking, during a second time period, by the server, user activity associated with the plurality of application services on the first client device, the tracking comprising tracking a content of the user interactions with the plurality of application services;
  
  determining, by the server, that the user activity exceeds the single second predetermined threshold of user activity during the second time period, the single second predetermined threshold having been determined based on past user activity associated with the plurality of application services and performed on each client device of the plurality of client devices,the user activity exceeding the single second predetermined threshold being indicative of an abnormal user activity associated with the first client device;
  
  in response to determining that the user activity exceeds the second predetermined threshold, triggering, by the server, a user challenge procedure on the first client device, the user challenge procedure for authenticating the user of the first client device, the user challenge procedure being based on the user activity with the first application service during the first time period performed on the first client device.