Methods and systems for detecting abnormal user activity
First Claim
1. A method for detecting abnormal user activity, the method executable on a server, the server being connected to a plurality of client devices via a communication network, each client device of the plurality of client devices being associated with a respective user, the method comprising:
- tracking, by the server, during a first time period, user activity associated with a plurality of application services performed on a first client device, the user activity including user interactions with the plurality of application services, the tracking comprising receiving, at the server, an indication of a respective user interaction with a respective application service, and associating a score, a timestamp and a status with the indication of the user interaction,wherein each application service of the plurality of application services is associated with a respective first predetermined threshold, and wherein the plurality of application services is associated with a single second predetermined threshold; and
each respective first predetermined threshold associated with each application service of the plurality of application services is a respective first average score, the respective first average score having been determined based on the scores associated with each past user interaction on the respective application service on each client device of the plurality of client devices by the respective user;
determining, by the server, that user activity associated with a first application service of the plurality of application services exceeds a respective first predetermined threshold of the user activity during the first time period,the determining comprising adding each score associated with each user interaction of the user activity associated with the first application service during the first time period and comparing a total score to the respective first average score; and
the user activity exceeding the respective first predetermined threshold being indicative of a potentially abnormal user activity on the first application service associated with the first client device;
in response to determining that the user activity associated with the first application service exceeds the respective first predetermined threshold, tracking, during a second time period, by the server, user activity associated with the plurality of application services on the first client device, the tracking comprising tracking a content of the user interactions with the plurality of application services;
determining, by the server, that the user activity exceeds the single second predetermined threshold of user activity during the second time period, the single second predetermined threshold having been determined based on past user activity associated with the plurality of application services and performed on each client device of the plurality of client devices,the user activity exceeding the single second predetermined threshold being indicative of an abnormal user activity associated with the first client device;
in response to determining that the user activity exceeds the second predetermined threshold, triggering, by the server, a user challenge procedure on the first client device, the user challenge procedure for authenticating the user of the first client device, the user challenge procedure being based on the user activity with the first application service during the first time period performed on the first client device.
3 Assignments
0 Petitions
Accused Products
Abstract
Systems and methods for detecting abnormal user activity comprising: tracking, by the server, during a first time period, user activity associated with an application service, determining, by the server, that the user activity associated with the application service exceeds a respective first predetermined threshold of user activity during the first time period, in response to determining that the user activity exceeds the first predetermined threshold, tracking, during a second time period user activity associated with the application service, the tracking comprising tracking a content of the user interactions with the application service, determining that the user activity exceeds a second predetermined threshold of user activity during the second time period and in response to determining that the user activity exceeds the second predetermined threshold, triggering a user challenge procedure on a client device.
10 Citations
10 Claims
-
1. A method for detecting abnormal user activity, the method executable on a server, the server being connected to a plurality of client devices via a communication network, each client device of the plurality of client devices being associated with a respective user, the method comprising:
-
tracking, by the server, during a first time period, user activity associated with a plurality of application services performed on a first client device, the user activity including user interactions with the plurality of application services, the tracking comprising receiving, at the server, an indication of a respective user interaction with a respective application service, and associating a score, a timestamp and a status with the indication of the user interaction, wherein each application service of the plurality of application services is associated with a respective first predetermined threshold, and wherein the plurality of application services is associated with a single second predetermined threshold; and each respective first predetermined threshold associated with each application service of the plurality of application services is a respective first average score, the respective first average score having been determined based on the scores associated with each past user interaction on the respective application service on each client device of the plurality of client devices by the respective user; determining, by the server, that user activity associated with a first application service of the plurality of application services exceeds a respective first predetermined threshold of the user activity during the first time period, the determining comprising adding each score associated with each user interaction of the user activity associated with the first application service during the first time period and comparing a total score to the respective first average score; and the user activity exceeding the respective first predetermined threshold being indicative of a potentially abnormal user activity on the first application service associated with the first client device; in response to determining that the user activity associated with the first application service exceeds the respective first predetermined threshold, tracking, during a second time period, by the server, user activity associated with the plurality of application services on the first client device, the tracking comprising tracking a content of the user interactions with the plurality of application services; determining, by the server, that the user activity exceeds the single second predetermined threshold of user activity during the second time period, the single second predetermined threshold having been determined based on past user activity associated with the plurality of application services and performed on each client device of the plurality of client devices, the user activity exceeding the single second predetermined threshold being indicative of an abnormal user activity associated with the first client device; in response to determining that the user activity exceeds the second predetermined threshold, triggering, by the server, a user challenge procedure on the first client device, the user challenge procedure for authenticating the user of the first client device, the user challenge procedure being based on the user activity with the first application service during the first time period performed on the first client device. - View Dependent Claims (2, 3, 4, 5, 6, 7)
-
-
8. A system for detecting abnormal user activity, the system being connected to a plurality of client devices via a communication network, each client device of the plurality of client devices being associated with a respective user, the system comprising:
-
a processor; a non-transitory computer-readable medium comprising instructions, the processor; upon executing the instructions, being configured to cause; tracking, by the system, during a first time period, user activity associated with a a plurality of application services performed on a first client device, the user activity including user interactions with the plurality of application services, the tracking comprising receiving, at the server, an indication of a respective user interaction with a respective application service, and associating a score, a timestamp and a status with the indication of the user interaction, wherein each application service of the plurality of application services is associated with a respective first predetermined threshold, and wherein the plurality of application services is associated with a single second predetermined threshold; and each respective first predetermined threshold associated with each application service of the plurality of application services is a respective first average score, the respective first average score having been determined based on the scores associated with each past user interaction on the respective application service on each client device of the plurality of client devices by the respective user; determining, by the system, that user activity associated with a first application service of the plurality of application services exceeds a respective first predetermined threshold of the user activity during the first time period, the determining comprising adding each score associated with each user interaction of the user activity associated with the first application service during the first time period and comparing a total score to the respective first average score; and the user activity exceeding the respective first predetermined threshold being indicative of a potentially abnormal user activity on the first application service associated with the first client device; in response to determining that the user activity exceeds the respective first predetermined threshold, tracking, during a second time period, by the system, user activity associated with the plurality of application services on the first client device, the tracking comprising tracking a content of the user interactions with the plurality of application services; determining, by the system, that the user activity exceeds the single second predetermined threshold of user activity during the second time period, the single second predetermined threshold having been determined based on past user activity associated with the plurality of application services and performed on each client device of the plurality of client devices, the user activity exceeding the second predetermined threshold being indicative of an abnormal user activity associated with the first client device; in response to determining that the user activity exceeds the second predetermined threshold, triggering, by the system, a user challenge procedure on the first client device, the user challenge procedure for authenticating the user of the first client device, the user challenge procedure being based on the user activity with the first application service during the first time period performed on the first client device. - View Dependent Claims (9, 10)
-
Specification