Detection of fraudulent account usage in distributed computing systems

US 10,708,300 B2
Filed: 03/09/2017
Issued: 07/07/2020
Est. Priority Date: 10/28/2016
Status: Active Grant

First Claim

Patent Images

1. A method performed by a computing device in a distributed computing system having a plurality of servers interconnected by a computer network to provide a computing service, the method comprising:

receiving, via the computer network, data representing a report indicating fraudulent account usage related to an account of the computing service, the account having associated one or more content items accessible to users of other accounts of the same computing service; and

in response to the received data representing the report indicating occurrence of fraudulent account usage of the account,disallowing access to any of the one or more content items associated with the account while maintaining the account as active such that the one or more content items are shown as present in the account but access by the users of the other accounts to view or download the one or more content items is disallowed, including;

receiving, from a user, an access request to access the disallowed one or more content items associated with the account; and

in response to receiving the access request,indicating, to the user, that the account is a valid account;

providing, to the user, a list of the one or more content items associated with the account; and

preventing any of the one or more content items in the list from being viewed or downloaded by the user;

collecting usage data related to the account or the content items associated with the account while the content items are shown as present in the account but the access to view or download the one or more content items in the account is disallowed;

developing a model representing an activity profile of accessing the account or the content items associated with the account based on, at least in part, the collected usage data while access to view or download the one or more content items is disallowed while the account is maintained as active; and

detecting and deactivating one or more additional accounts of the computing service that are related to the reported fraudulent account usage based on the developed model without scanning one or more content items in the one or more additional accounts.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques for detecting fraudulent account usage without accessing user content associated with user accounts are disclosed herein. In one embodiment, a method includes receiving a report indicating fraudulent account usage related to an account of the computing service and in response to the received report, disallowing access to any content items associated with the account without disabling access to the account. While access to the content items is disallowed, collecting usage data related to the account or the content items and developing a model representing an activity profile of accessing the account or the content items. The method further includes detecting additional fraudulent account usage based on the developed model without scanning content items in the additional accounts.

Citations

19 Claims

1. A method performed by a computing device in a distributed computing system having a plurality of servers interconnected by a computer network to provide a computing service, the method comprising:
- receiving, via the computer network, data representing a report indicating fraudulent account usage related to an account of the computing service, the account having associated one or more content items accessible to users of other accounts of the same computing service; and
  
  in response to the received data representing the report indicating occurrence of fraudulent account usage of the account,disallowing access to any of the one or more content items associated with the account while maintaining the account as active such that the one or more content items are shown as present in the account but access by the users of the other accounts to view or download the one or more content items is disallowed, including;
  
  receiving, from a user, an access request to access the disallowed one or more content items associated with the account; and
  
  in response to receiving the access request,indicating, to the user, that the account is a valid account;
  
  providing, to the user, a list of the one or more content items associated with the account; and
  
  preventing any of the one or more content items in the list from being viewed or downloaded by the user;
  
  collecting usage data related to the account or the content items associated with the account while the content items are shown as present in the account but the access to view or download the one or more content items in the account is disallowed;
  
  developing a model representing an activity profile of accessing the account or the content items associated with the account based on, at least in part, the collected usage data while access to view or download the one or more content items is disallowed while the account is maintained as active; and
  
  detecting and deactivating one or more additional accounts of the computing service that are related to the reported fraudulent account usage based on the developed model without scanning one or more content items in the one or more additional accounts.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1 wherein the collected usage data includes one or more of the following parameters:
    - an IP address of any user logging into the account;
      
      an IP address during creation of the account;
      
      one or more IP addresses of all users trying to access the content items before or after the access to any content in the account is disallowed;
      
      a device type or browser used for accessing the content items associated with the account;
      
      a device type or browser creating the content items or the account;
      
      an account name hosting the content items;
      
      one or more accounts that have accessed one or more of the content items;
      
      a folder structure of the account;
      
      a file structure in the account;
      
      a number of files, types of files, size of files, of the content items in the account;
      
      a percentage of account shared versus not shared;
      
      an embedded meta-data of the content;
      
      an age of the account;
      
      an age of the content uploaded or shared;
      
      oran indication of whether the content items are shared globally or shared explicitly with other accounts or users.
  - 3. The method of claim 2 wherein developing the model includes applying statistical analysis on the collected usage data to identify a probability of the account being associated with fraudulent account usage when the collected usage data contains one or more of the parameters.
  - 4. The method of claim 2 wherein:
    - developing the model includes applying statistical analysis on the collected usage data to identify a probability of the account being associated with fraudulent account usage when the collected usage data contains one or more of the parameters; and
      
      detecting the one or more additional accounts includes;
      
      assigning the same probability to one of the one or more additional accounts when collected usage data of the one of the one or more additional accounts also contains the one or more of the parameters;
      
      determining whether the assigned probability exceeds a threshold; and
      
      in response to determining that the assigned probability exceeds a threshold, indicating that the one of the additional accounts is likely associated with fraudulent account usage.
  - 5. The method of claim 4, further comprising:
    - disallowing access to any content items associated with the one of the one or more additional accounts without deactivating the one of the one or more additional accounts;
      
      collecting additional usage data related to the one of the one or more additional accounts or the one or more content items associated with the one of the one or more additional accounts while the access to the content items is disallowed; and
      
      updating the model based on the collected additional usage data related to the one of the one or more additional accounts or the one or more content items associated with the one of the one or more additional accounts while the access to the one or more content items is disallowed.
  - 6. The method of claim 1 wherein collecting the usage data includes collecting the usage data related to the account or the one or more content items associated with the account while the access to the one or more content items is disallowed until no more access request to access the disallowed content items is detected for a preset period of time.
  - 7. The method of claim 1 wherein detecting one or more additional accounts includes:
    - comparing a usage profile of the individual one or more additional accounts with the developed model; and
      
      in response to determining that the usage profile of one of the one or more additional accounts matches that of the developed model, indicating that the one of the one or more additional accounts is potentially related to fraudulent account usage.

8. A computing device in a distributed computing system having a plurality of servers interconnected by a computer network for providing a computing service to users, comprising:
- a processor and a memory operatively coupled to the processor, the memory containing instructions executable by the processor to cause the computing device to;
  
  receive, via the computer network, an indication that usage of an account of the computing service violates a usage restriction imposed by a provider of the computing service or a government entity, the account having one or more content items accessible to users of other accounts of the same computing service; and
  
  in response to the received indication,disallow access to any of the one or more content items associated with the account while maintaining the account as being a valid account of the computing service such that the one or more content items are shown as present in the account but access to view or download the one or more content items by the users of the other accounts is disallowed, including to;
  
  upon receiving, from a user, an access request to access the disallowed one or more content items associated with the account,indicate, to the user, that the account is a valid account;
  
  provide, to the user, a list of the one or more content items associated with the account; and
  
  prevent any of the one or more content items in the list from being viewed or downloaded by the user;
  
  collect usage data related to the account or the one or more content items associated with the account before and/or after disallowing access to the one or more content items associated with the account;
  
  determine that another account of the computing service also violates the same usage restriction imposed by the provider of the computing service or the government entity by comparing the collected usage data related to the account having access to the one or more content items disallowed and usage data related to the additional account; and
  
  deactivate the another account determined to violate the same usage restriction imposed by the provider of the computing service or the government entity.
- View Dependent Claims (9, 10, 11, 12, 13, 14, 15)
- - 9. The computing device of claim 8 wherein to receive the indication includes:
    - receive data representing a report from a user of the computing service, the report indicating that the usage of the account potentially violates the usage restriction imposed by the provider of the computing service or the government entity;
      
      in response to receiving the data representing the report,query an administrator regarding the usage of the account; and
      
      receive the indication from the administrator that the usage of the account indeed violates the usage restriction imposed by the provider of the computing service or the government entity.
  - 10. The computing device of claim 8 wherein the memory contains additional instructions executable by the processor to cause the computing device to:
    - receive a request to access the one or more content items associated with the account; and
      
      in response to receiving the request to access the one or more content items, provide only a list of the one or more content items without allowing access to view or download any of the one or more content items in the list.
  - 11. The computing device of claim 8 wherein the memory contains additional instructions executable by the processor to cause the computing device to:
    - receive, from another user, a request to access the one or more content items associated with the account; and
      
      in response to receiving the request to access the one or more content items, record, as a part of the collected usage data, at least one of an IP address, a device type, a browser, or an account name related to the another user requesting access to the one or more content items.
  - 12. The computing device of claim 8 wherein the memory contains additional instructions executable by the processor to cause the computing device to:
    - receive, from another user, a request to access the one or more content items associated with the account; and
      
      in response to receiving the request to access the one or more content items,provide, to the another user, only a list of the one or more content items without allowing access to view or download any of the one or more content items in the list; and
      
      record, as a part of the collected usage data, at least one of an IP address, a device type, a browser, or an account name related to the another user requesting access to the one or more content items.
  - 13. The computing device of claim 8 wherein the memory contains additional instructions executable by the processor to cause the computing device to:
    - in response to determining that the another account of the computing service also violates the same usage restriction imposed by the provider of the computing service or the government entity,collect additional usage data related to the additional account or any content items associated with the additional account before and/or after disallowing access to the one or more content items associated with the additional account; and
      
      determine one or more commonalities between the collected usage data related to the account and the additional account.
  - 14. The computing device of claim 8 wherein the memory contains additional instructions executable by the processor to cause the computing device to:
    - in response to determining that the another account of the computing service also violates the same usage restriction imposed by the provider of the computing service or the government entity,collect additional usage data related to the additional account or any content items associated with the additional account before and/or after disallowing access to the one or more content items associated with the additional account;
      
      determine one or more commonalities between the collected usage data related to the account and the additional account; and
      
      determine that a further account of the computing service also violates the same usage restriction imposed by the provider of the computing service or the government entity by identifying that usage data related to the further account also contains the determined one or more commonalities.
  - 15. The computing device of claim 14 wherein one or more commonalities include one or more of:
    - an IP address range from which the content items are uploaded;
      
      to whom the uploaded content items are shared with;
      
      when the content items are shared after being uploaded;
      
      ora device type of a device used to upload the content items.

16. A method performed by a computing device in a distributed computing system having a plurality of servers interconnected by a computer network to provide a computing service to users, the method comprising:
- receiving indications that usage of multiple accounts of the computing service violates a usage restriction imposed by a provider of the computing service or a government entity, the multiple accounts individually having a content item accessible to users of other accounts of the same computing service;
  
  in response to receiving the indications,continuing to present the multiple accounts as valid accounts of the computing service while preventing access to view or download any content items associated with the multiple accounts such that the content items are shown as present in the multiple accounts but cannot be viewed or downloaded by the users of the other accounts, including;
  
  receiving, from a user, an access request to access the disallowed one or more content items associated with one of the multiple accounts; and
  
  in response to receiving the access request,indicating, to the user, that the one of the multiple accounts is a valid account;
  
  providing, to the user, a list of the one or more content items associated with the one of the multiple accounts; and
  
  preventing any of the one or more content items in the list from being viewed or downloaded by the user;
  
  collecting usage data related to the multiple accounts or to the content items associated with the multiple accounts while the content items are shown as present in the multiple accounts but access to view or download the content items in the multiple accounts is disallowed;
  
  aggregating the collected usage data to identify a commonality of the multiple accounts;
  
  determining whether usage of an additional account of the computing service also has the identified commonality; and
  
  in response to determining that the usage of the additional account also has the commonality, indicating that the additional account also violates the usage restriction and deactivating the additional account without accessing any content items in the additional account.
- View Dependent Claims (17, 18, 19)
- - 17. The method of claim 16 wherein the collected usage data includes one or more of the following parameters:
    - an IP address of any user logging into the account;
      
      an IP address during creation of the account;
      
      one or more IP addresses of all users trying to access the content items before or after the access to any content in the account is disallowed;
      
      a device type or browser used for accessing the content items associated with the account;
      
      a device type or browser creating the content items or the account;
      
      an account name hosting the content items;
      
      one or more accounts that have accessed one or more of the content items;
      
      a folder structure of the account;
      
      a file structure in the account;
      
      a number of files, types of files, size of files, of the content items in the account;
      
      a percentage of account shared versus not shared;
      
      an embedded meta-data of the content;
      
      an age of the account;
      
      an age of the content uploaded or shared;
      
      oran indication of whether the content items are shared globally or shared explicitly with other accounts or users.
  - 18. The method of claim 16 wherein the commonality includes one or more of:
    - an IP address range from which the content items are uploaded;
      
      to whom the uploaded content items are shared with;
      
      when the content items are shared after being uploaded;
      
      ora device type of a device used to upload the content items.
  - 19. The method of claim 16 wherein collecting the usage data includes collecting the usage data related to the multiple accounts or to the content items associated with the multiple accounts while continuing to present the multiple accounts as valid accounts.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Inventors
Rodrigues, John
Primary Examiner(s)
Pham, Luu T
Assistant Examiner(s)
Long, Edward X

Application Number

US15/454,568
Publication Number

US 20180124105A1
Time in Patent Office

1,216 Days
Field of Search

None
US Class Current
CPC Class Codes

G06Q 50/01   Social networking

G06Q 50/265   Personal security, identity...

H04L 63/10   for controlling access to d...

H04L 63/14   for detecting or protecting...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1466   Active attacks involving in...

H04W 12/02   Protecting privacy or anony...

H04W 12/08   Access security

H04W 12/12   Detection or prevention of ...

H04W 12/126   Anti-theft arrangements, e....

Detection of fraudulent account usage in distributed computing systems

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Detection of fraudulent account usage in distributed computing systems

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links