System and Method of Fraud and Misuse Detection Using Event Logs

US 20070073519A1
Filed: 05/26/2006
Published: 03/29/2007
Est. Priority Date: 05/31/2005
Status: Abandoned Application

First Claim

Patent Images

1. A method of detecting fraud or misuse in a computer environment, comprising:

accessing user identifiers that are associated with computer users;

accessing modeled data that corresponds to at least one of fraud detection information and misuse detection information;

accessing application layer data and data corresponding to at least one of transactions and activities that are associated with the computer users;

extracting the application layer data and the data corresponding to at least one of transactions and activities that are associated with the computer users events;

normalizing the extracted data to produce records;

correlating the normalized data and the user identifiers to produce correlated information;

analyzing the correlated information and the modeled data;

determining whether the correlated information corresponds to at least one of the fraud detection information and misuse detection information.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method are provided for detecting fraud and/or misuse in a computer environment through tracking users activities at the application layer for known users. Application layer data and other data are normalized and records are created. The normalized data is correlated to user identities to produce correlated information that is analyzed against modeling information. The modeling information is generated using rules, algorithms, and/or database queries to define fraud scenarios and misuse scenarios. Reports and/or alerts may be generated if fraud and/or misuse are detected.

150 Citations

28 Claims

1. A method of detecting fraud or misuse in a computer environment, comprising:
- accessing user identifiers that are associated with computer users;
  
  accessing modeled data that corresponds to at least one of fraud detection information and misuse detection information;
  
  accessing application layer data and data corresponding to at least one of transactions and activities that are associated with the computer users;
  
  extracting the application layer data and the data corresponding to at least one of transactions and activities that are associated with the computer users events;
  
  normalizing the extracted data to produce records;
  
  correlating the normalized data and the user identifiers to produce correlated information;
  
  analyzing the correlated information and the modeled data;
  
  determining whether the correlated information corresponds to at least one of the fraud detection information and misuse detection information.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The method according to claim 1, wherein accessing the user identifiers includes accessing at least one of an electronic mail address, a password, a user id, a database identifier, a telephone number, a session identifier, a Transmission Control Protocol/Internet Protocol address, Media Access Control address and single sign-on identifier.
  - 3. The method according to claim 1, wherein accessing the application layer data and the data corresponding to at least one of transactions and activities that are associated with the computer users includes accessing data stores or capturing data that is communicated via protocols and message sets.
  - 4. The method according to claim 1, wherein the computer users include computer users that are associated with pre-stored user identifiers.
  - 5. The method according to claim 1, wherein extracting data includes extracting data using Extensible Markup Language (XML) templates.
  - 6. The method according to claim 1, wherein normalizing the extracted events includes placing source identifiers into the records.
  - 7. The method according to claim 6, wherein placing source identifiers into the records includes placing into the records at least one of date information, time information, a source network address, a destination network address, text that is associated with the data and transaction codes.
  - 8. The method according to claim 1, wherein correlating the extracted events to the user identifiers includes placing the user identifiers into the normalized records.
  - 9. The method according to claim 1, further comprising analyzing the correlated information for user specific fraud detection information based on at least one of the computer users identity, a pre-defined role associated with each computer user, and a pre-defined relationship for each computer user.
  - 10. The method according to claim 1, further comprising generating an alert if the correlated information corresponds to at least one of the fraud detection information and misuse detection information.
  - 11. The method according to claim 10, wherein the alert is generated in substantially real-time.
  - 12. The method according to claim 1, wherein accessing the application layer data and the data corresponding to at least one of transactions and activities that are associated with the computer users includes communicating with at least one of virtual private network devices, third party applications, in-house applications, web servers, middle ware, single sign on servers, databases, e-mail servers, print servers, fax servers, and phone systems.
  - 13. The method according to claim 1, wherein accessing the application layer data and the data corresponding to at least one of transactions and activities that are associated with the computer users includes accessing a local hard drive, a network hard drive, or receiving the data via a file transfer protocol.
  - 14. The method according to claim 1, wherein accessing modeled data that corresponds to fraud detection information includes at least one of (1) accessing a specific type of record in at least one of a healthcare environment, financial service environment and a mortgage environment and (2) monitoring for a volume of transactions over a specified time period of time.

15. A system for detecting fraud or misuse in a computer environment, comprising:
- a user identifier module that includes user identifiers associated with computer users;
  
  a modeled data providing module that includes data corresponding to at least one of fraud detection information and misuse detection information;
  
  a data capturing module that is adapted to capture application layer data and data corresponding to at least one of transactions and activities that are associated with the computer users;
  
  a parsing engine that extracts the application layer data and the data corresponding to at least one of transactions and activities that are associated with the computer users events;
  
  a normalizing module that is configured to normalize the extracted data to produce records;
  
  a correlating module that is adapted to correlate the normalized data and the user identifiers to produce correlated information;
  
  an analyzing module that analyzes the correlated information and the modeled data;
  
  a determining module that determines whether the correlated information corresponds to at least one of the fraud detection information and misuse detection information.
- View Dependent Claims (16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28)
- - 16. The system according to claim 15, wherein the user identifier module includes at least one of an electronic mail address, a password, a user id, a database identifier, a telephone number, a session identifier, a Transmission Control Protocol/Internet Protocol address, Media Access Control address and single sign-on identifier.
  - 17. The system according to claim 15, wherein the data capturing module accesses data stores or captures data that is communicated via protocols and message sets.
  - 18. The system according to claim 15, wherein the computer users include computer users that are associated with pre-stored user identifiers.
  - 19. The system according to claim 15, wherein the parsing engine extracts data using Extensible Markup Language (XML) templates.
  - 20. The system according to claim 15, wherein the normalizing module includes placing source identifiers into the records.
  - 21. The system according to claim 20, wherein the source identifiers include at least one of date information, time information, a source network address, a destination network address, text that is associated with the data and transaction codes and wherein the source identifiers may be correlated to the application layer data and the data corresponding to at least one of transactions and activities that are associated with the computer users.
  - 22. The system according to claim 15, wherein the correlating module is configured to place the user identifiers into the normalized records.
  - 23. The system according to claim 15, further comprising a user specific analyzing module the correlates information for user specific fraud detection information based on at least one of the computer users identity, a pre-defined role associated with each computer user, and a pre-defined relationship for each computer user.
  - 24. The system according to claim 15, further comprising an alert generating module that generates an alert if the correlated information corresponds to at least one of the fraud detection information and misuse detection information.
  - 25. The system according to claim 24, wherein the alert is generated in substantially real-time.
  - 26. The system according to claim 15, wherein the data capturing module communicates with at least one of virtual private network devices, third party applications, in-house applications, web servers, single sign on servers, databases, e-mail servers, print servers, fax servers, and phone systems.
  - 27. The system according to claim 15, wherein the data capturing module accesses a local hard drive, a network hard drive, or receiving the data via a file transfer protocol.
  - 28. The system according to claim 15, wherein the modeled data providing module generates a signal when a specific type of record is accessed in at least one of a healthcare environment, financial service environment and a mortgage environment or when a threshold value is attained, wherein the threshold value is defined by a volume of transactions over a specified time period of time.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Kurt Long
Original Assignee
Kurt Long
Inventors
Long, Kurt

Application Number

US11/420,645
Publication Number

US 20070073519A1
Time in Patent Office

Days
Field of Search
US Class Current

702/185
CPC Class Codes

G06F 11/3636 by tracing the execution of...

G06F 21/552 involving long-term monitor...

System and Method of Fraud and Misuse Detection Using Event Logs

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

150 Citations

28 Claims

Specification

Solutions

Use Cases

Quick Links

System and Method of Fraud and Misuse Detection Using Event Logs

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

150 Citations

28 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links