TECHNIQUES FOR FRAUD MONITORING AND DETECTION USING APPLICATION FINGERPRINTING

US 20090089869A1
Filed: 10/29/2008
Published: 04/02/2009
Est. Priority Date: 04/28/2006
Status: Active Grant

First Claim

Patent Images

1. A method for detecting anomalous data submitted to a software application, the method comprising:

receiving first data submitted via an input field of the software application,generating a first application fingerprint based on the first data, wherein the first application fingerprint is associated with one or more first contexts, and wherein the one or more first contexts represent contexts in which the first data was submitted;

comparing the first application fingerprint with at least one second application fingerprint, wherein the at least one second application fingerprint is based on second data previously submitted via the input field, and wherein the at least one second application fingerprint is associated with one or more second contexts substantially similar to the one or more first contexts; and

calculating a risk score based on the comparison of the first application fingerprint with the at least one second application fingerprint, the risk score indicating a likelihood that the first data was submitted for a fraudulent or malicious purpose.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques for fraud monitoring and detection using application fingerprinting. As used herein, an “application fingerprint” is a signature that uniquely identifies data submitted to a software application. In an embodiment, a plurality of historical application fingerprints are stored for data previously submitted to a software application. Each historical application fingerprint is associated with one or more contexts in which its corresponding data was submitted. When new (i.e., additional) data is subsequently submitted to the application, a new application fingerprint is generated based on the new data, and the new application fingerprint is associated with one or more contexts in which the new data was submitted. The new application fingerprint is then compared with one or more historical application fingerprints that share the same, or substantially similar, context(s). Based on this comparison, a risk score is generated indicating a likelihood that the new data was submitted for a fraudulent/malicious purpose.

Citations

21 Claims

1. A method for detecting anomalous data submitted to a software application, the method comprising:
- receiving first data submitted via an input field of the software application,generating a first application fingerprint based on the first data, wherein the first application fingerprint is associated with one or more first contexts, and wherein the one or more first contexts represent contexts in which the first data was submitted;
  
  comparing the first application fingerprint with at least one second application fingerprint, wherein the at least one second application fingerprint is based on second data previously submitted via the input field, and wherein the at least one second application fingerprint is associated with one or more second contexts substantially similar to the one or more first contexts; and
  
  calculating a risk score based on the comparison of the first application fingerprint with the at least one second application fingerprint, the risk score indicating a likelihood that the first data was submitted for a fraudulent or malicious purpose.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. The method of claim 1, wherein the first application fingerprint is based on one or more of:
    - data size of the first data, data type of the first data, and data content of the first data.
  - 3. The method of claim 1, wherein the one or more first contexts associated with the first application fingerprint are configurable.
  - 4. The method of claim 1, wherein the one or more first contexts include one or more of:
    - a user context identifying a user that submitted the first data, a device context identifying a device used to submit the first data, a location context identifying a location from which the first data was submitted, and a workflow context identifying a workflow of the software application that was being performed when the first data was submitted.
  - 5. The method of claim 1, wherein the step of calculating the risk score is further based on one or more third contexts representing contexts in which the first data was submitted, wherein the one or more third contexts are distinct from the one or more first contexts.
  - 6. The method of claim 5, wherein the one or more third contexts include one or more of:
    - a user context identifying a user that submitted the first data, a device context identifying a device used to submit the first data, a location context identifying a location from which the first data was submitted, and a workflow context identifying a workflow of the software application that was being performed when the first data was submitted.
  - 7. The method of claim 6, wherein the one or more third contexts include the device context, and wherein the risk score is increased if the device context identifies a device that is unknown or on a device black list.
  - 8. The method of claim 6, wherein the one or more third contexts include the location context, and wherein the risk score is increased if the location context identifies a location that is unknown or on a location black list.
  - 9. The method of claim 1, wherein calculating the risk score based on the comparison of the first application fingerprint with the at least one second application fingerprint comprises:
    - calculating a degree of similarity between the first application fingerprint and the at least one second application fingerprint; and
      
      calculating the risk score based on the degree of similarity.
  - 10. The method of claim 1 further comprising:
    - comparing the first application fingerprint with at least one third application fingerprint, wherein the at least one third application fingerprint is a predefined application fingerprint based on third data that is known to be malicious or fraudulent; and
      
      updating the risk score based on the comparison of the first application fingerprint with the at least one third application fingerprint.
  - 11. The method of claim 10, wherein the third data comprises one or more SQL commands.
  - 12. The method of claim 1 further comprising:
    - if the risk score exceeds a predefined threshold, presenting an authentication interface to the user that submitted the first data.
  - 13. The method of claim 12, wherein presenting the authentication interface comprises:
    - determining interface selection criteria based on the risk score; and
      
      selecting the authentication interface from among a plurality of authentication interfaces based on the interface selection criteria.
  - 14. The method of claim 1 further comprising:
    - if the risk score exceeds a predefined threshold, generating an alert for an administrator of the software application.
  - 15. The method of claim 1, wherein the steps of receiving, generating, comparing, and calculating are performed during runtime of the software application.
  - 16. The method of claim 1, wherein the software application is a Web-based application.

17. A system for detecting anomalous data submitted to a software application, the system comprising:
- a storage component configured to store a plurality of historical fingerprints, each historical fingerprint being based on historical data submitted to the software application via an input field of the software application; and
  
  a processing component communicatively coupled with the storage component, the processing component being configured to;
  
  receive first data submitted via the input field;
  
  generate a first application fingerprint based on the first data, wherein the first application fingerprint is associated with one or more first contexts, and wherein the one or more first contexts represent contexts in which the first data was submitted;
  
  compare the first application fingerprint with at least one historical fingerprint in the plurality of historical fingerprints, wherein the at least one historical fingerprint is associated with one or more second contexts substantially similar to the one or more first contexts; and
  
  calculate a risk score based on the comparison of the first application fingerprint with the at least one historical fingerprint, the risk score indicating a likelihood that the first data was submitted for a fraudulent or malicious purpose.
- View Dependent Claims (18, 19, 20)
- - 18. The system of claim 17, wherein the processing component is not configured to run the software application.
  - 19. The system of claim 17, wherein the storage component is further configured to store one or more access policies, each access policy comprising rules for calculating the risk score.
  - 20. The system of claim 19, wherein the one or more access policies are defined by a service provider of the software application.

21. A machine-readable medium for a computer system, the machine-readable medium having stored thereon a series of instructions which, when executed by a processing component of the computer system, cause the processing component to detect anomalous data submitted to a software application by:
- receiving first data submitted via an input field of the software application,generating a first application fingerprint based on the first data, wherein the first application fingerprint is associated with one or more first contexts, and wherein the one or more first contexts represent contexts in which the first data was submitted;
  
  comparing the first application fingerprint with at least one second application fingerprint, wherein the at least one second application fingerprint is based on second data previously submitted via the input field, and wherein the at least one second application fingerprint is associated with one or more second contexts substantially similar to the one or more first contexts; and
  
  calculating a risk score based on the comparison of the first application fingerprint with the at least one second application fingerprint, the risk score indicating a likelihood that the first data was submitted for a fraudulent or malicious purpose.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle International Corporation (Oracle Corporation)
Original Assignee
Oracle International Corporation (Oracle Corporation)
Inventors
Varghese, Thomas Emmanual

Granted Patent

US 8,739,278 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/7
CPC Class Codes

G06F 21/31   User authentication

G06F 21/316   by observing the pattern of...

G06F 21/55   Detecting local intrusion o...

G06F 21/566   Dynamic detection, i.e. det...

G06F 21/6263   during internet communicati...

G06F 2221/2113   Multi-level security, e.g. ...

G06F 2221/2129   Authenticate client device ...

G06Q 20/341   Active cards, i.e. cards in...

G06Q 20/4014   Identity check for transact...

G06Q 20/4016   involving fraud or risk lev...

G07C 9/37   using biometric data, e.g. ...

G07F 7/1008   Active credit-cards provide...

G07F 7/1041   PIN input keyboard gets new...

G07F 7/1083   Counting of PIN attempts

H04L 63/08   for authentication of entit...

H04L 63/0876   based on the identity of th...

H04L 63/123   received data contents, e.g...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1441   Countermeasures against mal...

H04L 63/166   at the transport layer

H04L 63/205 : involving negotiation or de...

View All

TECHNIQUES FOR FRAUD MONITORING AND DETECTION USING APPLICATION FINGERPRINTING

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

TECHNIQUES FOR FRAUD MONITORING AND DETECTION USING APPLICATION FINGERPRINTING

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links