Account Compromise Detection

US 20120290712A1
Filed: 05/13/2011
Published: 11/15/2012
Est. Priority Date: 05/13/2011
Status: Abandoned Application

First Claim

Patent Images

1. A method implemented by one or more computing devices, the method comprising:

establishing a usage pattern for a user account of a service provider, the service provider configured to provide a plurality of web services for access via a network and the usage pattern describing interaction with one or more of the plurality of web services;

detecting a deviation in subsequent activity associated with the user account from the usage pattern; and

determining whether compromise of the user account is likely based at least in part on the detection.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques for account compromise detection are described. In one or more implementations, a usage pattern is established for a user account of a service provider, where the service provider is configured to provide a plurality of web services for access via a network and the usage pattern describes interaction with one or more of the plurality of web services. A deviation is detected in subsequent activity associated with the user account from the usage pattern and a determination is made as to whether compromise the user account is likely based at least in part on the detection.

Citations

20 Claims

1. A method implemented by one or more computing devices, the method comprising:
- establishing a usage pattern for a user account of a service provider, the service provider configured to provide a plurality of web services for access via a network and the usage pattern describing interaction with one or more of the plurality of web services;
  
  detecting a deviation in subsequent activity associated with the user account from the usage pattern; and
  
  determining whether compromise of the user account is likely based at least in part on the detection.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. A method as recited in claim 1, wherein the establishing of the usage pattern comprises tracking activity associated with the user account, the usage pattern indicating the web services that are accessed via the network.
  - 3. A method as recited in claim 1, wherein the usage pattern indicates one or more interfaces that are used to access respective said web services.
  - 4. A method as recited in claim 3, wherein the deviation in the subsequent activity comprises a transition to one or more said interfaces that are not described in the usage pattern.
  - 5. A method as recited in claim 1, wherein the deviation in the subsequent activity comprises an increase in volume of use of a respective said web service based on the usage pattern.
  - 6. A method as recited in claim 1, further comprising notifying a user associated with the user account that the user account has a likelihood of being compromised based at least in part on the detection.
  - 7. A method as recited in claim 1, wherein the deviation in the subsequent activity comprises a transition to one or more said web services that are not described in the usage pattern.
  - 8. A method as recited in claim 1, wherein the detecting of the deviation in the subsequent activity is performed by an account detection module.
  - 9. A method as recited in claim 1, further comprising:
    - determining that the deviation is not associated with compromise of the user account; and
      
      updating the usage pattern by adding data associated with the subsequent activity to the usage pattern.

10. A method implemented by one or more computing devices, the method comprising:
- monitoring activity associated with a user account of a service provider to establish a usage pattern for the user account, the service provider configured to provide a plurality of web services for access via a network, the usage pattern indicating one or more of the plurality of web services that are accessed via the network and one or more interfaces that are used to access respective said web services;
  
  comparing subsequent activity associated with the user account with the usage pattern;
  
  determining a deviation in the subsequent activity from the usage pattern, the deviation indicating an increase in frequency of use in one or more of the interfaces in comparison with the usage pattern; and
  
  determining whether compromise of the user account is likely based at least in part on the deviation.
- View Dependent Claims (11, 12, 13, 14, 15)
- - 11. A method as recited in claim 10, wherein the monitoring of the activity associated with the user account is performed by a tracking module.
  - 12. A method as recited in claim 10, further comprising notifying the user that the user account has a likelihood of being compromised based on the deviation.
  - 13. A method as recited in claim 10, further comprising determining that the increase in frequency of use in the one or more of the interfaces is associated with a malicious entity that has compromised the user account.
  - 14. A method as recited in claim 10, further comprising:
    - determining that the deviation is not associated with the compromise of the user account; and
      
      adding data associated with the subsequent activity to the usage pattern to update the usage pattern.
  - 15. A method as recited in claim 10, wherein the determining of the deviation in the subsequent activity is based at least in part on criteria including at least one of a level of abuse of the one or more of the interfaces or a likelihood of a user transitioning to the one or more of the interfaces from one or more different interfaces that are described in the usage pattern.

16. A compromise detection module implemented at least in part by hardware, the compromise detection module configured to:
- compare an established usage pattern associated with a user account of a service provider to subsequent activity associated with the user account, the service provider configured to provide a plurality of web services for access via a network and the established usage pattern indicating one or more of the plurality of web services that are accessed via the network;
  
  detect, in the subsequent activity, an increase in volume of usage of one or more of said web services based on the established usage pattern;
  
  determine whether compromise of the user account is likely based at least in part on the detection.
- View Dependent Claims (17, 18, 19, 20)
- - 17. A compromise detection module as recited in claim 16, wherein the subsequent activity includes an increase in frequency of usage of one or more interfaces that are used to access respective web services based on the established usage pattern.
  - 18. A compromise detection module as recited in claim 16, wherein the subsequent activity indicates use of one or more interfaces that are not described in the established usage pattern and are used to access the one or more of said web services.
  - 19. A compromise detection module as recited in claim 16, wherein the compromise detection module is further configured to present a notification to a user associated with the user account to notify the user that the user account has a likelihood of being compromised based on the detection.
  - 20. A compromise detection module as recited in claim 16, wherein the compromise detection module is further configured to:
    - determine that compromise of the user account is not likely, andcause the usage pattern to be updated by adding data associated with the subsequent activity to the established usage pattern.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Walter, Jason D., Vitaldevara, Krishna, Rodrigues, John D.

Application Number

US13/107,129
Publication Number

US 20120290712A1
Time in Patent Office

Days
Field of Search
US Class Current

709/224
CPC Class Codes

H04L 63/1416 Event detection, e.g. attac...

Account Compromise Detection

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Account Compromise Detection

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links