USER BEHAVIOR ANALYZER

US 20130111019A1
Filed: 10/26/2012
Published: 05/02/2013
Est. Priority Date: 10/28/2011
Status: Active Grant

First Claim

Patent Images

1. A method for identifying abnormal client behavior with respect to communications between one or more servers and one or more client devices communicatively coupled to said one or more servers, the method comprising:

receiving a plurality of messages at a server from one or more client devices communicatively coupled to the server;

grouping the plurality of messages into subsets of messages using a learn module of said server, with each subset of messages associated with a unique client identifier and with all messages within a subset being associated with the same unique client identifier;

identifying each message within a subset of messages as belonging to a defined type of message;

recording sequences of said defined types of messages within each of said subsets of messages using said learn module;

measuring time intervals between said defined types of messages using said learn module;

designating the recorded sequences of defined types of messages and the measured time intervals between said defined types of messages as constituting normal client behavior;

constructing a sequence of defined types of messages received from a client device using a detect module of said server;

comparing the constructed sequence of defined types of messages to a corresponding sequence of messages recorded by said learn module and designated as normal client behavior;

calculating any differences between the constructed sequence and the corresponding recorded sequence; and

designating a constructed sequence that differs from the corresponding recorded sequence by more than a predetermined value or range of values as abnormal client behavior.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method is shown for identifying abnormal client behavior with respect to communications between one or more servers and one or more client devices communicatively coupled to the one or more servers. Messages are received at a server from one or more client devices communicatively coupled to the server. The plurality of messages are grouped into subsets of messages using a learn module of the server. Each subset of messages is associated with a unique client identifier, and all messages within a subset are associated with the same unique client identifier. Each message within a subset of messages is identified as belonging to a defined type of message. Sequences of the defined types of messages within each of said subsets of messages are recorded using the learn module. Time intervals between the defined types of messages are measured using the learn module. The recorded sequences of defined types of messages and the measured time intervals between the defined types of messages are designated as constituting normal client behavior.

50 Citations

View as Search Results

20 Claims

1. A method for identifying abnormal client behavior with respect to communications between one or more servers and one or more client devices communicatively coupled to said one or more servers, the method comprising:
- receiving a plurality of messages at a server from one or more client devices communicatively coupled to the server;
  
  grouping the plurality of messages into subsets of messages using a learn module of said server, with each subset of messages associated with a unique client identifier and with all messages within a subset being associated with the same unique client identifier;
  
  identifying each message within a subset of messages as belonging to a defined type of message;
  
  recording sequences of said defined types of messages within each of said subsets of messages using said learn module;
  
  measuring time intervals between said defined types of messages using said learn module;
  
  designating the recorded sequences of defined types of messages and the measured time intervals between said defined types of messages as constituting normal client behavior;
  
  constructing a sequence of defined types of messages received from a client device using a detect module of said server;
  
  comparing the constructed sequence of defined types of messages to a corresponding sequence of messages recorded by said learn module and designated as normal client behavior;
  
  calculating any differences between the constructed sequence and the corresponding recorded sequence; and
  
  designating a constructed sequence that differs from the corresponding recorded sequence by more than a predetermined value or range of values as abnormal client behavior.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method according to claim 1, further including:
    - determining a range for the number of defined types of messages recorded in a recorded sequence of messages.
  - 3. The method according to claim 1, further including:
    - transforming measured time intervals between defined types of messages in the recorded sequences of defined types of messages using Fourier analysis to calculate an average expected frequency of each of the recorded sequences of defined types of messages.
  - 4. The method according to claim 1, wherein:
    - each defined type of message corresponds to a unique client behavior, and wherein the recording of a sequence of defined types of client behaviors by said learn module begins after a predetermined number of said defined types of client behaviors have been received by the server.
  - 5. The method according to claim 1, wherein:
    - the learn module analyzes a plurality of recorded sequences of defined types of messages and determines an average expectation of a particular type of message occurring in a recorded sequence based on a plurality of occurrences of the particular type of message in the plurality of recorded sequences.
  - 6. The method according to claim 5, wherein:
    - the learn module further determines an average expectation of a second particular type of message occurring next to a first particular type of message in a recorded sequence of messages based on a plurality of occurrences of the first and second particular types of messages occurring next to each other in the plurality of recorded sequences.

7. A method for classifying client behavior, the method comprising:
- receiving a plurality of messages from a client device;
  
  grouping the plurality of messages into subsets of messages;
  
  associating all messages within a subset with the same unique client identifier;
  
  identifying each message within a subset of messages as belonging to a defined type of message;
  
  recording sequences of said defined types of messages within each of said subsets of messages;
  
  measuring time intervals between said defined types of messages; and
  
  designating the recorded sequences of defined types of messages and the measured time intervals between said defined types of messages as constituting normal client behavior.
- View Dependent Claims (8)
- - 8. The method according to claim 7, further including:
    - constructing a sequence of defined types of messages received from a client device;
      
      comparing the constructed sequence of defined types of messages to a corresponding sequence of recorded messages designated as normal client behavior;
      
      calculating any differences between the constructed sequence and the corresponding recorded sequence; and
      
      designating a constructed sequence that differs from the corresponding recorded sequence by more than a predetermined value or range of values as unusual client behavior.

9. An apparatus for identifying abnormal communications between a client and a game server, the apparatus comprising:
- a processing module configured to receive a plurality of messages from a client device;
  
  a processing module configured to group the plurality of messages into subsets of messages and associate all messages within a subset with the same unique client identifier;
  
  a processing module configured to identify each message within a subset of messages as belonging to a defined type of message;
  
  a processing module configured to record sequences of said defined types of messages within each of said subsets of messages; and
  
  a processing module configured to measure time intervals between said defined types of messages, and designate the recorded sequences of defined types of messages and the measured time intervals between said defined types of messages as constituting normal client behavior.
- View Dependent Claims (10, 11, 12, 13, 14, 15)
- - 10. The apparatus according to claim 9, further comprising:
    - a processing module configured to construct a sequence of defined types of messages received from a client device;
      
      a processing module configured to compare the constructed sequence of defined types of messages to a corresponding sequence of recorded messages designated as normal client behavior;
      
      a processing module configured to calculate any differences between the constructed sequence and the corresponding recorded sequence; and
      
      a processing module configured to designate a constructed sequence that differs from the corresponding recorded sequence by more than a predetermined value or range of values as unusual client behavior.
  - 11. The apparatus according to claim 9, further comprising:
    - a processing module configured to determine a range for the number of defined types of messages recorded in a recorded sequence of messages
  - 12. The apparatus according to claim 9, further comprising:
    - a processing module configured to transform measured time intervals between defined types of messages in the recorded sequences of defined types of messages using Fourier analysis to calculate an average expected frequency of each of the recorded sequences of defined types of messages.
  - 13. The apparatus according to claim 9, wherein:
    - each defined type of message corresponds to a unique client behavior, and wherein the recording of a sequence of defined types of client behaviors by said learn module begins after a predetermined number of said defined types of client behaviors have been received by the server.
  - 14. The apparatus according to claim 9, wherein:
    - the learn module analyzes a plurality of recorded sequences of defined types of messages and determines an average expectation of a particular type of message occurring in a recorded sequence based on a plurality of occurrences of the particular type of message in the plurality of recorded sequences.
  - 15. The apparatus according to claim 14, wherein:
    - the learn module further determines an average expectation of a second particular type of message occurring next to a first particular type of message in a recorded sequence of messages based on a plurality of occurrences of the first and second particular types of messages occurring next to each other in the plurality of recorded sequences.

16. A non-transitory computer-readable medium for use with a computer and encoded with program code, that when executed by a computer, causes the computer to:
- receive a plurality of messages from a client device;
  
  group the plurality of messages into subsets of messages;
  
  associate all messages within a subset with the same unique client identifier;
  
  identify each message within a subset of messages as belonging to a defined type of message;
  
  record sequences of said defined types of messages within each of said subsets of messages;
  
  measure time intervals between said defined types of messages; and
  
  designate the recorded sequences of defined types of messages and the measured time intervals between said defined types of messages as constituting normal client behavior.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The computer-readable medium according to claim 16, further comprising code, that when executed by a computer, causes the computer to:
    - construct a sequence of defined types of messages received from a client device;
      
      compare the constructed sequence of defined types of messages to a corresponding sequence of recorded messages designated as normal client behavior;
      
      calculate any differences between the constructed sequence and the corresponding recorded sequence; and
      
      designate a constructed sequence that differs from the corresponding recorded sequence by more than a predetermined value or range of values as unusual client behavior.
  - 18. The computer-readable medium according to claim 16, further comprising code, that when executed by a computer, causes the computer to:
    - determine a range for the number of defined types of messages recorded in a recorded sequence of messages.
  - 19. The computer-readable medium according to claim 16, further comprising code, that when executed by a computer, causes the computer to:
    - transform measured time intervals between defined types of messages in the recorded sequences of defined types of messages using Fourier analysis to calculate an average expected frequency of each of the recorded sequences of defined types of messages.
  - 20. The computer-readable medium according to claim 16, further comprising code, that when executed by a computer, causes the computer to:
    - record a sequence of defined types of client behaviors after a predetermined number of said defined types of client behaviors have been received from a client device by a server;
      
      analyze a plurality of recorded sequences of defined types of messages and determine an average expectation of a particular type of message occurring in a recorded sequence based on a plurality of occurrences of the particular type of message in the plurality of recorded sequences; and
      
      determine an average expectation of a second particular type of message occurring next to a first particular type of message in a recorded sequence of messages based on a plurality of occurrences of the first and second particular types of messages occurring next to each other in the plurality of recorded sequences.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Electronic Arts Incorporated
Original Assignee
Electronic Arts Incorporated
Inventors
Tjew, Andrew, Chan, Wilson

Granted Patent

US 9,529,777 B2
Time in Patent Office

Days
Field of Search
US Class Current

709/224
CPC Class Codes

G06F 11/3447   Performance evaluation by m...

G06F 11/3672   Test management

G06F 21/00   Security arrangements for p...

G06F 9/541   via adapters, e.g. between ...

G06N 20/00   Machine learning

G06Q 10/06   Resources, workflows, human...

G06Q 10/0631   Resource planning, allocati...

H04L 41/14   Network analysis or design

H04L 43/045   for graphical visualisation...

H04L 63/10   for controlling access to d...

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1458   Denial of Service

H04L 65/1076   Screening of IP real time c...

H04L 67/01   Protocols

USER BEHAVIOR ANALYZER

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

50 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

USER BEHAVIOR ANALYZER

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

50 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links