COMPUTING SECURITY MECHANISM

US 20130111586A1
Filed: 10/27/2011
Published: 05/02/2013
Est. Priority Date: 10/27/2011
Status: Abandoned Application

First Claim

Patent Images

1. A computer-implemented method comprising:

determining, using a processor, an identity currently logged-in to a computing system that provides access to a number of user applications;

while the identity remains logged-in to the computing system, monitoring, using a processor, interaction with multiple of the user applications accessible via the computing system;

comparing, using a processor, the monitored interaction with the multiple user applications to a system resource usage model corresponding to the identity determined to be logged-in to the computing system currently;

based on a result of comparing the monitored interaction with the multiple user applications to the system resource usage model corresponding to the identity determined to be logged-in to the computing system, determining, using a processor, that the monitored interaction with the multiple user applications is suspicious; and

as a consequence of determining that the monitored interaction with the multiple user applications is suspicious, invoking, using a processor, a security mechanism in connection with the computing system.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Interaction involving a computing system and/or applications accessible via the computing system is monitored. As a consequence of determining that the monitored interaction is suspicious, a security mechanism is invoked in connection with the computing system.

115 Citations

17 Claims

1. A computer-implemented method comprising:
- determining, using a processor, an identity currently logged-in to a computing system that provides access to a number of user applications;
  
  while the identity remains logged-in to the computing system, monitoring, using a processor, interaction with multiple of the user applications accessible via the computing system;
  
  comparing, using a processor, the monitored interaction with the multiple user applications to a system resource usage model corresponding to the identity determined to be logged-in to the computing system currently;
  
  based on a result of comparing the monitored interaction with the multiple user applications to the system resource usage model corresponding to the identity determined to be logged-in to the computing system, determining, using a processor, that the monitored interaction with the multiple user applications is suspicious; and
  
  as a consequence of determining that the monitored interaction with the multiple user applications is suspicious, invoking, using a processor, a security mechanism in connection with the computing system.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The computer-implemented method of claim 1 wherein:
    - monitoring interaction with multiple of the user applications accessible via the computing system includes monitoring an order in which a user accesses the multiple user applications;
      
      comparing the monitored interaction with the multiple user applications to the system resource usage model corresponding to the identity determined to be logged-in to the computing system includes comparing the order in which the user accesses the multiple user applications to the system resource usage model; and
      
      determining that the monitored interaction with the multiple user applications is suspicious includes determining that the order in which the user accesses the multiple user applications is suspicious based on a result of comparing the order in which the user accesses the multiple user applications to the system resource usage model.
  - 3. The computer-implemented method of claim 2 wherein:
    - monitoring the order in which the user accesses the multiple user applications includes monitoring the order in which the user launches the multiple user applications;
      
      comparing the order in which the user accesses the multiple user applications to the system resource usage model includes comparing the order in which the user launches the multiple user applications to the system resource usage model; and
      
      determining that the order in which the user accesses the multiple user applications is suspicious includes determining that the order in which the user launches the multiple user applications is suspicious based on a result of comparing the order in which the user launches the multiple user applications to the system resource usage model.
  - 4. The computer-implemented method of claim 1 wherein:
    - monitoring interaction with multiple of the user applications accessible via the computing system includes identifying individual user applications accessed by a user;
      
      comparing the monitored interaction with the multiple user applications to the system resource usage model corresponding to the identity determined to be logged-in to the computing system includes comparing at least some of the individual user applications accessed by the user to the system resource usage model; and
      
      determining that the monitored interaction with the multiple user applications is suspicious includes determining that the user'"'"'s access of one or more of the individual user applications is suspicious based on a result of comparing at least some of the individual user applications accessed by the user to the system resource usage model.
  - 5. The computer-implemented method of claim 1 wherein:
    - monitoring interaction with multiple of the user applications accessible via the computing system includes monitoring accessing of files stored in computer memory storage by one or more of the multiple user applications;
      
      comparing the monitored interaction with the multiple user applications to the system resource usage model corresponding to the identity determined to be logged-in to the computing system includes comparing the accessing of files stored in computer memory storage by the one or more user applications to the system resource usage model corresponding to the identity determined to be logged-in to the computing system; and
      
      determining that the monitored interaction with the multiple user applications is suspicious includes determining that the accessing of files stored in computer memory storage by the one or more user applications is suspicious based on a result of comparing the accessing of files stored in computer memory storage by the one or more user applications to the system resource usage model corresponding to the identity determined to be logged-in to the computing system.
  - 6. The computer-implemented method of claim 1 further comprising monitoring copying, initiated by the computing system, of files stored in computer memory storage and accessible via the computing system, wherein:
    - comparing the monitored interaction with the multiple user applications to the system resource usage model corresponding to the identity determined to be logged-in to the computing system further comprises comparing the monitored copying of files initiated by the computing system to the system resource usage model corresponding to the identity determined to be logged-in to the computing system; and
      
      determining that the monitored interaction with the multiple user applications is suspicious further includes determining that the monitored interaction with the multiple user applications and the copying of files initiated by the computing system are suspicious based on a result of comparing the monitored copying of files initiated by the computing system to the system resource usage model corresponding to the identity determined to be logged-in to the computing system.
  - 7. The computer-implemented method of claim 1 wherein:
    - monitoring interaction with multiple of the user applications accessible via the computing system includes monitoring, for a particular user application that provides multiple different input sequences for executing the same operation, input sequences input by a user to execute the operation within the particular user application;
      
      comparing the monitored interaction with the multiple user applications to the system resource usage model corresponding to the identity determined to be logged-in to the computing system includes comparing the monitored input sequences input by the user to execute the operation within the particular user application to the system resource usage model corresponding to the identity determined to be logged-in to the computing system; and
      
      determining that the monitored interaction with the multiple user applications is suspicious includes determining that the monitored input sequences input by the user to execute the operation within the particular user application are suspicious based on a result of comparing the monitored input sequences input by the user to execute the operation within the particular user application to the system resource usage model corresponding to the identity determined to be logged-in to the computing system.
  - 8. The computer-implemented method of claim 1 further comprising monitoring accessing, by the computing system, of file servers accessible via the computing system, wherein:
    - comparing the monitored interaction with the multiple user applications to the system resource usage model corresponding to the identity determined to be logged-in to the computing system further comprises comparing the monitored accessing of files servers accessible via the computing system to the system resource usage model corresponding to the identity determined to be logged-in to the computing system; and
      
      determining that the monitored interaction with the multiple user applications is suspicious further includes determining that the monitored interaction with the multiple user applications and the accessing of file servers accessible via the computing system are suspicious based on a result of comparing the monitored accessing of file servers accessible via the computing system to the system resource usage model corresponding to the identity determined to be logged-in to the computing system.
  - 9. The computer-implemented method of claim 1 wherein invoking a security mechanism in connection with the computing system includes logging the identity out of the computing system.
  - 10. The computer-implemented method of claim 1 wherein invoking a security mechanism in connection with the computing system includes requesting authentication information before enabling continued access via the computing system.
  - 11. The computer-implemented method of claim 1 wherein:
    - determining that the monitored interaction with the multiple user applications is suspicious includes determining that the monitored interaction with the multiple user applications corresponds to a particular level of suspicion from among multiple different levels of suspicion based on a result of comparing the monitored interaction with the multiple user applications to the system resource usage model corresponding to the identity determined to be logged-in to the computing system; and
      
      invoking a security mechanism in connection with the computing system as a consequence of determining that the monitored interaction with the multiple user applications is suspicious includes logging the identity out of the computing system as a consequence of determining that the monitored interaction with the multiple user applications corresponds to the particular level of suspicion.
  - 12. The computer-implemented method of claim 1 wherein:
    - determining that the monitored interaction with the multiple user applications is suspicious includes determining that the monitored interaction with the multiple user applications corresponds to a particular level of suspicion from among multiple different levels of suspicion based on a result of comparing the monitored interaction with the multiple user applications to the system resource usage model corresponding to the identity determined to be logged-in to the computing system; and
      
      invoking a security mechanism in connection with the computing system as a consequence of determining that the monitored interaction with the multiple user applications is suspicious includes restricting some but not all access via the computing system.
  - 13. The computer-implemented method of claim 1 wherein:
    - the computing system provides access to multiple resources available over a communications network to which the computing system is coupled communicatively; and
      
      invoking a security mechanism in connection with the computing system includes alerting a mechanism that monitors activity within the communications network to the determination that the monitored interaction with the multiple user applications is suspicious.
  - 14. The computer-implemented method of claim 1 further comprising, responsive to having determined the identity currently logged-in to the computing system, identifying, from among multiple different system resource usage models, a particular system resource usage model as corresponding to the identity determined to be logged-in to the computing system currently, wherein comparing the monitored interaction with the multiple user applications to a system resource usage model includes comparing the monitored interaction with the multiple user applications to the particular system resource usage model identified.
  - 15. The computer-implemented method of claim 1 wherein monitoring interaction with multiple user applications accessible via the computing system includes monitoring interaction with user applications hosted by remote computing systems.

16. A computer-readable storage medium storing instructions that, when executed by a computing system, cause the computing system to:
- receive authentication information for an identity;
  
  store the received authentication information for the identity;
  
  allow the identity to log-in to a first session with the computing system;
  
  while the identity remains logged-in to the first session with the computing system, monitor user interaction with multiple user applications accessible via the computing system;
  
  based on monitoring user interaction with the multiple user applications, develop a user application usage model for the identity;
  
  cause the identity to be logged-out from the computing system;
  
  after causing the identity to be logged-out from the computing system, receive a request to log-in the identity to a second session with the computing system, the request including a portion of the authentication information for the identity;
  
  responsive to receiving the request to log-in the identity to a second session with the computing system, compare the authentication information received with the log-in request to the stored authentication information for the identity;
  
  based on results of comparing the authentication information received with the log-in request to the stored authentication information for the identity, allow the identity to log-in to a second session with the computing system;
  
  while the identity remains logged-in to the second session with the computing system, monitor user interaction with multiple user applications accessible via the computing system;
  
  compare the monitored user interaction with the multiple user applications from the second session to the user application usage model developed for the identity;
  
  based on a result of comparing the monitored user interaction with the multiple user applications from the second session to the user application usage model developed for the identity, determine that the monitored user interaction with the multiple user applications from the second session is suspicious; and
  
  as a consequence of determining that the monitored user interaction with the multiple user applications from the second session is suspicious, invoke a security mechanism in connection with the computing system.

17. A computer-readable storage medium storing instructions that, when executed by a computing system, cause the computing system to:
- monitor, at one or more unannounced intervals and transparently to any end user of a computing device, interaction that involves the computing device and user applications that are accessible via the computing device;
  
  determine that the monitored interaction is suspicious; and
  
  as a consequence of having determined that the monitored interaction is suspicious, invoke a security mechanism in connection with the computing system.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Hewlett-Packard Development Company, L.P. (HP Inc.)
Original Assignee
Hewlett-Packard Development Company, L.P. (HP Inc.)
Inventors
Jackson, Warren

Application Number

US13/282,827
Publication Number

US 20130111586A1
Time in Patent Office

Days
Field of Search
US Class Current

726/23
CPC Class Codes

G06F 11/3438   monitoring of user actions ...

G06F 21/316   by observing the pattern of...

G06F 21/552   involving long-term monitor...

H04L 63/08   for authentication of entit...

COMPUTING SECURITY MECHANISM

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

115 Citations

17 Claims

Specification

Use Cases

Quick Links

Others

COMPUTING SECURITY MECHANISM

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

115 Citations

17 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others