TRANSACTION-BASED INTRUSION DETECTION

US 20130133066A1
Filed: 11/22/2011
Published: 05/23/2013
Est. Priority Date: 11/22/2011
Status: Active Grant

First Claim

Patent Images

1. An intrusion detection system comprising one or more processors, and a memory with instructions which when executed by the one or more processors cause the one or more processors to perform a plurality of operations comprising:

receiving transaction information related to one or more current transactions between a client entity and a resource server;

accessing a database storing a plurality of transaction groups, wherein the transaction groups are formed based on a plurality of past transactions between a plurality of client entities and the resource server;

analyzing the received transaction information with respect to information related to at least one of the plurality of transaction groups; and

based on said analyzing, determining a possibility of an occurrence of an intrusion act at the resource server.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods are provided for intrusion detection. The systems and methods may include receiving transaction information related to one or more current transactions between a client entity and a resource server, accessing a database storing a plurality of transaction groups, analyzing the received transaction information with respect to information related to at least one of the plurality of transaction groups, and based on said analyzing, determining a possibility of an occurrence of an intrusion act at the resource server. The transaction groups may be formed based on a plurality of past transactions between a plurality of client entities and the resource server. Identity information of a user associated with the one or more current transactions may also be received along with the transaction information. The user may be associated with at least one of the plurality of transaction groups.

27 Citations

View as Search Results

31 Claims

1. An intrusion detection system comprising one or more processors, and a memory with instructions which when executed by the one or more processors cause the one or more processors to perform a plurality of operations comprising:
- receiving transaction information related to one or more current transactions between a client entity and a resource server;
  
  accessing a database storing a plurality of transaction groups, wherein the transaction groups are formed based on a plurality of past transactions between a plurality of client entities and the resource server;
  
  analyzing the received transaction information with respect to information related to at least one of the plurality of transaction groups; and
  
  based on said analyzing, determining a possibility of an occurrence of an intrusion act at the resource server.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The system of claim 1, wherein the operations further include:
    - receiving identity information of a user associated with the one or more current transactions.
  - 3. The system of claim 2, wherein the user is further associated with at least one of the plurality of transaction groups.
  - 4. The system of claim 3, wherein said analyzing includes comparing the received transaction information with information related to the at least one of the plurality of transaction groups, andwherein said determining includes determining that the intrusion act has occurred at the resource server, if, based on said comparing, at least a part of the received transaction information is different than at least a part of the information related to the at least one of the plurality of transaction groups.
  - 5. The system of claim 3, wherein said analyzing includes comparing the received transaction information with information related to one or more of the plurality of transaction groups excluding the at least one of the plurality of transaction groups, andwherein said determining includes determining that the intrusion act has occurred at the resource server, if, based on said comparing, at least a part of the received transaction information is similar to at least a part of the information related to a transaction group other than the at least one of the plurality of transaction groups.
  - 6. The system of claim 1, wherein said determining includes determining that the intrusion act has occurred at the resource server, if, based on said analyzing, the received transaction information is different than information related to all of the plurality of transaction groups.
  - 7. The system of claim 2, wherein the operations further include, based on a determination that the intrusion act has occurred at the resource server, one or more of:
    - modifying access privileges of the user for accessing one or more of the plurality of client entities, the resource server, or a combination thereof,notifying an administrative entity about the intrusion act, orrecording the received transaction information, the identity information, or both, in a list of intrusion acts.
  - 8. The system of claim 3, wherein the operations further include dynamically updating the plurality of transaction groups based at least on the received transaction information.
  - 9. The system of claim 8, wherein said dynamically updating includes disassociating the user from the at least one of the plurality of transaction groups, associating the user with one or more transaction groups other than the at least one of the plurality of transaction groups, or both.
  - 10. The system of claim 1, wherein the one or more current transactions include at least one of banking transactions, cloud computing transactions, or web application transactions.
  - 11. The system of claim 1, wherein the transaction groups are formed based on a fuzzy clustering technique.

12. A computer-implemented method for intrusion detection, the method executed by one or more processors configured to perform a plurality of operations, the operations comprising:
- receiving transaction information related to one or more current transactions between a client entity and a resource server;
  
  accessing a database storing a plurality of transaction groups, wherein the transaction groups are formed based on a plurality of past transactions between a plurality of client entities and the resource server;
  
  analyzing the received transaction information with respect to information related to at least one of the plurality of transaction groups; and
  
  based on said analyzing, determining a possibility of an occurrence of an intrusion act at the resource server.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20, 21, 22)
- - 13. The method of claim 12, wherein the operations further include:
    - receiving identity information of a user associated with the one or more current transactions.
  - 14. The method of claim 13, wherein the user is further associated with at least one of the plurality of transaction groups.
  - 15. The method of claim 14, wherein said analyzing includes comparing the received transaction information with information related to the at least one of the plurality of transaction groups, andwherein said determining includes determining that the intrusion act has occurred at the resource server, if, based on said comparing, at least a part of the received transaction information is different than at least a part of the information related to the at least one of the plurality of transaction groups.
  - 16. The method of claim 14, wherein said analyzing includes comparing the received transaction information with information related to one or more of the plurality of transaction groups excluding the at least one of the plurality of transaction groups, andwherein said determining includes determining that the intrusion act has occurred at the resource server, if, based on said comparing, at least a part of the received transaction information is similar to at least a part of the information related to a transaction group other than the at least one of the plurality of transaction groups.
  - 17. The method of claim 12, wherein said determining includes determining that the intrusion act has occurred at the resource server, if, based on said analyzing, the received transaction information is different than information related to all of the plurality of transaction groups.
  - 18. The method of claim 13, wherein the operations further include, based on a determination that the intrusion act has occurred at the resource server, one or more of:
    - modifying access privileges of the user for accessing one or more of the plurality of client entities, the resource server, or a combination thereof,notifying an administrative entity about the intrusion act, orrecording the received transaction information, the identity information, or both, in a list of intrusion acts.
  - 19. The method of claim 14, wherein the operations further include dynamically updating the plurality of transaction groups based at least on the received transaction information.
  - 20. The method of claim 19, wherein said dynamically updating includes disassociating the user from the at least one of the plurality of transaction groups, associating the user with one or more transaction groups other than the at least one of the plurality of transaction groups, or both.
  - 21. The method of claim 12, wherein the one or more current transactions include at least one of banking transactions, cloud computing transactions, or web application transactions.
  - 22. The method of claim 12, wherein the transaction groups are formed based on a fuzzy clustering technique.

23. A non-transitory computer-readable medium comprising computer-readable instructions, the computer-readable instructions when executed by one or more processors, causes the one or more processors to carry out a plurality of operations comprising:
- receiving transaction information related to one or more current transactions between a client entity and a resource server;
  
  accessing a database storing a plurality of transaction groups, wherein the transaction groups are formed based on a plurality of past transactions between a plurality of client entities and the resource server;
  
  analyzing the received transaction information with respect to information related to at least one of the plurality of transaction groups; and
  
  based on said analyzing, determining a possibility of an occurrence of an intrusion act at the resource server.
- View Dependent Claims (24, 25, 26, 27, 28, 29, 30, 31)
- - 24. The computer-readable medium of claim 23, wherein the operations further include:
    - receiving identity information of a user associated with the one or more current transactions.
  - 25. The computer-readable medium of claim 24, wherein the user is further associated with at least one of the plurality of transaction groups.
  - 26. The computer-readable medium of claim 25, wherein said analyzing includes comparing the received transaction information with information related to the at least one of the plurality of transaction groups, andwherein said determining includes determining that the intrusion act has occurred at the resource server, if, based on said comparing, at least a part of the received transaction information is different than at least a part of the information related to the at least one of the plurality of transaction groups.
  - 27. The computer-readable medium of claim 25, wherein said analyzing includes comparing the received transaction information with information related to one or more of the plurality of transaction groups excluding the at least one of the plurality of transaction groups, andwherein said determining includes determining that the intrusion act has occurred at the resource server, if, based on said comparing, at least a part of the received transaction information is similar to at least a part of the information related to a transaction group other than the at least one of the plurality of transaction groups.
  - 28. The computer-readable medium of claim 23, wherein said determining includes determining that the intrusion act has occurred at the resource server, if, based on said analyzing, the received transaction information is different than information related to all of the plurality of transaction groups.
  - 29. The computer-readable medium of claim 24, wherein the operations further include, based on a determination that the intrusion act has occurred at the resource server, one or more of:
    - modifying access privileges of the user for accessing one or more of the plurality of client entities, the resource server, or a combination thereof,notifying an administrative entity about the intrusion act, orrecording the received transaction information, the identity information, or both, in a list of intrusion acts.
  - 30. The computer-readable medium of claim 23, wherein the one or more current transactions include at least one of banking transactions, cloud computing transactions, or web application transactions.
  - 31. The computer-readable medium of claim 23, wherein the transaction groups are formed based on a fuzzy clustering technique.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Computer Associates Think Inc. (Broadcom, Inc.)
Inventors
Natarajan, Ramesh, Brown, Timothy Gordon, Gates, Carrie Elaine

Granted Patent

US 8,776,228 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/23
CPC Class Codes

G06Q 20/4016   involving fraud or risk lev...

H04L 63/1408   by monitoring network traff...

Y10S 707/99933   Query processing, i.e. sear...

TRANSACTION-BASED INTRUSION DETECTION

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

27 Citations

31 Claims

Specification

Solutions

Use Cases

Quick Links

TRANSACTION-BASED INTRUSION DETECTION

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

27 Citations

31 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links