Method and apparatus for detection and notification of unauthorized access attempts in a distributed data processing system
Abstract
A method and apparatus for identifying unauthorized attempts to access a data processing system. A file used to contain data on failed attempts to access the data processing system is monitored. Responsive to the file containing data on failed attempts to access the data processing system, the data is analyzed to identify candidates for unauthorized access attempts.
39 Claims
1. A method for identifying unauthorized attempts to access a data processing system, the method comprising the computer implemented steps of:
recording data in a file each time an attempt to access the data processing system has failed;
monitoring said file used to contain said data on failed attempts to access the data processing system; and
responsive to said file containing said data on failed attempts to access the data processing system, analyzing said data to identify candidates for unauthorized access attempts.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9
identifying hosts from which failed access attempts occurred;
identifying user identifications for the failed access attempts;
determining whether a successful access attempts have occurred for the user identifications for the hosts; and
responsive to an absence of a successful access attempt for a user identification from a host, placing the host in a list.
6. The method of claim 1, wherein the step of analyzing the data to identify candidates for unauthorized access attempts comprises:
identifying user identifications (user IDs) for the failed access attempts;
identifying a number of failed access attempts for each user ID;
determining, for each user ID, whether a number of failed access attempts for a user ID is greater than a threshold; and
responsive to the number being greater than the threshold, placing the user ID in a list.
7. The method of claim 1, wherein the step of monitoring occurs in response to an event.
8. The method of claim 1, wherein the method is performed in the data processing system.
9. The method of claim 1, wherein the method is performed at another data processing system remote to the data processing system.
10. A method for identifying unauthorized attempts to access a data processing system, the method comprising the computer implemented steps of:
responsive to a periodic event, monitoring a file used to contain data on failed attempts to access the data processing system; and
responsive to the file containing data on failed attempts to access the data processing system, analyzing the data to identify candidates for unauthorized access attempts.
11. A method for identifying unauthorized attempts to access a data processing system, the method comprising the computer implemented steps of:
responsive to a request to check for unauthorized attempts, monitoring a file used to contain data on failed attempts to access the data processing system; and
responsive to the file containing data on failed attempts to access the data processing system, analyzing the data to identify candidates for unauthorized access attempts.
12. A method for identifying unauthorized access attempts to a data processing system, the method comprising the computer implemented steps of:
recording data in a file each time an attempt to access the data processing system has failed;
monitoring said file used to contain said data on failed attempts to access the data processing system;
responsive to said file containing said data on failed attempts to access the data processing system, analyzing said data to identify user IDs and hosts from which failed authorized attempts occurred; and
responsive to a user ID having an absence of a successful access attempt, placing the user ID and an associated host in a notification file.
Dependent claims: 13, 14
sending the notification file to a destination.
14. The method of claim 13, wherein the destination is identified by an email address.
15. A method for identifying unauthorized access attempts to a data processing system, the method comprising the computer implemented steps of:
periodically checking a file for data for a presence of failed attempts to access the data processing system within the file;
responsive to the file containing data on failed attempts to access the data processing system;
analyzing the data to identify user IDs and hosts from which failed authorized attempts occurred; and
responsive to a user ID having an absence of a successful access attempt, placing the user ID and an associated host in a notification file.
Dependent claims: 16, 17
responsive to the presence of data within the file, storing the data for analysis; and
removing the data from the file.
17. The method of claim 16, wherein the step of removing the data comprises replacing the file with a new file, which is empty.
18. A distributed data processing system comprising:
a network;
a plurality of clients connected to the network;
a server connected to the network, wherein the server stores a set of data for unsuccessful access attempts, checks for a presence of unsuccessful access attempts in response to a periodic event, analyzes the set of data to identify candidates for unauthorized access attempts, and responsive to an identification of a candidate for unauthorized access, sends a notification containing information about the candidate.
Dependent claims: 19
20. A data processing system for identifying unauthorized attempts to access a data processing system, the data processing system comprising:
recording means for recording data in a file each time an attempt to access the data processing system has failed;
monitoring means for monitoring said file used to contain said data on failed attempts to access the data processing system; and
analyzing means, responsive to the file containing said data on failed attempts to access the data processing system, for analyzing the data to identify candidates for unauthorized access attempts.
Dependent claims: 21, 22, 23, 24, 25, 26, 27, 28
generating means for generating a list of candidates of unauthorized access attempts; and
sending means for sending the list to a destination.
22. The data processing system of claim 21, wherein the destination is identified in an email address.
23. The data processing system of claim 21, wherein the destination is a data processing system for an information systems administrator.
24. The data processing system of claim 20, wherein the means of analyzing the data to identify candidates for unauthorized access attempts comprises:
first identifying means for identifying hosts from which failed access attempts occurred;
second identifying means for identifying user identifications for the failed access attempts;
determining means for determining whether a successful access attempts have occurred for the user identifications for the hosts; and
placing means, responsive to an absence of a successful access attempt for a user identification from a host, for placing the host in a list.
25. The data processing system of claim 20, wherein the means of analyzing the data to identify candidates for unauthorized access attempts comprises:
first identifying means for identifying user identifications (user IDs) for the failed access attempts;
second identifying means for identifying a number of failed access attempts for each user ID;
determining means for determining, for each user ID, whether a number of failed access attempts for a user ID is greater than a threshold; and
placing means, responsive to the number being greater than the threshold, for placing the user ID in a list.
26. The data processing system of claim 20, wherein the monitoring means occurs in response to an event.
27. The data processing system of claim 20, wherein the method is performed in the data processing system.
28. The data processing system of claim 20, wherein the method is performed at another data processing system remote to the data processing system.
29. A data processing system for identifying unauthorized attempts to access a data processing system, the data processing system comprising:
monitoring means for monitoring, responsive to a periodic event, a file used to contain data on failed attempts to access the data processing system; and
analyzing means, responsive to the file containing data on failed attempts to access the data processing system, for analyzing the data to identify candidates for unauthorized access attempts.
30. A data processing system for identifying unauthorized attempts to access a data processing system, the data processing system comprising:
monitoring means for monitoring, responsive to a request to check for unauthorized attempts, a file used to contain data on failed attempts to access the data processing system; and
analyzing means, responsive to the file containing data on failed attempts to access the data processing system, for analyzing the data to identify candidates for unauthorized access attempts.
31. A data processing system for identifying unauthorized access attempts to a data processing system, the data processing system comprising:
recording means for recording data in a file each time an attempt to access the data processing system has failed;
monitoring means for monitoring said file used to contain said data on failed attempts to access the data processing system;
analyzing means, responsive to said file containing said data on failed attempts to access the data processing system, for analyzing said data to identify user IDs and hosts from which failed authorized attempts occurred; and
placing means, responsive to a user ID having an absence of a successful access attempt, for placing the user ID and an associated host in a file.
Dependent claims: 32, 33
sending means for sending the notification file to a destination.
33. The data processing system of claim 32, wherein the destination is identified by an email address.
34. A data processing system for identifying unauthorized access attempts to a data processing system, the data processing system comprising:
monitoring means for periodically checking a file for data for a presence of failed access attempts within the file;
analyzing means, responsive to the file containing data on failed access attempts, for analyzing the data to identify user IDs and hosts from which failed authorized attempts occurred; and
placing means, responsive to a user ID having an absence of a successful access attempt, for placing the user ID and an associated host in a file.
Dependent claims: 35, 36
storing means, responsive to a presence of data within the file, for storing the data for analysis; and
removing means for removing the data from the file.
36. The data processing system of claim 35, wherein the means of removing the data comprises replacing the file with a new file, which is empty.
37. A computer program product in a computer readable medium for identifying unauthorized attempts to access a data processing system, the computer program product comprising:
first instructions for recording data in a file each time an attempt to access the data processing system has failed;
second instructions for monitoring said file used to contain said data on failed attempts to access the data processing system; and
third instructions, responsive to said file containing said data on failed attempts to access the data processing system, for analyzing the data to identify candidates for unauthorized access attempts.
38. A computer program product in a computer readable medium for identifying unauthorized access attempts to a data processing system, the computer program product comprising:
first instructions for recording data in a file each time an attempt to access the data processing system has failed;
second instructions for monitoring said file used to contain said data on failed attempts to access the data processing system;
third instructions, responsive to said file containing said data on failed attempts to access the data processing system, for analyzing said data to identify user IDs and hosts from which failed authorized attempts occurred; and
fourth instructions, responsive to a user ID having an absence of a successful access attempt, for placing the user ID and an associated host in a file.
39. A distributed data processing system comprising:
a network;
a plurality of clients connected to the network;
a server connected to the network, wherein the server stores a set of data for unsuccessful access attempts, checks for a presence of unsuccessful access attempts in response to a request to check for unauthorized attempts, analyzes the set of data to identify candidates for unauthorized access attempts, and responsive to an identification of a candidate for unauthorized access, sends a notification containing information about the candidate.
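An added example, not taken from the patent, of the analysis recited in claims 5, 6 and 15 to 17: drain the failed-attempt file, list user ID and host pairs with no successful access, flag user IDs over a threshold, and write a notification file. The "user host" record format, the file names, the sample data and the set of known successful accesses are assumptions.

```python
import os
import tempfile
from collections import Counter

# Constructed sample data; the "user host" record format is an assumption.
SAMPLE_FAILED = ("root 203.0.113.9\nroot 203.0.113.9\nroot 203.0.113.9\n"
                 "alice ws-12\nbob 198.51.100.4\n")
SAMPLE_SUCCESSES = {("alice", "ws-12")}  # (user ID, host) pairs with a successful access


def drain(path):
    """Claims 16-17: store the data for analysis and leave a new, empty file."""
    snapshot = path + ".pending"
    os.replace(path, snapshot)  # atomic rename on the same filesystem
    os.close(os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600))
    with open(snapshot, encoding="utf-8") as fh:
        rows = [line.split() for line in fh]
    os.remove(snapshot)
    # Malformed lines are skipped rather than trusted.
    return [(r[0], r[1]) for r in rows if len(r) == 2]


def analyze(records, successes, threshold):
    """Claims 5-6 and 15: pairs with no successful access, user IDs over threshold."""
    per_user = Counter(user for user, _ in records)
    no_success = sorted({pair for pair in records if pair not in successes})
    over = sorted(user for user, n in per_user.items() if n > threshold)
    return no_success, over


def run_demo(threshold=2):
    with tempfile.TemporaryDirectory() as tmp:
        log = os.path.join(tmp, "failed_attempts.log")  # hypothetical file name
        with open(log, "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_FAILED)
        no_success, over = analyze(drain(log), SAMPLE_SUCCESSES, threshold)
        note = os.path.join(tmp, "notification.txt")  # the notification file
        with open(note, "w", encoding="utf-8") as fh:
            fh.writelines(f"no-success {u} {h}\n" for u, h in no_success)
            fh.writelines(f"over-threshold {u}\n" for u in over)
        with open(note, encoding="utf-8") as fh:
            return no_success, over, os.path.getsize(log), fh.read()


if __name__ == "__main__":
    print(run_demo())
```

A logger that keeps the file open continues writing to the renamed file, so records appended between the read and the delete are lost unless the logger reopens the file after the swap.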
Specification