Method and apparatus for detection and notification of unauthorized access attempts in a distributed data processing system

US 6,748,540 B1
Filed: 06/17/1999
Issued: 06/08/2004
Est. Priority Date: 06/17/1999
Status: Expired due to Term

First Claim

Patent Images

1. A method for identifying unauthorized attempts to access a data processing system, the method comprising the computer implemented steps of:

recording data in a file each time an attempt to access the data processing system has failed;

monitoring said file used to contain said data on failed attempts to access the data processing system; and

responsive to said file containing said data on failed attempts to access the data processing system, analyzing said data to identify candidates for unauthorized access attempts.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and apparatus for identifying unauthorized attempts to access a data processing system. A file used to contain data on failed attempts to access the data processing system is monitored. Responsive to the file containing data on failed attempts to access the data processing system, the data is analyzed to identify candidates for unauthorized access attempts.

38 Citations

View as Search Results

39 Claims

1. A method for identifying unauthorized attempts to access a data processing system, the method comprising the computer implemented steps of:
- recording data in a file each time an attempt to access the data processing system has failed;
  
  monitoring said file used to contain said data on failed attempts to access the data processing system; and
  
  responsive to said file containing said data on failed attempts to access the data processing system, analyzing said data to identify candidates for unauthorized access attempts.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1 further comprising:
    - generating a list of candidates of unauthorized access attempts; and
      
      sending the list to a destination.
  - 3. The method of claim 2, wherein the destination is identified in an email address.
  - 4. The method of claim 2, wherein the destination is a data processing system for an information systems administrator.
  - 5. The method of claim 1, wherein the step of analyzing the data to identify candidates for unauthorized access attempts comprises:
6. The method of claim 1, wherein the step of analyzing the data to identify candidates for unauthorized access attempts comprises:
- identifying user identifications (user IDs) for the failed access attempts;
  
  identifying a number of failed access attempts for each user ID;
  
  determining, for each user ID, whether a number of failed access attempts for a user ID is greater than a threshold; and
  
  responsive to the number being greater than the threshold, placing the user ID in a list.
7. The method of claim 1, wherein the step of monitoring occurs in response to an event.
8. The method of claim 1, wherein the method is performed in the data processing system.
9. The method of claim 1, wherein the method is performed at another data processing system remote to the data processing system.

10. A method for identifying unauthorized attempts to access a data processing system, the method comprising the computer implemented steps of:
- responsive to a periodic event, monitoring a file used to contain data on failed attempts to access the data processing system; and
  
  responsive to the file containing data on failed attempts to access the data processing system, analyzing the data to identify candidates for unauthorized access attempts.

11. A method for identifying unauthorized attempts to access a data processing system, the method comprising the computer implemented steps of:
- responsive to a request to check for unauthorized attempts, monitoring a file used to contain data on failed attempts to access the data processing system; and
  
  responsive to the file containing data on failed attempts to access the data processing system, analyzing the data to identify candidates for unauthorized access attempts.

12. A method for identifying unauthorized access attempts to a data processing system, the method comprising the computer implemented steps of:
- recording data in a file each time an attempt to access the data processing system has failed;
  
  monitoring said file used to contain said data on failed attempts to access the data processing system;
  
  responsive to said file containing said data on failed attempts to access the data processing system, analyzing said data to identify user IDs and hosts from which failed authorized attempts occurred; and
  
  responsive to a user ID having an absence of a successful access attempt, placing the user ID and an associated host in a notification file.
- View Dependent Claims (13, 14)
- - 13. The method of claim 12 further comprising:
14. The method of claim 13, wherein the destination is identified by an email address.

15. A method for identifying unauthorized access attempts to a data processing system, the method comprising the computer implemented steps of:
- periodically checking a file for data for a presence of failed attempts to access the data processing system within the file;
  
  responsive to the file containing data on failed attempts to access the data processing system;
  
  analyzing the data to identify user IDs and hosts from which failed authorized attempts occurred; and
  
  responsive to a user ID having an absence of a successful access attempt, placing the user ID and an associated host in a notification file.
- View Dependent Claims (16, 17)
- - 16. The method of claim 15 further comprising:
17. The method of claim 16, wherein the step of removing the data comprises replacing the file with a new file, which is empty.

18. A distributed data processing system comprising:
- a network;
  
  a plurality of clients connected to the network;
  
  a server connected to the network, wherein the server stores a set of data for unsuccessful access attempts, checks for a presence of unsuccessful access attempts in response to a periodic event, analyzes the set of data to identify candidates for unauthorized access attempts, and responsive to an identification of a candidate for unauthorized access, sends a notification containing information about the candidate.
- View Dependent Claims (19)
- - 19. The distributed data processing system of claim 18, wherein the set of data is a first set of data that includes a user ID and wherein the server stores a second set of data for access attempts that includes a user ID for each successful access attempt and compares the user ID associated with an unsuccessful attempt with user IDs in the second set of data to whether a successful access attempt has ever occurred using the user ID.

20. A data processing system for identifying unauthorized attempts to access a data processing system, the data processing system comprising:
- recording means for recording data in a file each time an attempt to access the data processing system has failed;
  
  monitoring means for monitoring said file used to contain said data on failed attempts to access the data processing system; and
  
  analyzing means, responsive to the file containing said data on failed attempts to access the data processing system, for analyzing the data to identify candidates for unauthorized access attempts.
- View Dependent Claims (21, 22, 23, 24, 25, 26, 27, 28)
- - 21. The data processing system of claim 20 further comprising:
22. The data processing system of claim 21, wherein the destination is identified in an email address.
23. The data processing system of claim 21, wherein the destination is a data processing system for an information systems administrator.
24. The data processing system of claim 20, wherein the means of analyzing the data to identify candidates for unauthorized access attempts comprises:
- first identifying means for identifying hosts from which failed access attempts occurred;
  
  second identifying means for identifying user identifications for the failed access attempts;
  
  determining means for determining whether a successful access attempts have occurred for the user identifications for the hosts; and
  
  placing means, responsive to an absence of a successful access attempt for a user identification from a host, for placing the host in a list.
25. The data processing system of claim 20, wherein the means of analyzing the data to identify candidates for unauthorized access attempts comprises:
- first identifying means for identifying user identifications (user IDs) for the failed access attempts;
  
  second identifying means for identifying a number of failed access attempts for each user ID;
  
  determining means for determining, for each user ID, whether a number of failed access attempts for a user ID is greater than a threshold; and
  
  placing means, responsive to the number being greater than the threshold, for placing the user ID in a list.
26. The data processing system of claim 20, wherein the monitoring means occurs in response to an event.
27. The data processing system of claim 20, wherein the method is performed in the data processing system.
28. The data processing system of claim 20, wherein the method is performed at another data processing system remote to the data processing system.

29. A data processing system for identifying unauthorized attempts to access a data processing system, the data processing system comprising:
- monitoring means for monitoring, responsive to a periodic event, a file used to contain data on failed attempts to access the data processing system; and
  
  analyzing means, responsive to the file containing data on failed attempts to access the data processing system, for analyzing the data to identify candidates for unauthorized access attempts.

30. A data processing system for identifying unauthorized attempts to access a data processing system, the data processing system comprising:
- monitoring means for monitoring, responsive to a request to check for unauthorized attempts, a file used to contain data on failed attempts to access the data processing system; and
  
  analyzing means, responsive to the file containing data on failed attempts to access the data processing system, for analyzing the data to identify candidates for unauthorized access attempts.

31. A data processing system for identifying unauthorized access attempts to a data processing system, the data processing system comprising:
- recording means for recording data in a file each time an attempt to access the data processing system has failed;
  
  monitoring means for monitoring said file used to contain said data on failed attempts to access the data processing system;
  
  analyzing means, responsive to said file containing said data on failed attempts to access the data processing system, for analyzing said data to identify user IDs and hosts from which failed authorized attempts occurred; and
  
  placing means, responsive to a user ID having an absence of a successful access attempt, for placing the user ID and an associated host in a file.
- View Dependent Claims (32, 33)
- - 32. The data processing system of claim 31, further comprising:
33. The data processing system of claim 32, wherein the destination is identified by an email address.

34. A data processing system for identifying unauthorized access attempts to a data processing system, the data processing system comprising:
- monitoring means for periodically checking a file for data for a presence of failed access attempts within the file;
  
  analyzing means, responsive to the file containing data on failed access attempts, for analyzing the data to identify user IDs and hosts from which failed authorized attempts occurred; and
  
  placing means, responsive to a user ID having an absence of a successful access attempt, for placing the user ID and an associated host in a file.
- View Dependent Claims (35, 36)
- - 35. The data processing system of claim 34, further comprising:
36. The data processing system of claim 35, wherein the means of removing the data comprises replacing the file with a new file, which is empty.

37. A computer program product in a computer readable medium for identifying unauthorized attempts to access a data processing system, the computer program product comprising:
- first instructions for recording data in a file each time an attempt to access the data processing system has failed;
  
  second instructions for monitoring said file used to contain said data on failed attempts to access the data processing system; and
  
  third instructions, responsive to said file containing said data on failed attempts to access the data processing system, for analyzing the data to identify candidates for unauthorized access attempts.

38. A computer program product in a computer readable medium for identifying unauthorized access attempts to a data processing system, the computer program product comprising:
- first instructions for recording data in a file each time an attempt to access the data processing system has failed;
  
  second instructions for monitoring said file used to contain said data on failed attempts to access the data processing system;
  
  third instructions, responsive to said file containing said data on failed attempts to access the data processing system, for analyzing said data to identify user IDs and hosts from which failed authorized attempts occurred; and
  
  fourth instructions, responsive to a user ID having an absence of a successful access attempt, for placing the user ID and an associated host in a file.

39. A distributed data processing system comprising:
- a network;
  
  a plurality of clients connected to the network;
  
  a server connected to the network, wherein the server stores a set of data for unsuccessful access attempts, checks for a presence of unsuccessful access attempts in response to a request to check for unauthorized attempts, analyzes the set of data to identify candidates for unauthorized access attempts, and responsive to an identification of a candidate for unauthorized access, sends a notification containing information about the candidate.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Patel, Maulin Ishwarbhai, Canestaro, Christopher Lawrence, Hamilton, Rick A. II, Langford, John Steven
Primary Examiner(s)
Darrow, Justin T.

Application Number

US09/335,291
Time in Patent Office

1,818 Days
Field of Search

713/194, 713/200, 713/201, 709/224, 709/225, 707/9
US Class Current

726/26
CPC Class Codes

G06F 21/552 involving long-term monitor...

H04L 63/10 for controlling access to d...

Method and apparatus for detection and notification of unauthorized access attempts in a distributed data processing system

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

38 Citations

39 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for detection and notification of unauthorized access attempts in a distributed data processing system

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

38 Citations

39 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links