Method and apparatus for monitoring a network data processing system

US 7,093,297 B2
Filed: 06/27/2002
Issued: 08/15/2006
Est. Priority Date: 06/27/2002
Status: Active Grant

First Claim

Patent Images

1. A method in a data processing system for identifying unauthorized users, the method comprising:

monitoring for user actions in an audit for an indication an unauthorized user logged into the data processing system with a valid user identifier and a valid password;

comparing a user action to selected activities to determine whether the user action is a selected user action;

responsive to the user action being the selected user action, initiating a process to analyze the selected user action, wherein the process determines whether the selected user action is from an unauthorized user; and

responsive to the selected being from an unauthorized user, initiating an action to handle an unauthorized access.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method, apparatus, and computer instructions for identifying unauthorized users. User actions are monitored in an audit for an indication an unauthorized user logged into the data processing system with a valid user identifier and a valid password. An action is initiated in response to an indication of an unauthorized user.

8 Citations

View as Search Results

24 Claims

1. A method in a data processing system for identifying unauthorized users, the method comprising:
- monitoring for user actions in an audit for an indication an unauthorized user logged into the data processing system with a valid user identifier and a valid password;
  
  comparing a user action to selected activities to determine whether the user action is a selected user action;
  
  responsive to the user action being the selected user action, initiating a process to analyze the selected user action, wherein the process determines whether the selected user action is from an unauthorized user; and
  
  responsive to the selected being from an unauthorized user, initiating an action to handle an unauthorized access.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1 further comprising:
    - initiating a program to monitor user actions for a series of selected user actions to authorize a user logged into the data processing system with a valid user identifier and a valid password; and
      
      determining whether to authorize the user as a trusted user, wherein the user is authorized as a trusted user if the series of selected user actions occur.
  - 3. The method of claim 2, wherein the program is a script.
  - 4. The method of claim 1 further comprising:
    - recording the user actions to form the audit.
  - 5. The method of claim 1 further comprising:
    - maintaining a configuration file, wherein the configuration file includes an identification of a program associated with the selected user action for use in analyzing the selected user action to determine whether the user is an authorized user logged into the data processing system with a valid user identifier and a valid password.
  - 6. The method of claim 1wherein the process is a script.
  - 7. The method of claim 1 further comprising:
    - analyzing a series of user actions to determine whether actions taken by a user are consistent with user actions by an authorized user, wherein user actions are stored in a history for the user.
  - 8. The method of claim 1 further comprising:
    - responsive to detecting an unauthorized user, logging off the unauthorized user; and
      
      responsive to detecting an unauthorized user, changing the password to a backup password.

9. A method in a data processing system for handling unauthorized access to a network data processing system, the method comprising:
- recording user actions for each user logged into the network data processing system, wherein an audit is formed;
  
  monitoring for a pattern of user actions indicating a user is an unauthorized user;
  
  analyzing the pattern of user actions to determine whether the user is unauthorized user, wherein the pattern of user actions is processed by a script; and
  
  initiating a security action if the user is identified as an unauthorized user.
- View Dependent Claims (10)
- - 10. The method of claim 9, wherein the security action includes at least one of suspending access by the user, sending an alert to a system administrator, and tracing the user.

11. A data processing system for identifying unauthorized users, the data processing system comprising:
- a bus system;
  
  a communications unit connected to the bus system;
  
  a memory connected to the bus system, wherein the memory includes a set of instructions; and
  
  a processing unit connected to the bus system, wherein the processing unit executes the set of instructions to monitor for user actions in an audit for an indication an unauthorized user logged into the data processing system with a valid user identifier and a valid password;
  
  compare a user action to selected activities to determine whether the user action is a selected user action;
  
  responsive to the user action being the selected user action, initiate a program to analyze the selected user action, wherein the process determines whether the selected user action is form an unauthorized user; and
  
  initiate an action to handle an unauthorized access in response to the selected action being from an unauthorized user, wherein an unauthorized user is logged off the system and the password is changed to a backup password.

12. A data processing system for handling unauthorized access to a network data processing system, the data processing system comprising:
- a bus system;
  
  a communications unit connected to the bus system;
  
  a memory connected to the bus system, wherein the memory includes a set of instructions; and
  
  a processing unit connected to the bus system, wherein the processing unit executes the set of instructions to record user actions for each user logged into the network data processing system in which an audit is formed;
  
  monitor for a pattern of user actions indicating a user is an unauthorized user;
  
  analyze the pattern of user actions to determine whether the user is an unauthorized user, wherein the pattern of user actions is processed by a script;
  
  initiate a security action if the user is identified as an unauthorized user, wherein an unauthorized user is logged off the system and a password for the user is changed to a backup password.

13. A data processing system for identifying unauthorized users, the data processing system comprising:
- monitoring means for monitoring for user actions in an audit for an indication an unauthorized user logged into the data processing system with a valid user identifier and a valid password;
  
  comparing means for comparing a user action to selected activities to determine whether the user action is a selected action;
  
  initiating means for initiating a process to analyze the selected user action in response to the user action being the selected user action, wherein the process determines whether the selected user action is from an unauthorized user; and
  
  initiating means, responsive to the selected action being from an unauthorized user, initiating an action to handle an unauthorized access.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20)
- - 14. The data processing system of claim 13, further comprising:
    - initiating a program to monitor user actions for a series of selected user actions to authorize a user logged into the data processing system with a valid user identifier and a valid password; and
      
      determining whether to authorize the user as a trusted user, wherein the user is authorized as a trusted authorized user if the series of selected user actions occur.
  - 15. The data processing system of claim 14, wherein the program is a script.
  - 16. The data processing system of claim 13 further comprising:
    - recording means for recording the user actions to form the audit.
  - 17. The data processing system of claim 13 further comprising:
    - maintaining means for maintaining a configuration file, wherein the configuration file includes an identification of a program associated with the selected user action for use in analyzing the selected user action to determine whether the user is an unauthorized user logged into the data processing system with a valid user identifier and a valid password.
  - 18. The data processing system of claim 13 wherein the process is a script.
  - 19. The data processing system of claim 13 further comprising:
    - analyzing a series of user actions to determine whether actions taken by a user are consistent with user actions by an authorized user, wherein user actions are stored in a history for the user.
  - 20. The data processing system of claim 13 further comprising:
    - logging means, responsive to detecting an unauthorized user, for logging off the unauthorized user; and
      
      changing means, responsive to detecting an unauthorized user, for changing the password to a backup password.

21. A data processing system for handling unauthorized access to a network data processing system, the data processing system comprising:
- recording means for recording user actions for each user logged into the network data processing system, wherein an audit is formed;
  
  monitoring means for monitoring for a pattern of user actions indicating a user is an unauthorized user;
  
  analyzing means for analyzing the pattern of user actions to determine whether the user is an unauthorized user, wherein the pattern of user actions is processed by a script; and
  
  initiating means for initiating a security action if the user is identified as an unauthorized user.
- View Dependent Claims (22)
- - 22. The data processing system of claim 21, wherein the security action includes at least one of suspending access by the user, sending an alert to a system administrator, and tracing the user.

23. A computer program product in a computer readable medium for identifying unauthorized users, the computer program product comprising:
- first instructions for monitoring for user actions in an audit for an indication an unauthorized user logged into the data processing system with a valid user identifier and a valid password;
  
  second instructions for comparing a user action to selected activities to determine whether the user action is a selected user action;
  
  third instructions, responsive to the user action being the selected user action, for initiating a process to analyze the selected user action, wherein the process determines whether the selected user action is from an unauthorized user; and
  
  fourth instructions, responsive to the selected action being from an unauthorized user, for initiating an action to handle an unauthorized access.

24. A computer program product in a computer readable medium for handling unauthorized access to a network data processing system, the computer program product comprising:
- first instructions for recording user actions for each user logged into the network data processing system, wherein an audit is formed;
  
  second instructions for monitoring for a pattern of user actions indicating a user is an unauthorized user;
  
  third instruction means for analyzing the pattern of user actions to determine whether the user is an unauthorized user, wherein the pattern of user actions is processed by a script andfourth instructions for initiating a security action if the user is identified as an unauthorized user.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Moore, Lawrence Martin
Primary Examiner(s)
Smithers, Matthew
Assistant Examiner(s)
FIELDS, COURTNEY D

Application Number

US10/185,690
Publication Number

US 20040003294A1
Time in Patent Office

1,510 Days
Field of Search

726/21, 726/22, 726/23, 726/26, 726/27, 726/28, 726/2, 713/187, 713/188, 713/193, 713/194
US Class Current

726/26
CPC Class Codes

G06F 21/316 by observing the pattern of...

G06F 21/552 involving long-term monitor...

Method and apparatus for monitoring a network data processing system

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

8 Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for monitoring a network data processing system

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

8 Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links