Methods, systems and computer program products for monitoring user behavior for a server application
First Claim
1. A method for detecting abnormal activity of a server application user, the method comprising:
- (a) measuring a predetermined activity of a server application user over a first predetermined time for generating a first measurement;
(b) measuring the predetermined activity of the server application user over a second predetermined time for generating a second measurement; and
(c) determining whether the first and second measurements deviate a predetermined amount to detect abnormal activity for the server application user,wherein the predetermined activity comprises web page requests.
3 Assignments
0 Petitions
Accused Products
Abstract
Methods, systems and computer program products are disclosed for monitoring user behavior for a server application in a computer network. The methods, systems, and computer program products can monitor communication data between a server application and a client. The methods, systems, and computer program products can also include applying one or more detectors to the communication data to identify a variety of predetermined activity. Further, the methods, systems, and computer program products can include generating a threat score associated with the predetermined activity by comparing the identified predetermined activity with a security threshold criteria.
-
Citations
54 Claims
-
1. A method for detecting abnormal activity of a server application user, the method comprising:
-
(a) measuring a predetermined activity of a server application user over a first predetermined time for generating a first measurement; (b) measuring the predetermined activity of the server application user over a second predetermined time for generating a second measurement; and (c) determining whether the first and second measurements deviate a predetermined amount to detect abnormal activity for the server application user, wherein the predetermined activity comprises web page requests. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
-
-
10. A method for detecting abnormal activity of a server application user, the method comprising:
-
(a) measuring a predetermined activity of a server application user over a first predetermined time for generating a first measurement; (b) measuring the predetermined activity of the server application user over a second predetermined time for generating a second measurement; and (c) determining whether the first and second measurements deviate a predetermined amount to detect abnormal activity for the server application user, wherein the predetermined activity comprises a server application request, and wherein the server application request is a hypertext transfer protocol (HTTP) request.
-
-
11. A method for detecting abnormal activity of a server application user, the method comprising:
-
(a) measuring a predetermined activity of a server application user over a first predetermined time for generating a first measurement; (b) measuring the predetermined activity of the server application user over a second predetermined time for generating a second measurement; and (c) determining whether the first and second measurements deviate a predetermined amount to detect abnormal activity for the server application user, wherein the predetermined activity comprises failed web page requests. - View Dependent Claims (12)
-
-
13. A system for detecting abnormal activity of a server application user, the system comprising:
-
(a) a network interface for receiving communication data of a predetermined activity of a server application user over a first and second predetermined time, respectively; and (b) a detector operable to generate a first and second measurement of the predetermined activity for the first and second predetermined times, respectively, and operable to determine whether the first and second measurements deviate a predetermined amount to detect abnormal activity for the server application user, wherein the predetermined activity comprises web page requests. - View Dependent Claims (14, 15, 16, 17, 18, 19, 20, 21, 22, 23)
-
-
24. A system for detecting abnormal activity of a server application user, the system comprising:
-
(a) a network interface for receiving communication data of a predetermined activity of a server application user over a first and second predetermined time, respectively; and (b) a detector operable to generate a first and second measurement of the predetermined activity for the first and second predetermined times, respectively, and operable to determine whether the first and second measurements deviate a predetermined amount to detect abnormal activity for the server application user, wherein the predetermined activity comprises a server application request, and wherein the server application request is a hypertext transfer protocol (HTTP) request.
-
-
25. A computer program product comprising computer-executable instructions embodied in a computer-readable medium for performing steps comprising:
-
(a) measuring a predetermined activity of a server application user over a first predetermined time for generating a first measurement; (b) measuring the predetermined activity of the server application user over a second predetermined time for generating a second measurement; and (c) determining whether the first and second measurements deviate a predetermined amount to detect abnormal activity for the server application user, wherein the predetermined activity comprises web page requests. - View Dependent Claims (26, 27, 28, 29, 30, 31, 32, 33, 34, 35)
-
-
36. A computer program product comprising computer-executable instructions embodied in a computer-readable medium for performing steps comprising:
-
(a) measuring a predetermined activity of a server application user over a first predetermined time for generating a first measurement; (b) measuring the predetermined activity of the server application user over a second predetermined time for generating a second measurement; and (c) determining whether the first and second measurements deviate a predetermined amount to detect abnormal activity for the server application user, wherein the predetermined activity comprises a server application request, and wherein the server application request is a hypertext transfer protocol (HTTP) request.
-
-
37. A method for detecting abnormal activity of a server application user, the method comprising:
-
(a) measuring a predetermined activity of a plurality of server application users over a first predetermined time for generating a first measurement; (b) measuring the predetermined activity of a first server application user over a second predetermined time for generating a second measurement; and (c) determining whether the first and second measurements deviate a predetermined amount to detect abnormal activity for the first server application user, wherein the predetermined activity comprises web page requests. - View Dependent Claims (38, 39, 40, 41, 42)
-
-
43. A system for detecting abnormal activity of a server application user, the system comprising:
-
(a) a network interface for receiving communication data of a predetermined activity of a first server application user and a selected plurality of server application users over a first and second predetermined time, respectively; and (b) a detector operable to generate a first and second measurement of the predetermined activity for the first and second predetermined times, respectively, and operable to determine whether the first and second measurements deviate a predetermined amount to detect abnormal activity for the first server application user, wherein the predetermined activity comprises web page requests. - View Dependent Claims (44, 45, 46, 47, 48)
-
-
49. A computer program product comprising computer-executable instructions embodied in a computer-readable medium for performing steps comprising:
-
(a) measuring a predetermined activity of a plurality of server application users over a first predetermined time for generating a first measurement; (b) measuring the predetermined activity of a first server application user over a second predetermined time for generating a second measurement; and (c) determining whether the first and second measurements deviate a predetermined amount to detect abnormal activity for the first server application user wherein the predetermined activity comprises web page requests. - View Dependent Claims (50, 51, 52, 53, 54)
-
Specification