Methods, systems and computer program products for monitoring user behavior for a server application

US 7,373,524 B2
Filed: 02/24/2004
Issued: 05/13/2008
Est. Priority Date: 02/24/2004
Status: Active Grant

First Claim

Patent Images

1. A method for detecting abnormal activity of a server application user, the method comprising:

(a) measuring a predetermined activity of a server application user over a first predetermined time for generating a first measurement;

(b) measuring the predetermined activity of the server application user over a second predetermined time for generating a second measurement; and

(c) determining whether the first and second measurements deviate a predetermined amount to detect abnormal activity for the server application user,wherein the predetermined activity comprises web page requests.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods, systems and computer program products are disclosed for monitoring user behavior for a server application in a computer network. The methods, systems, and computer program products can monitor communication data between a server application and a client. The methods, systems, and computer program products can also include applying one or more detectors to the communication data to identify a variety of predetermined activity. Further, the methods, systems, and computer program products can include generating a threat score associated with the predetermined activity by comparing the identified predetermined activity with a security threshold criteria.

Citations

54 Claims

1. A method for detecting abnormal activity of a server application user, the method comprising:
- (a) measuring a predetermined activity of a server application user over a first predetermined time for generating a first measurement;
  
  (b) measuring the predetermined activity of the server application user over a second predetermined time for generating a second measurement; and
  
  (c) determining whether the first and second measurements deviate a predetermined amount to detect abnormal activity for the server application user,wherein the predetermined activity comprises web page requests.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, comprising maintaining a log of the predetermined activity of the server application user over the first and second predetermined times.
  - 3. The method of claim 1, wherein the predetermined activity comprises a server application request.
  - 4. The method of claim 1, wherein the predetermined activity comprises failed login attempts.
  - 5. The method of claim 1, wherein the predetermined activity comprises login time.
  - 6. The method of claim 1, wherein the web page requests are hypertext transfer protocol (HTTP) requests.
  - 7. The method of claim 1, wherein the second measurement is an average count of web page requests for communication sessions between the server application user and a server application.
  - 8. The method of claim 1, wherein the second measurement is an average count of web page requests between the server application user and a server application during a time interval.
  - 9. The method of claim 1, wherein the predetermined activity comprises session duration.

10. A method for detecting abnormal activity of a server application user, the method comprising:
- (a) measuring a predetermined activity of a server application user over a first predetermined time for generating a first measurement;
  
  (b) measuring the predetermined activity of the server application user over a second predetermined time for generating a second measurement; and
  
  (c) determining whether the first and second measurements deviate a predetermined amount to detect abnormal activity for the server application user,wherein the predetermined activity comprises a server application request, andwherein the server application request is a hypertext transfer protocol (HTTP) request.

11. A method for detecting abnormal activity of a server application user, the method comprising:
- (a) measuring a predetermined activity of a server application user over a first predetermined time for generating a first measurement;
  
  (b) measuring the predetermined activity of the server application user over a second predetermined time for generating a second measurement; and
  
  (c) determining whether the first and second measurements deviate a predetermined amount to detect abnormal activity for the server application user,wherein the predetermined activity comprises failed web page requests.
- View Dependent Claims (12)
- - 12. The method of claim 11, wherein the second measurement is an average count of failed web page requests for communication sessions between the server application user and a server application.

13. A system for detecting abnormal activity of a server application user, the system comprising:
- (a) a network interface for receiving communication data of a predetermined activity of a server application user over a first and second predetermined time, respectively; and
  
  (b) a detector operable to generate a first and second measurement of the predetermined activity for the first and second predetermined times, respectively, and operable to determine whether the first and second measurements deviate a predetermined amount to detect abnormal activity for the server application user,wherein the predetermined activity comprises web page requests.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20, 21, 22, 23)
- - 14. The system of claim 13, comprising a log operable to maintain a record of the predetermined activity of the server application user over the first and second predetermined times.
  - 15. The system of claim 13, wherein the predetermined activity comprises a server application request.
  - 16. The system of claim 13, wherein the predetermined activity comprises failed login attempts.
  - 17. The system of claim 13, wherein the predetermined activity comprises login time.
  - 18. The system of claim 13, wherein the web page requests are hypertext transfer protocol (HTTP) requests.
  - 19. The system of claim 13, wherein the second measurement is an average count of web page requests for communication sessions between the server application user and a server application.
  - 20. The system of claim 13, wherein the second measurement is an average count of web page requests between the server application user and a server application during a time interval.
  - 21. The system of claim 13, wherein the predetermined activity comprises failed web page requests.
  - 22. The system of claim 21, wherein the second measurement is an average count of failed web page requests for communication sessions between the server application user and a server application.
  - 23. The system of claim 13, wherein the predetermined activity comprises session duration.

24. A system for detecting abnormal activity of a server application user, the system comprising:
- (a) a network interface for receiving communication data of a predetermined activity of a server application user over a first and second predetermined time, respectively; and
  
  (b) a detector operable to generate a first and second measurement of the predetermined activity for the first and second predetermined times, respectively, and operable to determine whether the first and second measurements deviate a predetermined amount to detect abnormal activity for the server application user,wherein the predetermined activity comprises a server application request, andwherein the server application request is a hypertext transfer protocol (HTTP) request.

25. A computer program product comprising computer-executable instructions embodied in a computer-readable medium for performing steps comprising:
- (a) measuring a predetermined activity of a server application user over a first predetermined time for generating a first measurement;
  
  (b) measuring the predetermined activity of the server application user over a second predetermined time for generating a second measurement; and
  
  (c) determining whether the first and second measurements deviate a predetermined amount to detect abnormal activity for the server application user,wherein the predetermined activity comprises web page requests.
- View Dependent Claims (26, 27, 28, 29, 30, 31, 32, 33, 34, 35)
- - 26. The computer program product of claim 25, comprising maintaining a log of the predetermined activity of the server application user over the first and second predetermined times.
  - 27. The computer program product of claim 25, wherein the predetermined activity comprises a server application request.
  - 28. The computer program product of claim 25, wherein the predetermined activity comprises failed login attempts.
  - 29. The computer program product of claim 25, wherein the predetermined activity comprises login time.
  - 30. The computer program product of claim 25, wherein the web page requests are hypertext transfer protocol (HTTP) requests.
  - 31. The computer program product of claim 25, wherein the second measurement is an average count of web page requests for communication sessions between the server application user and a server application.
  - 32. The computer program product of claim 25, wherein the second measurement is an average count of web page requests between the server application user and a server application during a time interval.
  - 33. The computer program product of claim 25, wherein the predetermined activity comprises failed web page requests.
  - 34. The computer program product of claim 33, wherein the second measurement is an average count of failed web page requests for communication sessions between the server application user and a server application.
  - 35. The computer program product of claim 25, wherein the predetermined activity comprises session duration.

36. A computer program product comprising computer-executable instructions embodied in a computer-readable medium for performing steps comprising:
- (a) measuring a predetermined activity of a server application user over a first predetermined time for generating a first measurement;
  
  (b) measuring the predetermined activity of the server application user over a second predetermined time for generating a second measurement; and
  
  (c) determining whether the first and second measurements deviate a predetermined amount to detect abnormal activity for the server application user,wherein the predetermined activity comprises a server application request, andwherein the server application request is a hypertext transfer protocol (HTTP) request.

37. A method for detecting abnormal activity of a server application user, the method comprising:
- (a) measuring a predetermined activity of a plurality of server application users over a first predetermined time for generating a first measurement;
  
  (b) measuring the predetermined activity of a first server application user over a second predetermined time for generating a second measurement; and
  
  (c) determining whether the first and second measurements deviate a predetermined amount to detect abnormal activity for the first server application user,wherein the predetermined activity comprises web page requests.
- View Dependent Claims (38, 39, 40, 41, 42)
- - 38. The method of claim 37, comprising maintaining a log of the predetermined activity over the first and second predetermined times.
  - 39. The method of claim 37, wherein the web page requests are hypertext transfer protocol (HTTP) requests.
  - 40. The method of claim 37, wherein the second measurement is average count of web page requests for communication sessions between the server application user and a plurality of server applications.
  - 41. The method of claim 37, wherein the predetermined activity comprises session duration.
  - 42. The method of claim 37, wherein the second measurement is average session duration for communication sessions between the server application user and a plurality of server applications.

43. A system for detecting abnormal activity of a server application user, the system comprising:
- (a) a network interface for receiving communication data of a predetermined activity of a first server application user and a selected plurality of server application users over a first and second predetermined time, respectively; and
  
  (b) a detector operable to generate a first and second measurement of the predetermined activity for the first and second predetermined times, respectively, and operable to determine whether the first and second measurements deviate a predetermined amount to detect abnormal activity for the first server application user,wherein the predetermined activity comprises web page requests.
- View Dependent Claims (44, 45, 46, 47, 48)
- - 44. The system of claim 43, comprising a log for recording the predetermined activity over the first and second predetermined times.
  - 45. The system of claim 43, wherein the web page requests are hypertext transfer protocol (HTTP) requests.
  - 46. The system of claim 43, wherein the second measurement is average count of web page requests for communication sessions between the server application user and a plurality of server applications.
  - 47. The system of claim 43, wherein the predetermined activity comprises session duration.
  - 48. The system of claim 43, wherein the second measurement is average session duration for communication sessions between the server application user and a plurality of server applications.

49. A computer program product comprising computer-executable instructions embodied in a computer-readable medium for performing steps comprising:
- (a) measuring a predetermined activity of a plurality of server application users over a first predetermined time for generating a first measurement;
  
  (b) measuring the predetermined activity of a first server application user over a second predetermined time for generating a second measurement; and
  
  (c) determining whether the first and second measurements deviate a predetermined amount to detect abnormal activity for the first server application userwherein the predetermined activity comprises web page requests.
- View Dependent Claims (50, 51, 52, 53, 54)
- - 50. The computer program product of claim 49, comprising maintaining a log of the predetermined activity over the first and second predetermined times.
  - 51. The computer program product of claim 49, wherein the web page requests are hypertext transfer protocol (HTTP) requests.
  - 52. The computer program product of claim 49, wherein the second measurement is average count of web page requests for communication sessions between the server application user and a plurality of server applications.
  - 53. The computer program product of claim 49, wherein the predetermined activity comprises session duration.
  - 54. The computer program product of claim 49, wherein the second measurement is average session duration for communication sessions between the server application user and a plurality of server applications.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Covelight Systems, Inc. (Radware Limited)
Original Assignee
Covelight Systems, Inc. (Radware Limited)
Inventors
Logan, David Byron, Motsinger, David Lee, Wall, Virgil Montgomery Jr., Gramley, Kenneth Robert, Choy, Albert Ming, Hargett, Byron Lee, Somerville, Garth Douglas, Hester, Douglas Wayne
Primary Examiner(s)
Peeso; Thomas R.

Application Number

US10/785,132
Publication Number

US 20050188423A1
Time in Patent Office

1,540 Days
Field of Search

713/194, 713/188, 713/189, 713/193
US Class Current

713/194
CPC Class Codes

G06F 11/3419   by assessing time

G06F 11/3438   monitoring of user actions ...

G06F 2201/86   Event-based monitoring

G06F 2201/87   Monitoring of transactions

G06F 2201/875   Monitoring of systems inclu...

G06F 2201/88   Monitoring involving counting

H04L 63/0236   Filtering by address, proto...

H04L 63/0876   based on the identity of th...

H04L 63/1466   Active attacks involving in...

H04L 67/535   Tracking the activity of th...

Methods, systems and computer program products for monitoring user behavior for a server application

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

54 Claims

Specification

Solutions

Use Cases

Quick Links

Methods, systems and computer program products for monitoring user behavior for a server application

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

54 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links