Method and apparatus for detecting unauthorized-access, and computer product

US 8,166,553 B2
Filed: 10/26/2004
Issued: 04/24/2012
Est. Priority Date: 05/28/2002
Status: Expired due to Fees

First Claim

Patent Images

1. An unauthorized-access detecting apparatus that detects unauthorized access to a server that provides a service via a network, the unauthorized-access detecting apparatus comprising:

a storing unit that stores an unauthorized-access event string including a series of process requests made by an unauthorized user in past times, and a transition probability and a time interval between two consecutive process requests included in the unauthorized-access event string;

a receiving unit that receives a process request from a user; and

a judging unit that judges whether an unauthorized access occurs or not by comparing the unauthorized-access event string stored in the storing unit with an event string including a series of process requests received by the receiving unit, and, when it is determined that the event string matches with at least a portion of the unauthorized-access event string, estimates an occurrence time of the unauthorized access by adding time intervals between process requests included in the unauthorized-access event string and estimates a probability of an occurrence of the unauthorized access by multiplying transition probabilities between process requests included in the unauthorized-access event string.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An unauthorized-access detecting apparatus that detects unauthorized access to a server that provides a service via a network includes a storing unit that stores a series of process request, which is made by an unauthorized user via an unauthorized client, as an unauthorized-access event string; and a judging unit that compares a new process request with the unauthorized-access event string stored in the storing unit, and judges whether the process request is the unauthorized access based on a result of comparison.

Citations

21 Claims

1. An unauthorized-access detecting apparatus that detects unauthorized access to a server that provides a service via a network, the unauthorized-access detecting apparatus comprising:
- a storing unit that stores an unauthorized-access event string including a series of process requests made by an unauthorized user in past times, and a transition probability and a time interval between two consecutive process requests included in the unauthorized-access event string;
  
  a receiving unit that receives a process request from a user; and
  
  a judging unit that judges whether an unauthorized access occurs or not by comparing the unauthorized-access event string stored in the storing unit with an event string including a series of process requests received by the receiving unit, and, when it is determined that the event string matches with at least a portion of the unauthorized-access event string, estimates an occurrence time of the unauthorized access by adding time intervals between process requests included in the unauthorized-access event string and estimates a probability of an occurrence of the unauthorized access by multiplying transition probabilities between process requests included in the unauthorized-access event string.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The unauthorized-access detecting apparatus according to claim 1, further comprising a notifying unit to forecast an attack by a user based on results of the adding and multiplying performed by the judging unit, and notifies the attack forecasted and a countermeasure against the attack.
  - 3. The unauthorized-access detecting apparatus according to claim 1, further comprising:
    - an unauthorized-client storing unit to store a client that made the process request of the unauthorized access as an unauthorized client; and
      
      an unauthorized-client rejecting unit to reject the process request from the unauthorized client stored in the unauthorized-client storing unit.
  - 4. The unauthorized-access detecting apparatus according to claim 1, whereinan event includes either of a single process request and a plurality of process requests, andthe unauthorized-access event string includes a plurality of the events.
  - 5. The unauthorized-access detecting apparatus according to claim 4, whereinthe storing unit to further store an unauthorized-access event tree that branches according to the transition probability between the events including respective process requests made by an unauthorized user, andthe judging unit to further compare the past series of process requests with the unauthorized-access event tree.
  - 6. The unauthorized-access detecting apparatus according to claim 4, further comprising:
    - a data storing unit to store unauthorized-access data that relates to the unauthorized access;
      
      a history storing unit to store all the process requests to the server as a process history; and
      
      a creating unit to create the unauthorized-access event string using the unauthorized-access data and the process history.
  - 7. The unauthorized-access detecting apparatus according to claim 6, further comprising an access-event master table that contains a degree of significance of the event predefined for each of the events, whereinthe creating unit to further create the unauthorized-access event string based on the degree of significance of the event.

8. An unauthorized-access detecting method comprising:
- storing an unauthorized-access event string including a series of process requests made by an unauthorized user in past times, and a transition probability and a time interval between two consecutive process requests included in the unauthorized-access event string;
  
  receiving a process request from a user;
  
  judging whether an unauthorized access occurs or not by comparing the unauthorized-access event string stored, with an event string including a series of process requests received from the user;
  
  estimating, when it is determined that the event string matches with at least a portion of the unauthorized-access event string, a probability of an occurrence of the unauthorized access by multiplying a plurality of transition probabilities between process requests included in the unauthorized-access event string; and
  
  estimating, when it is determined that the event string matches with at least a portion of the unauthorized-access event string, an occurrence time of the unauthorized access by adding together a plurality of time intervals between process requests included in the unauthorized-access event string.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The unauthorized-access detecting method according to claim 8, further comprisingforecasting an attack by a user based on the probability of and the time until the occurrence of the fraudulent act estimated;
    - andnotifying the attack forecasted and a countermeasure against the attack.
  - 10. The unauthorized-access detecting method according to claim 8, further comprisingstoring a client that made the process request of the unauthorized access as an unauthorized client;
    - andrejecting the process request from the unauthorized client stored.
  - 11. The unauthorized-access detecting method according to claim 8, whereinan event includes either of a single process request and a plurality of process requests, andthe unauthorized-access event string includes a plurality of the events.
  - 12. The unauthorized-access detecting method according to claim 11, whereinthe storing includes storing an unauthorized-access event tree that branches according to the transition probability between the events including respective process requests made by a user that is unauthorized;
    - andthe comparing includes comparing the past series of process requests with the unauthorized-access event tree.
  - 13. The unauthorized-access detecting method according to claim 11, further comprisingstoring unauthorized-access data that relates to the unauthorized access;
    - storing all the process requests to the server as a process history; and
      
      creating the unauthorized-access event string using the unauthorized-access data and the process history.
  - 14. The unauthorized-access detecting method according to claim 13, wherein the creating includes creating the unauthorized-access event string based on a degree of significance of the event.

15. A non-transitory computer-readable recording medium that stores a computer program for detecting an unauthorized-access, the computer program makes the computer execute:
- storing an unauthorized-access event string including a series of process requests made by an unauthorized user in past times, and a transition probability and a time interval between two consecutive process requests included in the unauthorized-access event string;
  
  receiving a process request from a user;
  
  judging whether an unauthorized access occurs or not by comparing the unauthorized-access event string stored, with an event string including a series of process requests received from the user;
  
  estimating, when it is determined that the event string matches with at least a portion of the unauthorized-access event string, a probability of an occurrence of the unauthorized access by multiplying a plurality of transition probabilities between process requests included in the unauthorized-access event string; and
  
  estimating, when it is determined that the event string matches with at least a portion of the unauthorized-access event string, an occurrence time of the unauthorized access by adding together a plurality of time intervals between process requests included in the unauthorized-access event string.
- View Dependent Claims (16, 17, 18, 19, 20, 21)
- - 16. The non-transitory computer-readable recording medium according to claim 15, wherein the computer program further makes the computer execute forecasting an attack by a user based on the probability of and the time until the occurrence of the fraudulent act estimated;
    - and notifying the attack forecasted and a countermeasure against the attack.
  - 17. The non-transitory computer-readable recording medium according to claim 15, wherein the computer program further makes the computer execute storing a client that made the process request of the unauthorized access as an unauthorized client;
    - and rejecting the process request from the unauthorized client stored.
  - 18. The non-transitory computer-readable recording medium according to claim 15, wherein an event includes either of a single process request and a plurality of process requests, and the unauthorized-access event string includes a plurality of the events.
  - 19. The non-transitory computer-readable recording medium according to claim 18, wherein the storing includes storing an unauthorized-access event tree that branches according to the transition probability between the events including respective process requests made by a user that is unauthorized;
    - and the comparing includes comparing the past series of process requests with the unauthorized-access event tree.
  - 20. The non-transitory computer-readable recording medium according to claim 18, wherein the computer program further makes the computer execute storing unauthorized-access data that relates to the unauthorized access;
    - storing all the process requests to the server as a process history; and
      
      creating the unauthorized-access event string using the unauthorized-access data and the process history.
  - 21. The non-transitory computer-readable recording medium according to claim 20, wherein the creating includes creating the unauthorized-access event string based on a degree of significance of the event.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fujitsu Limited
Original Assignee
Fujitsu Limited
Inventors
Kubota, Kazumi
Primary Examiner(s)
Flynn, Nathan
Assistant Examiner(s)
WRIGHT, BRYAN F

Application Number

US10/972,436
Publication Number

US 20050086538A1
Time in Patent Office

2,737 Days
Field of Search

713/189, 713/168
US Class Current

726/26
CPC Class Codes

G06F 21/552   involving long-term monitor...

G06F 2221/2101   Auditing as a secondary aspect

G06Q 20/10   specially adapted for elect...

G06Q 40/03   Credit; Loans; Processing t...

H04L 63/1416   Event detection, e.g. attac...

Method and apparatus for detecting unauthorized-access, and computer product

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for detecting unauthorized-access, and computer product

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links