Detection of account hijacking in a social network

US 8,646,073 B2
Filed: 05/18/2011
Issued: 02/04/2014
Est. Priority Date: 05/18/2011
Status: Active Grant

First Claim

Patent Images

1. A method of protecting a user of a social network, comprising the steps of:

(a) monitoring activity of the user on the social network during a baseline monitoring period to determine a baseline activity record, said monitoring including;

if an instance of said activity is suspicious, asking the user whether said instance is a normal activity instance of said user;

(b) monitoring activity of the user on the social network subsequent to said baseline monitoring period;

(c) determining whether said activity of the user on the social network subsequent to said baseline monitoring deviates sufficiently from said baseline activity record to indicate abuse of the user'"'"'s account on the social network; and

(d) if said activity of the user on the social network subsequent to said baseline monitoring deviates sufficiently from said baseline activity record to indicate abuse of the user'"'"'s account on the social network;

mitigating said abuse.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

To protect a user of a social network, the user'"'"'s activity is monitored during a baseline monitoring period to determine a baseline activity record. If subsequently monitored activity of the user deviates sufficiently from the baseline activity record to indicate abuse (hijacking) of the user'"'"'s account, the abuse is mitigated, for example by notifying the user of the abuse. Monitored activity includes posting links, updating statuses, sending messages, and changing a profile. Monitoring also includes logging times of the user activity. Monitoring anomalous profile changes does not need a baseline.

Citations

26 Claims

1. A method of protecting a user of a social network, comprising the steps of:
- (a) monitoring activity of the user on the social network during a baseline monitoring period to determine a baseline activity record, said monitoring including;
  
  if an instance of said activity is suspicious, asking the user whether said instance is a normal activity instance of said user;
  
  (b) monitoring activity of the user on the social network subsequent to said baseline monitoring period;
  
  (c) determining whether said activity of the user on the social network subsequent to said baseline monitoring deviates sufficiently from said baseline activity record to indicate abuse of the user'"'"'s account on the social network; and
  
  (d) if said activity of the user on the social network subsequent to said baseline monitoring deviates sufficiently from said baseline activity record to indicate abuse of the user'"'"'s account on the social network;
  
  mitigating said abuse.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24)
- - 2. The method of claim 1 wherein said activity includes posting links.
  - 3. The method of claim 2, wherein said monitoring includes monitoring a frequency of said posting.
  - 4. The method of claim 2, wherein said monitoring includes classifying said links among a plurality of classes and calculating statistics of said links in at least one of said classes.
  - 5. The method of claim 4, where said classes are selected from the group consisting of neutral, news, shopping, gambling, drugs, terror, xenophobia, adult, malware, hacking, criminal activity and child abuse.
  - 6. The method of claim 2, wherein said monitoring includes monitoring respective distributions of said links and calculating statistics of said distributions.
  - 7. The method of claim 2, wherein said mitigating includes posting a disclaimer of at least one of said links.
  - 8. The method of claim 1, wherein said activity includes status updates.
  - 9. The method of claim 8, wherein said monitoring includes classifying words used in said status updates among a plurality of classes and calculating statistics of said words in at least one of said classes.
  - 10. The method of claim 9, wherein said classes are selected from the group consisting of neutral, racist, obscene, psychopathological, suicidal and cyberbullying.
  - 11. The method of claim 8, wherein said mitigating includes posting a disclaimer of at least one of said status updates.
  - 12. The method of claim 1, wherein said activity includes sending messages.
  - 13. The method of claim 12, wherein said monitoring includes classifying words used in said messages among a plurality of classes and calculating statistics of said words in at least one of said classes.
  - 14. The method of claim 13, wherein said classes are selected from the group consisting of neutral, racist, obscene, psychopathological, suicidal and cyberbullying.
  - 15. The method of claim 12, wherein said mitigating includes sending a disclaimer of at least one said message.
  - 16. The method of claim 1, wherein said activity includes changing a profile and wherein said monitoring includes monitoring a frequency of said changing.
  - 17. The method of claim 1, wherein said activity includes changing at least one entry in a profile and wherein said monitoring subsequent to said baseline monitoring includes checking a consistency of said changing of said at least one entry with a prior configuration of said profile.
  - 18. The method of claim 1, wherein said monitoring includes logging times of said activity and calculating statistics of said times.
  - 19. The method of claim 1, wherein said mitigating includes notifying the user of said abuse.
  - 20. The method of claim 1, wherein said monitoring includes calculating joint statistics on at least one respective aspect of each of two modes of said activity.
  - 21. The method of claim 20, wherein said two modes are posting links and status updates, and wherein said at least one respective aspect of said posting of said statuses includes at least one class of words that are used in said statuses.
  - 22. The method of claim 20, wherein said two modes are posting links and sending messages, and wherein said at least one respective aspect of said sending of said messages includes at least one class of words that are used in said messages.
  - 23. The method of claim 1, wherein said suspicious instance of said activity includes posting a link from a suspicious category.
  - 24. The method of claim 1, wherein said suspicious instance of said activity includes sending a message that includes at least one forbidden word.

25. A system for managing a social network, comprising:
- (a) a memory for storing code for protecting a user of the social network by;
  
  (i) monitoring activity of said user on the social network during a baseline monitoring period to determine a baseline activity record, said monitoring including;
  
  if an instance of said activity is suspicious, asking the user whether said instance is a normal activity instance of said user,(ii) monitoring activity of said user on the social network subsequent to said baseline monitoring period,(iii) determining whether said activity of said user on the social network subsequent to said baseline monitoring deviates sufficiently from said baseline activity record to indicate abuse of said user'"'"'s account on the social network, and(iv) if said activity of said user on the social network subsequent to said baseline monitoring deviates sufficiently from said baseline activity record to indicate abuse of said user'"'"'s account on the social network;
  
  mitigating said abuse; and
  
  (b) a processor for executing said code.

26. A non-transitory computer-readable storage medium having embodied thereon computer-readable code for protecting a user of a social network, the computer-readable code comprising:
- (a) program code for monitoring activity of the user on the social network during a baseline monitoring period to determine a baseline activity record, said monitoring including;
  
  if an instance of said activity is suspicious, asking the user whether said instance is a normal activity instance of said user;
  
  (b) program code for monitoring activity of the user on the social network subsequent to said baseline monitoring period;
  
  (c) program code for determining whether said activity of the user on the social network subsequent to said baseline monitoring deviates sufficiently from said baseline activity record to indicate abuse of the user'"'"'s account on the social network; and
  
  (d) program code for;
  
  if said activity of the user on the social network subsequent to said baseline monitoring deviates sufficiently from said baseline activity record to indicate abuse of the user'"'"'s account on the social network;
  
  mitigating said abuse.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Check Point Software Technologies Limited
Original Assignee
Check Point Software Technologies Limited
Inventors
Raviv, Gil
Primary Examiner(s)
Nalven, Andrew
Assistant Examiner(s)
Mehrmanesh, Amir

Application Number

US13/110,017
Publication Number

US 20120297477A1
Time in Patent Office

993 Days
Field of Search

726 22- 25, 726 1- 7, 705/30, 705 38- 41, 709/224
US Class Current

726/22
CPC Class Codes

G06F 21/00   Security arrangements for p...

G06F 21/316   by observing the pattern of...

G06F 21/554   involving event detection a...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 67/02   based on web technology, e....

H04L 67/306   User profiles

Detection of account hijacking in a social network

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

26 Claims

Specification

Solutions

Use Cases

Quick Links

Detection of account hijacking in a social network

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

26 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links