Transaction-based intrusion detection

US 8,776,228 B2
Filed: 11/22/2011
Issued: 07/08/2014
Est. Priority Date: 11/22/2011
Status: Active Grant

First Claim

Patent Images

1. An intrusion detection system comprising a processor, and a memory with instructions which when executed by the processor cause the processor to perform a plurality of operations, the plurality of operations comprising:

receiving transaction information related to a current transaction between a client entity and a resource server;

accessing a database storing a plurality of transaction groups, wherein the transaction groups are formed based on a plurality of past transactions between a plurality of client entities and the resource server;

analyzing the received transaction information with respect to information related to at least one of the plurality of transaction groups associated with a user, the user associated with the current transaction;

based on said analyzing, determining a possibility of an occurrence of an intrusion act at the resource server; and

dynamically updating the plurality of transaction groups based at least on the received transaction information, wherein said dynamically updating comprises disassociating the user from the at least one of the plurality of transaction groups, associating the user with a transaction group other than the at least one of the plurality of transaction groups, or both;

obtaining identity information of the user; and

based on a determination that the intrusion act has occurred at the resource server, one or more selected from;

modifying access privileges of the user for accessing one or more of the plurality of client entities, the resource server, or a combination thereof,notifying an administrative entity about the intrusion act, orrecording the received transaction information, the identityinformation, or both, in a list of intrusion acts.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods are provided for intrusion detection. The systems and methods may include receiving transaction information related to one or more current transactions between a client entity and a resource server, accessing a database storing a plurality of transaction groups, analyzing the received transaction information with respect to information related to at least one of the plurality of transaction groups, and based on said analyzing, determining a possibility of an occurrence of an intrusion act at the resource server. The transaction groups may be formed based on a plurality of past transactions between a plurality of client entities and the resource server. Identity information of a user associated with the one or more current transactions may also be received along with the transaction information. The user may be associated with at least one of the plurality of transaction groups.

Citations

18 Claims

1. An intrusion detection system comprising a processor, and a memory with instructions which when executed by the processor cause the processor to perform a plurality of operations, the plurality of operations comprising:
- receiving transaction information related to a current transaction between a client entity and a resource server;
  
  accessing a database storing a plurality of transaction groups, wherein the transaction groups are formed based on a plurality of past transactions between a plurality of client entities and the resource server;
  
  analyzing the received transaction information with respect to information related to at least one of the plurality of transaction groups associated with a user, the user associated with the current transaction;
  
  based on said analyzing, determining a possibility of an occurrence of an intrusion act at the resource server; and
  
  dynamically updating the plurality of transaction groups based at least on the received transaction information, wherein said dynamically updating comprises disassociating the user from the at least one of the plurality of transaction groups, associating the user with a transaction group other than the at least one of the plurality of transaction groups, or both;
  
  obtaining identity information of the user; and
  
  based on a determination that the intrusion act has occurred at the resource server, one or more selected from;
  
  modifying access privileges of the user for accessing one or more of the plurality of client entities, the resource server, or a combination thereof,notifying an administrative entity about the intrusion act, orrecording the received transaction information, the identityinformation, or both, in a list of intrusion acts.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The system of claim 1, wherein said analyzing comprises comparing the received transaction information with information related to the at least one of the plurality of transaction groups, andwherein said determining comprises determining that the intrusion act has occurred at the resource server, if, based on said comparing, at least a part of the received transaction information is different than at least a part of the information related to the at least one of the plurality of transaction groups.
  - 3. The system of claim 1, wherein said analyzing comprises comparing the received transaction information with information related to one or more of the plurality of transaction groups excluding the at least one of the plurality of transaction groups, andwherein said determining comprises determining that the intrusion act has occurred at the resource server, if, based on said comparing, at least a part of the received transaction information is similar to at least a part of the information related to a transaction group other than the at least one of the plurality of transaction groups.
  - 4. The system of claim 1, wherein said determining comprises determining that the intrusion act has occurred at the resource server, if, based on said analyzing, the received transaction information is different than information related to all of the plurality of transaction groups.
  - 5. The system of claim 1, wherein the current transaction comprises at least one selected from:
    - a banking transaction, a cloud computing transaction, or a web application transaction.
  - 6. The system of claim 1, wherein the transaction groups are formed based on a fuzzy clustering technique.

7. A computer-implemented method of intrusion detection, the method executed by a processor configured to perform a plurality of operations, the plurality of operations comprising:
- receiving transaction information related to a current transaction between a client entity and a resource server;
  
  accessing a database storing a plurality of transaction groups, wherein the transaction groups are formed based on a plurality of past transactions between a plurality of client entities and the resource server;
  
  analyzing the received transaction information with respect to information related to at least one of the plurality of transaction groups associated with a user, the user associated with the current transaction;
  
  based on said analyzing, determining a possibility of an occurrence of an intrusion act at the resource server; and
  
  dynamically updating the plurality of transaction groups based at least on the received transaction information, wherein said dynamically updating comprises disassociating the user from the at least one of the plurality of transaction groups, associating the user with a transaction group other than the at least one of the plurality of transaction groups, or both;
  
  obtaining identity information of the user; and
  
  based on a determination that the intrusion act has occurred at the resource server, one or more selected from;
  
  modifying access privileges of the user for accessing one or more of the plurality of client entities, the resource server, or a combination thereof,notifying an administrative entity about the intrusion act, orrecording the received transaction information, the identity information, or both, in a list of intrusion acts.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The method of claim 7, wherein said analyzing comprises comparing the received transaction information with information related to the at least one of the plurality of transaction groups, andwherein said determining comprises determining that the intrusion act has occurred at the resource server, if, based on said comparing, at least a part of the received transaction information is different than at least a part of the information related to the at least one of the plurality of transaction groups.
  - 9. The method of claim 7, wherein said analyzing comprises comparing the received transaction information with information related to one or more of the plurality of transaction groups excluding the at least one of the plurality of transaction groups, andwherein said determining comprises determining that the intrusion act has occurred at the resource server, if, based on said comparing, at least a part of the received transaction information is similar to at least a part of the information related to a transaction group other than the at least one of the plurality of transaction groups.
  - 10. The method of claim 7, wherein said determining comprises determining that the intrusion act has occurred at the resource server, if, based on said analyzing, the received transaction information is different than information related to all of the plurality of transaction groups.
  - 11. The method of claim 7, wherein the current transaction comprises at least one selected from:
    - a banking transaction, a cloud computing transaction, or a web application transaction.
  - 12. The method of claim 7, wherein the transaction groups are formed based on a fuzzy clustering technique.

13. A non-transitory computer-readable medium comprising computer-readable instructions, the computer-readable instructions when executed by a processor, causes the processor to carry out a plurality of operations, the plurality of operations comprising:
- receiving transaction information related to a current transaction between a client entity and a resource server;
  
  accessing a database storing a plurality of transaction groups, wherein the transaction groups are formed based on a plurality of past transactions between a plurality of client entities and the resource server;
  
  analyzing the received transaction information with respect to information related to at least one of the plurality of transaction groups associated with a user, the user associated with the current transaction;
  
  based on said analyzing, determining a possibility of an occurrence of an intrusion act at the resource server; and
  
  dynamically updating the plurality of transaction groups based at least on the received transaction information, wherein said dynamically updating comprises disassociating the user from the at least one of the plurality of transaction groups, associating the user with a transaction group other than the at least one of the plurality of transaction groups, or both;
  
  obtaining identity information of the user; and
  
  based on a determination that the intrusion act has occurred at the resource server, one or more selected from;
  
  modifying access privileges of the user for accessing one or more of the plurality of client entities, the resource server, or a combination thereof,notifying an administrative entity about the intrusion act, orrecording the received transaction information, the identity information, or both, in a list of intrusion acts.
- View Dependent Claims (14, 15, 16, 17, 18)
- - 14. The computer-readable medium of claim 13, wherein said analyzing comprises comparing the received transaction information with information related to the at least one of the plurality of transaction groups, andwherein said determining comprises determining that the intrusion act has occurred at the resource server, if, based on said comparing, at least a part of the received transaction information is different than at least a part of the information related to the at least one of the plurality of transaction groups.
  - 15. The computer-readable medium of claim 13, wherein said analyzing comprises comparing the received transaction information with information related to one or more of the plurality of transaction groups excluding the at least one of the plurality of transaction groups, andwherein said determining comprises determining that the intrusion act has occurred at the resource server, if, based on said comparing, at least a part of the received transaction information is similar to at least a part of the information related to a transaction group other than the at least one of the plurality of transaction groups.
  - 16. The computer-readable medium of claim 13, wherein said determining comprises determining that the intrusion act has occurred at the resource server, if, based on said analyzing, the received transaction information is different than information related to all of the plurality of transaction groups.
  - 17. The computer-readable medium of claim 13, wherein the current transaction comprises at least one selected from:
    - a banking transaction, a cloud computing transaction, or a web application transaction.
  - 18. The computer-readable medium of claim 13, wherein the transaction groups are formed based on a fuzzy clustering technique.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Inventors
Natarajan, Ramesh, Brown, Timothy Gordon, Gates, Carrie Elaine
Primary Examiner(s)
Mehedi, Morshed
Assistant Examiner(s)
LYNCH, SHARON S

Application Number

US13/302,395
Publication Number

US 20130133066A1
Time in Patent Office

959 Days
Field of Search

235/380, 705/51
US Class Current

726/23
CPC Class Codes

G06Q 20/4016   involving fraud or risk lev...

H04L 63/1408   by monitoring network traff...

Y10S 707/99933   Query processing, i.e. sear...

Transaction-based intrusion detection

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Transaction-based intrusion detection

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links