System and method of fraud and misuse detection using event logs

US 9,202,189 B2
Filed: 12/10/2013
Issued: 12/01/2015
Est. Priority Date: 05/31/2005
Status: Active Grant

First Claim

Patent Images

1. A method of detecting improper access of business information in a customer relationship management (CRM) computer environment, the method comprising:

analyzing audit log data representing at least one of transactions or activities of an authorized user having access to the business information in the CRM computer environment, the business information including at least one of a customer record or a prospective customer record, to determine at least one of a number of accesses by the authorized user to the CRM computer environment or a time interval of access by the authorized user to the CRM computer environment;

generating a rule for monitoring the analyzed audit log data, the rule comprising at least one criterion specifying at least one of a specific volume threshold of access by the authorized user to the CRM computer environment, or a predetermined time interval of access by the authorized user to the CRM computer environment;

applying the rule to the analyzed audit log data to determine if an event has occurred, the event occurring if at least one of the number of accesses by the authorized user to the CRM computer environment exceeds an allowed access count corresponding to the specific volume threshold or the time interval of access by the authorized user to the CRM computer environment overlaps the predetermined time interval;

storing, in a memory, a hit if the event has occurred; and

providing notification if the event has occurred.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method are provided for detecting fraud and/or misuse of data in a computer environment through generating a rule for monitoring at least one of transactions and activities that are associated with the data. The rule can be generated based on one or more criteria related to the at least one of the transactions and the activities that is indicative of fraud or misuse of the data. The rule can be applied to the at least one of the transactions and the activities to determine if an event has occurred, where the event occurs if the at least one criteria has been met. A hit is stored in the event has occurred and a notification can be provided if the event has occurred. A compilation of hits related to the rule can be provided.

38 Citations

View as Search Results

30 Claims

1. A method of detecting improper access of business information in a customer relationship management (CRM) computer environment, the method comprising:
- analyzing audit log data representing at least one of transactions or activities of an authorized user having access to the business information in the CRM computer environment, the business information including at least one of a customer record or a prospective customer record, to determine at least one of a number of accesses by the authorized user to the CRM computer environment or a time interval of access by the authorized user to the CRM computer environment;
  
  generating a rule for monitoring the analyzed audit log data, the rule comprising at least one criterion specifying at least one of a specific volume threshold of access by the authorized user to the CRM computer environment, or a predetermined time interval of access by the authorized user to the CRM computer environment;
  
  applying the rule to the analyzed audit log data to determine if an event has occurred, the event occurring if at least one of the number of accesses by the authorized user to the CRM computer environment exceeds an allowed access count corresponding to the specific volume threshold or the time interval of access by the authorized user to the CRM computer environment overlaps the predetermined time interval;
  
  storing, in a memory, a hit if the event has occurred; and
  
  providing notification if the event has occurred.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method as claimed in claim 1, wherein the specific volume threshold is a configurable or statistically derived number of business information accesses.
  - 3. The method as claimed in claim 1, wherein the specific volume threshold is at least 50 business information accesses.
  - 4. The method as claimed in claim 1, wherein the specific volume threshold is at least 50 business information accesses and the pre-determined time interval is configurable.
  - 5. The method as claimed in claim 1, further comprising at least one criterion related to forwarding the accessed business information to a personal account of a specific user.
  - 6. The method as claimed in claim 5, wherein the specific user is accessing business information having an owner of the record indication which is a user other than the specific user.
  - 7. The method as claimed in claim 5, wherein the specific user is remotely located from the storage location of the business information.
  - 8. The method as claimed in claim 7, wherein the specific user is accessing the business information via at least one of a virtual private network or an extranet.
  - 9. The method as claimed in claim 7, wherein the business information is maintained in a customer relationship management application.
  - 10. The method as claimed in claim 1, wherein the notification of event occurrence is provided to at least one of a human resources department, security team or responsible person.
  - 11. The method as claimed in claim 1, wherein access of a specific user is automatically suspended if the event has occurred.
  - 12. The method as claimed in claim 1, wherein the rule comprises at least two of the criterion.

13. A non-transitory computer-readable medium with computer-executable instructions embodied thereon for performing a method of detecting improper access of business information in a customer relationship management (CRM) computer environment, the method comprising:
- analyzing audit log data representing at least one of transactions or activities of an authorized user having access to the business information in the CRM computer environment, the business information including at least one of a customer record or a prospective customer record, to determine at least one of a number of accesses by the authorized user to the CRM computer environment or a time interval of access by the authorized user to the CRM computer environment;
  
  providing a selection of at least one criterion specifying a specific volume threshold of access by an authorized user to the CRM computer environment, or a pre-determined time interval of access by the authorized user to the CRM computer environment;
  
  providing a selection for a schedule for application of a rule to the analyzed audit log data;
  
  applying the rule to the analyzed audit log data according to the selected schedule to determine if at least one of the number of accesses by the authorized user to the CRM computer environment exceeds an allowed access count corresponding to the specific volume threshold or the time interval of access by the authorized user to the CRM computer environment overlaps the predetermined time interval;
  
  storing a hit if the event has occurred; and
  
  providing a notification if the event has occurred.
- View Dependent Claims (14, 15, 16, 17, 18, 19)
- - 14. The medium as claimed in claim 13, wherein the specific volume threshold is a predetermined number of business information accesses.
  - 15. The medium as claimed in claim 13, wherein the specific volume threshold is at least 50 business information accesses and the pre-determined time interval is configurable.
  - 16. The medium as claimed in claim 13, further comprising at least one criterionrelated to forwarding the accessed business information to a personal account of a specific user.
  - 17. The method as claimed in claim 16, wherein the specific user is accessing business information having an owner of the record indication which is a user other than the specific user.
  - 18. The method as claimed in claim 13, wherein the business information is maintained in a customer relationship management application.
  - 19. The method as claimed in claim 13, wherein the rule comprises at least two of the criterion.

20. A system for detecting improper access of business information in a customer relationship management (CRM) computer environment, the system comprising:
- a user interface for selection of at least one criterion specifying a specific volume threshold of access by an authorized user to the CRM computer environment, or a pre-determined time interval of access by the authorized user to the CRM computer environment, the authorized user having a predefined role comprising authorized computer access to the business information, and for selection of a schedule for application of a rule for monitoring the audit log date;
  
  a microprocessor in communication with the user interface and having access to the audit log data, the microprocessor generating the rule based at least in part on the at least one criterion selected and applying the rule to the audit log data according to the schedule selected in order to determine if an event has occurred,wherein the event occurs if the at least one criterion has been met,wherein the microprocessor stores a hit if the event has occurred,wherein the microprocessor provides notification if the event has occurred, and whereinthe microprocessor generates a compilation of hits related to the rule.

21. A method of detecting improper access of a pre-identified record in a customer relationship management (CRM) computer environment, the method comprising:
- applying a rule for monitoring audit log data to determine if an event has occurred, the event occurring if at least one criterion has been met, the at least one criterion specifying a specific volume threshold of access by an authorized user to the CRM computer environment, or a pre-determined time interval of access by the authorized user to the CRM computer environment, the rule comprising the at least one criterion related to access of a pre-identified record, that is indicative of improper access of the pre-identified record by a authorized user, the authorized user having a pre-defined role comprising authorized computer access to the pre-identified record;
  
  storing, in a memory, a hit if the event has occurred; and
  
  providing notification if the event has occurred.
- View Dependent Claims (22, 23, 24, 25, 26, 27, 28, 29, 30)
- - 22. The method as claimed in claim 21, wherein the pre-identified record is associated with an entity identified as a very important person (VIP).
  - 23. The method as claimed in claim 21, wherein the pre-identified record is associated with an entity identified as a famous person.
  - 24. The method as claimed in claim 21, wherein the pre-identified record is associated with a neighbor of the authorized user.
  - 25. The method as claimed in claim 21, wherein the pre-identified record is associated with a relative of the authorized user.
  - 26. The method as claimed in claim 21, wherein the authorized user is accessing the pre-identified record having an owner other than the authorized user.
  - 27. The method as claimed in claim 21, wherein the authorized user is remotely located from the storage location of the pre-identified record.
  - 28. The method as claimed in claim 21, wherein the authorized user is accessing the pre-identified record via at least one of a virtual private network or an extranet.
  - 29. The method as claimed in claim 21, wherein the pre-identified record is maintained in a customer relationship management application.
  - 30. The method as claimed in claim 21, wherein the rule comprises at least two of the criterion.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fairwarning IP LLC
Original Assignee
Fairwarning IP LLC
Inventors
Long, Kurt James
Primary Examiner(s)
Okeke, Izunna
Assistant Examiner(s)
WRIGHT, BRYAN F

Application Number

US14/102,017
Publication Number

US 20140188548A1
Time in Patent Office

721 Days
Field of Search

726/1
US Class Current

1/1
CPC Class Codes

G06F 21/316   by observing the pattern of...

G06F 21/50   Monitoring users, programs ...

G06F 21/55   Detecting local intrusion o...

G06F 21/554   involving event detection a...

G06F 21/60   Protecting data

G06F 21/6218   to a system of files or obj...

G06F 2221/034   Test or assess a computer o...

G06Q 10/06   Resources, workflows, human...

G06Q 10/0635   Risk analysis of enterprise...

Y02A 90/10   Information and communicati...

System and method of fraud and misuse detection using event logs

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

38 Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

System and method of fraud and misuse detection using event logs

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

38 Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links