System and method for monitoring computing servers for possible unauthorized access

US 9,300,679 B1
Filed: 12/16/2013
Issued: 03/29/2016
Est. Priority Date: 12/16/2013
Status: Active Grant

First Claim

Patent Images

1. A system, comprising:

one or more VoIP servers, each configured and arranged to provide respective VoIP services to remote users; and

a processing circuit communicatively-coupled to the one or more VoIP servers and configured and arranged to;

monitor data transactions of at least one server, of the one or more VoIP servers, that is associated with a user account, the user account having a security policy;

detect a flag set in at least one data packet of the data transactions of the at least one VoIP server;

analyze, in response to detecting the flag, a VoIP call corresponding to the at least one data packet for characteristics of the data transactions that correspond to a call loop;

determine a threat level as a function of one or more characteristics of the data transactions, including the characteristics of the data transactions that correspond to a call loop, and one or more conditions of the security policy, each of the one or more conditions being indicative of unauthorized access when satisfied by the one or more characteristics; and

in response to the threat level exceeding a first threshold level indicated in the security policy of the user account, send a notification to an authorized user of the user account.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system is provided that includes one or more computing servers and a processing circuit for monitoring data transactions of the computing servers. Each of the computing servers is configured to provide respective services to remote users. The processing circuit is configured to monitor data transactions of at least one of the computing servers, which is associated with a user account. A security policy of the user account includes a set of conditions that are indicative of unauthorized access when the conditions are satisfied by various characteristics of the monitored data. The processing circuit is configured to determine a threat level based on the characteristics of the data transactions and the conditions of the security policy. In response to the threat level exceeding a first threshold level indicated in the security policy of the user account, the processing circuit sends a notification to an authorized user of the user account.

37 Citations

View as Search Results

19 Claims

1. A system, comprising:
- one or more VoIP servers, each configured and arranged to provide respective VoIP services to remote users; and
  
  a processing circuit communicatively-coupled to the one or more VoIP servers and configured and arranged to;
  
  monitor data transactions of at least one server, of the one or more VoIP servers, that is associated with a user account, the user account having a security policy;
  
  detect a flag set in at least one data packet of the data transactions of the at least one VoIP server;
  
  analyze, in response to detecting the flag, a VoIP call corresponding to the at least one data packet for characteristics of the data transactions that correspond to a call loop;
  
  determine a threat level as a function of one or more characteristics of the data transactions, including the characteristics of the data transactions that correspond to a call loop, and one or more conditions of the security policy, each of the one or more conditions being indicative of unauthorized access when satisfied by the one or more characteristics; and
  
  in response to the threat level exceeding a first threshold level indicated in the security policy of the user account, send a notification to an authorized user of the user account.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18)
- - 2. The system of claim 1, wherein the processing circuit is further configured and arranged to:
    - in response to the monitored data transactions exhibiting characteristics indicative of a system problem, send a notification to the authorized user of the user account.
  - 3. The system of claim 2, wherein the processing circuit is further configured and arranged to in further response to the monitored data transactions exhibiting characteristics indicative of a system problem:
    - determine if the system problem is a server-side problem or a user-side problem;
      
      in response to determining that the system problem is a server-side problem, send a notification to the authorized user of the user account; and
      
      in response to determining that the system problem is a user-side problem, of one of the remote users corresponding to one of the monitored data transactions, send a notification to the remote user.
  - 4. The system of claim 2, wherein the characteristics indicative of a system problem include call jitter, dropped data packets, and network connectivity.
  - 5. The system of claim 1, wherein the processing circuit is configured and arranged to determine the threat level based on a number of the conditions of the security policy that are satisfied by the one or more characteristics of the data transactions.
  - 6. The system of claim 1, wherein the one or more conditions of the security policy indicative of unauthorized access includes a condition that is satisfied by a frequency of data transactions exceeding a threshold indicated in the security policy.
  - 7. The system of claim 1, wherein the one or more conditions of the security policy indicative of unauthorized access includes a condition that is satisfied by a size of a data transaction exceeding a threshold transaction size in the security policy.
  - 8. The system of claim 1, wherein the one or more conditions of a security policy indicative of unauthorized access includes a condition that is satisfied by exceeding a daily data transfer limit indicated in the security policy.
  - 9. The system of claim 1, wherein the one or more conditions of a security policy indicative of unauthorized access includes a condition that is satisfied by a frequency of data transactions surpassing a stored average for the account by a threshold indicated in the security policy.
  - 10. The system of claim 1, wherein the one or more conditions of a security policy indicative of unauthorized access includes a condition that is satisfied by detecting a user logged in to the at least one server from an IP address outside of an IP address range specified by the security policy.
  - 11. The system of claim 1, wherein the one or more conditions of a security policy indicative of unauthorized access includes a condition that is satisfied by a number of failed login attempts exceeding a limit indicated in the security policy.
  - 12. The system of claim 1, wherein the processing circuit is configured and arranged to determine the threat level as a function of a sensitivity level of files/folders that are accessed.
  - 13. The system of claim 1, wherein the processing circuit is configured and arranged to determine the threat level as a function of a direction of the data transactions, wherein the threat level as the function of the direction of the data transactions includes a higher threat level for a download of data than a threat level for an upload of data and a higher threat level for an outgoing call than a threat level for an incoming call.
  - 14. The system of claim 1, wherein the processing circuit is configured and arranged to determine the threat level as a function of IP location of a user initiating the data transactions.
  - 15. The system of claim 1, wherein the processing circuit is further configured and arranged to, respond to the threat level exceeding a second threshold level indicated in the security policy, perform one or more automated tasks to prevent further unauthorized access to the at least one server, the one or more automated tasks including disabling a remote service provided by the at least one server.
  - 16. The system of claim 1, wherein the processing circuit is configured and arranged to send the notification by sending one or more types of messages including:
    - an SMS text message to a number listed in the security policy, an automated voice call to a number listed in the security policy, an email to an email address listed in the security policy, and a social network message.
  - 17. The system of claim 1, wherein the notification provides a mechanism to allow the authorized user to select from one or more possible actions.
  - 18. The system of claim 1, wherein the processing circuit is further configured and arranged to:
    - provide an internet based graphical user interface (GUI); and
      
      modify the security policy in response to user input via the GUI.

19. A method, comprising the steps of:
- monitoring data transactions of a VoIP server corresponding to a user account, the user account having a security policy;
  
  detecting a flag set in at least one data packet of the data transactions of the at VoIP server;
  
  analyzing, in response to detecting the flag, a VoIP call corresponding to the at least one data packet for characteristics of the data transactions that correspond to a call loop;
  
  determining a threat level of the VoIP server as a function of one or more characteristics of the data transactions, including the characteristics of the data transactions that correspond to a call loop, and one or more conditions of the security policy that are indicative of unauthorized access;
  
  in response to the threat level exceeding a first threshold level indicated in the security policy of the user account, sending a notification to an authorized user of the user account indicating that the threat level has been exceeded; and
  
  wherein processing circuitry is communicatively coupled to the VoIP server and configured and arranged to perform the above steps.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
8X8, Inc.
Original Assignee
8X8, Inc.
Inventors
Martin, Bryan, Liu, Zhishen, Zhao, Qing
Primary Examiner(s)
THIAW, CATHERINE B

Application Number

US14/107,656
Time in Patent Office

834 Days
Field of Search
US Class Current

1/1
CPC Class Codes

H04L 63/102   Entity profiles

H04L 63/1408   by monitoring network traff...

H04L 63/1433   Vulnerability analysis

H04L 63/20   for managing network securi...

System and method for monitoring computing servers for possible unauthorized access

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

37 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for monitoring computing servers for possible unauthorized access

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

37 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links