User behavior analyzer

US 9,529,777 B2
Filed: 10/26/2012
Issued: 12/27/2016
Est. Priority Date: 10/28/2011
Status: Active Grant

First Claim

Patent Images

1. A method for identifying abnormal client behavior with respect to communications between one or more servers and one or more client devices communicatively coupled to said one or more servers, the method comprising:

receiving a plurality of messages at a server from a plurality of client devices communicatively coupled to the server;

grouping the plurality of messages into subsets of messages using a learn module of said server, with each subset of messages associated with a unique client identifier and with all messages within a subset being associated with the same unique client identifier;

identifying each message within a subset of messages as belonging to a defined type of message;

recording sequences of said defined types of messages within each of said subsets of messages using said learn module;

measuring time intervals between said defined types of messages using said learn module;

generating a state machine configured to model communications designated as constituting normal client behavior for defined types of messages, wherein the state machine comprises a determined order of a sequence of states and transitions configured based, at least in part, on the recorded sequences of defined types of messages and the measured time intervals between said defined types of messages that constitute normal client behavior;

constructing a sequence of defined types of messages received from a client device using a detect module of said server;

comparing the constructed sequence of defined types of messages to the state machine;

calculating any differences between the constructed sequence and the state machine, wherein the differences are based, at least in part, on whether an order of the constructed sequence deviates from the determined order of the sequence of the state machine; and

in response to a determination that the constructed sequence differs from the state machine by more than a predetermined value or range of values, generating an output designating a constructed sequence as abnormal client behavior.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method is shown for identifying abnormal client behavior with respect to communications between one or more servers and one or more client devices communicatively coupled to the one or more servers. Messages are received at a server from one or more client devices communicatively coupled to the server. The plurality of messages are grouped into subsets of messages using a learn module of the server. Each subset of messages is associated with a unique client identifier, and all messages within a subset are associated with the same unique client identifier. Each message within a subset of messages is identified as belonging to a defined type of message. Sequences of the defined types of messages within each of said subsets of messages are recorded using the learn module. Time intervals between the defined types of messages are measured using the learn module. The recorded sequences of defined types of messages and the measured time intervals between the defined types of messages are designated as constituting normal client behavior.

Citations

18 Claims

1. A method for identifying abnormal client behavior with respect to communications between one or more servers and one or more client devices communicatively coupled to said one or more servers, the method comprising:
- receiving a plurality of messages at a server from a plurality of client devices communicatively coupled to the server;
  
  grouping the plurality of messages into subsets of messages using a learn module of said server, with each subset of messages associated with a unique client identifier and with all messages within a subset being associated with the same unique client identifier;
  
  identifying each message within a subset of messages as belonging to a defined type of message;
  
  recording sequences of said defined types of messages within each of said subsets of messages using said learn module;
  
  measuring time intervals between said defined types of messages using said learn module;
  
  generating a state machine configured to model communications designated as constituting normal client behavior for defined types of messages, wherein the state machine comprises a determined order of a sequence of states and transitions configured based, at least in part, on the recorded sequences of defined types of messages and the measured time intervals between said defined types of messages that constitute normal client behavior;
  
  constructing a sequence of defined types of messages received from a client device using a detect module of said server;
  
  comparing the constructed sequence of defined types of messages to the state machine;
  
  calculating any differences between the constructed sequence and the state machine, wherein the differences are based, at least in part, on whether an order of the constructed sequence deviates from the determined order of the sequence of the state machine; and
  
  in response to a determination that the constructed sequence differs from the state machine by more than a predetermined value or range of values, generating an output designating a constructed sequence as abnormal client behavior.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method according to claim 1, further including:
    - determining a range for the number of defined types of messages recorded in a recorded sequence of messages.
  - 3. The method according to claim 1, further including:
    - transforming measured time intervals between defined types of messages in the recorded sequences of defined types of messages using Fourier analysis to calculate an average expected frequency of each of the recorded sequences of defined types of messages.
  - 4. The method according to claim 1, wherein:
    - each defined type of message corresponds to a unique client behavior, and wherein the recording of a sequence of defined types of client behaviors by said learn module begins after a predetermined number of said defined types of client behaviors have been received by the server.
  - 5. The method according to claim 1, wherein:
    - the learn module analyzes a plurality of recorded sequences of defined types of messages and determines an average expectation of a particular type of message occurring in a recorded sequence based on a plurality of occurrences of the particular type of message in the plurality of recorded sequences.
  - 6. The method according to claim 5, wherein:
    - the learn module further determines an average expectation of a second particular type of message occurring next to a first particular type of message in a recorded sequence of messages based on a plurality of occurrences of the first and second particular types of messages occurring next to each other in the plurality of recorded sequences.

7. A method for classifying client behavior, the method comprising:
- receiving a plurality of messages from a client device;
  
  grouping the plurality of messages into subsets of messages;
  
  identifying each message within a subset of messages as belonging to a defined type of message;
  
  constructing a sequence of said defined types of messages for at least one of said subsets of messages;
  
  comparing the constructed sequence of the defined types of messages to a state machine, wherein the state machine is configured to model communications designated as constituting normal client behavior for the defined types of messages, wherein the state machine comprises a determined order of a sequence of states and transitions configured based, at least in part, on recorded sequences of the defined types of messages and measured time intervals between said defined types of messages that constitute normal client behavior;
  
  calculating any differences between the constructed sequence and the state machine, wherein the differences are based, at least in part, on whether an order of the constructed sequence deviates from the determined order of the sequence of the state machine; and
  
  in response to a determination that the constructed sequence differs from the state machine by more than a predetermined value or range of values, generating an output designating the constructed sequence as abnormal.
- View Dependent Claims (18)
- - 18. The method according to claim 7, wherein the plurality of messages from the client device is generated based, at least in part, on inputs to a user interface received by the client device.

8. An apparatus for identifying abnormal communications between a client and a game server, the apparatus comprising a hardware processor configured to implement modules comprising:
- a processing module configured to receive a plurality of messages from a client device;
  
  the processing module configured to group the plurality of messages into subsets of messages;
  
  the processing module configured to identify each message within a subset of messages as belonging to a defined type of message;
  
  the processing module configured to construct a sequence of said defined types of messages for at least one of said subsets of messages;
  
  the processing module configured to compare the constructed sequence of the defined types of messages to a state machine, wherein the state machine is configured to model communications designated as constituting normal client behavior for the defined types of messages, wherein the state machine comprises a determined order of a sequence of states and transitions configured based, at least in part, on recorded sequences of the defined types of messages and measured time intervals between said defined types of messages that constitute normal client behavior,the processing module configured to calculate any differences between the constructed sequence and the state machine, wherein the differences are based, at least in part, on whether an order of the constructed sequence deviates from the determined order of the sequence of the state machine; and
  
  the processing module configured to generate an output designating the constructed sequence as abnormal in response to a determination that the constructed sequence differs from the state machine by more than a predetermined value or range of values.
- View Dependent Claims (9, 10, 11, 12, 13)
- - 9. The apparatus according to claim 8, wherein:
    - the processing module is further configured to determine a range for the number of defined types of messages recorded in a recorded sequence of messages.
  - 10. The apparatus according to claim 8, wherein:
    - the processing module is further configured to transform measured time intervals between defined types of messages in the recorded sequences of defined types of messages using Fourier analysis to calculate an average expected frequency of each of the recorded sequences of defined types of messages.
  - 11. The apparatus according to claim 8, wherein:
    - each defined type of message corresponds to a unique client behavior, and wherein the recording of a sequence of defined types of client behaviors by said learn module begins after a predetermined number of said defined types of client behaviors have been received by the server.
  - 12. The apparatus according to claim 8, wherein:
    - the processing module is further configured to analyze a plurality of recorded sequences of defined types of messages and determine an average expectation of a particular type of message occurring in a recorded sequence based on a plurality of occurrences of the particular type of message in the plurality of recorded sequences.
  - 13. The apparatus according to claim 12, wherein:
    - the processing module is further configured to determine an average expectation of a second particular type of message occurring next to a first particular type of message in a recorded sequence of messages based on a plurality of occurrences of the first and second particular types of messages occurring next to each other in the plurality of recorded sequences.

14. A non-transitory computer-readable medium for use with a computer and encoded with program code, that when executed by a computer, causes the computer to:
- receive a plurality of messages from a client device;
  
  group the plurality of messages into subsets of messages;
  
  identify each message within a subset of messages as belonging to a defined type of message;
  
  construct a sequence of said defined types of messages for at least one of said subsets of messages;
  
  compare the constructed sequence of the defined types of messages to a state machine, wherein the state machine is configured to model communications designated as constituting normal client behavior for the defined types of messages, wherein the state machine comprises a determined order of a sequence of states and transitions configured based, at least in part, on recorded sequences of the defined types of messages and measured time intervals between said defined types of messages that constitute normal client behavior,calculate any differences between the constructed sequence and the state machine, wherein the differences are based, at least in part, on whether an order of the constructed sequence deviates from the determined order of the sequence of the state machine; and
  
  generate an output designating the constructed sequence as abnormal in response to a determination that the constructed sequence differs from the state machine by more than a predetermined value or range of values.
- View Dependent Claims (15, 16, 17)
- - 15. The non-transitory computer-readable medium according to claim 14, further comprising code, that when executed by a computer, causes the computer to:
    - determine a range for the number of defined types of messages recorded in a recorded sequence of messages.
  - 16. The non-transitory computer-readable medium according to claim 14, further comprising code, that when executed by a computer, causes the computer to:
    - transform measured time intervals between defined types of messages in the recorded sequences of defined types of messages using Fourier analysis to calculate an average expected frequency of each of the recorded sequences of defined types of messages.
  - 17. The non-transitory computer-readable medium according to claim 14, further comprising code, that when executed by a computer, causes the computer to:
    - record a sequence of defined types of client behaviors after a predetermined number of said defined types of client behaviors have been received from a client device by a server;
      
      analyze a plurality of recorded sequences of defined types of messages and determine an average expectation of a particular type of message occurring in a recorded sequence based on a plurality of occurrences of the particular type of message in the plurality of recorded sequences; and
      
      determine an average expectation of a second particular type of message occurring next to a first particular type of message in a recorded sequence of messages based on a plurality of occurrences of the first and second particular types of messages occurring next to each other in the plurality of recorded sequences.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Electronic Arts Incorporated
Original Assignee
Electronic Arts Incorporated
Inventors
Tjew, Andrew, Chan, Wilson
Primary Examiner(s)
BURGESS, BARBARA N

Application Number

US13/662,319
Publication Number

US 20130111019A1
Time in Patent Office

1,523 Days
Field of Search

709/203, 709/206, 709/207, 709/223, 709/224
US Class Current

1/1
CPC Class Codes

G06F 11/3447   Performance evaluation by m...

G06F 11/3672   Test management

G06F 21/00   Security arrangements for p...

G06F 9/541   via adapters, e.g. between ...

G06N 20/00   Machine learning

G06Q 10/06   Resources, workflows, human...

G06Q 10/0631   Resource planning, allocati...

H04L 41/14   Network analysis or design

H04L 43/045   for graphical visualisation...

H04L 63/10   for controlling access to d...

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1458   Denial of Service

H04L 65/1076   Screening of IP real time c...

H04L 67/01   Protocols

User behavior analyzer

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

User behavior analyzer

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links