Real-time security monitoring using cross-channel event processor

US 9,800,615 B2
Filed: 09/09/2014
Issued: 10/24/2017
Est. Priority Date: 09/09/2014
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method of computer system security monitoring:

deploying a first event monitoring agent and a second event monitoring agent across an enterprise-wide computing system wherein the first event monitoring agent monitors events occurring at a first event generator accessed by a first device of a first type via a first portal into the enterprise-wide computing system and wherein the second event monitoring agent monitors events occurring at a second event generator accessed by a second device of a second type different from the first type via a second portal into the enterprise-wide computing system;

connecting the first and second event monitoring agents to an event processing server;

receiving, at the event processing server, first event information generated by the first event monitoring agent describing a first event that occurred at the first event generator in response to a first communication received from the first device via the first portal;

receiving, at the event processing server, second event information generated by the second event monitoring agent describing a second event that occurred at the second event generator in response to a second communication received from the second device via the second portal;

performing, by the event processing server, a security analysis that comprises applying a security policy to the first event information and the second event information and performing a predictive analysis on the first event information and the second event information to obtain a security prediction score that quantifies a likelihood that the first event and the second event correspond to a potential security issue, wherein performing the predictive analysis includes comparing a sequence of the first event, the first event including a transaction amount at least a predetermined percentage over an average amount of a transaction, and the second event, the second event including a transaction amount at least the predetermined percentage over the average amount of a transaction, and a time between the occurrence of the first event and the second event, to one or more event patterns,wherein the security prediction score is based on a similarity of the first event and the second event to the one or more event patterns;

determining, by the event processing server, that the security prediction score is above a predetermined threshold; and

executing, by the event processing server, a security response based on the security analysis performed and the determining that the security prediction score is above a predetermined threshold.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Aspects described herein provide systems and methods for computer system security monitoring. Multiple event monitoring agents may be deployed across an enterprise-wide computing system such that each event monitoring agent monitors at least one event generator of the enterprise-wide computing system. The event monitoring agents may be connected to an event processing server. The event processing server may receive event information generated by the event monitoring agents that describe events occurring at the event generators. The event processing server may perform a security analysis on at least a portion of the event information received that includes applying a security policy to the event information. The event processing server may execute a security response based on the security analysis performed such as, for example, a response specified in the security policy applied.

Citations

14 Claims

1. A computer-implemented method of computer system security monitoring:
- deploying a first event monitoring agent and a second event monitoring agent across an enterprise-wide computing system wherein the first event monitoring agent monitors events occurring at a first event generator accessed by a first device of a first type via a first portal into the enterprise-wide computing system and wherein the second event monitoring agent monitors events occurring at a second event generator accessed by a second device of a second type different from the first type via a second portal into the enterprise-wide computing system;
  
  connecting the first and second event monitoring agents to an event processing server;
  
  receiving, at the event processing server, first event information generated by the first event monitoring agent describing a first event that occurred at the first event generator in response to a first communication received from the first device via the first portal;
  
  receiving, at the event processing server, second event information generated by the second event monitoring agent describing a second event that occurred at the second event generator in response to a second communication received from the second device via the second portal;
  
  performing, by the event processing server, a security analysis that comprises applying a security policy to the first event information and the second event information and performing a predictive analysis on the first event information and the second event information to obtain a security prediction score that quantifies a likelihood that the first event and the second event correspond to a potential security issue, wherein performing the predictive analysis includes comparing a sequence of the first event, the first event including a transaction amount at least a predetermined percentage over an average amount of a transaction, and the second event, the second event including a transaction amount at least the predetermined percentage over the average amount of a transaction, and a time between the occurrence of the first event and the second event, to one or more event patterns,wherein the security prediction score is based on a similarity of the first event and the second event to the one or more event patterns;
  
  determining, by the event processing server, that the security prediction score is above a predetermined threshold; and
  
  executing, by the event processing server, a security response based on the security analysis performed and the determining that the security prediction score is above a predetermined threshold.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1 wherein the first and second event generators are selected from the group consisting of:
    - i) an interactive voice response system, ii) a financial transaction system, iii) an account maintenance system, iv) an application server, and v) a software application installed at a workstation.
  - 3. The method of claim 1 further comprising:
    - creating, by the event processing server, a first event record in an event database corresponding to the first event information; and
      
      creating, by the event processing server, a second event record in the event database corresponding to the second event information.
  - 4. The method of claim 1 wherein:
    - receiving the first event information comprises receiving a first event notification from the first event monitoring agent; and
      
      receiving the second event information comprises receiving a second event notification from the second event monitoring agent.
  - 5. The method of claim 1 wherein:
    - the first event information comprises first event log information saved to a first event log by the first event monitoring agent; and
      
      the second event information comprises second event log information saved to a second event log by the second event monitoring agent.
  - 6. The method of claim 1 wherein executing the security response comprises issuing, to at least one of the first or second event monitoring agents, an instruction to halt at least one of the first event or the second event.
  - 7. The method of claim 6 wherein executing the security response further comprises transmitting a notification to an individual associated with a security monitoring team.

8. A system for computer system security monitoring comprising:
- a plurality of event generators operating at an enterprise-wide computing system, the plurality of event generators comprising a first event generator accessed by a first device of a first type via a first portal into the enterprise-wide computing system and a second event generator accessed by a second device of a second type different from the first type via a second portal into the enterprise-wide computing system;
  
  a first event monitoring agent that monitors events occurring at the first event generator;
  
  a second event monitoring agent that monitors events occurring at the second event generator; and
  
  an event processing server in signal communication with the first and second event monitoring agents wherein the event processing server comprises memory storing computer-readable instructions that, when executed, cause the event processing server to;
  
  i) receive first event information generated by the first event monitoring agent that describes a first event that occurred at the first event generator,ii) receive second event information generated by the second event monitoring agent that describes a second event that occurred at the second event generator,iii) perform a security analysis that includes applying a security policy to the first event information and the second event information, and performing predictive analysis on the first event information and the second event information to obtain a security prediction score that quantifies a likelihood that the first event and the second event correspond to a potential security issue, wherein the predictive analysis is performed by comparing a sequence of the first event, the first event including a transaction amount at least a predetermined percentage over an average amount of a transaction, and the second event, the second event including a transaction amount at least the predetermined percentage over the average amount of a transaction, and a time between the occurrence of the first event and the second event to one or more event patterns, and wherein the security prediction score is based on similarity of the first event and the second event to the one or more event patterns,iv) determining that the security prediction score is above a predetermined threshold,v) executing a security response based on the security analysis performed and the determining that the security prediction score is above a predetermined threshold.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The system of claim 8 wherein the first and second event generators are selected from the group consisting of:
    - a) an interactive voice response system, b) a financial transaction system, c) an account maintenance system, d) an application server, and e) a software application installed at a workstation.
  - 10. The system of claim 8 wherein:
    - the instructions, when executed, further cause the event processing server tovi) create a first event record in an event database corresponding to the first event information, andvii) create a second event record in the event database corresponding to the second event information.
  - 11. The system of claim 8 wherein:
    - the first event information comprises a first event notification received from the first event monitoring agent; and
      
      the second event information comprises a second event notification received from the second event monitoring agent.
  - 12. The system of claim 8 wherein:
    - the first event information comprises first event log information saved to a first event log by the first event monitoring agent; and
      
      the second event information comprises second event log information saved to a second event log by the second event monitoring agent.
  - 13. The system of claim 8 wherein:
    - the instructions, when executed, further cause the event processing server tovi) execute the security response by issuing an instruction to at least one of the first or second event monitoring agents to halt at least one of the first event or the second event.
  - 14. The system of claim 13 wherein:
    - the instructions, when executed, further cause the event processing server tovii) further execute the security response by transmitting a notification to an individual associated with a security monitoring team.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Bank of America Corp.
Original Assignee
Bank of America Corp.
Inventors
Iyer, Shankar, Castro, Edison M., Krishnamoorthy, Sundar
Primary Examiner(s)
Zee, Edward
Assistant Examiner(s)
NGUY, CHI D

Application Number

US14/481,223
Publication Number

US 20160072840A1
Time in Patent Office

1,141 Days
Field of Search

726 1, 726 22- 25
US Class Current
CPC Class Codes

H04L 63/1408 by monitoring network traff...

H04L 63/20 for managing network securi...

Real-time security monitoring using cross-channel event processor

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

14 Claims

Specification

Solutions

Use Cases

Quick Links

Real-time security monitoring using cross-channel event processor

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

14 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links