System and method for detecting fraud and misuse of protected data by an authorized user using event logs

US 9,916,468 B2
Filed: 11/30/2015
Issued: 03/13/2018
Est. Priority Date: 05/31/2005
Status: Active Grant

First Claim

Patent Images

1. A method of detecting improper access of protected data by an authorized user, the method comprising:

extracting event data from an event log file including information associated with an attempt to access protected data, the extracting being performed by a computer system configured to recognize and parse the event data within the event log file for each of a plurality of different file formats to enable a monitoring system implemented by a processor to oversee user activity across a plurality of applications for determining the attempt to access the protected data is fraudulent or indicative of probable misuse;

normalizing the event data based on a predefined format;

processing the normalized event data to determine an identifier associated with the attempt to access the protected data, the identifier being indicative of one or more of an authorized user of a system associated with the protected data, a device used to attempt to access the protected data, an authorized user of the device used to attempt to access the protected data, a location of the device used to attempt to access the protected data, or a time of the attempt to access the protected data;

processing the normalized event data and the identifier to determine whether the attempt to access the protected data is fraudulent or indicative of probable misuse based on at least one rule applied by the monitoring system;

generating a notification based on a determination that the attempt to access the protected data is fraudulent or indicative of probable misuse; and

causing one or more of an alert based on the notification to be output to a display communicatively coupled with the monitoring system or to an electronic device communicatively coupled with the monitoring system,whereinthe monitoring system continuously processes the normalized event data and the identifier according to a predefined schedule, andthe event log file corresponds with an application of the plurality of applications accessible by the authorized user, each application of the plurality of applications has a corresponding event log file, and the event log file of each application of the plurality of applications has a file format of the plurality of different file formats.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method are provided for detecting fraud and/or misuse of data in a computer environment through generating a rule for monitoring at least one of transactions and activities that are associated with the data. The rule can be generated based on one or more criteria related to the at least one of the transactions and the activities that is indicative of fraud or misuse of the data. The rule can be applied to the at least one of the transactions and the activities to determine if an event has occurred, where the event occurs if the at least one criteria has been met. A hit is stored if the event has occurred and a notification can be provided if the event has occurred. A compilation of hits related to the rule can be provided.

Citations

19 Claims

1. A method of detecting improper access of protected data by an authorized user, the method comprising:
- extracting event data from an event log file including information associated with an attempt to access protected data, the extracting being performed by a computer system configured to recognize and parse the event data within the event log file for each of a plurality of different file formats to enable a monitoring system implemented by a processor to oversee user activity across a plurality of applications for determining the attempt to access the protected data is fraudulent or indicative of probable misuse;
  
  normalizing the event data based on a predefined format;
  
  processing the normalized event data to determine an identifier associated with the attempt to access the protected data, the identifier being indicative of one or more of an authorized user of a system associated with the protected data, a device used to attempt to access the protected data, an authorized user of the device used to attempt to access the protected data, a location of the device used to attempt to access the protected data, or a time of the attempt to access the protected data;
  
  processing the normalized event data and the identifier to determine whether the attempt to access the protected data is fraudulent or indicative of probable misuse based on at least one rule applied by the monitoring system;
  
  generating a notification based on a determination that the attempt to access the protected data is fraudulent or indicative of probable misuse; and
  
  causing one or more of an alert based on the notification to be output to a display communicatively coupled with the monitoring system or to an electronic device communicatively coupled with the monitoring system,whereinthe monitoring system continuously processes the normalized event data and the identifier according to a predefined schedule, andthe event log file corresponds with an application of the plurality of applications accessible by the authorized user, each application of the plurality of applications has a corresponding event log file, and the event log file of each application of the plurality of applications has a file format of the plurality of different file formats.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 19)
- - 2. The method of claim 1, wherein the protected data is a patient'"'"'s protected health information.
  - 3. The method of claim 1, wherein the protected data is business information associated with customer relationship management.
  - 4. The method of claim 1, wherein the normalized event data comprises one or more types of data including a time of the attempt to access the protected data, a user id, a type of the attempt to access the protected data, a request address, a target address, event text, or a status code.
  - 5. The method of claim 4, further comprising:
    - storing the normalized event data in a database,wherein the normalized event data is a first instance of a plurality of instances of normalized event data stored in the database, and at least one different instance of the plurality of instances of normalized event data comprises one or more different types of data.
  - 6. The method of claim 5, wherein the database comprises a list of authorized users of the system associated with the protected data, and the method further comprises:
    - establishing a behavioral profile for one or more of the authorized users of the system associated with the protected data, the behavioral profile including one or more instances of normalized event data associated with the one or more authorized users of the system associated with the protected data,wherein the at least one rule is a basis for determining if the attempt to access the protected data is consistent with the established behavioral profile, and the attempt to access the protected data is determined to be fraudulent or indicative of probable misuse if the attempt to access the protected data is inconsistent with the established behavioral profile.
  - 7. The method of claim 5, wherein processing the normalized event data to determine the identifier comprises:
    - correlating the first instance of normalized event data with the other instances of normalized event data stored in the database to determine the identifier.
  - 8. The method of claim 5, wherein processing the normalized event data and the identifier to determine whether the attempt to access the protected data is fraudulent or indicative of probable misuse based on at least one rule implemented by the monitoring system comprises:
    - correlating the first instance of normalized event data with the other instances of normalized event data stored in the database to determine a set of activities performed by the authorized user of the system associated with the protected data,wherein the at least one rule is a basis for determining if the set of activities performed by the authorized user of the system associated with the protected data deviates from an allowable set of activities.
  - 9. The method of claim 8, wherein the allowable set of activities comprises a predefined sequence of activities.
  - 10. The method of claim 1, wherein the at least one rule comprises a maximum quantity of attempts to access the protected data within a predetermined period of time.
  - 11. The method of claim 1, wherein the at least one rule comprises an allowable location from which the attempt to access the protected data is permissible.
  - 12. The method of claim 1, wherein the at least one rule comprises a maximum amount of time after the protected data was last attempted to be accessed.
  - 13. The method of claim 1, wherein the notification is generated in real-time.
  - 14. The method of claim 1, further comprising:
    - tracking interactions between the authorized user of the system associated with the protected data and one or more other authorized users of the system associated with the protected data, the one or more other authorized users of the system associated with the protected data having been identified as being suspicious based on previous involvement with one or more other attempts to access the protected data identified as being fraudulent or indicative of probable misuse,wherein the at least one rule comprises a basis for determining the attempt to access the protected data is fraudulent or probable of misuse based on at least one of the interactions between the authorized user of the system associated with the protected data and the one or more other authorized users of the system associated with the protected data.
  - 15. The method of claim 1, further comprising:
    - causing a rule management interface to be displayed, the rule management interface comprising at least one input field for generating the at least one rule.
  - 16. The method of claim 1, further comprising:
    - processing one or more of the normalized event data or the identifier to ascertain a name of the authorized user of the system associated with the protected data.
  - 19. The method of claim 1, further comprising:
    - storing the notification as a hit in a hit log database.

17. An apparatus comprising:
- a processor; and
  
  at least one memory including computer program code for one or more programs, the at least one memory and the computer program code configured to, with the processor, cause the apparatus to;
  
  extract event data from an event log file including information associated with an attempt to access protected data, the apparatus being configured to recognize and parse the event data within the event log file for each of a plurality of different file formats to enable a monitoring system implemented by the processor to oversee user activity across a plurality of applications for determining the attempt to access the protected data is fraudulent or indicative of probable misuse;
  
  normalize the event data based on a predefined format;
  
  process the normalized event data to determine an identifier associated with the attempt to access the protected data, the identifier being indicative of one or more of an authorized user of a system associated with the protected data, a device used to attempt to access the protected data, an authorized user of the device used to attempt to access the protected data, a location of the device used to attempt to access the protected data, or a time of the attempt to access the protected data;
  
  process the normalized event data and the identifier to determine whether the attempt to access the protected data is fraudulent or indicative of probable misuse based on at least one rule applied by the monitoring system;
  
  generate a notification based on a determination that the attempt to access the protected data is fraudulent or indicative of probable misuse; and
  
  cause one or more of an alert based on the notification to be output to a display communicatively coupled with the monitoring system or to an electronic device communicatively coupled with the monitoring system,whereinthe monitoring system is configured to continuously process the normalized event data and the identifier according to a predefined schedule, andthe event log file corresponds with an application of the plurality of applications accessible by the authorized user, each application of the plurality of applications has a corresponding event log file, and the event log file of each application of the plurality of applications has a file format of the plurality of different file formats.

18. A non-transitory computer-readable storage medium carrying computer-readable instructions which, when executed by a processor, cause an apparatus to:
- extract event data from an event log file including information associated with an attempt to access protected data, the apparatus being configured to recognize and parse the event data within the event log file for each of a plurality of different file formats to enable a monitoring system implemented by the processor to oversee user activity across a plurality of applications for determining the attempt to access the protected data is fraudulent or indicative of probable misuse;
  
  normalize the event data based on a predefined format;
  
  process the normalized event data to determine an identifier associated with the attempt to access the protected data, the identifier being indicative of one or more of an authorized user of a system associated with the protected data, a device used to attempt to access the protected data, an authorized user of the device used to attempt to access the protected data, a location of the device used to attempt to access the protected data, or a time of the attempt to access the protected data;
  
  process the normalized event data and the identifier to determine whether the attempt to access the protected data is fraudulent or indicative of probable misuse based on at least one rule applied by the monitoring system;
  
  generate a notification based on a determination that the attempt to access the protected data is fraudulent or indicative of probable misuse; and
  
  cause one or more of an alert based on the notification to be output to a display communicatively coupled with the monitoring system or to an electronic device communicatively coupled with the monitoring system,whereinthe monitoring system is configured to continuously process the normalized event data and the identifier according to a predefined schedule, andthe event log file corresponds with an application of the plurality of applications accessible by the authorized user, each application of the plurality of applications has a corresponding event log file, and the event log file of each application of the plurality of applications has a file format of the plurality of different file formats.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fairwarning IP LLC
Original Assignee
Fairwarning IP LLC
Inventors
Long, Kurt James
Primary Examiner(s)
Armouche, Hadi
Assistant Examiner(s)
WRIGHT, BRYAN F

Application Number

US14/954,470
Publication Number

US 20160085986A1
Time in Patent Office

834 Days
Field of Search

726 22
US Class Current
CPC Class Codes

G06F 21/316   by observing the pattern of...

G06F 21/50   Monitoring users, programs ...

G06F 21/55   Detecting local intrusion o...

G06F 21/554   involving event detection a...

G06F 21/60   Protecting data

G06F 21/6218   to a system of files or obj...

G06F 2221/034   Test or assess a computer o...

G06Q 10/06   Resources, workflows, human...

G06Q 10/0635   Risk analysis of enterprise...

Y02A 90/10   Information and communicati...

System and method for detecting fraud and misuse of protected data by an authorized user using event logs

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for detecting fraud and misuse of protected data by an authorized user using event logs

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links