System and method for detecting fraud and misuse of protected data by an authorized user using event logs
First Claim
1. A method of detecting improper access of protected data by an authorized user, the method comprising:
- extracting event data from an event log file including information associated with an attempt to access protected data, the extracting being performed by a computer system configured to recognize and parse the event data within the event log file for each of a plurality of different file formats to enable a monitoring system implemented by a processor to oversee user activity across a plurality of applications for determining the attempt to access the protected data is fraudulent or indicative of probable misuse;
- normalizing the event data based on a predefined format;
- processing the normalized event data to determine an identifier associated with the attempt to access the protected data, the identifier being indicative of one or more of an authorized user of a system associated with the protected data, a device used to attempt to access the protected data, an authorized user of the device used to attempt to access the protected data, a location of the device used to attempt to access the protected data, or a time of the attempt to access the protected data;
- processing the normalized event data and the identifier to determine whether the attempt to access the protected data is fraudulent or indicative of probable misuse based on at least one rule applied by the monitoring system;
- generating a notification based on a determination that the attempt to access the protected data is fraudulent or indicative of probable misuse; and
- causing one or more of an alert based on the notification to be output to a display communicatively coupled with the monitoring system or to an electronic device communicatively coupled with the monitoring system, wherein the monitoring system continuously processes the normalized event data and the identifier according to a predefined schedule, and the event log file corresponds with an application of the plurality of applications accessible by the authorized user, each application of the plurality of applications has a corresponding event log file, and the event log file of each application of the plurality of applications has a file format of the plurality of different file formats.
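The steps of claim 1 as an added illustration, not code from the patent: two constructed log formats (JSON lines from one application, CSV from another) are parsed into one predefined schema, an identifier (user, device) is derived, and a single rule flags an identifier that touches three or more distinct protected records outside business hours. The log formats, field names, business-hours window and threshold are assumptions for the example.

```python
import csv, io, json
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample event logs from two applications in different formats
# (invented for illustration; not taken from the patent).
APP_A_JSONL = """\
{"ts":"2024-03-01T02:14:00Z","user":"jdoe","host":"WS-11","geo":"remote","rec":"PT-1001","op":"view"}
{"ts":"2024-03-01T02:15:30Z","user":"jdoe","host":"WS-11","geo":"remote","rec":"PT-1002","op":"view"}
{"ts":"2024-03-01T10:05:00Z","user":"asmith","host":"WS-20","geo":"clinic","rec":"PT-2001","op":"view"}
"""
APP_B_CSV = """\
time,username,device,location,record_id,action
2024-03-01 02:16:10,jdoe,WS-11,remote,PT-1003,export
2024-03-01 11:30:00,asmith,WS-20,clinic,PT-2002,view
"""

# Steps 1-2: one parser per file format, each emitting the same predefined schema.
def parse_app_a(text):
    for line in text.splitlines():
        e = json.loads(line)
        yield {"app": "app_a", "time": datetime.fromisoformat(e["ts"].replace("Z", "+00:00")),
               "user": e["user"], "device": e["host"], "location": e["geo"],
               "record": e["rec"], "action": e["op"]}

def parse_app_b(text):
    for r in csv.DictReader(io.StringIO(text)):
        t = datetime.strptime(r["time"], "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
        yield {"app": "app_b", "time": t, "user": r["username"], "device": r["device"],
               "location": r["location"], "record": r["record_id"], "action": r["action"]}

# Step 3: the identifier ties activity across applications to one user/device pair.
def identifier(ev):
    return (ev["user"], ev["device"])

# Step 4: rule -- an identifier touching >= threshold distinct protected records
# outside business hours (assumed 07:00-19:00 UTC) is treated as probable misuse.
def rule_after_hours_volume(events, threshold=3):
    touched = defaultdict(set)
    for ev in events:
        if not 7 <= ev["time"].hour < 19:
            touched[identifier(ev)].add(ev["record"])
    return {ident: sorted(recs) for ident, recs in touched.items() if len(recs) >= threshold}

# Step 5: turn rule hits into notifications for the display or alert channel.
def run_monitor():
    events = list(parse_app_a(APP_A_JSONL)) + list(parse_app_b(APP_B_CSV))
    events.sort(key=lambda ev: ev["time"])
    hits = rule_after_hours_volume(events)
    return [f"ALERT after_hours_volume: user={u} device={d} records={','.join(recs)}"
            for (u, d), recs in hits.items()]

if __name__ == "__main__":
    for note in run_monitor():
        print(note)
```

A scheduled run of `run_monitor()` over freshly exported logs corresponds to the "predefined schedule" in the claim; only the after-hours activity spread across both applications produces an alert.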
Abstract
A system and method are provided for detecting fraud and/or misuse of data in a computer environment through generating a rule for monitoring at least one of transactions and activities that are associated with the data. The rule can be generated based on one or more criteria related to the at least one of the transactions and the activities that is indicative of fraud or misuse of the data. The rule can be applied to the at least one of the transactions and the activities to determine if an event has occurred, where the event occurs if the at least one criteria has been met. A hit is stored if the event has occurred and a notification can be provided if the event has occurred. A compilation of hits related to the rule can be provided.
19 Claims
17. An apparatus comprising:
a processor; and at least one memory including computer program code for one or more programs, the at least one memory and the computer program code configured to, with the processor, cause the apparatus to: extract event data from an event log file including information associated with an attempt to access protected data, the apparatus being configured to recognize and parse the event data within the event log file for each of a plurality of different file formats to enable a monitoring system implemented by the processor to oversee user activity across a plurality of applications for determining the attempt to access the protected data is fraudulent or indicative of probable misuse; normalize the event data based on a predefined format; process the normalized event data to determine an identifier associated with the attempt to access the protected data, the identifier being indicative of one or more of an authorized user of a system associated with the protected data, a device used to attempt to access the protected data, an authorized user of the device used to attempt to access the protected data, a location of the device used to attempt to access the protected data, or a time of the attempt to access the protected data; process the normalized event data and the identifier to determine whether the attempt to access the protected data is fraudulent or indicative of probable misuse based on at least one rule applied by the monitoring system; generate a notification based on a determination that the attempt to access the protected data is fraudulent or indicative of probable misuse; and cause one or more of an alert based on the notification to be output to a display communicatively coupled with the monitoring system or to an electronic device communicatively coupled with the monitoring system, wherein the monitoring system is configured to continuously process the normalized event data and the identifier according to a predefined schedule, and the event log file corresponds with an application of the plurality of applications accessible by the authorized user, each application of the plurality of applications has a corresponding event log file, and the event log file of each application of the plurality of applications has a file format of the plurality of different file formats.
18. A non-transitory computer-readable storage medium carrying computer-readable instructions which, when executed by a processor, cause an apparatus to:
extract event data from an event log file including information associated with an attempt to access protected data, the apparatus being configured to recognize and parse the event data within the event log file for each of a plurality of different file formats to enable a monitoring system implemented by the processor to oversee user activity across a plurality of applications for determining the attempt to access the protected data is fraudulent or indicative of probable misuse; normalize the event data based on a predefined format; process the normalized event data to determine an identifier associated with the attempt to access the protected data, the identifier being indicative of one or more of an authorized user of a system associated with the protected data, a device used to attempt to access the protected data, an authorized user of the device used to attempt to access the protected data, a location of the device used to attempt to access the protected data, or a time of the attempt to access the protected data; process the normalized event data and the identifier to determine whether the attempt to access the protected data is fraudulent or indicative of probable misuse based on at least one rule applied by the monitoring system; generate a notification based on a determination that the attempt to access the protected data is fraudulent or indicative of probable misuse; and cause one or more of an alert based on the notification to be output to a display communicatively coupled with the monitoring system or to an electronic device communicatively coupled with the monitoring system, wherein the monitoring system is configured to continuously process the normalized event data and the identifier according to a predefined schedule, and the event log file corresponds with an application of the plurality of applications accessible by the authorized user, each application of the plurality of applications has a corresponding event log file, and the event log file of each application of the plurality of applications has a file format of the plurality of different file formats.
Specification