WO2017013688A1 - Method for detecting the use of remote screen control applications through the detection and profiling of anomalies on the user input introduced by the protocol of said applications - Google Patents


Info

Publication number
WO2017013688A1
WO2017013688A1 PCT/IT2016/000179 IT2016000179W WO2017013688A1 WO 2017013688 A1 WO2017013688 A1 WO 2017013688A1 IT 2016000179 W IT2016000179 W IT 2016000179W WO 2017013688 A1 WO2017013688 A1 WO 2017013688A1
Authority
WO
WIPO (PCT)
Prior art keywords
user
remote desktop
dbi
data
remote
Prior art date
Application number
PCT/IT2016/000179
Other languages
French (fr)
Inventor
Giorgio FEDON
Stefano DI PAOLA
Gianluca BRINDISI
Original Assignee
Minded Security S.R.L.
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Minded Security S.R.L. filed Critical Minded Security S.R.L.
Publication of WO2017013688A1 publication Critical patent/WO2017013688A1/en

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication
    • G06F21/316 User authentication by observing the pattern of computer usage, e.g. typical user behaviour
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/145 Countermeasures against malicious traffic the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2463/00 Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00
    • H04L2463/121 Timestamp


Abstract

Recently, so-called Desktop Sharing programs (RDP from Microsoft and VNC from RealVNC Ltd) have been exploited by cybercriminals as a further means of carrying out identity theft and financial fraud: by installing malware with a "Remote Desktop" component on a victim's system, the criminal can control the victim's user session and interact, for example, with the victim's banking portal on the victim's behalf. To date, the operator of an on-line server is not able to establish with certainty whether a client session is native or controlled through a remote desktop system without using software components installed on the user's system. The object of the present invention is to provide a system for the detection of user sessions controlled through Remote Desktop applications, by profiling the protocol in use on the basis of the anomalies that it produces in the user's input. These anomalies are constant and are normalized with respect to traditional user biometric detection, and thus are a direct and measurable reflection of a remote connection in use. To simplify the implementation and usability of the system, a further object is to realize an "agent-less" solution, i.e., one that does not require installing third-party software on users' systems.

Description

Method for detecting the use of Remote Screen Control applications through the detection and profiling of anomalies on the user input introduced by the protocol of said applications
Background art
The term "Remote Desktop" or "Desktop Sharing" refers to the ability of a computer system, by means of a special application, to open an interactive user session on a remote computer. Such systems are commonly used to interact with a physical machine for maintenance, technical support, and remote administration purposes. The various "Desktop Sharing" solutions on the market are based on different proprietary or open-source communication protocols, of which the most popular are RDP from Microsoft and VNC from RealVNC Ltd. Recently, such programs have been exploited by cybercriminals as a further means of carrying out identity theft and financial fraud: by installing malware with a "Remote Desktop" component on a victim's system, the criminal can control the victim's user session and interact, for example, with the victim's banking portal on the victim's behalf. It is therefore difficult for the banking portal to detect accurately whether a session is legitimate or remotely controlled, as the traditional detection indexes, such as the IP address and the characteristics of the system used, are unchanged. In addition, the client-side code of a web portal does not have the privileges to apply traditional remote desktop detection solutions such as those used by anti-virus software. To try to distinguish between legitimate sessions and remotely controlled sessions, so-called anomaly detection systems have been developed, which are based on biometric profiling of the users that is easily acquirable through the web portal: a user's interaction with the web page is measured in order to create a "behavioural profile" of that user, to be used later as a reference metric to detect abnormal interactions. Such systems have, in the first place, the disadvantage of not being deterministic and, in the second, of requiring large resources to collect and process the amount of data needed to build the behavioural profile of each user.
Finally, the detection is not strictly tied to the use of a remote desktop; more simply, its purpose is to try to distinguish the use of the same session by different individuals. To date, the operator of an on-line server is not able to establish with certainty whether a client session is native or controlled through a remote desktop system without using software components installed on the user's system. There are user identity verification solutions (patent WO2014105994A3 of NokNok Labs, patent US20050008148 of Biocatch, patent US20140289820 of Behaviosec) characterized by the use of biometric and behavioural metrics that specifically detect the protocol characteristics while using Remote Desktop software but, more generally, identify whether the same session is used by individuals with different biometric/behavioural profiles. Alternatively, there are detection systems that require third-party software components to be installed locally on the monitored system (Method and apparatus for remote desktop control identification, CN 103428190 A). Compared to such systems, a solution is desirable that does not require third-party components or a profiling history, and especially one that is independent of the behavioural/biometric aspects of individual users, whose alterations, detected for example by means of the above patents, may not necessarily imply wilful misconduct.
An alternative approach to the solutions proposed consists in identifying abnormal features in the sequence of inputs sent that do not depend on the user's actions but rather are introduced by the Desktop Sharing protocols.
Disclosure of the invention
The object of the present invention is to provide a system for the detection of user sessions controlled through Remote Desktop applications, by profiling the protocol in use on the basis of the anomalies that it produces in the user's input. These anomalies are constant and are normalized with respect to traditional user biometric detection, and thus are a direct and measurable reflection of a remote connection in use. To simplify the implementation and usability of the system, a further object is to realize an "agent-less" solution, i.e., one that does not require installing third-party software on users' systems.
The proposed solution is to detect user input data via an application normally used by the user, for example a web browser that executes JavaScript code when the user visits a web page. This code collects the user's input telemetry and either processes it directly or sends it asynchronously to a remote server that is able to process the received data. By processing the collected data, four metrics are extracted whose comparison with reference profiles makes it possible to identify which remote desktop protocol family is associated with the measured activity.
Brief description of the drawings
Further characteristics and advantages of the proposed technical solution will appear more evident in the following description of a preferred but not exclusive embodiment shown by way of example and not limitation in the accompanying 5 drawings, in which:
• Fig.1 shows the typical situation in which a desktop session of a system is remotely controlled through a Remote Control software.
• Fig.2 is an example implementation in which a user via a Remote Desktop application connects to a remote desktop from which the user uses the browser to access a web page. This page includes the measurement code of the detection system that measures the user input data and sends them to a processing server, where the data are processed to extract the metrics and obtain the detection result. This result, ultimately, is saved in a database for future or immediate consultation.
• Fig.3 indicates the process for measuring and analysing a user's input in order to detect the presence of a remote control. This process is carried out in five steps: measuring the user's input such as keyboard and mouse, collecting the data, processing the data and extracting the metrics, comparing the processed data with the reference models.
• Fig.4 represents in detail the four metrics used to calculate the result of the detection.
• Fig.5 shows the periodic tuning process by which the processing system is trained by defining the protocol profiles to be used as a reference and by carrying out further classification of the data in relation to the measuring system used (version of the application used and operating system), and to allow a more precise profiling of the protocol.
Best mode for carrying out the invention
In the case of a remote session via a Remote Desktop application (Fig.1), the user input data are collected by JavaScript code installed on the web page being monitored (Fig.2). In the case of mouse movement data, the coordinates of the pointer on the page are measured at every moment, together with the time of each coordinate. The data thus collected are processed to extract the four major indexes: "data burst index", "data burst density", "sampling density", "frequency index". These four dimensions are further processed to derive: the estimated proximity of the observed connection, the estimated latency, and finally the profile of the Remote Desktop Protocol used. These dimensions make up the result of the detection.
The process is defined by the following steps (Fig.3): In a first phase, the times of each sampling [TcJ are collected, along with the number [n] thereof and the sequence [Atime] of temporal distances between each sampling. The data thus collected are processed in four successive analysis steps to produce four indexes (Fig.4), which are:
• (Fig. 4.1) "Data Burst Index" [DBI]: this metric is calculated from [Atime] and represents the number of samples, as a percentage of total [n], whose temporal distances are smaller than a given threshold [th]. These values are called Data Bursts [DB].
• (Fig. 4.2) "Data Burst Density" [DBD]: this index measures the percentage of total Data Bursts [DB] sent in succession.
• (Fig. 4.3) "Sampling Density" [SD]: this metric represents the density based on the sampling time, except for the values deriving from the inactivity or termination of the user's activity, which are excluded from the calculation to filter out the influence of any behavioural aspects.
• (Fig. 4.4) "Frequency Index" [FI]: calculated as a given percentile [p-th] of the cumulative frequency of [Atime].
At this point, the four main metrics are further processed to produce additional parameters:
• The estimated proximity [proximity] of the connection, which is calculated by comparing [n], [DBI] and [SD], and indicates whether the observed connection is "local" or "remote". This index defines an abstraction layer that in turn consists of:
• The estimated latency [latency] of the network connection, the value of which is conditioned by both the desktop sharing protocol used and the distance in terms of network hops between the monitored user and the controller.
• The Remote Desktop Protocol profile used [ratdet].
These new dimensions make up the result of the detection.
The threshold values of the variables used during all processing phases can be modified, if necessary, in order to increase the accuracy of the system. Such values may be previously calculated through a "tuning" phase of the system (Fig.5) in which the produced data are measured from different sample interactions ("training set"), characterized by different combinations of Remote Desktop systems and protocols. The detection indexes are normally extracted from these measurements, the detection indexes being then grouped into clusters according to different parameters of closeness. This process has the purpose of identifying the threshold values producing a cluster set that leads to minimum occurrence of false positives/negatives.
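As an added illustration (not code from the patent or from its applicant), the following JavaScript computes the four indexes from a list of sampling times and measures their distance from a local reference profile, as step E of the claims describes. The threshold values, the exact formulas chosen for [DBD], [SD] and the percentile, the reference profile and both timestamp traces are assumptions constructed for this example.

```javascript
'use strict';

// Assumed thresholds: the text leaves their values to the tuning phase.
const DEFAULTS = { th: 2, idleMs: 500, p: 90 }; // burst threshold (ms), idle cutoff (ms), percentile

function extractMetrics(times, opts = {}) {
  const { th, idleMs, p } = { ...DEFAULTS, ...opts };
  const n = times.length;
  if (n < 2) throw new RangeError('need at least two samples');

  // [Atime]: temporal distances between consecutive samplings.
  const atime = [];
  for (let i = 1; i < n; i++) {
    const d = times[i] - times[i - 1];
    if (!(d >= 0)) throw new RangeError('sampling times must be non-decreasing numbers');
    atime.push(d);
  }

  // [DBI]: intervals shorter than th (data bursts) as a percentage of n.
  const isDB = atime.map((d) => d < th);
  const dbCount = isDB.filter(Boolean).length;
  const dbi = (100 * dbCount) / n;

  // [DBD] (assumed reading): percentage of data bursts that sit next to
  // another data burst, i.e. that were sent in succession.
  let inSuccession = 0;
  isDB.forEach((b, i) => { if (b && (isDB[i - 1] || isDB[i + 1])) inSuccession++; });
  const dbd = dbCount === 0 ? 0 : (100 * inSuccession) / dbCount;

  // [SD] (assumed reading): samples per second of active time; intervals
  // longer than idleMs are treated as user inactivity and excluded.
  const active = atime.filter((d) => d <= idleMs);
  const activeMs = active.reduce((a, b) => a + b, 0);
  const sd = activeMs === 0 ? 0 : (1000 * active.length) / activeMs;

  // [FI]: p-th percentile of the interval distribution (nearest-rank method).
  const sorted = [...atime].sort((a, b) => a - b);
  const fi = sorted[Math.max(1, Math.ceil((p / 100) * sorted.length)) - 1];

  return { n, dbi, dbd, sd, fi };
}

// Constructed reference cluster for local sessions: centroid, per-component
// scale, and the radius inside which a session counts as local.
const LOCAL_PROFILE = {
  centroid: { dbi: 0, dbd: 0, sd: 125, fi: 8 },
  scale: { dbi: 10, dbd: 10, sd: 25, fi: 4 },
  radius: 2,
};

// Scaled Euclidean distance of the metric vector from the local cluster.
function proximity(metrics, profile = LOCAL_PROFILE) {
  const sum = ['dbi', 'dbd', 'sd', 'fi'].reduce(
    (s, k) => s + ((metrics[k] - profile.centroid[k]) / profile.scale[k]) ** 2, 0);
  const distance = Math.sqrt(sum);
  return { distance, verdict: distance <= profile.radius ? 'local' : 'remote' };
}

// Constructed trace: 200 samples every 8 ms with one 3 s pause in the middle.
function localTrace() {
  return Array.from({ length: 200 }, (_, i) => i * 8 + (i >= 100 ? 2992 : 0));
}

// Constructed trace: 50 batches of 4 events 1 ms apart, 40 ms between batches.
function remoteTrace() {
  const t = [];
  for (let b = 0; b < 50; b++) for (let k = 0; k < 4; k++) t.push(b * 43 + k);
  return t;
}

console.log(extractMetrics(localTrace()), proximity(extractMetrics(localTrace())));
console.log(extractMetrics(remoteTrace()), proximity(extractMetrics(remoteTrace())));
```

Some browsers reduce the resolution of event timestamps, so [th] has to be tuned against the precision actually observed on the monitored page.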
For further clarity, below we show an implementation of the method using a common web page. The page in question contains JavaScript code that is responsible for collecting the user input data, in this case the telemetry of the mouse movement, and sending that data asynchronously to a remote server used for the processing phase.
As shown in Fig.2, a remote user interacts, via Remote Desktop software, with the browser of the controlled system, which is used to access the page that contains the monitoring code. The collected data are sent to the remote server, which performs the process explained in the previous paragraph and represented in Fig.3 to extract the dimensions that compose the detection. The web application that contains the page to be monitored can query the processing server to obtain the analytical result and, in case of positive detection, can decide whether to take action on the user's session and, if necessary, to block or invalidate it.
Industrial applicability and implementation options
By way of example and not of limitation, it is observed that different sources of measured user input data can be used ("mouse", "keyboard", etc.) and that further data can be considered such as, by way of example and not of limitation, the profile of the user system (browser, operating system, etc.) and the interfaces that interact by application proxy to the native user interface of a system, such as virtualizations of desktop interfaces and alternative remote control systems.
The proposed solution is effective in distinguishing whether the use of a Desktop interface takes place locally or remotely. The term "local" means a condition of proximity in which the user is using devices physically connected to the computer whose operating system shows the graphical interface or Desktop interface. The proximity analysis makes it possible to detect whether a user session is subject to remote control without having to construct a user biometric and/or behavioural profile, but only through the measurement and identification of anomalies in data transmission that depend on the remote control protocol in use. This distinction is achieved by comparing the deviation of the metrics with respect to the local profile, while the identification of the specific desktop sharing protocol is carried out by analysing the relationships between the identified metrics. Another advantage of the proposed method is that detection accuracy increases with the connection latency, which increases proportionally with the network hops (network distance) between the controller and the controlled subject.
The proposed solution applies in particular to the risk control systems of financial transactions, such as anti-fraud systems for banking portals. In this case, it is monitored whether the user who is performing the transaction is using their own device locally. This solution also applies to the risk analysis on the use of authentication and validation systems of the navigation session and, in general, to the integration with monitoring systems to prevent cyber attacks, where the remote control condition is a known attack vector to circumvent security defences.

Claims

1. A method for detecting the use of desktop remote control applications through the detection and profiling of user's input anomalies introduced by the protocol of such applications and characterized by the following steps:
A) Collecting the user input data provided by a client code executed in the context of an application being monitored;
B) Detecting the input data such as the telemetry of the movement and the sequencing of the events produced by mouse, keyboards, or similar devices;
C) Extracting, from the sequence of the above samples, the sampling times [Ten], the number of samples [n], and the sequence [Atime] of time intervals between each sampling;
D) Processing the data collected and extracting four main parameters, i.e., "data burst index" [DBI], "data burst density" [DBD], "sampling density" [SD], "frequency index" [FI];
E) Identifying if the user session is controlled by a Remote Desktop Application through a connection proximity parameter [proximity] obtained by measuring the distance between the vector of components [DBI], [DBD], [SD], [FI] and a reference cluster related to sessions executed in local mode;
F) Identifying the type of remote desktop protocol [ratdet] by verifying the possible belonging of the vector of components [DBI], [DBD], [SD], [FI] to the reference clusters related to known remote desktop protocols;
G) Calculating the quality of the connection [latency] comparing the vector of components [DBI], [DBD], [SD], [FI] with specific thresholds of the clusters related to known protocols.
2. Method according to claim 1, wherein said "Data Burst Index" [DBI] parameter is calculated from the data sequence [Atime] and represents the percent number of the samples of "Data Burst" [DB] type as compared to the number of total samples [n], said samples being characterized by temporal distances less than a predetermined threshold [th].
3. Method according to claim 1, wherein said "Data Burst Density" [DBD] parameter measures the percentage of the samples of [DB] type, as compared to the total, sent in the group i.e. in temporal succession.
4. Method according to claim 1, wherein said "Sampling Density" [SD] parameter represents the density in time of the samplings obtained by excluding the values attributable to behavioural nature, such as those resulting from stationing or any cessation of activity by the user.
5. Method according to claim 1, wherein said "Frequency Index" [FI] parameter is calculated as a given percentile of the cumulative frequency [Atime].
6. Method according to claim 1, points E), F), G), wherein said reference cluster and the relevant thresholds are calculated by measuring and combining the vectors of components [DBI], [DBD], [SD], [FI] at different combinations of operating systems, applications, remote desktop protocols, and latencies known a priori.
7. Method according to claims 1 and 6, wherein said reference cluster is updated by means of a periodic tuning carried out manually or automatically using statistical inference, and validated manually.
PCT/IT2016/000179 2015-07-21 2016-07-20 Method for detecting the use of remote screen control applications through the detection and profiling of anomalies on the user input introduced by the protocol of said applications WO2017013688A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
ITUB2015A002827A ITUB20152827A1 (en) 2015-07-21 2015-07-21 METHOD TO DISCRIMINATE LOCAL AND REMOTE ACCESS TO A DESKTOP INTERFACE
IT102015000036552 2015-07-21

Publications (1)

Publication Number Publication Date
WO2017013688A1 true WO2017013688A1 (en) 2017-01-26

Family

ID=54347780

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/IT2016/000179 WO2017013688A1 (en) 2015-07-21 2016-07-20 Method for detecting the use of remote screen control applications through the detection and profiling of anomalies on the user input introduced by the protocol of said applications

Country Status (2)

Country Link
IT (1) ITUB20152827A1 (en)
WO (1) WO2017013688A1 (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103428190A (en) * 2012-05-25 2013-12-04 阿里巴巴集团控股有限公司 Method and apparatus for remote desktop control identification
US20140317744A1 (en) * 2010-11-29 2014-10-23 Biocatch Ltd. Device, system, and method of user segmentation

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
BIOCATCH BIOCATCH: "Detecting Remote Access (RAT) Attacks on Online Banking Sites", A BIOCATCH WHITE PAPER, 3 July 2014 (2014-07-03), XP055257988, Retrieved from the Internet <URL:http://informationsecurity.report/Resources/Whitepapers/bbb3b0fb-9ba1-4602-8cec-17dcb2381892_detecting-remote-access-attacks-on-online-banking-sites-pdf-7-w-1088.pdf> [retrieved on 20160314] *
ZHONGQIANG CHEN ET AL: "Catching Remote Administration Trojans (RATs)", SOFTWARE PRACTICE & EXPERIENCE, WILEY & SONS, BOGNOR REGIS, GB, vol. 38, no. 7, 1 June 2008 (2008-06-01), pages 667 - 703, XP007917689, ISSN: 0038-0644, [retrieved on 20070809], DOI: 10.1002/SPE.837 *

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108595655A (en) * 2018-04-27 2018-09-28 福建师范大学 A kind of abnormal user detection method of dialogue-based characteristic similarity fuzzy clustering
CN108595655B (en) * 2018-04-27 2022-04-01 福建师范大学 Abnormal user detection method based on session feature similarity fuzzy clustering

Also Published As

Publication number Publication date
ITUB20152827A1 (en) 2017-01-21

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 16784585

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 16784585

Country of ref document: EP

Kind code of ref document: A1