Identifying malicious web infrastructures
US-9578042-B2 · Feb 21, 2017 · US
US2016366168A1 · US · A1
| Field | Value |
|---|---|
| Publication number | US-2016366168-A1 |
| Application number | US-201514739787-A |
| Country | US |
| Kind code | A1 |
| Filing date | Jun 15, 2015 |
| Priority date | Jun 15, 2015 |
| Publication date | Dec 15, 2016 |
| Grant date | — |
Official abstract text for this publication.
Aspects of an abuse detection system for a web service include an abuse detection engine executing on a server. The abuse detection engine includes a pre-processing module for aggregating a data set for processing and analysis; a suspiciousness test module for identifying suspicious content owners and suspicious users; a graphing module for finding connections between suspicious content owners and suspicious users; an analysis module for determining which groups are constituted of fraudulent or abusive accounts; and a notification generation and output module for generating a list of abusive entities and a notification for output to at least one of: the abusive entity, a digital content distribution company associated with the abusive entity, and a legal department or other entity for further investigation or action. Additionally, royalties for content consumptions associated with abusive accounts may be held. Aspects of an abusive traffic detection method enable multi-account and multi-content owner fraud detection.
Opening claim text (preview).
What is claimed is:

1. A method of detecting abusive traffic on a web service, the method comprising: aggregating a set of consumption data, the aggregated set of consumption data including a list of one or more consumption records associated with consumption of digital content via the web service, the one or more consumption records comprising a content owner, a content user, and a date of the consumption; identifying one or more suspicious content owners, wherein the content owners are owners of digital content accessible via the web service; identifying one or more suspicious content users, wherein the content users are consumers of digital content via the web service; grouping at least one of the one or more suspicious content owners and at least one of the one or more suspicious content users into a group; analyzing the group for determining whether the at least one suspicious content owner and the at least one suspicious content user constitute an abusive entity; and in response to a positive determination, generating a notification including the at least one suspicious content owner and the at least one suspicious content user.

2. The method of claim 1, wherein aggregating a set of consumption data comprises aggregating a set of consumption data associated with consumption within a predetermined time period.

3. The method of claim 1, wherein identifying one or more suspicious content owners comprises: generating a list of a plurality of top users of the web service from the aggregated set of consumption data; identifying a plurality of content owners associated with content consumed by the plurality of top users; for each of the plurality of content owners associated with content consumed by the plurality of top users, computing a ratio comparing consumption of content associated with the content owner by the plurality of top users to consumption of content associated with the content owner by all users in the aggregated set of consumption data; determining whether the ratio is above a threshold value; and in response to a positive determination, determining the content owner is a suspicious content owner.

4. The method of claim 3, wherein generating a list of a plurality of top users comprises generating a list of the plurality of most active content users in the aggregated set of consumption data.

5. The method of claim 3, wherein consuming digital content via the web service comprises: subscribing to the web service for a subscription time period; and streaming or downloading content from the web service during the subscription time period.

6. The method of claim 5, wherein generating a list of a plurality of top users comprises generating a list of content users who trigger royalties in an amount that exceeds a price associated with the web service subscription.

7. The method of claim 1, wherein identifying one or more suspicious content users comprises: generating a list of active users from the aggregated set of consumption data; for each active user in the list, identifying a predetermined number of top content owners, wherein the predetermined number of top content owners are the content owners associated with content most consumed by the active user; determining whether the predetermined number of top content owners includes a suspicious content owner of the one or more suspicious content owners; in response to a positive determination, identifying a number of consumptions of content associated with the suspicious content owner; determining whether the number of consumptions is above a threshold value; and in response to a positive determination, determining the content user is a suspicious content user.

8. The method of claim 1, wherein grouping at least one of the one or more suspicious content owners and at least one of the one or more suspicious content users into a group comprises: modeling traffic between the one or more suspicious content owners and the one or more suspicious content users in a graph; and using a graph search algorithm to identify one or more of: connections between multiple content users; or connections between multiple content owners.

9. The method of claim 1, wherein analyzing the group comprises analyzing metrics associated with the one or more suspicious content owners and the one or more suspicious content users in the group, the one or more metrics including one or more of: a number of suspicious content users in the group; a number of suspicious content owners in the group; a number of suspicious content users in the group; a number of suspicious content owners in the group; a number of consumptions of content by suspicious content users in the group; a number of consumptions of content by any content user; for each suspicious content owner in the group, a number of suspicious content users in the group who consumed content owned by the suspicious content owner; for each suspicious content owner in the group, a number of all content users who consumed content owned by the suspicious content owner; a number of consumptions of content owned by suspicious content owners in the group; a number of consumptions of content owned by any content owner; for each suspicious content user in the group, a number of suspicious content owners in the group who own content consumed by the suspicious content user; for each suspicious content user in the group, a number of all content owners who own content consumed by the suspicious content user.

10. The method of claim 9, wherein analyzing the group comprises: for each suspicious content owner in the group: calculating a first percentage by dividing the number of consumptions of content by suspicious content users in the group by the number of consumptions of content by any content user; calculating a second percentage by dividing the number of suspicious content users in the group who consumed content owned by the suspicious owner by the number of all content users who consumed content owned by the suspicious content owner; computing a confidence of the first and second percentages; determining whether the confidence of the first and second percentages is above a threshold value; and in response to a positive determination, determining the suspicious content owner is an abusive entity.

11. The method of claim 10, further comprising: for each suspicious content user in the group: calculating a first percentage by dividing the number of consumptions of content owned by suspicious content owners in the group by the number of consumptions of content owned by any content owner; calculating a second percentage by dividing the number of suspicious content owners in the group who own content consumed by the suspicious content user by the number of all content owners who own content consumed by the suspicious content user; computing a confidence from the first and second percentages; determining whether the confidence of the first and second percentages is above a threshold value; in response to a positive determination, determining the suspicious content user is an abusive entity.

12. The method of claim 1, further comprising taking at least one action, wherein the at least one action comprises: sending the notification to a legal department for requesting rights for accessing personal information associated with the abusive entity; sending the notification to a company label associated with the at least one suspicious content owner constituting the abusive entity; sending the notification to the at least one suspicious content owner and the at least one suspicious content user con
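
The suspiciousness tests and grouping step of claims 3, 7 and 8, sketched as an added example that is not taken from the patent. The function names, the sample records and every threshold value (`top_n`, `ratio_threshold`, `top_k`, `count_threshold`) are assumptions, since the claims state no concrete values; breadth-first search stands in for the unspecified graph search algorithm.

```python
from collections import Counter, defaultdict, deque

# Constructed sample records: (content_owner, content_user, date).
RECORDS = (
    [("labelA", u, "2015-06-01") for u in ("a1", "a2") for _ in range(30)]
    + [("labelB", "b1", "2015-06-01")] * 25 + [("bigstar", "b1", "2015-06-02")] * 5
    + [("bigstar", f"u{i}", "2015-06-02") for i in range(5) for _ in range(3)]
    + [("indie", f"u{i}", "2015-06-03") for i in range(5)]
)

def suspicious_owners(records, top_n, ratio_threshold):
    """Claim 3: owners whose consumption comes mostly from the most active users."""
    per_user = Counter(user for _, user, _ in records)
    top_users = {u for u, _ in per_user.most_common(top_n)}
    total, from_top = Counter(), Counter()
    for owner, user, _ in records:
        total[owner] += 1
        if user in top_users:
            from_top[owner] += 1
    return {o for o, n in from_top.items() if n / total[o] > ratio_threshold}

def suspicious_users(records, bad_owners, top_k, count_threshold):
    """Claim 7: users whose top-k owners include a heavily consumed suspicious owner."""
    per_user = defaultdict(Counter)
    for owner, user, _ in records:
        per_user[user][owner] += 1
    return {user for user, owners in per_user.items()
            if any(o in bad_owners and n > count_threshold
                   for o, n in owners.most_common(top_k))}

def groups(records, bad_owners, bad_users):
    """Claim 8: connected components of the suspicious owner/user traffic graph."""
    adj = defaultdict(set)
    for owner, user, _ in records:
        if owner in bad_owners and user in bad_users:
            adj[("owner", owner)].add(("user", user))
            adj[("user", user)].add(("owner", owner))
    seen, out = set(), []
    for start in sorted(adj):
        if start in seen:
            continue
        comp, queue = set(), deque([start])
        seen.add(start)
        while queue:
            node = queue.popleft()
            comp.add(node)
            for nxt in adj[node] - seen:
                seen.add(nxt)
                queue.append(nxt)
        out.append(comp)
    return out
```

On the constructed data, the heavily consumed `bigstar` owner is not flagged because most of its traffic comes from ordinary users, while the two rings come out as separate groups for the per-group analysis of claims 9 to 11.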
Traffic logging, e.g. anomaly detection · CPC title
Resources, workflows, human or project management; Enterprise or organisation planning; Enterprise or organisation modelling · CPC title
Product, service or business identity fraud · CPC title
involving fraud or risk level assessment in transaction processing · CPC title
Protecting distributed programs or content, e.g. vending or licensing of copyrighted material (protection in video systems or pay television H04N7/16) {; Digital rights management [DRM]} · CPC title