1. Field of the Present Disclosure
This disclosure relates generally to computer operations network security and relates to client accounts resident on remote servers where such accounts are accessible remotely by password. The disclosure further relates to a daemon capable of notifying a client of access actions on his/her account and of taking actions to close down unauthorized sessions and change password access.
2. Description of Related Art Including Information Disclosed Under 37 CFR 1.97 and 1.98
In Unix and other multitasking computer operating systems, a daemon is a computer program that runs in the background rather than under the direct control of a user; daemons are usually instantiated as processes. Typically daemons have names that end with the letter “d”; for example, syslogd is the daemon which handles the system log. Daemons typically do not have any existing parent process, but reside directly under init in the process hierarchy. Daemons usually become daemons by forking a child process and then making the parent process kill itself, thus making init adopt the child. This practice is commonly known as “fork off and die.” Systems often start (or “launch”) daemons at boot time; they often serve the function of responding to network requests, hardware activity, or other programs by performing some task. Daemons can also configure hardware, run scheduled tasks, and perform a variety of other tasks. In a strictly technical sense, Unix recognizes as a daemon any process that has process number 1 (init) as its parent process. The init process adopts any process whose parent dies without waiting for the child's status, so the common method for launching a daemon involves forking once or twice and making the parent (and possibly the grandparent) die while the child (or grandchild) process begins performing its normal function. In common Unix usage a daemon may be any background process, whether a child of init or not. Unix users sometimes spell daemon as demon, and most usually pronounce the word that way. In the DOS environment, such programs were written as terminate and stay resident (TSR) software. On Microsoft Windows systems, programs called “services” perform the functions of daemons, though the term “daemon” has started to creep into common usage on that platform as well. On the original Mac OS, similar systems were known as extensions. Mac OS X, being a Unix-like system, also has daemons, but these are different in concept.
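The fork-twice launch described above can be observed directly. The following C program is an added illustration, not part of the disclosure; the names `daemonize_probe` and `daemon_report` are hypothetical. The grandchild reports its parent before and after the intermediate process dies, together with its session id, showing that it has been adopted and is not a session leader (so it cannot acquire a controlling terminal).

```c
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* What the surviving grandchild observes about itself. */
struct daemon_report {
    pid_t self;        /* pid of the grandchild (the would-be daemon) */
    pid_t middle;      /* pid of the intermediate child that exits */
    pid_t ppid_after;  /* parent pid once the intermediate has died */
    pid_t sid;         /* session id of the grandchild */
};

/* Fork twice, let the intermediate die, report over a pipe. 0 on success. */
int daemonize_probe(struct daemon_report *out)
{
    int fds[2];
    if (pipe(fds) != 0) return -1;

    pid_t child = fork();
    if (child < 0) return -1;
    if (child == 0) {                      /* intermediate child */
        close(fds[0]);
        if (setsid() < 0) _exit(1);        /* new session, no controlling tty */
        pid_t middle = getpid();
        pid_t grand = fork();
        if (grand != 0) _exit(grand < 0);  /* "fork off and die" */
        /* grandchild: wait (bounded, about 2 s) until it has been adopted */
        for (int i = 0; i < 2000 && getppid() == middle; i++) usleep(1000);
        struct daemon_report r = { getpid(), middle, getppid(), getsid(0) };
        ssize_t n = write(fds[1], &r, sizeof r);
        _exit(n == (ssize_t)sizeof r ? 0 : 1);
    }
    close(fds[1]);
    waitpid(child, NULL, 0);               /* reap the intermediate: no zombie */
    ssize_t n = read(fds[0], out, sizeof *out);
    close(fds[0]);
    return n == (ssize_t)sizeof *out ? 0 : -1;
}

int main(void)
{
    struct daemon_report r;
    if (daemonize_probe(&r) != 0) return 1;
    printf("daemon pid=%d old parent=%d new parent=%d sid=%d\n",
           (int)r.self, (int)r.middle, (int)r.ppid_after, (int)r.sid);
    return 0;
}
```

On a conventional system the new parent is process 1; inside a container or under a process supervisor it may instead be that environment's init or a designated subreaper.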
Shaw, 20040068559, discloses a method for detecting unauthorized computer system usage that monitors the subscriber's activities while using the computer system, the system activities and the Internet activities. When the computer system is initialized, the subscriber may manually or automatically set parameters for determining when an activity is unauthorized. When an activity is detected which deviates from normal system usage and operation, the activity is unauthorized. The unauthorized activity may be recorded in an activity log, may be terminated by the computer system, or the subscriber may be notified of the unauthorized usage.
Wick, 20040093387, discloses communicating with and/or monitoring of a targeted user in a computer-network environment (e.g., an instant messaging system), involving detecting that the targeted user has signed on to the network and, upon detecting the sign-on, automatically communicating with the targeted user, for example, by sending a previously specified instant message. Alternatively, or in addition, the targeting user can receive notification that the targeted user has signed on and/or that the instant message has been sent. Instead of, or in addition to, automatically sending an instant message and/or notifying the targeting user, a predefined operation specified by the targeting user (e.g., operating system command, script or executable file) can be performed. These various operations can be performed on one or more client systems, on one or more server systems, or any combination thereof.
Conklin, et al, U.S. Pat. No. 5,991,881, discloses a system and method for network surveillance and detection of attempted intrusions, or actual intrusions, into the network and into computers connected to the network. The System functions include: intrusion detection monitoring, real-time alert, logging of potential unauthorized activity, and incident progress analysis and reporting. Upon detection of any attempts to intrude, the System will initiate a log of all activity between the computer elements involved and send an alert to a monitoring console. When a log is initiated, the network continues to be monitored by a primary surveillance system. A secondary monitoring process is started which interrogates the activity log in real-time and sends additional alerts reporting the progress of the suspected intruder.
Roskind, U.S. Pat. No. 6,938,167, discloses a technique for defining a system with enhanced trust, in which an immediate contact is made with the user on the enhanced trust system when a compromise is first detected, e.g. when there is a second log in attempt from another location. Using these communications channels, the service can often contact the compromised user and ask for confirmation of the results, i.e. to change password or login, from a reduced trust machine. As a result, even if an attacker steals a password, the true user on the enhanced trust machine is able to preclude a login or preclude a password change. In each case, if the user of the enhanced trust machine does not respond within some short period of time, then a less trusted machine can be allowed to proceed. The invention comprehends two definitions of an enhanced trust machine. In a first embodiment of the invention, an enhanced trust machine is a machine where the user is currently logged in at the time that the second, less trusted machine attempts a login. A second embodiment of the invention comprehends an enhanced trust machine where the user has logged in repeatedly over a course of numerous weeks, as compared with a lesser trusted machine that the user has never logged into before and which is now asking for a change of the password. In this case, the system may or may not find the less trusted machine to be just that based on actions that are experientially inconsistent with what is expected.
Rowland, U.S. Pat. No. 6,405,318, discloses a computer-implemented intrusion detection system and method that monitors a computer system in real-time for activity indicative of attempted or actual access by unauthorized persons or computers. The system detects unauthorized users attempting to enter into a computer system by comparing user behavior to a user profile, detects events that indicate an unauthorized entry into the computer system, notifies a control function about the unauthorized users and events that indicate unauthorized entry into the computer system and has a control function that automatically takes action in response to the event. The user profiles are dynamically constructed for each computer user when the computer user first attempts to log into the computer system and upon subsequent logins, the user's profile is dynamically updated. By comparing user behavior to the dynamically built user profile, false alarms are reduced. The system also includes a log auditing function, a port scan detector and a session monitor function.
The related art described above discloses several systems and methods for identification of unauthorized access and notification of a valid user. However, the prior art teaches the monitoring of a user's system, an instant messaging network, network intrusions in a computer network environment, and identifying only access coming from a foreign Internet address. The present method distinguishes in that it is directed to a client account and provides for remedial actions. The present disclosure distinguishes over the prior art, providing heretofore unknown advantages as described in the following summary.