Conventional intrusion detection systems (IDS) typically apply a large number of rules and patterns to detect illegal access or intrusions at a protected resource, service provider, etc. These conventional IDS provide “attack monitoring,” which includes monitoring factors associated with characteristics of the originator of the transactions, such as binary signatures, the IP address or address range of the originator of a network call, geolocation, time of access and/or other similar factors. Such information may be retrieved from network traffic, and existing solutions may utilize IP address ranges to determine where an attack is coming from or look for specific signatures to determine malicious activity. Such monitoring may be used for spam detection, anti-virus protection, etc. However, such intrusion detection solutions are primarily technology-oriented, focused on the characteristics of the resources used for transactions, and do not utilize business intelligence or information related to the transactions to track and detect malicious activity. Moreover, existing solutions fail to provide intrusion detection based on the transactional behavior of a current user within the context of other identities that have similar transactional behavior.
For example, when an attacker finds out the password of a user and logs in to the user's account at a server associated with a banking system, conventional IDS cannot detect that an illegal user is accessing the banking system. Thus, it is desirable to develop and provide an improved technique that uses transaction information as well as the identity of the user to identify malicious activity in real time.