Within the field of computing, many scenarios involve the provision of services such as email, file sharing, web access, and access to accounts through mechanisms such as passwords. Many such services are provided to users according to a usage policy that describes acceptable uses and unacceptable uses of the service. As a first example, the usage policy for an email service may prohibit the transmission of bulk unsolicited email (“spam” messages). As a second example, the usage policy for a web service may prohibit access in an automated manner, which may lead to an overconsumption of computing resources that may limit the provision of the service to other users and/or inflate the infrastructure costs of providing the service. As a third example, services that protect sensitive resources through a login interface my prohibit users from attempting to guess passwords of other users and resources, such as brute-force guessing of usernames and passwords.
In order to enforce such policies, many services utilize a variety of heuristic techniques to detect misuse. Some heuristics may involve extracting quantitative and statistical data characteristics, such as monitoring the rate at which users are sending email, consuming bandwidth, and/or submitting login attempts. Some data analysis systems utilize background knowledge to evaluate such attempts, such as known patterns of activity that may indicate misuse. For example, unsolicited bulk messaging may utilize a recognizable set of email message templates that persuade recipients to read the messages and/or respond to phishing attempts. An email service may use a content analysis system and/or a database of known templates in order to distinguish legitimate messages from spam. Additionally, as users who seek to misuse services develop new techniques such as new email templates, the heuristics of the data analysis systems may have to adapt to new information or emerging patterns, which may be achieved through management by a human administrator or a refresh of the data analysis model.
When a heuristic analysis technique of a service detects user activity that appears to represent a misuse of the service, a variety of responses may be applied. As a first example, the activity may trigger an alarm, and/or present the activity suspected of violating the usage policy to an analyst for further review. As a second example, a misuse detection system may apply various penalties, such as blocking requests, locking accounts of malicious users such as spammers. As a third example, newly identified patterns of activity representing a misuse may yield information that may be utilized as historical data, e.g., to update the usage policy and/or to adapt the heuristic data analysis system to recognize the new patterns of activity.