US-12621340-B2 - Detecting and preventing malware attacks using simulated analytics and continuous authentication

Abstract

Aspects of the disclosure relate to detecting and preventing malware attacks using simulated analytics and continuous authentication. An application server may receive device information and processing capabilities information of a client device. Based on the device information and the processing capabilities information, the application server may generate analytical output data indicating, for each transaction executed on the client device, a transaction processing time. The application server may receive transaction information associated with a transaction being executed at the client device. Based on the received transaction information and the analytical output data, the application server may simulate the transaction being executed at the client device and determine expected payload data. The application server may receive an authorization request including actual payload data associated with the transaction being executed at the client device. The application server may compare the expected payload data with the actual payload data and send an authorization response.

Inventors

  • Vijay Kumar Yarabolu

Assignees

  • BANK OF AMERICA CORPORATION

Dates

  • Publication Date: 20260505
  • Application Date: 20220711

Claims (14)

  1. A system comprising: a client device; an application server; and an application interface located between the client device and the application server, wherein the application server is configured to: receive, via the application interface, device information of the client device; receive, via the application interface, processing capabilities information of the client device, wherein the processing capabilities information of the client device is determined by executing simulated processing of one or more types of transactions at the client device during an enrollment process; based on the device information and the processing capabilities information, generate analytical output data indicating, for each transaction executed on the client device, a transaction processing time, and transmit the analytical output data for storage in one or more database tables; receive transaction information associated with a transaction being executed at the client device; based on the received transaction information and the analytical output data, simulate the transaction being executed at the client device using a virtual representation of the client device; determine expected payload data based on the simulation, wherein the expected payload data comprises an execution time and a data size; receive an authorization request, wherein the authorization request includes actual payload data associated with the transaction being executed at the client device, wherein the actual payload data comprises an execution time and a data size; compare the expected payload data with the actual payload data to determine a relative match amount or a relative match percentage; compare the relative match amount or the relative match percentage to a match threshold to determine when the expected payload data matches the actual payload data; and based on the comparison, send an authorization response, wherein when the expected payload data does not match the actual payload data, the authorization response comprises a notification indicating presence of malware.
  2. The system of claim 1, wherein the analytical output data comprises a graphical visualization representing results of a simulated process.
  3. The system of claim 1, wherein simulating the transaction being executed at the client device comprising simulating transaction steps of the transaction based on the device information and the processing capabilities information of the client device.
  4. The system of claim 1, wherein receiving the device information of the client device comprises receiving information related to one or more of: a device type, a vendor name, a model name or number, a firmware version, a product name, a device identifier, or a processor identifier.
  5. The system of claim 1, wherein sending the authorization response comprises sending a message indicating whether the transaction is approved or denied.
  6. The system of claim 1, wherein receiving transaction information associated with the transaction being executed at the client device comprises receiving information indicative of a transaction type.
  7. The system of claim 1, wherein the transaction being executed at the client device comprises a transaction initiated on the client device via a mobile application.
  8. A method comprising: at a computing platform comprising at least one processor, a communication interface, and memory: receiving, by the at least one processor, via the communication interface, device information of a client device; receiving, by the at least one processor, via the communication interface, processing capabilities information of the client device, wherein the processing capabilities information of the client device is determined by executing simulated processing of one or more types of transactions at the client device during an enrollment process; based on the device information and the processing capabilities information, generating, by the at least one processor, analytical output data indicating, for each transaction executed on the client device, a transaction processing time, and transmitting the analytical output data for storage in one or more database tables; receiving, by the at least one processor, transaction information associated with a transaction being executed at the client device using a virtual representation of the client device; based on the received transaction information and the analytical output data, simulating, by the at least one processor, the transaction being executed at the client device; determining, by the at least one processor, expected payload data based on the simulation, wherein the expected payload data comprises an execution time and a data size; receiving, by the at least one processor, an authorization request, wherein the authorization request includes actual payload data associated with the transaction being executed at the client device, wherein the actual payload data comprises an execution time and a data size; comparing, by the at least one processor, the expected payload data with the actual payload data to determine a relative match amount or a relative match percentage; comparing the relative match amount or the relative match percentage to a match threshold to determine when the expected payload data matches the actual payload data; and based on the comparison, sending, by the at least one processor, an authorization response, wherein when the expected payload data does not match the actual payload data, the authorization response comprises a notification indicating presence of malware.
  9. The method of claim 8, wherein the analytical output data comprises a graphical visualization representing results of a simulated process.
  10. The method of claim 8, wherein simulating the transaction being executed at the client device comprising simulating transaction steps of the transaction based on the device information and the processing capabilities information of the client device.
  11. The method of claim 8, wherein receiving the device information of the client device comprises receiving information related to one or more of: a device type, a vendor name, a model name or number, a firmware version, a product name, a device identifier, or a processor identifier.
  12. The method of claim 8, wherein sending the authorization response comprises sending a message indicating whether the transaction is approved or denied.
  13. The method of claim 8, wherein receiving transaction information associated with the transaction being executed at the client device comprises receiving information indicative of a transaction type.
  14. One or more non-transitory computer-readable media storing instructions that, when executed by a computing platform comprising at least one processor, a communication interface, and memory, cause the computing platform to: receive, via the communication interface, device information of a client device; receive, via the communication interface, processing capabilities information of the client device, wherein the processing capabilities information of the client device is determined by executing simulated processing of one or more types of transactions at the client device during an enrollment process; based on the device information and the processing capabilities information, generate analytical output data indicating, for each transaction executed on the client device, a transaction processing time, and transmit the analytical output data for storage in one or more database tables; receive transaction information associated with a transaction being executed at the client device using a virtual representation of the client device; based on the received transaction information and the analytical output data, simulate the transaction being executed at the client device; determine expected payload data based on the simulation, wherein the expected payload data comprises an execution time and a data size; receive an authorization request, wherein the authorization request includes actual payload data associated with the transaction being executed at the client device, wherein the actual payload data comprises an execution time and a data size; compare the expected payload data with the actual payload data to determine a relative match amount or a relative match percentage; compare the relative match amount or the relative match percentage to a match threshold to determine when the expected payload data matches the actual payload data; and based on the comparison, send an authorization response, wherein when the expected payload data does not match the actual payload data, the authorization response comprises a notification indicating presence of malware.
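
The server-side flow of claim 1 (simulate, derive expected payload, compare against a threshold, respond), sketched as an added example that is not code from the patent or its assignee. The step names, per-step timings, the min/max ratio used as the relative match percentage, and the 90% threshold are all assumptions; the claims do not say how the match percentage is calculated.

```python
import math
from dataclasses import dataclass

@dataclass(frozen=True)
class Payload:
    execution_time_ms: float
    data_size_bytes: float

# Constructed enrollment profile for one device: per-step (time in ms, bytes),
# standing in for the stored "analytical output data" (values are made up).
DEVICE_PROFILE = {
    "authenticate": (120.0, 256),
    "build_request": (80.0, 1024),
    "sign": (200.0, 512),
    "query": (60.0, 128),
}
# Constructed mapping from transaction type to its transaction steps.
TRANSACTION_STEPS = {
    "funds_transfer": ["authenticate", "build_request", "sign"],
    "balance_inquiry": ["authenticate", "query"],
}

def simulate(tx_type):
    """Expected payload from the device's virtual representation, or None."""
    steps = TRANSACTION_STEPS.get(tx_type)
    if steps is None:
        return None
    times, sizes = zip(*(DEVICE_PROFILE[s] for s in steps))
    return Payload(sum(times), sum(sizes))

def field_match(expected, actual):
    # Non-finite or non-positive reported values never match (fail closed).
    if not (math.isfinite(actual) and actual > 0 and expected > 0):
        return 0.0
    return 100.0 * min(expected, actual) / max(expected, actual)

def relative_match_pct(expected, actual):
    # The worst field decides, so a good timing cannot mask a size anomaly.
    return min(field_match(expected.execution_time_ms, actual.execution_time_ms),
               field_match(expected.data_size_bytes, actual.data_size_bytes))

def authorize(tx_type, actual, threshold_pct=90.0):
    expected = simulate(tx_type)
    if expected is None:  # nothing to compare against: deny without a verdict
        return {"approved": False, "malware_notification": False, "match_pct": 0.0}
    pct = relative_match_pct(expected, actual)
    matched = pct >= threshold_pct
    return {"approved": matched, "malware_notification": not matched, "match_pct": round(pct, 2)}
```

Taking the minimum over the two fields is a deliberately strict choice; an averaged score would let a transaction with three times the expected data size pass if its timing were on target.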

Description

BACKGROUND

Aspects of the disclosure relate to computer system security. In particular, one or more aspects of the disclosure relate to detecting and preventing malware attacks using simulated analytics and continuous authentication.

Malicious software, i.e. "malware," presents a serious hazard to computer systems and devices. Once present on a computing system or device, malware can, among other effects, appropriate personal, financial or otherwise sensitive information, and hinder or wholly prevent proper system performance. Despite efforts to block or remove malware from systems, such as the use of antivirus software programs, reports have shown an exponential increase in malware activities year after year. The widespread presence of malware is due in part to the extent and diversity of malware variants. New malware variants are constantly being created, typically in increasing sophistication and complexity. Oftentimes it may be difficult to detect and prevent malware from penetrating user applications.

SUMMARY

Aspects of the disclosure provide effective, efficient, scalable, and convenient technical solutions that address and overcome the technical problems associated with detecting and preventing malware attacks. For example, some aspects of the disclosure may leverage simulated analytics and digital twin technology to continuously detect and prevent malware activity and/or to perform other functions.

In accordance with one or more embodiments, a system including a client device, an application server, and an application interface therebetween is provided. The application server may receive, via the application interface, device information of the client device. The application server may receive, via the application interface, processing capabilities information of the client device. Based on the device information and the processing capabilities information, the application server may generate analytical output data indicating, for each transaction executed on the client device, a transaction processing time. The application server may receive transaction information associated with a transaction being executed at the client device. Based on the received transaction information and the analytical output data, the application server may simulate the transaction being executed at the client device. The application server may determine expected payload data based on the simulation. The application server may receive an authorization request. In addition, the authorization request may include actual payload data associated with the transaction being executed at the client device. The application server may compare the expected payload data with the actual payload data. Based on the comparison, the application server may send an authorization response.

In some examples, the processing capabilities of the client device may be determined by executing simulated processing of one or more types of transactions at the client device during an enrollment process.

In some embodiments, the analytical output data may include a graphical visualization representing results of a simulated process.

In some arrangements, simulating the transaction being executed at the client device may include simulating transaction steps of the transaction based on the device information and the processing capabilities information of the client device.

In some examples, receiving the device information of the client device may include receiving information related to one or more of: a device type, a vendor name, a model name or number, a firmware version, a product name, a device identifier, or a processor identifier.

In some example arrangements, sending the authorization response may include sending a message indicating whether the transaction is approved or denied.

In some examples, sending the authorization response may include sending a notification indicating presence of malware.

In some arrangements, receiving transaction information associated with the transaction being executed at the client device may include receiving information indicative of a transaction type.

In some embodiments, the application server may transmit the analytical output data for storage in one or more database tables.

In some examples, simulating the transaction being executed at the client device may include using a virtual representation of the client device.

In some embodiments, the transaction being executed at the client device may include a transaction initiated on the client device via a mobile application.

These features, along with many others, are discussed in greater detail below.

BRIEF DESCRIPTION OF THE DRAWINGS

The present disclosure is illustrated by way of example and not limited in the accompanying figures in which like reference numerals indicate similar elements and in which: FIGS. 1A-1C depict an illustrative computing environment for detecting and preventing malware attacks using simulated analytics and continuous authentication in ac