Abstract: SYSTEM AND METHOD FOR GATHERING INFORMATION ABOUT UNAUTHORISED PERSON
A system and a method for detecting unauthorised users are disclosed. The system (200) comprises one or more sources configured to detect information about the unauthorised user and a network attack detection unit (212) configured to detect a network attack. The system further comprises a user parameter unit (214) configured to extract one or more parameters from the one or more sources when the network attack is detected, and identify the unauthorised user from the extracted one or more parameters. [Figure 1]
Description:
TECHNICAL FIELD
The present disclosure relates generally to computer forensics and more specifically relates to gathering information about users unauthorized to access a system.
BACKGROUND ART
[0001] In the cybersecurity world, the security data about any target (person, company, domain name or service) is something that’s coveted by parties on all fronts, including red teams and blue teams. Therefore, mastering the information gathering process is one of the ultimate goals of any cybersecurity researcher. That’s why today we’ll be exploring the main information gathering concept, as well as some Information gathering techniques and tools that will help you boost your daily infosec tasks.
[0002] When it comes to getting a clear information gathering concept, the simplest way to define it would be the process of collecting information about something you are interested in. A practical example: gathering information with your eyes is called visual perception. In the same way, in the digital world, a lot of information can be gathered in different ways, not with your senses, but with several methods, tools and techniques.
[0003] Nowadays, there are techniques which can be used to detect unauthorized users. For example, a reference can be made to US10033746B2 which discloses detecting unauthorized users responsible for making changes to a website. Further, reference can be made to US8289130B2 which discloses detecting change in behavior of owner of electronic device to detect unauthorized activity. However, none of the techniques disclose identifying unauthorized users when a network attack has occurred.
OBJECTS OF THE INVENTION
[0001] The principal object of the present invention is to provide techniques for identifying unauthorized users.
[0002] Another object of the present invention is to provide techniques for determining various parameters regarding an unauthorized person in network attacks.
[0003] Another object of the present invention is to detect unauthorized attacks.
SUMMARY OF THE INVENTION
[0004] In one embodiment, a system for detecting unauthorized users is disclosed. The system (200) comprises one or more sources configured to detect information about the unauthorized user and a network attack detection unit (212) configured to detect a network attack. The system further comprises a user parameter unit (214) configured to extract one or more parameters from the one or more sources when the network attack is detected, and identify the unauthorized user from the extracted one or more parameters.
[0005] In another embodiment, a method for detecting unauthorized users is disclosed. The method comprises detecting information about the unauthorised user, detecting a network attack, extracting one or more parameters from the one or more sources when the network attack is detected, and identifying the unauthorised user from the extracted one or more parameters.
BRIEF DESCRIPTION OF DRAWINGS
[0006] Figure 1 illustrates an environment for detecting unauthorized user, in accordance with one embodiment of the present invention.
[0007] Figure 2 illustrates a system for detecting unauthorized user, in accordance with one embodiment of the present invention.
[0008] Figure 3 illustrates a flowchart of a method for detecting unauthorized user, in accordance with the present invention.
DETAILED DESCRIPTION OF THE INVENTION
[0009] While the present invention is described herein by way of example using embodiments and illustrative drawings, those skilled in the art will recognize that the invention is not limited to the embodiments of drawing or drawings described and are not intended to represent the scale of the various components. Further, some components that may form a part of the invention may not be illustrated in certain figures, for ease of illustration, and such omissions do not limit the embodiments outlined in any way. It should be understood that the drawings and the detailed description thereto are not intended to limit the invention to the particular form disclosed, but on the contrary, the invention is to cover all modifications, equivalents, and alternatives falling within the scope of the present invention as defined by the appended claim.
[0010] As used throughout this description, the word "may" is used in a permissive sense (i.e. meaning having the potential to), rather than the mandatory sense, (i.e. meaning must). Further, the words "a" or "an" mean "at least one" and the word "plurality" means "one or more" unless otherwise mentioned. Furthermore, the terminology and phraseology used herein are solely used for descriptive purposes and should not be construed as limiting in scope. Language such as "including," "comprising," "having," "containing," or "involving," and variations thereof, is intended to be broad and encompass the subject matter listed thereafter, equivalents, and additional subject matter not recited, and is not intended to exclude other additives, components, integers, or steps. Likewise, the term "comprising" is considered synonymous with the terms "including" or "containing" for applicable legal purposes. Any discussion of documents, acts, materials, devices, articles, and the like are included in the specification solely for the purpose of providing a context for the present invention. It is not suggested or represented that any or all these matters form part of the prior art base or were common general knowledge in the field relevant to the present invention.
[0011] In this disclosure, whenever a composition or an element or a group of elements is preceded with the transitional phrase "comprising", it is understood that we also contemplate the same composition, element, or group of elements with transitional phrases "consisting of", "consisting", "selected from the group consisting of", "including", or "is" preceding the recitation of the composition, element or group of elements and vice versa.
[0012] The present invention is described hereinafter by various embodiments with reference to the accompanying drawing, wherein reference numerals used in the accompanying drawing correspond to the like elements throughout the description. This invention may, however, be embodied in many different forms and should not be construed as limited to the embodiment set forth herein. Rather, the embodiment is provided so that this disclosure will be thorough and complete and will fully convey the scope of the invention to those skilled in the art. In the following detailed description, numeric values and ranges are provided for various aspects of the implementations described. These values and ranges are to be treated as examples only and are not intended to limit the scope of the claims. In addition, several materials are identified as suitable for various facets of the implementations. These materials are to be treated as exemplary and are not intended to limit the scope of the invention.
[0013] Referring to FIG. 1, an environment 100 for detecting unauthorized user is disclosed. The environment 100 shows a server 102 and a plurality of user devices 104 connected with the server 102 via a network 106. The plurality of user devices 104 may try to establish a connection with the server 102 for accessing content. For example, the content may be results relating to the web server. In one embodiment, the content may also include sending communications to other users via email communication. As shown in FIG. 1, the user devices 104 may be any computing devices which are compatible to access the internet, for example, but not limited to, mobile device, computer device, laptop, tablets, etc.
[0014] The server 102 may be placed at a physical location and a plurality of user devices 104 from all over the world access the server 102. Although only one server 102 is shown, there may be a plurality of servers which may be placed at different locations. As explained above, the server 102 is able to recognize a user device 104 from the plurality of user devices 104 using a unique internet protocol (IP) address associated with each of the user devices 104. Generally, the IP address is divided into multiple sub parts which can help the server identify the user device more efficiently and quickly. In addition to recognizing the user device, the server 102 is also able to identify the location of the user device 104 from which the request for accessing the content is being sent. The tracing of the location of the user device 104 generally helps the server 102 to take appropriate actions in case the user devices 104 are trying to access unauthorized content from the server 102.
[0015] In one embodiment, any IP address can be traced and tracked. Any IP address may include IP address of any user device 104. In one embodiment, the IP information may include public address of a web server to reveal geographic information, holder information and registration information of the server. In one embodiment, the IP address may be IPv4 or IPv6 addresses. In one embodiment, the IP address may be 32-bit or 64-bit address. In one embodiment, the IP address may be associated with email communications. The email communications may include headers in them. The headers may include IP addresses.
[0016] Referring to FIG. 2 now, a system 200 for detecting unauthorized user is disclosed, in accordance with the present invention. The system 200 is responsible for analyzing various information about the users who are trying to access the system 100 in an unauthorized way. The information about the unauthorized user can be extracted from various sources. The various sources can include, but are not limited to, information from social engineering, search engines, social networks, domain names, internet servers, etc. For extracting information from various sources, the system 200 comprises social engineering unit 202, social networks 204, domain names extraction unit 206, internet servers 208, search engines 210, a network attack detection unit 212 and a user parameter unit 214.
[0017] The social engineering unit 202 includes information about in-person chat, phone conversations and email spoofing attacks. What all these methods have in common is the psychology of human weakness, needed to get maximum data about the target unauthorized user.
[0018] The social networks 204 can include social websites such as Facebook, Twitter, LinkedIn and other social networks. These social networks are great sources of information to build a profile, especially when targeting individuals. Building profiles of users can include analyzing various information related to the individual users on the social networks. For example, the profile may include information relating to preferences of the user (likes/dislikes), comments/content posted by the user, job profile of the user, etc.
[0019] The domain names extraction unit 206 is configured to inspect domain name information. Domain names are registered by organizations, governments, public and private agencies, and people. Therefore, they’re a great starting point when it is required to investigate someone. Personal information, associated domains, projects, services and technologies can be found by inspecting domain name information.
[0020] The internet servers 208 are configured to analyze internet servers. Authoritative DNS servers are a great source of information, as they often include every single surface point exposed to the Internet—which means a direct link to related services such as HTTP, email, etc. The internet servers may be present at a single or multiple locations across the globe. A user request from a user device may be routed to the internet servers 208 in response to a desire to fetch content.
[0021] The search engine 210 uses web crawling techniques. Web crawlers can be used to fetch information about anything, and this includes companies, persons, services, and even real hacks. The web crawler indexes content from all over the internet. The goal of such web crawlers is to learn what (almost) every webpage on the web is about, so that the information can be retrieved when it's needed.
[0022] The network attack detection unit 212 detects attacks on the network. In one embodiment, a .pcap file may be extracted/determined from the detected network attacks. The file contains data packets of a network which can be used to analyze network characteristics. In one embodiment, the .pcap file can also help in capturing and analyzing the network traffic. In one embodiment, the .pcap is an application programming interface (API). The captured network traffic is saved in a file which can later be read.
[0023] The user parameter unit 214 is configured to extract and identify various parameters which can help to determine unauthorized users. For example, the parameters that can be extracted include all universal resource locators (URLs), emails, phone numbers, credit card numbers, cryptocurrency addresses, Social Security Numbers and much more. All these parameters may be extracted from the sources as defined above.
[0024] With various parameters detected from various sources, unauthorized users can be detected in the network. The unauthorized user may be the one who does not have permission to access the network but still is trying to access the network. With these parameters, a complete detail of the attacker can be extracted which can be helpful to locate the attacker in the network. The details about the attacker can be located by a network administrator.
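The extraction step described in paragraphs [0022] to [0024] can be illustrated with the following Python example, which is added here and is not part of the specification or the applicant's implementation. It assumes a classic (non-pcapng) Ethernet capture carrying IPv4/TCP, covers only two of the listed parameter types (URLs and emails), and uses hypothetical function names, illustrative regular expressions and constructed sample traffic.

```python
import re
import struct
from collections import defaultdict

# Two of the parameter types the description lists; patterns are illustrative.
PATTERNS = {
    "url": re.compile(rb"https?://[^\s\"'<>]+"),
    "email": re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
}

def tcp_payloads(pcap):
    """Yield (source IP, TCP payload) for each IPv4/TCP frame in a classic pcap."""
    order = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if order is None or len(pcap) < 24:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    if struct.unpack(order + "I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet (link type 1) captures are handled")
    off = 24
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(order + "I", pcap[off + 8:off + 12])[0]
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 54 or frame[12:14] != b"\x08\x00":
            continue  # truncated frame or not IPv4
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        if ip[0] >> 4 != 4 or ihl < 20 or ip[9] != 6:
            continue  # malformed header or not TCP
        tcp = ip[ihl:struct.unpack("!H", ip[2:4])[0]]
        if len(tcp) < 20:
            continue  # no complete TCP header
        yield ".".join(map(str, ip[12:16])), tcp[(tcp[12] >> 4) * 4:]

def extract_parameters(pcap):
    """Map each source IP to the URLs and emails found in its payloads."""
    found = defaultdict(lambda: defaultdict(set))
    for src, payload in tcp_payloads(pcap):
        for kind, rx in PATTERNS.items():
            for match in rx.findall(payload):
                found[src][kind].add(match.decode("ascii", "replace"))
    return {ip: {k: sorted(v) for k, v in kinds.items()}
            for ip, kinds in found.items()}

# Constructed sample traffic (documentation addresses, .example names).
SAMPLE = [
    ((198, 51, 100, 7), b"GET /login HTTP/1.1\r\nHost: app.example\r\n"
                        b"Referer: http://staging.example/tool.php\r\n\r\n"),
    ((198, 51, 100, 7), b"POST /reset HTTP/1.1\r\n\r\nemail=operator@mail.example"),
    ((203, 0, 113, 9), b"GET / HTTP/1.1\r\n\r\n"),
]

def build_sample_pcap():
    """Assemble SAMPLE into pcap bytes (checksums left zero; parser ignores them)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for src, payload in SAMPLE:
        tcp = struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, 0x50, 0x18, 8192, 0, 0) + payload
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                         bytes(src), bytes((192, 0, 2, 10)))
        frame = b"\x00" * 12 + b"\x08\x00" + ip + tcp
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return out

if __name__ == "__main__":
    print(extract_parameters(build_sample_pcap()))
```

Grouping the extracted values by source address keeps each parameter tied to the host that sent it; payloads carried over TLS yield nothing to this kind of pattern matching.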
[0025] In one embodiment, PyWhat can be used to scan a file for items that can be reported through bug bounties, such as API keys, webhooks, credentials and more. In one embodiment, other information such as GitHub repository API key leaks can be found by downloading all GitHub repositories of an organisation and searching them for anything that can be submitted as a bounty, like API keys.
[0026] Referring to FIG. 3 now, a flowchart of a method 300 for detecting unauthorized users is provided. At step 302, the method comprises extracting information from various sources. At step 304, the method comprises detecting a network attack in an environment. At step 306, the method comprises extracting various parameters relating to an attacker in a network. At step 308, the method comprises identifying details about an attacker based on the extracted parameters.
[0027] The various actions, acts, blocks, steps, or the like in the flow diagram may be performed in the order presented, in a different order or simultaneously. Further, in some embodiments, some of the actions, acts, blocks, steps, or the like may be omitted, added, modified, skipped, or the like without departing from the scope of the invention.
[0028] Although particular embodiments of the invention have been described in detail for purposes of illustration, various modifications and enhancements may be made without departing from the spirit and scope of the invention.
Claims:
I/We Claim:
1. A system (200) for detecting unauthorised user, the system comprises:
one or more sources configured to detect information about the unauthorised user;
a network attack detection unit (212) configured to detect a network attack;
a user parameter unit (214) configured to:
extract one or more parameters from the one or more sources when the network attack is detected, and
identify the unauthorised user from the extracted one or more parameters.
2. The system as claimed in claim 1, wherein the one or more sources includes social engineering, search engines, social networks, domain names, internet servers.
3. The system as claimed in claim 1, wherein social engineering includes in-person chat, phone conversations and email spoofing attacks.
4. The system as claimed in claim 1, wherein the .pcap file is detected from the detected network attacks.
5. The system as claimed in claim 4, wherein the .pcap file comprises information such as all universal resource locators (URLs), Emails, Phone numbers, credit card numbers, cryptocurrency addresses, Social Security Numbers.
6. A method for detecting unauthorised user using the system as claimed in claim 1, the method comprises:
detecting information about the unauthorised user;
detecting a network attack;
extracting one or more parameters from the one or more sources when the network attack is detected, and
identifying the unauthorised user from the extracted one or more parameters.
7. The method as claimed in claim 6, wherein the one or more sources includes social engineering, search engines, social networks, domain names, internet servers.
8. The method as claimed in claim 6, wherein social engineering includes in-person chat, phone conversations and email spoofing attacks.
9. The method as claimed in claim 6, wherein the .pcap file is detected from the detected network attacks.
10. The method as claimed in claim 9, wherein the .pcap file comprises information such as all universal resource locators (URLs), Emails, Phone numbers, credit card numbers, cryptocurrency addresses, Social Security Numbers.
| # | Name | Date |
|---|---|---|
| 1 | 202221054767-STATEMENT OF UNDERTAKING (FORM 3) [24-09-2022(online)].pdf | 2022-09-24 |
| 2 | 202221054767-REQUEST FOR EARLY PUBLICATION(FORM-9) [24-09-2022(online)].pdf | 2022-09-24 |
| 3 | 202221054767-FORM-9 [24-09-2022(online)].pdf | 2022-09-24 |
| 4 | 202221054767-FORM FOR SMALL ENTITY(FORM-28) [24-09-2022(online)].pdf | 2022-09-24 |
| 5 | 202221054767-FORM FOR SMALL ENTITY [24-09-2022(online)].pdf | 2022-09-24 |
| 6 | 202221054767-FORM 1 [24-09-2022(online)].pdf | 2022-09-24 |
| 7 | 202221054767-FIGURE OF ABSTRACT [24-09-2022(online)].pdf | 2022-09-24 |
| 8 | 202221054767-EVIDENCE FOR REGISTRATION UNDER SSI(FORM-28) [24-09-2022(online)].pdf | 2022-09-24 |
| 9 | 202221054767-EVIDENCE FOR REGISTRATION UNDER SSI [24-09-2022(online)].pdf | 2022-09-24 |
| 10 | 202221054767-EDUCATIONAL INSTITUTION(S) [24-09-2022(online)].pdf | 2022-09-24 |
| 11 | 202221054767-DRAWINGS [24-09-2022(online)].pdf | 2022-09-24 |
| 12 | 202221054767-DECLARATION OF INVENTORSHIP (FORM 5) [24-09-2022(online)].pdf | 2022-09-24 |
| 13 | 202221054767-COMPLETE SPECIFICATION [24-09-2022(online)].pdf | 2022-09-24 |
| 14 | Abstract.jpg | 2022-09-29 |
| 15 | 202221054767-FORM-26 [04-10-2022(online)].pdf | 2022-10-04 |
| 16 | 202221054767-FORM 18 [22-12-2023(online)].pdf | 2023-12-22 |
| 17 | 202221054767-FER.pdf | 2025-04-25 |
| 18 | 202221054767-OTHERS [25-10-2025(online)].pdf | 2025-10-25 |
| 19 | 202221054767-FER_SER_REPLY [25-10-2025(online)].pdf | 2025-10-25 |
| 20 | 202221054767-CLAIMS [25-10-2025(online)].pdf | 2025-10-25 |
| 1 | Search054767E_27-08-2024.pdf | |