Patent Application
20140129632
This invention relates generally to access control in computer networks. More particularly, this invention relates to techniques for social account access control.
A social networking service is an online service, platform, or site that focuses on facilitating the building of social networks or social relations among people who, for example, share interests, activities, backgrounds, or real-life connections. Social networking services, platforms and sites include Facebook®, Google+®, LinkedIn®, Twitter®, YouTube®, Xing®, and many others, collectively constituting over a billion users. They have become so pervasive that they are commonly used by organizations to advertise and otherwise communicate with their target audiences.
A social account is a communication portal on a social networking platform. An account can be owned by an individual or it can be owned by an employee of a company for the sole purpose of broadcasting information about the company or its products. Creating accounts on these social networks is relatively simple and allows individual users to create presences on those social networks for the organization's products, brands and initiatives. At the same time, granting additional individuals and other applications administrative access to a social account or multiple social accounts is also simple and very common. These social accounts and the activities on them become very valuable forums for communicating directly with key audiences of the organization from employees and potential employees to influencers, prospective customers, and actual customers of the organization. Ensuring the integrity of the accounts is as important as protecting the integrity of content published on an organization's website.
The social networking platforms themselves provide basic means to ensure that only authorized users can modify the settings and content on specific accounts, typically through simple passwords. However, as with any system that relies on a user to provide a password for authentication, unauthorized access can be gained by an individual by stealing that password through any of a multitude of well-known means: stealing the password by hacking the social network itself, phishing, malware, social engineering, shoulder surfing, etc. Once an unauthorized individual has password access, he can publish unauthorized content that might defame the organization or harass its users, revoke access for other authorized users, or even delete the account.
Further, unauthorized changes can also be made as a result of mistakes and poor coordination by authorized users across multiple social networks and via direct account access and via third party applications authorized on a particular social account or set of social accounts. This occurs where authorization is formalized as part of a written policy that doesn't provide granular access policies to meet the requirements of the organization across multiple accounts. For example, a platform like Facebook® makes it very easy to add additional users as administrators to page accounts in a way that makes it easy to contravene standards that may be set by an organization around administrative access. This adds to the risk and likelihood of accounts being inappropriately changed. For example,
Thus, there is a need to detect and prevent unauthorized changes to social accounts, notify proper authorities when changes occur, prevent them where possible, and mitigate the affects by removing content or reinstating settings.
A computer implemented method includes monitoring changes to an account accessible by a group of subscribers that form a social network. The changes to the account are compared to a normative base line to identify deviations from the normative base line. An alert is sent in response to deviations from the normative base line. The normative base line is defined by metadata gathered through an application program interface associated with the account, account entity data and a set of predefined rules.
The invention is more fully appreciated in connection with the following detailed description taken in conjunction with the accompanying drawings, in which:
Like reference numerals refer to corresponding parts throughout the several views of the drawings.
The invention provides techniques for authorized users of a social account to protect it from modifications by unauthorized individuals and to protect it from unintentional modifications by authorized users. The invention does this by first building a set of data that represents authorized and unauthorized changes to a social account. The set of data constitutes a normative base line.
The social account is then “locked” to that data set specified in the data store 204. In one embodiment, the data set includes at least one of:
(1) a “snapshot” of the metadata of the social account at a particular point in time.
(2) configuration and rules provided by users, including, but not limited to, times of day and days of week or month that changes may be made, types of content that are allowed or disallowed, types or content or data elements that must or must not exist in published content, locations from which changes may or may not be made, third party applications that may or may not be used to make changes;
(3) rules, regular expressions, machine learning algorithms and data, and heuristics either built offline via generic training sets or online via training sets built from the content and metadata of the social account itself, specifically, machine learning training sets that use aspects of the previous pattern of content posted to the social account, including, but not limited to: the words used in each post, the time of day posts are made, the social applications used to publish the content, and the geographic location that the content was posted from (all of which is queried by the invention through the APIs of the social networking platform), and
(4) data pulled from data stores owned the company that owns the social account, including Lightweight Directory Access Protocol (LDAP) user directories.
The invention uses the data set described above in a process or set of processes that are monitoring the social account for changes, as shown in
In one embodiment, the invention monitors the social account 202 by calling the social networking platform's programmatic APIs to query the social account metadata and content on a periodic basis. When a change is detected, the process uses the data set, or a separate process that abstracts access to the data set, to determine whether or not the change is authorized. If the change is not authorized, the change event is logged and notifications are created within the system and sent via electronic communications (email, text message, instant message, message on a social account, etc) to administrators configured within the system. The administrators have the option to approve the change or not. If the change is not approved, the system will attempt to put back the original authorized setting or remove the unauthorized content. If the change is approved, the invention may update the “locked” data set accordingly to ensure that subsequent changes of the same type are considered authorized. If configured to do so, the invention may revert the affects on an unauthorized change by updating the social account to restore changed settings or remove unauthorized content in addition to notifying administrators, as depicted in
The invention also periodically checks the list of administrative users of the social account and cross references that list against a set of user identities stored in an LDAP user directory owned and maintained by the company that owns the social account. If an administrator has been added that is not among the authorized set of users in the LDAP directory, the invention will remove that administrator or notify other administrators. If a user has been removed from the directory, the invention will remove that user's administrator credentials from the social account and notify other administrators, as shown in
The invention may also implicitly update the “locked” data set when an authorized user modifies the social account through a means that is implicitly trusted by the system, such as publishing content via the system itself
A memory 720 is also connected to the bus 714. The memory 720 stores the previously described data store 204 and monitoring process 402. The invention may be implemented on one or many computers. It is the operations of the invention that are significant, not the particular mechanism for implementing those operations.
There are examples of social account tampering that the invention will act upon. For example, on Oct. 3, 2012, an administrator for KitchenAid's social account on Twitter posted an inappropriate Tweet about Barack Obama. The invention would have detected that the content of this Tweet was dissimilar from the content of previous Tweets, and would have removed the Tweet and notified the other social account administrators.
On Aug. 5, 2012, a pro-Syria group hacked a Reuter's social account on Twitter, changed the screen name and then made pro-Syria posts. The invention would have detected the screen name had changed from the screen name set as part of the social account “snapshot”, then would have notified the social account owners, restored the screen name, and removed subsequent Tweets.
On Feb. 27, 2011, the blogger for Digital Inspiration had his social account on Facebook hacked. The hacker changed the password to lock out the legitimate owner. The invention would have detected that the password had been changed on the account, would have notified the account owner and removed any subsequent posts and comments.
An embodiment of the present invention relates to a computer storage product with a computer readable storage medium having computer code thereon for performing various computer-implemented operations. The media and computer code may be those specially designed and constructed for the purposes of the present invention, or they may be of the kind well known and available to those having skill in the computer software arts. Examples of computer-readable media include, but are not limited to: magnetic media such as hard disks, floppy disks, and magnetic tape; optical media such as CD-ROMs, DVDs and holographic devices; magneto-optical media; and hardware devices that are specially configured to store and execute program code, such as application-specific integrated circuits (“ASICs”), programmable logic devices (“PLDs”) and ROM and RAM devices. Examples of computer code include machine code, such as produced by a compiler, and files containing higher-level code that are executed by a computer using an interpreter. For example, an embodiment of the invention may be implemented using JAVA®, C++, or other object-oriented programming language and development tools. Another embodiment of the invention may be implemented in hardwired circuitry in place of, or in combination with, machine-executable software instructions.
The foregoing description, for purposes of explanation, used specific nomenclature to provide a thorough understanding of the invention. However, it will be apparent to one skilled in the art that specific details are not required in order to practice the invention. Thus, the foregoing descriptions of specific embodiments of the invention are presented for purposes of illustration and description. They are not intended to be exhaustive or to limit the invention to the precise forms disclosed; obviously, many modifications and variations are possible in view of the above teachings. The embodiments were chosen and described in order to best explain the principles of the invention and its practical applications, they thereby enable others skilled in the art to best utilize the invention and various embodiments with various modifications as are suited to the particular use contemplated. It is intended that the following claims and their equivalents define the scope of the invention.
