Intellinx – Cyber Fraud and Risk Management

Intellinx is an innovative and unique software product for tracking end-user activity in internal business applications in heterogeneous platforms including legacy systems. Intellinx introduces a new dimension in auditing and fraud detection – the ability to record the interaction of all end-users with all the central applications, zoom-in on specific suspicious user activity and replay every screen accessed and every keystroke within an application as if looking over the end-user’s shoulder. Intellinx business rule engine tracks end-user behavior patterns triggering alerts on suspicious events in real-time.

Intellinx helps large organizations comply with regulations, such as Gramm-Leach-Bliley, Sarbanes-Oxley, HIPAA and Basel II. These regulations typically require tracking of user access to sensitive corporate and customer’s data. Answering the questions – Who? Did What? When? To Which record? How? Where from? – are typically required for complying with these regulations. Intellinx is unique in its ability to maintain a field-level audit-trail which includes read actions as well update actions, with zero-overhead, without installing any hardware or software on the host or clients and without changing a single line of code.



• Patented technology intercepts communication between end-users and application servers by sniffing network transmissions through the network switch. In this way, Intellinx does not impact the performance of hosts, clients or networks in any way.

• The system monitors a wide range of platforms.

• No need to install any software or hardware on host or clients. The system runs on a separate server running Windows, UNIX or Linux.


• Recording of all screens displayed, end-user keystrokes and messages between applications without interfering with the host’s or clients’ software or hardware.

• Replaying of screens accessed and actions performed by each end-user as if looking over his or her shoulder.

• Search for end-user sessions in a specific timeframe according to screen content – screen headers, field names and values within screens, for example, search and replay all user screens displayed on a specific date in which a specific account-number was viewed or typed.

• Pattern recognition algorithms automatically identify application screens, fields, flows and messages.

• Graphic Visualizer for mapping application entities (screens, fields, and flows) into meaningful business indicators and business entities.

• Customizable business rules track end-user behavior patterns in real-time and identify exceptions, triggering instant alerts. For example, tracking end-users who issue the query “Find customer account by customer name” more than twenty times within one hour, while on average this query is performed only twice an hour by a typical end-user.

• Recorded data may be archived, and new rules can be applied on old recordings after-the-fact.

• A business rules repository stores application entities, business indicators, and business events data.

• A case management function allows fraud and AML investigation teams to effectively manage the organizational process of internal investigations from alerts and cases prioritization and review to workload balancing and SAR filing.

• The product can also be used for real-time opportunity spotting and the generation of additional business. For example, bank customer deposits exceeding a certain threshold may trigger investment offers.


• Reduce operational risk and fraud losses by detecting fraud and other malicious activity in real-time.

• Deter potential fraudulent users just by knowing that all their actions are recorded.

• Improve internal audit effectiveness by alerting on detection of suspicious behavior and providing full visibility for the internal auditors to all the actions of each specific suspicious end-user, as if looking over his or her shoulder.

• Enforce corporate security policies by detecting security breaches and exceptions.

• Improve compliance with government regulations by creating a full audit trail of all end-user activity including queries that normally do not leave any traces in most systems.

• Detect business opportunities in real-time allowing for immediate action. For example, bank customer deposits exceeding a certain threshold may trigger various investment offers.

• Increase productivity and improve customer satisfaction by detecting process slowdown and bottlenecks in real time, triggering instant alerts on service level breaches.

• Totally non-invasive risk-free implementation.

Solution available

The Intellinx architecture is very flexible and scalable, providing a cost-effective solution to organizations with 500 employees as well as corporations with 100,000 employees. Intellinx can be deployed in a wide range of configurations according to the organization’s structure and needs. Intellinx may be configured for supporting a central auditing and investigation group that audits all end users as well as decentralized groups of auditors and investigators, each monitoring a subset of the users.

The Intellinx sensors (sniffers) can be deployed in several data centers connected to one or more network switches in each data center. Each sensor server may listen to one or more protocols in one or more network switches. Intellinx tracks user activity in internal business applications by sniffing network transmissions between the host servers and the clients. Intellinx tracks user activity in any application that utilizes any of the following protocols:

• IBM Mainframe screen protocol – 3270 on SNA, TCP/IP (TN3270) and Enterprise Extender

• IBM iSeries screen protocol – 5250 on SNA, TCP/IP (TN5250), and MPTN

• Client/Server messages – TCP/IP, MQ Series, MSMQ, IBM mainframe SNA LU0 and LU6.2, SMB


• VT100 and other VT flavors


• Text and binary files, log files, database tables, XML and CSV files

Legacy Systems Monitoring

Since the user activity is reconstructed from network transmissions, Intellinx monitors any type of user activity regardless of the host’s operating system (OS/390, VSE, VM, OS/400, etc.) or TP monitor (CICS, IMS/DC, TSO, etc.). The database used by the applications is transparent as well (DB2, IMS, ADABAS, VSAM, etc.). This wide coverage allows you to monitor the activity of any type of end-user – business users as well as privileged users including Database administrators, system administrators, and application programmers.

• Very short installation process (several hours), with no risk to ongoing IT operations.

• Recorded data is stored in a highly condensed format, allowing monitoring tens of thousands of end-users within an organization without major impact on disk space.

• Recording files are ciphered and digitally signed, making them potentially admissible in court proceedings.

• Powerful and scalable business rule engine tracks behavior patterns of up to tens of thousands of end-users per site generating alerts on exceptions in real-time.