Security using velocity metrics identifying authentication performance for a set of devices

US 10,015,153 B1
Filed: 12/23/2013
Issued: 07/03/2018
Est. Priority Date: 12/23/2013
Status: Active Grant

First Claim

Patent Images

1. A method of performing authentication, the method comprising:

performing, by processing circuitry, a set of authentication operations in response to a set of authentication requests, and updating a set of velocity metrics which identifies authentication performance for a set of authentication request source devices that originated the set of authentication requests, the set of velocity metrics including a particular failed authentication velocity identifying a rate at which a particular authentication request source device provided authentication requests resulting in failed authentication;

after updating the set of velocity metrics, receiving, by the processing circuitry, an authentication request from the particular authentication request source device; and

providing, by the processing circuitry, an authentication result in response to the authentication request from the particular authentication request source device, the authentication result (i) being based on the rate identified by the particular failed authentication velocity of the set of velocity metrics and (ii) indicating whether the authentication request is considered to be legitimate;

wherein performing the set of authentication operations and updating the set of velocity metrics includes;

generating a first failed authentication result in response to a first authentication attempt by the particular authentication request source device, the first authentication attempt using a first user identifier that identifies a first user,generating a second failed authentication result in response to a second authentication attempt by the particular authentication request source device, the second authentication attempt using a second user identifier that is different from the first user identifier and that identifies a second user that is different from the first user, andmodifying the particular failed authentication velocity in response to the first and second failed authentication results to accurately identify occurrence of a particular number of failed authentication attempts by the particular authentication request source device during a particular amount of time; and

wherein the method further comprises;

locking out the particular authentication request source device from successfully authenticating in response to the particular failed authentication velocity identifying a current failed authentication rate that exceeds a predefined threshold;

wherein the set of velocity metrics includes a set of failed authentication velocities, the set of failed authentication velocities including the particular failed authentication velocity;

wherein updating the set of velocity metrics which identifies authentication performance for the set of authentication request source devices that originated the set of authentication requests includes;

updating the set of failed authentication velocities based on failed authentication operations of the set of authentication operations;

wherein the method further comprises;

performing an authentication-related action based on the set of failed authentication velocities;

wherein the set of failed authentication velocities indicates an abnormally high failed authentication velocity for the particular authentication request source device; and

wherein performing the authentication-related action based on the set of failed authentication velocities includes;

in response to detection of the abnormally high failed authentication velocity for the particular authentication request source device, (i) distributing a list of suspicious authentication request source devices to a set of server devices of a fraud mitigation network, the list of suspicious authentication request source devices identifying the particular authentication request source device, and (ii) transitioning the processing circuitry from operating in a “

not locked out”

state in which further authentication requests are processed to a “

locked out”

state in which further authentication requests are denied.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A technique performs authentication. The technique involves performing, by processing circuitry, a set of authentication operations in response to a set of authentication requests, and updating a set of velocity metrics which identifies authentication performance for a set of authentication request sources that originated the set of authentication requests. The technique further involves, after updating the set of velocity metrics, receiving, by the processing circuitry, an authentication request from an authentication request source. The technique further involves providing, by the processing circuitry, an authentication result in response to the authentication request from the authentication request source. The authentication result (i) is based on the set of velocity metrics and (ii) indicates whether the authentication request is considered to be legitimate. Such a technique can detect malicious activity even if a person tries to authenticate just a few times to several accounts in a “touch the fence” style of attack.

138 Citations

15 Claims

1. A method of performing authentication, the method comprising:
- performing, by processing circuitry, a set of authentication operations in response to a set of authentication requests, and updating a set of velocity metrics which identifies authentication performance for a set of authentication request source devices that originated the set of authentication requests, the set of velocity metrics including a particular failed authentication velocity identifying a rate at which a particular authentication request source device provided authentication requests resulting in failed authentication;
  
  after updating the set of velocity metrics, receiving, by the processing circuitry, an authentication request from the particular authentication request source device; and
  
  providing, by the processing circuitry, an authentication result in response to the authentication request from the particular authentication request source device, the authentication result (i) being based on the rate identified by the particular failed authentication velocity of the set of velocity metrics and (ii) indicating whether the authentication request is considered to be legitimate;
  
  wherein performing the set of authentication operations and updating the set of velocity metrics includes;
  
  generating a first failed authentication result in response to a first authentication attempt by the particular authentication request source device, the first authentication attempt using a first user identifier that identifies a first user,generating a second failed authentication result in response to a second authentication attempt by the particular authentication request source device, the second authentication attempt using a second user identifier that is different from the first user identifier and that identifies a second user that is different from the first user, andmodifying the particular failed authentication velocity in response to the first and second failed authentication results to accurately identify occurrence of a particular number of failed authentication attempts by the particular authentication request source device during a particular amount of time; and
  
  wherein the method further comprises;
  
  locking out the particular authentication request source device from successfully authenticating in response to the particular failed authentication velocity identifying a current failed authentication rate that exceeds a predefined threshold;
  
  wherein the set of velocity metrics includes a set of failed authentication velocities, the set of failed authentication velocities including the particular failed authentication velocity;
  
  wherein updating the set of velocity metrics which identifies authentication performance for the set of authentication request source devices that originated the set of authentication requests includes;
  
  updating the set of failed authentication velocities based on failed authentication operations of the set of authentication operations;
  
  wherein the method further comprises;
  
  performing an authentication-related action based on the set of failed authentication velocities;
  
  wherein the set of failed authentication velocities indicates an abnormally high failed authentication velocity for the particular authentication request source device; and
  
  wherein performing the authentication-related action based on the set of failed authentication velocities includes;
  
  in response to detection of the abnormally high failed authentication velocity for the particular authentication request source device, (i) distributing a list of suspicious authentication request source devices to a set of server devices of a fraud mitigation network, the list of suspicious authentication request source devices identifying the particular authentication request source device, and (ii) transitioning the processing circuitry from operating in a “
  
  not locked out”
  
  state in which further authentication requests are processed to a “
  
  locked out”
  
  state in which further authentication requests are denied.
- View Dependent Claims (2, 3, 5)
- - 2. A method as in claim 1 wherein updating the set of failed authentication velocities based on the failed authentication operations of the set of authentication operations includes:
    - updating, for each source device of the set of the authentication request source devices, a respective failed authentication velocity, riskiness of that source device increasing as the respective failed authentication velocity for that source device increases.
  - 3. A method as in claim 1 wherein updating the set of failed authentication velocities based on the failed authentication operations of the set of authentication operations includes:
    - deriving, for each source device of the set of the authentication request source devices, a respective rate of change in respective failed authentication velocity, riskiness of that source device increasing as the respective rate of change in respective failed authentication velocity for that source device increases.
  - 5. A method as in claim 1 wherein the particular failed authentication velocity is a numerical count of the number of failed authentication attempts for all users of the particular authentication request source device during the particular amount of time;
    - wherein modifying the particular failed authentication velocity in response to the first and second failed authentication results includes;
      
      incrementing the numerical count in response to the first failed authentication result, and subsequently incrementing the numerical count in response to the second failed authentication result; and
      
      wherein locking out the particular authentication request source device includes;
      
      preventing successful authentication attempts from the particular authentication request source device in response to modifying the failed authentication velocity and while continuing to allow successful authentication attempts from another authentication request source device.

4. A method of performing authentication, the method comprising:
- performing, by processing circuitry, a set of authentication operations in response to a set of authentication requests, and updating a set of velocity metrics which identifies authentication performance for a set of authentication request source devices that originated the set of authentication requests, the set of velocity metrics including a particular failed authentication velocity identifying a rate at which a particular authentication request source device provided authentication requests resulting in failed authentication;
  
  after updating the set of velocity metrics, receiving, by the processing circuitry, an authentication request from the particular authentication request source device; and
  
  providing, by the processing circuitry, an authentication result in response to the authentication request from the particular authentication request source device, the authentication result (i) being based on the rate identified by the particular failed authentication velocity of the set of velocity metrics and (ii) indicating whether the authentication request is considered to be legitimate;
  
  wherein performing the set of authentication operations and updating the set of velocity metrics includes;
  
  generating a first failed authentication result in response to a first authentication attempt by the particular authentication request source device, the first authentication attempt using a first user identifier that identifies a first user,generating a second failed authentication result in response to a second authentication attempt by the particular authentication request source device, the second authentication attempt using a second user identifier that is different from the first user identifier and that identifies a second user that is different from the first user, andmodifying the particular failed authentication velocity in response to the first and second failed authentication results to accurately identify occurrence of a particular number of failed authentication attempts by the particular authentication request source device during a particular amount of time; and
  
  wherein the method further comprises;
  
  locking out the particular authentication request source device from successfully authenticating in response to the particular failed authentication velocity identifying a current failed authentication rate that exceeds a predefined threshold;
  
  wherein the set of velocity metrics includes a set of failed authentication velocities, the set of failed authentication velocities including the particular failed authentication velocity;
  
  wherein updating the set of velocity metrics which identifies authentication performance for the set of authentication request source devices that originated the set of authentication requests includes;
  
  updating the set of failed authentication velocities based on failed authentication operations of the set of authentication operations;
  
  wherein the method further comprises;
  
  performing an authentication-related action based on the set of failed authentication velocities;
  
  wherein the processing circuitry resides in an authentication server;
  
  wherein the method further comprises;
  
  maintaining, as an overall server sensitivity index, a measure of riskiness indicating whether the authentication server is currently under attack from an attacker, the measure of riskiness being based on the set of velocity metrics that is updated by the processing circuitry; and
  
  wherein performing the authentication-related action includes;
  
  comparing the overall server sensitivity index to a predefined threshold;
  
  maintaining the authentication server in a “
  
  not locked out”
  
  state in which the authentication server performs further authentication operations in response to further authentication requests while the overall server sensitivity index is below the predefined threshold; and
  
  operating the authentication server in a “
  
  locked out”
  
  state in which the authentication server denies further authentication requests while the overall server sensitivity index is above the predefined threshold.
- View Dependent Claims (7, 8, 9)
- - 7. A method as in claim 4 wherein the set of failed authentication velocities indicates an abnormally high failed authentication velocity for a particular authentication request source device.
  - 8. A method as in claim 4 wherein the authentication server is currently operating in the “
    - locked out”
      
      state; and
      
      wherein the method further comprises;
      
      after the authentication server operates in the “
      
      locked out”
      
      state due to the overall server sensitivity index being above the predefined threshold, maintaining the authentication server in the “
      
      locked out”
      
      state until a human administrator resets the authentication server to the “
      
      not locked out”
      
      state.
  - 9. A method as in claim 4 wherein the authentication server is currently operating in the “
    - locked out”
      
      state; and
      
      wherein the method further comprises;
      
      after the authentication server operates in the “
      
      locked out”
      
      state due to the overall server sensitivity index being above the predefined threshold, maintaining the authentication server in the “
      
      locked out”
      
      state for a predefined period of time and automatically transitioning the authentication server from the “
      
      locked out”
      
      state back to the “
      
      not locked out”
      
      state after expiration of the predefined period of time.

6. A method of performing authentication, the method comprising:
- performing, by processing circuitry, a set of authentication operations in response to a set of authentication requests, and updating a set of velocity metrics which identifies authentication performance for a set of authentication request source devices that originated the set of authentication requests, the set of velocity metrics including a particular failed authentication velocity identifying a rate at which a particular authentication request source device provided authentication requests resulting in failed authentication;
  
  after updating the set of velocity metrics, receiving, by the processing circuitry, an authentication request from the particular authentication request source device; and
  
  providing, by the processing circuitry, an authentication result in response to the authentication request from the particular authentication request source device, the authentication result (i) being based on the rate identified by the particular failed authentication velocity of the set of velocity metrics and (ii) indicating whether the authentication request is considered to be legitimate;
  
  wherein performing the set of authentication operations and updating the set of velocity metrics includes;
  
  generating a first failed authentication result in response to a first authentication attempt by the particular authentication request source device, the first authentication attempt using a first user identifier that identifies a first user,generating a second failed authentication result in response to a second authentication attempt by the particular authentication request source device, the second authentication attempt using a second user identifier that is different from the first user identifier and that identifies a second user that is different from the first user, andmodifying the particular failed authentication velocity in response to the first and second failed authentication results to accurately identify occurrence of a particular number of failed authentication attempts by the particular authentication request source device during a particular amount of time; and
  
  wherein the method further comprises;
  
  locking out the particular authentication request source device from successfully authenticating in response to the particular failed authentication velocity identifying a current failed authentication rate that exceeds a predefined threshold;
  
  wherein the set of velocity metrics includes a set of failed authentication velocities, the set of failed authentication velocities including the particular failed authentication velocity;
  
  wherein updating the set of velocity metrics which identifies authentication performance for the set of authentication request source devices that originated the set of authentication requests includes;
  
  updating the set of failed authentication velocities based on failed authentication operations of the set of authentication operations;
  
  wherein the method further comprises;
  
  performing an authentication-related action based on the set of failed authentication velocities; and
  
  wherein the set of failed authentication velocities indicates an abnormally high failed authentication velocity for a particular authentication request source device; and
  
  wherein performing the authentication-related action based on the set of failed authentication velocities includes;
  
  distributing a list of suspicious authentication request source devices to a set of server devices of a fraud mitigation network, the list of suspicious authentication request source devices identifying the particular authentication request source device.

10. An electronic apparatus, comprising:
- a communications interface;
  
  memory; and
  
  control circuitry coupled to the communications interface and the memory, the memory storing instructions which, when carried out by the control circuitry, cause the control circuitry to;
  
  perform a set of authentication operations in response to a set of authentication requests received through the communications interface, and update a set of velocity metrics which identifies authentication performance for a set of authentication request source devices that originated the set of authentication requests, the set of velocity metrics including a particular failed authentication velocity identifying a rate at which a particular authentication request source device provided authentication requests resulting in failed authentication,after updating the set of velocity metrics, receive an authentication request from the particular authentication request source device through the communications interface, andprovide an authentication result in response to the authentication request from the particular authentication request source device, the authentication result (i) being based on the rate identified by the particular failed authentication velocity of the set of velocity metrics and (ii) indicating whether the authentication request is considered to be legitimate;
  
  wherein the control circuitry, when performing the set of authentication operations and updating the set of velocity metrics, is constructed and arranged to;
  
  generate a first failed authentication result in response to a first authentication attempt by the particular authentication request source device, the first authentication attempt using a first user identifier that identifies a first user,generate a second failed authentication result in response to a second authentication attempt by the particular authentication request source device, the second authentication attempt using a second user identifier that is different from the first user identifier and that identifies a second user that is different from the first user, andmodify the particular failed authentication velocity in response to the first and second failed authentication results to accurately identify occurrence of a particular number of failed authentication attempts by the particular authentication request source device during a particular amount of time; and
  
  wherein the control circuitry is further constructed and arranged to;
  
  lock out the particular authentication request source device from successfully authenticating in response to the particular failed authentication velocity identifying a current failed authentication rate that exceeds a predefined threshold;
  
  wherein the set of velocity metrics includes a set of failed authentication velocities, the set of failed authentication velocities including the particular failed authentication velocity;
  
  wherein the control circuitry, when updating the set of velocity metrics which identifies authentication performance for the set of authentication request source devices that originated the set of authentication requests, is constructed and arranged to;
  
  update the set of failed authentication velocities based on failed authentication operations of the set of authentication operations;
  
  wherein the control circuitry is further constructed and arranged to;
  
  perform an authentication-related action based on the set of failed authentication velocities;
  
  wherein the set of failed authentication velocities indicates an abnormally high failed authentication velocity for the particular authentication request source device; and
  
  wherein the control circuitry, when performing the authentication-related action based on the set of failed authentication velocities, is constructed and arranged to;
  
  in response to detection of the abnormally high failed authentication velocity for the particular authentication request source device, (i) distribute a list of suspicious authentication request source devices to a set of server devices of a fraud mitigation network, the list of suspicious authentication request source devices identifying the particular authentication request source device, and (ii) transition the control circuitry from operating in a “
  
  not locked out”
  
  state in which further authentication requests are processed to a “
  
  locked out”
  
  state in which further authentication requests are denied.
- View Dependent Claims (11, 12)
- - 11. An electronic apparatus as in claim 10 wherein the control circuitry, when updating the set of failed authentication velocities based on the failed authentication operations of the set of authentication operations, is constructed and arranged to:
    - update, for each source device of the set of the authentication request source devices, a respective failed authentication velocity indicating a numerical measure of failed authentication attempts by that source device, riskiness of that source device increasing as the respective failed authentication velocity for that source device increases.
  - 12. An electronic apparatus as in claim 10 wherein the control circuitry, when updating the set of failed authentication velocities based on the failed authentication operations of the set of authentication operations, is constructed and arranged to:
    - derive, for each source device of the set of the authentication request source devices, a respective rate of change in respective failed authentication velocity indicating a numerical rate of failed authentication attempts by that source device, riskiness of that source device increasing as the respective rate of change in respective failed authentication velocity for that source device increases.

13. A computer program product having a non-transitory computer readable medium which stores a set of instructions to perform authentication, the set of instructions, when carried out by computerized circuitry, causing the computerized circuitry to perform a method of:
- performing a set of authentication operations in response to a set of authentication requests, and updating a set of velocity metrics which identifies authentication performance for a set of authentication request source devices that originated the set of authentication requests, the set of velocity metrics including a particular failed authentication velocity identifying a rate at which a particular authentication request source device provided authentication requests resulting in failed authentication;
  
  after updating the set of velocity metrics, receiving an authentication request from the particular authentication request source device; and
  
  providing an authentication result in response to the authentication request from the particular authentication request source device, the authentication result (i) being based on the rate identified by the particular failed authentication velocity of the set of velocity metrics and (ii) indicating whether the authentication request is considered to be legitimate;
  
  wherein performing the set of authentication operations and updating the set of velocity metrics includes;
  
  generating a first failed authentication result in response to a first authentication attempt by the particular authentication request source device, the first authentication attempt using a first user identifier that identifies a first user,generating a second failed authentication result in response to a second authentication attempt by the particular authentication request source device, the second authentication attempt using a second user identifier that is different from the first user identifier and that identifies a second user that is different from the first user, andmodifying the particular failed authentication velocity in response to the first and second failed authentication results to accurately identify occurrence of a particular number of failed authentication attempts by the particular authentication request source device during a particular amount of time; and
  
  wherein the method further comprises;
  
  locking out the particular authentication request source device from successfully authenticating in response to the particular failed authentication velocity identifying a current failed authentication rate that exceeds a predefined threshold;
  
  wherein the set of velocity metrics includes a set of failed authentication velocities, the set of failed authentication velocities including the particular failed authentication velocity;
  
  wherein updating the set of velocity metrics which identifies authentication performance for the set of authentication request source devices that originated the set of authentication requests includes;
  
  updating the set of failed authentication velocities based on failed authentication operations of the set of authentication operations;
  
  wherein the method further comprises;
  
  performing an authentication-related action based on the set of failed authentication velocities;
  
  wherein the set of failed authentication velocities indicates an abnormally high failed authentication velocity for the particular authentication request source device; and
  
  wherein performing the authentication-related action based on the set of failed authentication velocities includes;
  
  in response to detection of the abnormally high failed authentication velocity for the particular authentication request source device, (i) distributing a list of suspicious authentication request source devices to a set of server devices of a fraud mitigation network, the list of suspicious authentication request source devices identifying the particular authentication request source device, and (ii) transitioning the computerized circuitry from operating in a “
  
  not locked out”
  
  state in which further authentication requests are processed to a “
  
  locked out”
  
  state in which further authentication requests are denied.
- View Dependent Claims (14, 15)
- - 14. A computer program product as in claim 13 wherein updating the set of failed authentication velocities based on the failed authentication operations of the set of authentication operations includes:
    - updating, for each source device of the set of the authentication request source devices, a respective failed authentication velocity indicating a numerical measure of failed authentication attempts by that source device, riskiness of that source device increasing as the respective failed authentication velocity for that source device increases.
  - 15. A computer program product as in claim 13 wherein updating the set of failed authentication velocities based on the failed authentication operations of the set of authentication operations includes:
    - deriving, for each source device of the set of the authentication request source devices, a respective rate of change in respective failed authentication velocity indicating a numerical rate of failed authentication attempts by that source device, riskiness of that source device increasing as the respective rate of change in respective failed authentication velocity for that source device increases.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Emc IP Holding Company LLC (Dell Technologies Inc.)
Original Assignee
Emc IP Holding Company LLC (Dell Technologies Inc.)
Inventors
Dotan, Yedidya, Suresh, Lakshmi, Watts, John, Blatt, Marcelo
Primary Examiner(s)
Vostal, O. C.

Application Number

US14/138,622
Time in Patent Office

1,653 Days
Field of Search

726 3
US Class Current
CPC Class Codes

G06F 21/316 by observing the pattern of...

H04L 63/083 using passwords cryptograph...

Security using velocity metrics identifying authentication performance for a set of devices

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

138 Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

Security using velocity metrics identifying authentication performance for a set of devices

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

138 Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links