Security using velocity metrics identifying authentication performance for a set of devices
First Claim
1. A method of performing authentication, the method comprising:
- performing, by processing circuitry, a set of authentication operations in response to a set of authentication requests, and updating a set of velocity metrics which identifies authentication performance for a set of authentication request source devices that originated the set of authentication requests, the set of velocity metrics including a particular failed authentication velocity identifying a rate at which a particular authentication request source device provided authentication requests resulting in failed authentication;
after updating the set of velocity metrics, receiving, by the processing circuitry, an authentication request from the particular authentication request source device; and
providing, by the processing circuitry, an authentication result in response to the authentication request from the particular authentication request source device, the authentication result (i) being based on the rate identified by the particular failed authentication velocity of the set of velocity metrics and (ii) indicating whether the authentication request is considered to be legitimate;
wherein performing the set of authentication operations and updating the set of velocity metrics includes:
generating a first failed authentication result in response to a first authentication attempt by the particular authentication request source device, the first authentication attempt using a first user identifier that identifies a first user,
generating a second failed authentication result in response to a second authentication attempt by the particular authentication request source device, the second authentication attempt using a second user identifier that is different from the first user identifier and that identifies a second user that is different from the first user, and
modifying the particular failed authentication velocity in response to the first and second failed authentication results to accurately identify occurrence of a particular number of failed authentication attempts by the particular authentication request source device during a particular amount of time; and
wherein the method further comprises:
locking out the particular authentication request source device from successfully authenticating in response to the particular failed authentication velocity identifying a current failed authentication rate that exceeds a predefined threshold;
wherein the set of velocity metrics includes a set of failed authentication velocities, the set of failed authentication velocities including the particular failed authentication velocity;
wherein updating the set of velocity metrics which identifies authentication performance for the set of authentication request source devices that originated the set of authentication requests includes:
updating the set of failed authentication velocities based on failed authentication operations of the set of authentication operations;
wherein the method further comprises:
performing an authentication-related action based on the set of failed authentication velocities;
wherein the set of failed authentication velocities indicates an abnormally high failed authentication velocity for the particular authentication request source device; and
wherein performing the authentication-related action based on the set of failed authentication velocities includes:
in response to detection of the abnormally high failed authentication velocity for the particular authentication request source device, (i) distributing a list of suspicious authentication request source devices to a set of server devices of a fraud mitigation network, the list of suspicious authentication request source devices identifying the particular authentication request source device, and (ii) transitioning the processing circuitry from operating in a “not locked out” state in which further authentication requests are processed to a “locked out” state in which further authentication requests are denied.
Abstract
A technique performs authentication. The technique involves performing, by processing circuitry, a set of authentication operations in response to a set of authentication requests, and updating a set of velocity metrics which identifies authentication performance for a set of authentication request sources that originated the set of authentication requests. The technique further involves, after updating the set of velocity metrics, receiving, by the processing circuitry, an authentication request from an authentication request source. The technique further involves providing, by the processing circuitry, an authentication result in response to the authentication request from the authentication request source. The authentication result (i) is based on the set of velocity metrics and (ii) indicates whether the authentication request is considered to be legitimate. Such a technique can detect malicious activity even if a person tries to authenticate just a few times to several accounts in a “touch the fence” style of attack.
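The per-source failed-authentication velocity described above, as an added example that is not taken from the patent or from any implementation of it. It contrasts a conventional per-account failure counter with a sliding-window count of failures per source device; the window length, both thresholds, the class and function names, and the plain-text credential table are assumptions made for the illustration.

```python
import hmac
from collections import defaultdict, deque

WINDOW_SECONDS = 60.0    # assumption: the "particular amount of time"
SOURCE_THRESHOLD = 5     # assumption: failures per window tolerated per source
ACCOUNT_THRESHOLD = 3    # assumption: conventional per-account limit, for contrast


class VelocityAuthenticator:
    def __init__(self, credentials):
        self.credentials = credentials              # user -> password (simplified)
        self.source_failures = defaultdict(deque)   # source -> failure timestamps
        self.account_failures = defaultdict(int)    # user -> total failures
        self.locked_sources = set()

    def failed_velocity(self, source, now):
        """Number of failures from this source inside the trailing window."""
        window = self.source_failures[source]
        while window and now - window[0] > WINDOW_SECONDS:
            window.popleft()
        return len(window)

    def authenticate(self, source, user, password, now):
        # A locked-out source is denied before credentials are even checked.
        if source in self.locked_sources:
            return "denied"
        stored = self.credentials.get(user)
        if stored is not None and hmac.compare_digest(stored.encode(),
                                                      password.encode()):
            return "success"
        # The failure is charged to the source device, whatever user id was tried.
        self.source_failures[source].append(now)
        self.account_failures[user] += 1
        if self.failed_velocity(source, now) > SOURCE_THRESHOLD:
            self.locked_sources.add(source)
        return "failed"

    def accounts_over_limit(self):
        """Accounts a per-account counter alone would have flagged."""
        return sorted(u for u, n in self.account_failures.items()
                      if n >= ACCOUNT_THRESHOLD)


def run_constructed_scenario():
    """Constructed input: dev-A fails twice on each of four accounts, 5 s apart."""
    creds = {"alice": "a-pass", "bob": "b-pass", "carol": "c-pass", "dave": "d-pass"}
    auth = VelocityAuthenticator(creds)
    dev_a_results, t = [], 0.0
    for user in creds:
        for guess in ("wrong-1", "wrong-2"):
            dev_a_results.append(auth.authenticate("dev-A", user, guess, t))
            t += 5.0
    # Once locked out, dev-A is denied even with a correct password.
    dev_a_correct = auth.authenticate("dev-A", "alice", "a-pass", t)
    # An unrelated device with one typo is unaffected.
    dev_b = [auth.authenticate("dev-B", "dave", "d-pas", t),
             auth.authenticate("dev-B", "dave", "d-pass", t + 3.0)]
    return {
        "dev_a_results": dev_a_results,
        "per_account_flags": auth.accounts_over_limit(),
        "dev_a_correct_password": dev_a_correct,
        "dev_b": dev_b,
        "locked": sorted(auth.locked_sources),
    }


if __name__ == "__main__":
    for key, value in run_constructed_scenario().items():
        print(key, "=", value)
```

No account reaches the per-account limit in this run, yet the source is locked out on its sixth failure inside the window. A production system would compare password hashes rather than stored plain text.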
138 Citations
15 Claims
1. A method of performing authentication, the method comprising:
performing, by processing circuitry, a set of authentication operations in response to a set of authentication requests, and updating a set of velocity metrics which identifies authentication performance for a set of authentication request source devices that originated the set of authentication requests, the set of velocity metrics including a particular failed authentication velocity identifying a rate at which a particular authentication request source device provided authentication requests resulting in failed authentication;
after updating the set of velocity metrics, receiving, by the processing circuitry, an authentication request from the particular authentication request source device; and
providing, by the processing circuitry, an authentication result in response to the authentication request from the particular authentication request source device, the authentication result (i) being based on the rate identified by the particular failed authentication velocity of the set of velocity metrics and (ii) indicating whether the authentication request is considered to be legitimate;
wherein performing the set of authentication operations and updating the set of velocity metrics includes:
generating a first failed authentication result in response to a first authentication attempt by the particular authentication request source device, the first authentication attempt using a first user identifier that identifies a first user,
generating a second failed authentication result in response to a second authentication attempt by the particular authentication request source device, the second authentication attempt using a second user identifier that is different from the first user identifier and that identifies a second user that is different from the first user, and
modifying the particular failed authentication velocity in response to the first and second failed authentication results to accurately identify occurrence of a particular number of failed authentication attempts by the particular authentication request source device during a particular amount of time; and
wherein the method further comprises:
locking out the particular authentication request source device from successfully authenticating in response to the particular failed authentication velocity identifying a current failed authentication rate that exceeds a predefined threshold;
wherein the set of velocity metrics includes a set of failed authentication velocities, the set of failed authentication velocities including the particular failed authentication velocity;
wherein updating the set of velocity metrics which identifies authentication performance for the set of authentication request source devices that originated the set of authentication requests includes:
updating the set of failed authentication velocities based on failed authentication operations of the set of authentication operations;
wherein the method further comprises:
performing an authentication-related action based on the set of failed authentication velocities;
wherein the set of failed authentication velocities indicates an abnormally high failed authentication velocity for the particular authentication request source device; and
wherein performing the authentication-related action based on the set of failed authentication velocities includes:
in response to detection of the abnormally high failed authentication velocity for the particular authentication request source device, (i) distributing a list of suspicious authentication request source devices to a set of server devices of a fraud mitigation network, the list of suspicious authentication request source devices identifying the particular authentication request source device, and (ii) transitioning the processing circuitry from operating in a “not locked out” state in which further authentication requests are processed to a “locked out” state in which further authentication requests are denied.
- View Dependent Claims (2, 3, 5)
4. A method of performing authentication, the method comprising:
performing, by processing circuitry, a set of authentication operations in response to a set of authentication requests, and updating a set of velocity metrics which identifies authentication performance for a set of authentication request source devices that originated the set of authentication requests, the set of velocity metrics including a particular failed authentication velocity identifying a rate at which a particular authentication request source device provided authentication requests resulting in failed authentication;
after updating the set of velocity metrics, receiving, by the processing circuitry, an authentication request from the particular authentication request source device; and
providing, by the processing circuitry, an authentication result in response to the authentication request from the particular authentication request source device, the authentication result (i) being based on the rate identified by the particular failed authentication velocity of the set of velocity metrics and (ii) indicating whether the authentication request is considered to be legitimate;
wherein performing the set of authentication operations and updating the set of velocity metrics includes:
generating a first failed authentication result in response to a first authentication attempt by the particular authentication request source device, the first authentication attempt using a first user identifier that identifies a first user,
generating a second failed authentication result in response to a second authentication attempt by the particular authentication request source device, the second authentication attempt using a second user identifier that is different from the first user identifier and that identifies a second user that is different from the first user, and
modifying the particular failed authentication velocity in response to the first and second failed authentication results to accurately identify occurrence of a particular number of failed authentication attempts by the particular authentication request source device during a particular amount of time; and
wherein the method further comprises:
locking out the particular authentication request source device from successfully authenticating in response to the particular failed authentication velocity identifying a current failed authentication rate that exceeds a predefined threshold;
wherein the set of velocity metrics includes a set of failed authentication velocities, the set of failed authentication velocities including the particular failed authentication velocity;
wherein updating the set of velocity metrics which identifies authentication performance for the set of authentication request source devices that originated the set of authentication requests includes:
updating the set of failed authentication velocities based on failed authentication operations of the set of authentication operations;
wherein the method further comprises:
performing an authentication-related action based on the set of failed authentication velocities;
wherein the processing circuitry resides in an authentication server;
wherein the method further comprises:
maintaining, as an overall server sensitivity index, a measure of riskiness indicating whether the authentication server is currently under attack from an attacker, the measure of riskiness being based on the set of velocity metrics that is updated by the processing circuitry; and
wherein performing the authentication-related action includes:
comparing the overall server sensitivity index to a predefined threshold;
maintaining the authentication server in a “not locked out” state in which the authentication server performs further authentication operations in response to further authentication requests while the overall server sensitivity index is below the predefined threshold; and
operating the authentication server in a “locked out” state in which the authentication server denies further authentication requests while the overall server sensitivity index is above the predefined threshold.
- View Dependent Claims (7, 8, 9)
6. A method of performing authentication, the method comprising:
performing, by processing circuitry, a set of authentication operations in response to a set of authentication requests, and updating a set of velocity metrics which identifies authentication performance for a set of authentication request source devices that originated the set of authentication requests, the set of velocity metrics including a particular failed authentication velocity identifying a rate at which a particular authentication request source device provided authentication requests resulting in failed authentication;
after updating the set of velocity metrics, receiving, by the processing circuitry, an authentication request from the particular authentication request source device; and
providing, by the processing circuitry, an authentication result in response to the authentication request from the particular authentication request source device, the authentication result (i) being based on the rate identified by the particular failed authentication velocity of the set of velocity metrics and (ii) indicating whether the authentication request is considered to be legitimate;
wherein performing the set of authentication operations and updating the set of velocity metrics includes:
generating a first failed authentication result in response to a first authentication attempt by the particular authentication request source device, the first authentication attempt using a first user identifier that identifies a first user,
generating a second failed authentication result in response to a second authentication attempt by the particular authentication request source device, the second authentication attempt using a second user identifier that is different from the first user identifier and that identifies a second user that is different from the first user, and
modifying the particular failed authentication velocity in response to the first and second failed authentication results to accurately identify occurrence of a particular number of failed authentication attempts by the particular authentication request source device during a particular amount of time; and
wherein the method further comprises:
locking out the particular authentication request source device from successfully authenticating in response to the particular failed authentication velocity identifying a current failed authentication rate that exceeds a predefined threshold;
wherein the set of velocity metrics includes a set of failed authentication velocities, the set of failed authentication velocities including the particular failed authentication velocity;
wherein updating the set of velocity metrics which identifies authentication performance for the set of authentication request source devices that originated the set of authentication requests includes:
updating the set of failed authentication velocities based on failed authentication operations of the set of authentication operations;
wherein the method further comprises:
performing an authentication-related action based on the set of failed authentication velocities; and
wherein the set of failed authentication velocities indicates an abnormally high failed authentication velocity for a particular authentication request source device; and
wherein performing the authentication-related action based on the set of failed authentication velocities includes:
distributing a list of suspicious authentication request source devices to a set of server devices of a fraud mitigation network, the list of suspicious authentication request source devices identifying the particular authentication request source device.
10. An electronic apparatus, comprising:
a communications interface;
memory; and
control circuitry coupled to the communications interface and the memory, the memory storing instructions which, when carried out by the control circuitry, cause the control circuitry to:
perform a set of authentication operations in response to a set of authentication requests received through the communications interface, and update a set of velocity metrics which identifies authentication performance for a set of authentication request source devices that originated the set of authentication requests, the set of velocity metrics including a particular failed authentication velocity identifying a rate at which a particular authentication request source device provided authentication requests resulting in failed authentication,
after updating the set of velocity metrics, receive an authentication request from the particular authentication request source device through the communications interface, and
provide an authentication result in response to the authentication request from the particular authentication request source device, the authentication result (i) being based on the rate identified by the particular failed authentication velocity of the set of velocity metrics and (ii) indicating whether the authentication request is considered to be legitimate;
wherein the control circuitry, when performing the set of authentication operations and updating the set of velocity metrics, is constructed and arranged to:
generate a first failed authentication result in response to a first authentication attempt by the particular authentication request source device, the first authentication attempt using a first user identifier that identifies a first user,
generate a second failed authentication result in response to a second authentication attempt by the particular authentication request source device, the second authentication attempt using a second user identifier that is different from the first user identifier and that identifies a second user that is different from the first user, and
modify the particular failed authentication velocity in response to the first and second failed authentication results to accurately identify occurrence of a particular number of failed authentication attempts by the particular authentication request source device during a particular amount of time; and
wherein the control circuitry is further constructed and arranged to:
lock out the particular authentication request source device from successfully authenticating in response to the particular failed authentication velocity identifying a current failed authentication rate that exceeds a predefined threshold;
wherein the set of velocity metrics includes a set of failed authentication velocities, the set of failed authentication velocities including the particular failed authentication velocity;
wherein the control circuitry, when updating the set of velocity metrics which identifies authentication performance for the set of authentication request source devices that originated the set of authentication requests, is constructed and arranged to:
update the set of failed authentication velocities based on failed authentication operations of the set of authentication operations;
wherein the control circuitry is further constructed and arranged to:
perform an authentication-related action based on the set of failed authentication velocities;
wherein the set of failed authentication velocities indicates an abnormally high failed authentication velocity for the particular authentication request source device; and
wherein the control circuitry, when performing the authentication-related action based on the set of failed authentication velocities, is constructed and arranged to:
in response to detection of the abnormally high failed authentication velocity for the particular authentication request source device, (i) distribute a list of suspicious authentication request source devices to a set of server devices of a fraud mitigation network, the list of suspicious authentication request source devices identifying the particular authentication request source device, and (ii) transition the control circuitry from operating in a “not locked out” state in which further authentication requests are processed to a “locked out” state in which further authentication requests are denied.
- View Dependent Claims (11, 12)
13. A computer program product having a non-transitory computer readable medium which stores a set of instructions to perform authentication, the set of instructions, when carried out by computerized circuitry, causing the computerized circuitry to perform a method of:
performing a set of authentication operations in response to a set of authentication requests, and updating a set of velocity metrics which identifies authentication performance for a set of authentication request source devices that originated the set of authentication requests, the set of velocity metrics including a particular failed authentication velocity identifying a rate at which a particular authentication request source device provided authentication requests resulting in failed authentication;
after updating the set of velocity metrics, receiving an authentication request from the particular authentication request source device; and
providing an authentication result in response to the authentication request from the particular authentication request source device, the authentication result (i) being based on the rate identified by the particular failed authentication velocity of the set of velocity metrics and (ii) indicating whether the authentication request is considered to be legitimate;
wherein performing the set of authentication operations and updating the set of velocity metrics includes:
generating a first failed authentication result in response to a first authentication attempt by the particular authentication request source device, the first authentication attempt using a first user identifier that identifies a first user,
generating a second failed authentication result in response to a second authentication attempt by the particular authentication request source device, the second authentication attempt using a second user identifier that is different from the first user identifier and that identifies a second user that is different from the first user, and
modifying the particular failed authentication velocity in response to the first and second failed authentication results to accurately identify occurrence of a particular number of failed authentication attempts by the particular authentication request source device during a particular amount of time; and
wherein the method further comprises:
locking out the particular authentication request source device from successfully authenticating in response to the particular failed authentication velocity identifying a current failed authentication rate that exceeds a predefined threshold;
wherein the set of velocity metrics includes a set of failed authentication velocities, the set of failed authentication velocities including the particular failed authentication velocity;
wherein updating the set of velocity metrics which identifies authentication performance for the set of authentication request source devices that originated the set of authentication requests includes:
updating the set of failed authentication velocities based on failed authentication operations of the set of authentication operations;
wherein the method further comprises:
performing an authentication-related action based on the set of failed authentication velocities;
wherein the set of failed authentication velocities indicates an abnormally high failed authentication velocity for the particular authentication request source device; and
wherein performing the authentication-related action based on the set of failed authentication velocities includes:
in response to detection of the abnormally high failed authentication velocity for the particular authentication request source device, (i) distributing a list of suspicious authentication request source devices to a set of server devices of a fraud mitigation network, the list of suspicious authentication request source devices identifying the particular authentication request source device, and (ii) transitioning the computerized circuitry from operating in a “not locked out” state in which further authentication requests are processed to a “locked out” state in which further authentication requests are denied.
- View Dependent Claims (14, 15)
Specification