Systems and methods for IP-based intrusion detection

US 10,091,221 B1
Filed: 06/06/2017
Issued: 10/02/2018
Est. Priority Date: 03/13/2015
Status: Active Grant

First Claim

Patent Images

1. A computer implemented method for device security comprising:

analyzing, using one or more processors of a server computer, a login history comprising login request data for the server computer to identify a plurality of usernames, wherein each username of the plurality of usernames is associated with a corresponding login request from a first internet protocol (IP) address within a threshold time period of a first request time, wherein the login history comprises at least a first login request associated with a username, a password, the first IP address, and a first login request time;

determining, using the one or more processors, that a total number of login requests from the first IP address within the threshold time period is above a credential security threshold;

determining, using the one or more processors, that a number of usernames associated with the total number of login requests is above a username threshold;

determining, using the one or more processors, that a login success ratio is below a threshold login success ratio after determining that the total number of login requests from the first IP address is above the credential security threshold; and

in response to determining the login success ratio is below the threshold login success ratio and determining that a number of unique usernames is above a unique username threshold, automatically performing a security action using the server computer;

wherein the security action further comprises;

identifying, using the one or more processors, a plurality of accounts, wherein each account of the plurality of accounts is associated with a successful login from the IP address during the threshold time period;

identifying, for each account of the plurality of accounts using the one or more processors, an associated set of user actions taken during the threshold time period; and

initiating, using the one or more processors, a custom security action for each account based on the associated set of user actions for each account;

determining, using the one or more processors, a total number of locations associated with registration of the plurality of usernames; and

initiating, using the one or more processors, a group security action for the plurality of usernames when the total number of locations is above a location threshold value.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods for account security are provided. In one example embodiment, a first login request including a username and a password is analyzed to identify a first internet protocol (IP) address and a first request time associated with the first login request. A login history comprising login request data for the server computer is analyzed to identify a plurality of usernames, wherein each username of the plurality of usernames is associated with a corresponding login request from the first IP address within a threshold time period of the first request time. In response to determining a login success ratio is below a threshold login success ratio and a number of unique usernames in the analyzed data is above the unique username threshold, the system automatically performs a security action.

38 Citations

View as Search Results

20 Claims

1. A computer implemented method for device security comprising:
- analyzing, using one or more processors of a server computer, a login history comprising login request data for the server computer to identify a plurality of usernames, wherein each username of the plurality of usernames is associated with a corresponding login request from a first internet protocol (IP) address within a threshold time period of a first request time, wherein the login history comprises at least a first login request associated with a username, a password, the first IP address, and a first login request time;
  
  determining, using the one or more processors, that a total number of login requests from the first IP address within the threshold time period is above a credential security threshold;
  
  determining, using the one or more processors, that a number of usernames associated with the total number of login requests is above a username threshold;
  
  determining, using the one or more processors, that a login success ratio is below a threshold login success ratio after determining that the total number of login requests from the first IP address is above the credential security threshold; and
  
  in response to determining the login success ratio is below the threshold login success ratio and determining that a number of unique usernames is above a unique username threshold, automatically performing a security action using the server computer;
  
  wherein the security action further comprises;
  
  identifying, using the one or more processors, a plurality of accounts, wherein each account of the plurality of accounts is associated with a successful login from the IP address during the threshold time period;
  
  identifying, for each account of the plurality of accounts using the one or more processors, an associated set of user actions taken during the threshold time period; and
  
  initiating, using the one or more processors, a custom security action for each account based on the associated set of user actions for each account;
  
  determining, using the one or more processors, a total number of locations associated with registration of the plurality of usernames; and
  
  initiating, using the one or more processors, a group security action for the plurality of usernames when the total number of locations is above a location threshold value.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1 wherein the security action comprises communicating a security notification to an e-mail address associated with the username.
  - 3. The method of claim 2 wherein the security action further comprisescommunicating the security notification to a corresponding e-mail address for each of the plurality of usernames.
  - 4. The method of claim 1 wherein the security action comprises temporarily blocking accesses to an account associated with a username and automatically initiating a password reset process for the account.
  - 5. The method of claim 4 wherein the security action further comprises temporarily blocking access to a plurality of accounts associated with each of the plurality of usernames and initiating the password reset process for each of the plurality of accounts.
  - 6. The method of claim 1 wherein the security action further comprises:
    - determining a location associated with the IP address; and
      
      identifying, for each account of the plurality of accounts, a difference between the IP address and a registration IP address associated with a creation of each account;
      
      wherein the custom security action for each account is further based on the difference between the IP address and the registration IP address associated with the creation of each account.
  - 7. The method of claim 1 wherein the security action further comprises:
    - identifying, for each successful login, a user agent value associated with a requesting client device;
      
      identifying, for each account of the plurality of accounts from a login history, a user agent value history, associated with historical requesting client devices; and
      
      comparing, for each account, the user agent value and the user agent value history;
      
      wherein the custom security action for each account is further based on the comparing of the user agent value and the user agent value history.
  - 8. The method of claim 1 wherein determining the number of usernames associated with the total number of login requests comprises:
    - comparing each username with each other username to determine a difference value for each username pair, wherein the difference value for each username pair comprises a sum of each character change, character addition, and character subtraction required to transform a first username of each username pair into a second username of each username pair; and
      
      for each username pair identified as similar usernames having a difference value less than a threshold difference value, counting the similar usernames as a single username for the number of usernames as compared to the username threshold.
  - 9. The method of claim 8 wherein counting the similar usernames as a single username comprises, for each username pair identified as similar usernames, subtracting one from the number of usernames prior to comparing the number of usernames to the username threshold.

10. A system comprising one or more server computers configured to:
- analyze a login history comprising login request data for a server computer to identify a plurality of usernames, wherein each username of the plurality of usernames is associated with a corresponding login request from a first internet protocol (IP) address within a threshold time period of a first request time, wherein the login history comprises at least a first login request associated with a username, a password, the first IP address, and a first login request time;
  
  determine that a total number of login requests from the first IP address within the threshold time period is above a credential security threshold;
  
  determine a login success ratio is below a threshold login success ratio after determining that the total number of login requests from the first IP address is above the credential security threshold;
  
  determine that a number of usernames associated with the total number of login requests is above a unique username threshold; and
  
  in response to determining that the login success ratio is below the threshold login success ratio and determining that a number of unique usernames is above the unique username threshold, automatically perform a security action using the server computers;
  
  wherein the security action further comprises;
  
  identifying a plurality of accounts, wherein each account of the plurality of accounts is associated with a successful login from the IP address during the threshold time period;
  
  identifying, for each account of the plurality of accounts, an associated set of user actions taken during the threshold time period; and
  
  initiating a custom security action for each account based on the associated set of user actions for each account;
  
  determining a total number of locations associated with registration of the plurality of usernames; and
  
  initiating a group security action for the plurality of usernames when the total number of locations is above a location threshold value.
- View Dependent Claims (11, 12, 13, 14, 15)
- - 11. The system of claim 10 wherein the one or more server computers are further configured to:
    - compare the first username with each username of the plurality of usernames to identify a set of similar usernames; and
      
      merge a set of login requests associated with the set of similar usernames into a merged login request in a login history.
  - 12. The system of claim 11 wherein identifying the set of similar usernames comprises determining that each username of the set of similar usernames is within a threshold number of character changes of the first username.
  - 13. The system of claim 12 wherein the one or more server computers are further configured to:
    - identify, for each successful login, a user agent value associating with a requesting client device; and
      
      identify, for each account of the plurality of accounts from the login history, a user agent value history, associated with historical requesting client devices.
  - 14. The system of claim 13 wherein automatically performing a security action using the server computer comprises, for each corresponding account of the plurality of accounts and based on the user agent value, registration IP address, the total number of locations associated with registration of the plurality of usernames, selecting one or more of:
    - blocking access to the corresponding account;
      
      initiating a password reset for the corresponding account;
      
      communicating a security notification to an e-mail address associated with the corresponding account; and
      
      updating the login history with a security indicator.
  - 15. The system of claim 10 further comprising a registration server computer configured to:
    - receive a registration request from a first client device;
      
      communicate a security notification to the first client device requesting permission to store tracking information associated with the first client device;
      
      receive a security notification response; and
      
      in response to the security notification response, storing a registration IP address and a user agent value associated with the client device in a login history database comprising the login history.

16. A non-transitory computer readable medium comprising computer readable instructions that, when executed by one or more processors, cause one or more server computers to:
- analyzing a login history comprising login request data for a server computer to identify a plurality of usernames, wherein each username of the plurality of usernames is associated with a corresponding login request from a first internet protocol (IP) address within a threshold time period of a first request time, wherein the login history comprises at least a first login request associated with a username, a password, the first IP address, and a first login request time;
  
  set a first security flag in response to a determination that a total number of login requests from the first IP address within a threshold time period is above the credential security threshold;
  
  set a second security flag in response to a second determination that a number of usernames associated with the total number of login requests is above a username threshold;
  
  determine that a login success ratio is below a threshold login success ratio; and
  
  automatically initiate a security action in response to the login success ratio, the first security flag and the second security flag;
  
  wherein the security action further comprises;
  
  identifying a plurality of accounts, wherein each account of the plurality of accounts is associated with a successful login from the IP address during the threshold time period;
  
  identifying, for each account of the plurality of accounts, an associated set of user actions taken during the threshold time period; and
  
  initiating a custom security action for each account based on the associated set of user actions for each account;
  
  determining a total number of locations associated with registration of the plurality of usernames; and
  
  initiating a group security action for the plurality of usernames when the total number of locations is above a location threshold value.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The non-transitory computer readable medium of claim 16 wherein the instructions further cause the one or more server computers to determine that a login success ratio is below a threshold login success ratio after determining that the total number of login requests from the first IP address is above the credential security threshold;
    - wherein the security action is further based on the determination that the login success ratio is below the threshold login success ratio.
  - 18. The non-transitory computer readable medium of claim 16 wherein the security action comprises communicating a security notification to an e-mail address associated with the username.
  - 19. The non-transitory computer readable medium of claim 17 wherein the security action further comprises communicating the security notification to a corresponding e-mail address for each of the plurality of usernames.
  - 20. The non-transitory computer readable medium of claim 16 wherein the security action comprises temporarily blocking accesses to an account associated with a username and automatically initiating a password reset process for the account;
    - andwherein the security action further comprises temporarily blocking access to a plurality of accounts associated with each of the plurality of usernames and initiating the password reset process for each of the plurality of accounts.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Snap, Inc.
Original Assignee
Snap, Inc.
Inventors
Yang, Jinlin
Primary Examiner(s)
Brown, Christopher J

Application Number

US15/615,149
Time in Patent Office

483 Days
Field of Search

726 6
US Class Current
CPC Class Codes

H04L 63/083   using passwords cryptograph...

H04L 63/105   Multiple levels of security

H04L 63/108   when the policy decisions a...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/20   for managing network securi...

H04L 63/308   retaining data, e.g. retain...

Systems and methods for IP-based intrusion detection

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

38 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for IP-based intrusion detection

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

38 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links