Systems and methods for IP-based intrusion detection
First Claim
1. A computer implemented method for device security comprising:
analyzing, using one or more processors of a server computer, a login history comprising login request data for the server computer to identify a plurality of usernames, wherein each username of the plurality of usernames is associated with a corresponding login request from a first internet protocol (IP) address within a threshold time period of a first request time, wherein the login history comprises at least a first login request associated with a username, a password, the first IP address, and a first login request time;
determining, using the one or more processors, that a total number of login requests from the first IP address within the threshold time period is above a credential security threshold;
determining, using the one or more processors, that a number of usernames associated with the total number of login requests is above a username threshold;
determining, using the one or more processors, that a login success ratio is below a threshold login success ratio after determining that the total number of login requests from the first IP address is above the credential security threshold; and
in response to determining the login success ratio is below the threshold login success ratio and determining that a number of unique usernames is above a unique username threshold, automatically performing a security action using the server computer;
wherein the security action further comprises;
identifying, using the one or more processors, a plurality of accounts, wherein each account of the plurality of accounts is associated with a successful login from the IP address during the threshold time period;
identifying, for each account of the plurality of accounts using the one or more processors, an associated set of user actions taken during the threshold time period; and
initiating, using the one or more processors, a custom security action for each account based on the associated set of user actions for each account;
determining, using the one or more processors, a total number of locations associated with registration of the plurality of usernames; and
initiating, using the one or more processors, a group security action for the plurality of usernames when the total number of locations is above a location threshold value.
Abstract
Systems and methods for account security are provided. In one example embodiment, a first login request including a username and a password is analyzed to identify a first internet protocol (IP) address and a first request time associated with the first login request. A login history comprising login request data for the server computer is analyzed to identify a plurality of usernames, wherein each username of the plurality of usernames is associated with a corresponding login request from the first IP address within a threshold time period of the first request time. In response to determining a login success ratio is below a threshold login success ratio and a number of unique usernames in the analyzed data is above the unique username threshold, the system automatically performs a security action.
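An added sketch of the detection logic the abstract describes, written for this page and not taken from the patent. The record fields, threshold values, window handling (two-sided around the request time) and sample data are assumptions constructed for illustration.

```python
from collections import namedtuple
from datetime import datetime, timedelta

# One row of login history; field names are assumptions for this example.
Login = namedtuple("Login", "ts ip username success")

# Illustrative thresholds (the abstract and claims give no concrete values).
WINDOW = timedelta(minutes=10)   # "threshold time period"
MAX_REQUESTS = 20                # "credential security threshold"
MAX_USERNAMES = 10               # "unique username threshold"
MIN_SUCCESS_RATIO = 0.2          # "threshold login success ratio"


def evaluate_ip(history, ip, request_time, reg_location=None, max_locations=3):
    """Apply the claimed checks to logins from `ip` within WINDOW of request_time."""
    reg = reg_location or {}     # username -> registration location (assumed lookup)
    window = [r for r in history
              if r.ip == ip and abs(r.ts - request_time) <= WINDOW]
    if not window:
        return {"flagged": False, "compromised": [], "group_action": False}
    usernames = {r.username for r in window}
    ratio = sum(r.success for r in window) / len(window)
    # All three conditions must hold: volume, username spread, low success ratio.
    flagged = (len(window) > MAX_REQUESTS
               and len(usernames) > MAX_USERNAMES
               and ratio < MIN_SUCCESS_RATIO)
    # Accounts with a successful login from a flagged IP get per-account follow-up.
    compromised = sorted({r.username for r in window if r.success}) if flagged else []
    # Group action when the usernames were registered from many distinct locations.
    locations = {reg[u] for u in usernames if u in reg}
    return {"flagged": flagged, "compromised": compromised,
            "group_action": flagged and len(locations) > max_locations,
            "requests": len(window), "usernames": len(usernames), "ratio": ratio}


def sample_history():
    """Constructed data: a spray from 203.0.113.7 and a busy office NAT."""
    t0 = datetime(2024, 1, 1, 12, 0, 0)
    rows = [Login(t0 + timedelta(seconds=5 * i), "203.0.113.7",
                  f"user{i}", i in (4, 17)) for i in range(30)]
    rows += [Login(t0 + timedelta(seconds=10 * i), "198.51.100.20",
                   f"staff{i % 12}", i % 8 != 0) for i in range(25)]
    return t0, rows
```

The office NAT exceeds both the request and username thresholds but is not flagged, because its success ratio is high; that is the role the ratio check plays in keeping shared egress addresses out of the result.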
20 Claims
1. A computer implemented method for device security comprising:
analyzing, using one or more processors of a server computer, a login history comprising login request data for the server computer to identify a plurality of usernames, wherein each username of the plurality of usernames is associated with a corresponding login request from a first internet protocol (IP) address within a threshold time period of a first request time, wherein the login history comprises at least a first login request associated with a username, a password, the first IP address, and a first login request time;
determining, using the one or more processors, that a total number of login requests from the first IP address within the threshold time period is above a credential security threshold;
determining, using the one or more processors, that a number of usernames associated with the total number of login requests is above a username threshold;
determining, using the one or more processors, that a login success ratio is below a threshold login success ratio after determining that the total number of login requests from the first IP address is above the credential security threshold; and
in response to determining the login success ratio is below the threshold login success ratio and determining that a number of unique usernames is above a unique username threshold, automatically performing a security action using the server computer;
wherein the security action further comprises;
identifying, using the one or more processors, a plurality of accounts, wherein each account of the plurality of accounts is associated with a successful login from the IP address during the threshold time period;
identifying, for each account of the plurality of accounts using the one or more processors, an associated set of user actions taken during the threshold time period; and
initiating, using the one or more processors, a custom security action for each account based on the associated set of user actions for each account;
determining, using the one or more processors, a total number of locations associated with registration of the plurality of usernames; and
initiating, using the one or more processors, a group security action for the plurality of usernames when the total number of locations is above a location threshold value.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9
10. A system comprising one or more server computers configured to:
analyze a login history comprising login request data for a server computer to identify a plurality of usernames, wherein each username of the plurality of usernames is associated with a corresponding login request from a first internet protocol (IP) address within a threshold time period of a first request time, wherein the login history comprises at least a first login request associated with a username, a password, the first IP address, and a first login request time;
determine that a total number of login requests from the first IP address within the threshold time period is above a credential security threshold;
determine a login success ratio is below a threshold login success ratio after determining that the total number of login requests from the first IP address is above the credential security threshold;
determine that a number of usernames associated with the total number of login requests is above a unique username threshold; and
in response to determining that the login success ratio is below the threshold login success ratio and determining that a number of unique usernames is above the unique username threshold, automatically perform a security action using the server computers;
wherein the security action further comprises;
identifying a plurality of accounts, wherein each account of the plurality of accounts is associated with a successful login from the IP address during the threshold time period;
identifying, for each account of the plurality of accounts, an associated set of user actions taken during the threshold time period; and
initiating a custom security action for each account based on the associated set of user actions for each account;
determining a total number of locations associated with registration of the plurality of usernames; and
initiating a group security action for the plurality of usernames when the total number of locations is above a location threshold value.
Dependent claims: 11, 12, 13, 14, 15
16. A non-transitory computer readable medium comprising computer readable instructions that, when executed by one or more processors, cause one or more server computers to:
analyzing a login history comprising login request data for a server computer to identify a plurality of usernames, wherein each username of the plurality of usernames is associated with a corresponding login request from a first internet protocol (IP) address within a threshold time period of a first request time, wherein the login history comprises at least a first login request associated with a username, a password, the first IP address, and a first login request time;
set a first security flag in response to a determination that a total number of login requests from the first IP address within a threshold time period is above the credential security threshold;
set a second security flag in response to a second determination that a number of usernames associated with the total number of login requests is above a username threshold;
determine that a login success ratio is below a threshold login success ratio; and
automatically initiate a security action in response to the login success ratio, the first security flag and the second security flag;
wherein the security action further comprises;
identifying a plurality of accounts, wherein each account of the plurality of accounts is associated with a successful login from the IP address during the threshold time period;
identifying, for each account of the plurality of accounts, an associated set of user actions taken during the threshold time period; and
initiating a custom security action for each account based on the associated set of user actions for each account;
determining a total number of locations associated with registration of the plurality of usernames; and
initiating a group security action for the plurality of usernames when the total number of locations is above a location threshold value.
Dependent claims: 17, 18, 19, 20
Specification