ATO threat detection system

US 10,148,683 B1
Filed: 03/29/2016
Issued: 12/04/2018
Est. Priority Date: 03/29/2016
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

detecting a login attempt with respect to an on-line service, the login attempt originating from a target IP address;

accessing a first count indicating a number of login attempts during a time period with respect to the on-line service originating from the target IP address;

accessing a second count indicating a number of login attempts during the time period with respect to the on-line service originating from one or more IP addresses that differ from the target IP address only in the first octet; and

based on the sum of the first count and the second count, selectively restricting the login attempt, using at least one processor.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An Account Takeover (ATO) threat detection system is configured to detect that a group of IP addresses is a suspected group of IP addresses (in that there is an indication that same potentially malicious entity is using a group of IP addresses to attempt logins) and automatically select a lower value that limits how many login attempts from the same IP address are permitted during a predetermined period of time before a login request from the suspected group of IP address is no longer accepted for processing. The limit that is used to restrict login attempts from a single IP address is set to be lower than a solo threshold value.

28 Citations

View as Search Results

20 Claims

1. A method comprising:
- detecting a login attempt with respect to an on-line service, the login attempt originating from a target IP address;
  
  accessing a first count indicating a number of login attempts during a time period with respect to the on-line service originating from the target IP address;
  
  accessing a second count indicating a number of login attempts during the time period with respect to the on-line service originating from one or more IP addresses that differ from the target IP address only in the first octet; and
  
  based on the sum of the first count and the second count, selectively restricting the login attempt, using at least one processor.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein the accessing of the second count is in response to determining that the first count is less than a solo threshold value.
  - 3. The method of claim 2, wherein the restricting of the login attempt based on the sum of the first count and the second count is in response to determining that the second count is greater than or equals a group threshold value.
  - 4. The method of claim 3, wherein the solo threshold value is less than the group threshold value.
  - 5. The method of claim 1, wherein the accessing of the second count is in response to determining that the target IP address is absent from a list of known legitimate IP addresses.
  - 6. The method of claim 1, wherein an IP address from the list of known legitimate IP addresses is an IP address of a registered user of the on-line service.
  - 7. The method of claim 1, comprising generating a presentation notifying a user associated with the target IP address that the login request is rejected.
  - 8. The method of claim 7, causing displaying of the presentation on a display device of the user.
  - 9. The method of claim 7, wherein the generating of the presentation comprises modifying a login web page associated with the on-line service.
  - 10. The method of claim 1, wherein the detecting of the login attempt is in the course of monitoring of login attempts with respect to the on-line service, the method comprising:
    - generating a visualization of the monitored login attempts during the target time period, the visualization presenting a login attempt from an IP address as an object in a three-dimensional coordinates system having the first axis representing the first octet of an IP address, the second axis representing the second octet of an IP address, and the third axis representing the third and the fourth octets of the IP address; and
      
      causing presentation of the visualization on a display device.

11. A computer-implemented system comprising:
- one or more processors; and
  
  a non-transitory computer readable storage medium comprising instructions that when executed by the one or processors cause the one or more processors to perform operations comprising;
  
  configuring a server computer system with a capability to detect a login attempt with respect to an on-line service, the login attempt originating from a target IP address; and
  
  configuring a server computer system with a capability to;
  
  access a first count indicating a number of login attempts during a time period with respect to the on-line service originating from the target IP address,access a second count indicating a number of login attempts during the time period with respect to the on-line service originating from one or more IP addresses that differ from the target IP address only in the first octet, andbased on the sum of the first count and the second count, selectively restrict the login attempt.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19)
- - 12. The system of claim 11, wherein the accessing of the second count is in response to determining that the first count is less than a solo threshold value.
  - 13. The system of claim 12, wherein the restricting of the login attempt based on the sum of the first count and the second count is in response to determining that the second count is greater than or equals a group threshold value.
  - 14. The system of claim 13, wherein the solo threshold value is less than the group threshold value.
  - 15. The system of claim 11, wherein the accessing of the second count is in response to determining that the target IP address is absent from a list of known legitimate IP addresses.
  - 16. The system of claim 11, wherein an IP address from the list of known legitimate IP addresses is an IP address of a registered user of the on-line service.
  - 17. The system of claim 11, comprising generating a presentation notifying a user associated with the target IP address that the login request is rejected.
  - 18. The system of claim 17, comprising causing displaying of the presentation on a display device of the user.
  - 19. The system of claim 17, wherein the generating of the presentation comprises modifying a login web page associated with the on-line service.

20. A machine-readable non-transitory storage medium having instruction data executable by a machine to cause the machine to perform operations comprising:
- detecting a login attempt with respect to an on-line service, the login attempt originating from a target IP address;
  
  accessing a first count indicating a number of login attempts during a time period with respect to the on-line service originating from the target IP address;
  
  accessing a second count indicating a number of login attempts during the time period with respect to the on-line service originating from one or more IP addresses that differ from the target IP address only in the first octet; and
  
  based on the sum of the first count and the second count, selectively restricting the login attempt.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Inventors
Lin, Ziliang, Huang, Xiaosu, Jain, Sakshi Ratneshchand, Hwa, Theodore
Primary Examiner(s)
Revak, Christopher A

Application Number

US15/083,785
Time in Patent Office

980 Days
Field of Search

None
US Class Current
CPC Class Codes

H04L 63/083   using passwords cryptograph...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1466   Active attacks involving in...

H04W 12/06   Authentication

H04W 12/61   Time-dependent

H04W 12/63   Location-dependent; Proximi...

ATO threat detection system

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

28 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

ATO threat detection system

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

28 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others