ATO threat detection system
Abstract
An Account Takeover (ATO) threat detection system is configured to detect that a group of IP addresses is a suspected group of IP addresses (in that there is an indication that the same potentially malicious entity is using the group of IP addresses to attempt logins) and to automatically select a lower value that limits how many login attempts from the same IP address are permitted during a predetermined period of time before a login request from the suspected group of IP addresses is no longer accepted for processing. The limit that is used to restrict login attempts from a single IP address is set to be lower than a solo threshold value.
20 Claims
1. A method comprising:
- detecting a login attempt with respect to an on-line service, the login attempt originating from a target IP address;
- accessing a first count indicating a number of login attempts during a time period with respect to the on-line service originating from the target IP address;
- accessing a second count indicating a number of login attempts during the time period with respect to the on-line service originating from one or more IP addresses that differ from the target IP address only in the first octet; and
- based on the sum of the first count and the second count, selectively restricting the login attempt, using at least one processor.

11. A computer-implemented system comprising:
- one or more processors; and
- a non-transitory computer readable storage medium comprising instructions that when executed by the one or processors cause the one or more processors to perform operations comprising;
- configuring a server computer system with a capability to detect a login attempt with respect to an on-line service, the login attempt originating from a target IP address; and
- configuring a server computer system with a capability to;
  - access a first count indicating a number of login attempts during a time period with respect to the on-line service originating from the target IP address,
  - access a second count indicating a number of login attempts during the time period with respect to the on-line service originating from one or more IP addresses that differ from the target IP address only in the first octet, and
  - based on the sum of the first count and the second count, selectively restrict the login attempt.

20. A machine-readable non-transitory storage medium having instruction data executable by a machine to cause the machine to perform operations comprising:
- detecting a login attempt with respect to an on-line service, the login attempt originating from a target IP address;
- accessing a first count indicating a number of login attempts during a time period with respect to the on-line service originating from the target IP address;
- accessing a second count indicating a number of login attempts during the time period with respect to the on-line service originating from one or more IP addresses that differ from the target IP address only in the first octet; and
- based on the sum of the first count and the second count, selectively restricting the login attempt.
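The counting step recited in claim 1, sketched as an added example (this is not code from the patent or its assignee). The class and method names, the in-memory store, the window and limit values, and the rule "restrict when the sum reaches a single limit" are all assumptions; the claims say only that the decision is based on the sum.

```python
import ipaddress
from collections import defaultdict, deque

WINDOW_SECONDS = 600  # assumed "time period"
LIMIT = 10            # assumed limit applied to first count + second count

class LoginThrottle:
    """Sliding-window login counter keyed so that IPv4 addresses sharing
    their last three octets land in the same bucket (hypothetical design)."""

    def __init__(self, window=WINDOW_SECONDS, limit=LIMIT):
        self.window, self.limit = window, limit
        # last three octets -> {first octet -> timestamps of attempts}
        self.attempts = defaultdict(lambda: defaultdict(deque))

    @staticmethod
    def _split(ip):
        # IPv4 only: "first octet" has no IPv6 equivalent; bad input raises.
        packed = ipaddress.IPv4Address(ip).packed
        return packed[0], packed[1:]

    def counts(self, ip, now):
        """Return (first_count, second_count) for ip within the window."""
        first_octet, suffix = self._split(ip)
        first = second = 0
        for octet, stamps in self.attempts.get(suffix, {}).items():
            while stamps and stamps[0] <= now - self.window:
                stamps.popleft()  # drop attempts older than the window
            if octet == first_octet:
                first = len(stamps)    # attempts from the target IP itself
            else:
                second += len(stamps)  # IPs differing only in the first octet
        return first, second

    def check(self, ip, now):
        """Record an attempt at time `now`; True means restrict it."""
        first, second = self.counts(ip, now)
        first_octet, suffix = self._split(ip)
        # Restricted attempts are still counted, so a blocked group stays
        # blocked for as long as it keeps trying.
        self.attempts[suffix][first_octet].append(now)
        return first + second >= self.limit

if __name__ == "__main__":
    throttle = LoginThrottle(window=60, limit=5)
    # Constructed sample: three addresses that differ only in the first octet.
    for t, ip in enumerate(["10.1.2.3", "11.1.2.3", "12.1.2.3"] * 2):
        print(t, ip, "restrict" if throttle.check(ip, t) else "allow")
```

Because the sum is compared against one limit, each address in such a group is cut off after fewer attempts of its own than an address acting alone, which is the effect the abstract describes.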
Specification