System and method providing data-driven user authentication misuse detection
First Claim
1. A computer-implemented method performed by a computing device, where the computing device includes at least a hardware processor for executing instructions from a memory, the method comprising:
- for each of a first user authentication attempt to access a secure computer resource and a second user authentication attempt to access the secure computer resource;
(i) collecting, via at least the hardware processor, user authentication log data having user attribute values;
(ii) transforming, via at least the hardware processor, the user authentication log data into a tracer data structure having the user attribute values organized in a common format; and
(iii) associating, via at least the hardware processor, the tracer data structure with timestamp data to generate an event data structure, wherein the timestamp data represents a time corresponding to the respective user authentication attempt to access the secure computer resource;
performing a comparison of the event data structure for the first user authentication attempt to the event data structure for the second user authentication attempt;
based on a result of the comparison, detecting an impossible event pattern, wherein the impossible event pattern indicates that the first user authentication attempt and the second user authentication attempt possibly originated from different geographic locations, and physically traveling between the different geographic locations within a time defined by the timestamp data of the event data structures is not realizable;
applying, via at least the hardware processor, a filter to the impossible event pattern to determine whether the impossible event pattern is attributable to a non-malicious cause;
if application of the filter results in the impossible event pattern being attributed to the non-malicious cause, resolving the impossible event pattern as non-malicious; and
if application of the filter does not attribute the impossible event pattern to the non-malicious cause;
(i) designating, via at least the hardware processor, at least one of the first user authentication attempt or the second user authentication attempt as a malicious authentication attempt to access the secure computer resource; and
(ii) controlling issuance of an alarm message or signal as a warning to a remote computing device.
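The following is an added worked example, not code from the patent or its assignee, showing the pipeline claim 1 describes end to end: collect raw authentication log lines in two different formats, transform each into a tracer in a common attribute format, associate it with timestamp data to form an event, compare consecutive events for the same account, detect an impossible event pattern (the great-circle distance between the two source locations cannot be covered within the time between the attempts), apply a filter based on the user's account usage patterns, and either resolve the pattern as non-malicious or designate the later attempt as malicious and issue an alarm. The GeoIP table, the behavior model (VPN egress addresses each account routinely uses), the 1000 km/h travel ceiling and the log lines are all constructed assumptions for the example.

```python
"""Impossible-travel detection over authentication logs, following the steps in
claim 1: collect -> tracer (common format) -> event (timestamped) -> pairwise
comparison -> impossible event pattern -> non-malicious filter -> designate/alarm.
All data below is constructed for the example."""
import math
import re
from dataclasses import dataclass
from datetime import datetime

# Constructed stand-in for a GeoIP database: source IP -> (city, lat, lon).
GEO = {
    "203.0.113.10": ("London", 51.5074, -0.1278),
    "198.51.100.7": ("New York", 40.7128, -74.0060),
    "192.0.2.44": ("Frankfurt", 50.1109, 8.6821),
}
MAX_SPEED_KMH = 1000.0  # assumed ceiling for realizable travel (commercial flight)

# Constructed user behavior model: account usage patterns per user, here the
# VPN/proxy egress addresses the account routinely authenticates through.
BEHAVIOR_MODEL = {
    "alice": {"vpn_egress": set()},
    "bob": {"vpn_egress": {"192.0.2.44"}},
}

# Constructed log lines in two source formats (sshd-style and JSON-style).
SAMPLE_LOGS = [
    "2024-05-01T10:00:00Z sshd[4121]: Accepted publickey for alice from 203.0.113.10 port 51234 ssh2",
    '{"time":"2024-05-01T10:30:00Z","event":"login_ok","user":"alice","ip":"198.51.100.7"}',
    "2024-05-01T09:00:00Z sshd[3990]: Accepted password for bob from 203.0.113.10 port 40022 ssh2",
    '{"time":"2024-05-01T09:20:00Z","event":"login_ok","user":"bob","ip":"192.0.2.44"}',
]

SSHD_RE = re.compile(r"^(?P<ts>\S+) sshd\[\d+\]: Accepted \S+ for (?P<user>\S+) from (?P<ip>\S+)")
WEB_RE = re.compile(r'^\{"time":"(?P<ts>[^"]+)","event":"login_ok","user":"(?P<user>[^"]+)","ip":"(?P<ip>[^"]+)"\}$')


@dataclass(frozen=True)
class Event:
    """Tracer attributes in the common format, associated with a timestamp."""
    user: str
    src_ip: str
    ts: datetime


def parse_tracer(line):
    """Steps (i)/(ii): collect one raw log line and normalise it to the common format."""
    for rx in (SSHD_RE, WEB_RE):
        m = rx.match(line)
        if m:
            return {"user": m["user"], "src_ip": m["ip"], "ts": m["ts"]}
    return None  # unknown format: not an authentication record we can parse


def make_event(tracer):
    """Step (iii): associate the tracer with timestamp data to form an event."""
    ts = datetime.fromisoformat(tracer["ts"].replace("Z", "+00:00"))
    return Event(tracer["user"], tracer["src_ip"], ts)


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km (mean Earth radius 6371 km)."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlam = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def is_impossible(e1, e2):
    """Impossible event pattern: covering the distance between the two source
    locations within the time separating the events would exceed MAX_SPEED_KMH."""
    g1, g2 = GEO.get(e1.src_ip), GEO.get(e2.src_ip)
    if g1 is None or g2 is None:
        return False  # no geolocation available: cannot reason about travel
    hours = abs((e2.ts - e1.ts).total_seconds()) / 3600.0
    return haversine_km(g1[1], g1[2], g2[1], g2[2]) > MAX_SPEED_KMH * hours


def non_malicious_cause(e1, e2, model):
    """Filter: attribute the pattern to a benign cause from the user's account
    usage patterns; returns a reason string, or None if no benign cause applies."""
    egress = model.get(e1.user, {}).get("vpn_egress", set())
    for e in (e1, e2):
        if e.src_ip in egress:
            return f"source {e.src_ip} is a VPN egress in {e.user}'s usage pattern"
    return None


def analyze(lines, model):
    """Run the whole pipeline; returns alarms raised and patterns resolved as benign."""
    events = {}
    for line in lines:
        tracer = parse_tracer(line)
        if tracer:
            events.setdefault(tracer["user"], []).append(make_event(tracer))
    alarms, resolved = [], []
    for user, evs in events.items():
        evs.sort(key=lambda e: e.ts)
        for e1, e2 in zip(evs, evs[1:]):  # compare consecutive attempts per account
            if not is_impossible(e1, e2):
                continue
            reason = non_malicious_cause(e1, e2, model)
            if reason:
                resolved.append({"user": user, "reason": reason})
            else:
                # Designate the later attempt as malicious and issue the alarm message.
                alarms.append({"user": user, "malicious_src": e2.src_ip,
                               "from": GEO[e1.src_ip][0], "to": GEO[e2.src_ip][0],
                               "minutes_apart": (e2.ts - e1.ts).total_seconds() / 60})
    return {"alarms": alarms, "resolved": resolved}


if __name__ == "__main__":
    print(analyze(SAMPLE_LOGS, BEHAVIOR_MODEL))
```

With the constructed data, alice's London and New York logins 30 minutes apart cannot be attributed to a benign cause and raise an alarm naming the New York attempt, while bob's London-to-Frankfurt pair, although equally impossible as travel, is resolved because the Frankfurt address is a VPN egress in his usage pattern. The filter is deliberately the weakest part of such a system: a benign-cause rule that is too broad (every address ever seen for the account) silently suppresses the very alarms the comparison step produces, so the behavior model should be built from established usage patterns rather than from the events under evaluation.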
Abstract
Systems, methods, and other embodiments are disclosed for data-driven user authentication misuse detection. In one embodiment, for each of multiple authentication attempts to a computing device by a user via user authentication log messages: user authentication log data having user attribute values is collected; the user authentication log data is transformed into a tracer data structure having the user attribute values organized in a common format; the tracer data structure is augmented with timestamp data to generate an event data structure, where the timestamp data represents a time at which the user authentication log data is observed by the computing device; a user behavior model filter, representing account usage patterns of the user, is updated based at least in part on the event data structure. A malicious authentication attempt to the computing device by a malicious user is detected based on, at least in part, the user behavior model filter.
Claims (18)
- 1. Independent method claim, reproduced in full under First Claim above. Dependent claims: 2, 3, 4, 5, 6, 7, 8.
9. A computer system, comprising:
- a hardware processor;
- a rules database device configured to store tracer data structures having user authentication attributes organized in a common format;
- a message parsing module stored in a non-transitory computer-readable medium including instructions that when executed cause the hardware processor to, for each of a first user authentication attempt to access a secure computer resource and a second user authentication attempt to access the secure computer resource: collect user authentication log data having user attribute values, and transform the user authentication log data into a tracer data structure having the user attribute values in the common format at least in part by parsing the user authentication log data into the user attribute values;
- a tracer matching module stored in the non-transitory computer-readable medium including instructions that when executed cause the hardware processor to, for each of the first user authentication attempt and the second user authentication attempt: generate an event data structure by associating the tracer data structure with timestamp data, wherein the timestamp data represents a time corresponding to the respective user authentication attempt to access the secure computer resource;
- an impossible event module stored in the non-transitory computer-readable medium including instructions that when executed cause the hardware processor to:
(i) perform a comparison of the event data structure for the first user authentication attempt to the event data structure for the second user authentication attempt; and
(ii) based on a result of the comparison, detect an impossible event pattern within the authentication log messages, wherein the impossible event pattern indicates that the first user authentication attempt and the second user authentication attempt possibly originated from different geographic locations, and physically traveling between the different geographic locations within a time defined by the timestamp data of the event data structures is not realizable; and
- a filter module stored in the non-transitory computer-readable medium including instructions that when executed cause the hardware processor to apply a filter to the impossible event pattern to determine whether the impossible event pattern is attributable to a non-malicious cause, wherein the filter utilizes a user behavior model, representing account usage patterns of the user, to attribute at least one of the first user authentication attempt and the second user authentication attempt to the non-malicious cause.
Dependent claims: 10, 11, 12, 13, 14, 15.
16. A non-transitory computer-readable medium storing instructions that, when executed by one or more hardware processors of a computing device, cause the computing device to at least:
- for each of a first user authentication attempt to access a secure computer resource and a second user authentication attempt to access the secure computer resource:
(i) collect user authentication log data having user attribute values;
(ii) transform the user authentication log data into a tracer data structure having the user attribute values; and
(iii) associate the tracer data structure with timestamp data to generate an event data structure, wherein the timestamp data represents a time corresponding to the respective user authentication attempt to access the secure computer resource;
perform a comparison of the event data structure for the first user authentication attempt to the event data structure for the second user authentication attempt;
based on a result of the comparison, detect an impossible event pattern, wherein the impossible event pattern indicates that the first user authentication attempt and the second user authentication attempt possibly originated from different geographic locations, and physically traveling between the different geographic locations within a time defined by the timestamp data of the event data structures is not realizable;
apply a filter to the impossible event pattern to determine whether the impossible event pattern is attributable to a non-malicious cause;
if application of the filter results in the impossible event pattern being attributed to the non-malicious cause, resolve the impossible event pattern as non-malicious; and
if application of the filter does not attribute the impossible event pattern to the non-malicious cause:
(i) designate at least one of the first user authentication attempt or the second user authentication attempt as a malicious authentication attempt to access the secure computer resource; and
(ii) control issuance of an alarm message or signal as a warning to a remote computing device.
Dependent claims: 17, 18.
Specification