System and method providing data-driven user authentication misuse detection

US 10,165,005 B2
Filed: 09/07/2016
Issued: 12/25/2018
Est. Priority Date: 09/07/2016
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method performed by a computing device, where the computing device includes at least a hardware processor for executing instructions from a memory, the method comprising:

for each of a first user authentication attempt to access a secure computer resource and a second user authentication attempt to access the secure computer resource;

(i) collecting, via at least the hardware processor, user authentication log data having user attribute values;

(ii) transforming, via at least the hardware processor, the user authentication log data into a tracer data structure having the user attribute values organized in a common format; and

(iii) associating, via at least the hardware processor, the tracer data structure with timestamp data to generate an event data structure, wherein the timestamp data represents a time corresponding to the respective user authentication attempt to access the secure computer resource;

performing a comparison of the event data structure for the first user authentication attempt to the event data structure for the second user authentication attempt;

based on a result of the comparison, detecting an impossible event pattern, wherein the impossible event pattern indicates that the first user authentication attempt and the second user authentication attempt possibly originated from different geographic locations, and physically traveling between the different geographic locations within a time defined by the timestamp data of the event data structures is not realizable;

applying, via at least the hardware processor, a filter to the impossible event pattern to determine whether the impossible event pattern is attributable to a non-malicious cause;

if application of the filter results in the impossible event pattern being attributed to the non-malicious cause, resolving the impossible event pattern as non-malicious; and

if application of the filter does not attribute the impossible event pattern to the non-malicious cause;

(i) designating, via at least the hardware processor, at least one of the first user authentication attempt or the second user authentication attempt as a malicious authentication attempt to access the secure computer resource; and

(ii) controlling issuance of an alarm message or signal as a warning to a remote computing device.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems, methods, and other embodiments are disclosed for data-driven user authentication misuse detection. In one embodiment, for each of multiple authentication attempts to a computing device by a user via user authentication log messages: user authentication log data having user attribute values is collected; the user authentication log data is transformed into a tracer data structure having the user attribute values organized in a common format; the tracer data structure is augmented with timestamp data to generate an event data structure, where the timestamp data represents a time at which the user authentication log data is observed by the computing device; a user behavior model filter, representing account usage patterns of the user, is updated based at least in part on the event data structure. A malicious authentication attempt to the computing device by a malicious user is detected based on, at least in part, the user behavior model filter.

9 Citations

View as Search Results

18 Claims

1. A computer-implemented method performed by a computing device, where the computing device includes at least a hardware processor for executing instructions from a memory, the method comprising:
- for each of a first user authentication attempt to access a secure computer resource and a second user authentication attempt to access the secure computer resource;
  
  (i) collecting, via at least the hardware processor, user authentication log data having user attribute values;
  
  (ii) transforming, via at least the hardware processor, the user authentication log data into a tracer data structure having the user attribute values organized in a common format; and
  
  (iii) associating, via at least the hardware processor, the tracer data structure with timestamp data to generate an event data structure, wherein the timestamp data represents a time corresponding to the respective user authentication attempt to access the secure computer resource;
  
  performing a comparison of the event data structure for the first user authentication attempt to the event data structure for the second user authentication attempt;
  
  based on a result of the comparison, detecting an impossible event pattern, wherein the impossible event pattern indicates that the first user authentication attempt and the second user authentication attempt possibly originated from different geographic locations, and physically traveling between the different geographic locations within a time defined by the timestamp data of the event data structures is not realizable;
  
  applying, via at least the hardware processor, a filter to the impossible event pattern to determine whether the impossible event pattern is attributable to a non-malicious cause;
  
  if application of the filter results in the impossible event pattern being attributed to the non-malicious cause, resolving the impossible event pattern as non-malicious; and
  
  if application of the filter does not attribute the impossible event pattern to the non-malicious cause;
  
  (i) designating, via at least the hardware processor, at least one of the first user authentication attempt or the second user authentication attempt as a malicious authentication attempt to access the secure computer resource; and
  
  (ii) controlling issuance of an alarm message or signal as a warning to a remote computing device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein the transforming includes parsing the user authentication log data into the user attribute values.
  - 3. The method of claim 1, wherein the common format of the tracer data structure includes each of the attribute values paired with a corresponding attribute type.
  - 4. The method of claim 1, further comprising attempting to match, via at least the hardware processor, the tracer data structure with an existing tracer data structure stored in a rules database, where:
    - when a match occurs, a list of timestamps for the existing tracer data structure is updated with the timestamp data, wherein the list of timestamps represents times at which the user authentication log data is observed by the computing device; and
      
      when a match does not occur, the tracer data structure is stored as a new tracer data structure in the rules database and a novelty flag and a first timestamp corresponding to the timestamp data associated with the new tracer data structure are set.
  - 5. The method of claim 1, wherein the detecting of the impossible event pattern comprises detecting a hypersonic travel pattern within authentication log messages received by the computing device as part of the first user authentication attempt and the second user authentication attempt, where the hypersonic travel pattern indicates a speed of travel required for a common user to perform the first user authentication attempt and the second user authentication attempt, from distant geographical locations, is greater than a speed of sound traveling through air.
  - 6. The method of claim 1, further comprising initially configuring the filter, via at least the hardware processor, at least in part by transforming an original set of event data structures, derived from an original set of authentication attempts by the user, into features that describe authentication behavior characteristics of an authorized user with permission to access the secure computer resource, without having to train the filter using truth-labeled training data, and without having apriori knowledge of user authentication misuse.
  - 7. The method of claim 1, further comprising controlling user specification of filter parameters associated with the filter via a graphical user interface or an application program interface.
  - 8. The method of claim 1, wherein the user attribute values include at least one of a user name value, a client IP address value, a resource name value, a login status value, a timestamp value, an authentication scheme value, an authentication policy value, a partner value, a failure code value, a retry count value, a session value, and an authentication level value.

9. A computer system, comprising:
- a hardware processor;
  
  a rules database device configured to store tracer data structures having user authentication attributes organized in a common format;
  
  a message parsing module stored in a non-transitory computer-readable medium including instructions that when executed cause the hardware processor to, for each of a first user authentication attempt to access a secure computer resource and a second user authentication attempt to access the secure computer resource;
  
  collect user authentication log data having user attribute values, andtransform the user authentication log data into a tracer data structure having the user attribute values in the common format at least in part by parsing the user authentication log data into the user attribute values;
  
  a tracer matching module stored in the non-transitory computer-readable medium including instructions that when executed cause the hardware processor to, for each of the first user authentication attempt and the second user authentication attempt;
  
  generate an event data structure by associating the tracer data structure with timestamp data, wherein the timestamp data represents a time corresponding to the respective user authentication attempt to access the secure computer resource ;
  
  an impossible event module stored in the non-transitory computer-readable medium including instructions that when executed cause the hardware processor to;
  
  (i) perform a comparison of the event data structure for the first user authentication attempt to the event data structure for the second user authentication attempt;
  
  (ii) based on a result of the comparison, detect an impossible event pattern within the authentication log messages, wherein the impossible event pattern indicates that the first user authentication attempt and the second user authentication attempt possibly originated from different geographic locations, and physically traveling between the different geographic locations within a time defined by the timestamp data of the event data structures is not realizable; and
  
  a filter module stored in the non-transitory computer-readable medium including instructions that when executed cause the hardware processor to apply a filter to the impossible event pattern to determine whether the impossible event pattern is attributable to a non-malicious cause, wherein the filter utilizes a user behavior model, representing account usage patterns of the user, to attribute at least one of the first user authentication attempt and the second user authentication attempt to the non-malicious cause.
- View Dependent Claims (10, 11, 12, 13, 14, 15)
- - 10. The computer system of claim 9, further comprising an explain module stored in the non-transitory computer-readable medium including instructions that when executed cause the hardware processor to engage at least the filter module to:
    - determine a valid explanation for the impossible event pattern based on the user behavior model and generate a corresponding valid explanation message;
      
      orgenerate an alarm message indicating a malicious authentication attempt has occurred in response to an inability to determine the valid explanation.
  - 11. The computer system of claim 9, wherein the user attribute values include at least one of a user name value, a client IP address value, a resource name value, a login status value, a timestamp value, an authentication scheme value, an authentication policy value, a partner value, a failure code value, a retry count value, a session value, and an authentication level value.
  - 12. The computer system of claim 9, wherein the common format of the tracer data structure includes each of the attribute values paired with a corresponding attribute type.
  - 13. The computer system of claim 9, wherein the impossible event pattern corresponds to a hypersonic travel pattern indicating a speed of travel required for a common user to physically travel between geographical locations is greater than a speed of sound traveling through air.
  - 14. The computer system of claim 9, further comprising a visual user interface module stored in the non-transitory computer-readable medium including instructions that when executed cause the hardware processor to provide a graphical user interface that controls at least user specification of filter parameters associated with the filter module.
  - 15. The computer system of claim 14, further comprising a display screen configured to display and facilitate user interaction with at least the graphical user interface provided by the visual user interface module.

16. A non-transitory computer-readable medium storing instructions that, when executed by one or more hardware processors of a computing device, cause the computing device to at least:
- for each of a first user authentication attempt to access a secure computer resource and a second user authentication attempt to access the secure computer resource;
  
  (i) collect user authentication log data having user attribute values;
  
  (ii) transform the user authentication log data into a tracer data structure having the user attribute values; and
  
  (iii) associate the tracer data structure with timestamp data to generate an event data structure, wherein the timestamp data represents a time corresponding to the respective user authentication attempt to access the secure computer resource ;
  
  perform a comparison of the event data structure for the first user authentication attempt to the event data structure for the second user authentication attempt;
  
  based on a result of the comparison, detect an impossible event pattern, wherein the impossible event pattern indicates that the first user authentication attempt and the second user authentication attempt possibly originated from different geographic locations, and physically traveling between the different geographic locations within a time defined by the timestamp data of the event data structures is not realizable;
  
  apply a filter to the impossible event pattern to determine whether the impossible event pattern is attributable to a non-malicious cause;
  
  if application of the filter results in the impossible event pattern being attributed to the non-malicious cause, resolve the impossible event pattern as non-malicious; and
  
  if application of the filter does not attribute the impossible event pattern to the non-malicious cause;
  
  (i) designate at least one of the first user authentication attempt or the second user authentication attempt as a malicious authentication attempt to access the secure computer resource; and
  
  (ii) control issuance of an alarm message or signal as a warning to a remote computing device.
- View Dependent Claims (17, 18)
- - 17. The non-transitory computer-readable medium of claim 16, wherein the instructions further comprise instructions that, when executed by the one or more hardware processors, cause the computing device to at least attempt to match the tracer data structure with an existing tracer data structure stored in a rules database, where:
    - when a match occurs, a list of timestamps for the existing tracer data structure is updated with the timestamp data, wherein the list of timestamps represents times at which the user authentication log data is observed by the computing device; and
      
      when a match does not occur, the tracer data structure is stored as a new tracer data structure in the rules database and a novelty flag and a first timestamp corresponding to the timestamp data associated with the new tracer data structure are set.
  - 18. The non-transitory computer-readable medium of claim 16, wherein the instructions further comprise instructions that, when executed by the one or more hardware processors, cause the computing device to at least initially configure the filter at least in part by transforming an original set of event data structures, derived from an original set of authentication attempts by the user, into features that describe authentication behavior characteristics of an authorized user who is permitted to access the secure computer resource, without having to train the filter using truth-labeled training data, and without having apriori knowledge of user authentication misuse.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle International Corporation (Oracle Corporation)
Original Assignee
Oracle International Corporation (Oracle Corporation)
Inventors
Urmanov, Aleksey M., Wood, Alan P.
Primary Examiner(s)
Rahim, Monjour

Application Number

US15/258,135
Publication Number

US 20180069896A1
Time in Patent Office

839 Days
Field of Search

726 7
US Class Current
CPC Class Codes

G06F 21/31   User authentication

G06F 21/316   by observing the pattern of...

G06F 21/554   involving event detection a...

G06F 2221/2101   Auditing as a secondary aspect

H04L 2463/121   Timestamp cryptographic mec...

H04L 63/08   for authentication of entit...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1441   Countermeasures against mal...

H04L 63/1483   service impersonation, e.g....

System and method providing data-driven user authentication misuse detection

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

9 Citations

18 Claims

Specification

Use Cases

Quick Links

Others

System and method providing data-driven user authentication misuse detection

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

9 Citations

18 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others