Detection of compromised credentials as a network service
Abstract
Techniques for detection of compromised credentials as a network service are disclosed. In some embodiments, a system, process, and/or computer program product for detection of compromised credentials as a network service includes monitoring a plurality of sessions at a firewall, logging a plurality of failed or timed out attempts to authenticate at the firewall in a log, analyzing the log for a pattern of failed or timed out attempts to authenticate at the firewall to identify potentially compromised credentials for authentication, and determining that a set of credentials for authentication have been compromised based on the analysis of the log.
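The log pattern recited in claim 1 (first-factor successes above one threshold, followed by second-factor timeouts above another) can be sketched as a small detector. This is an added example, not code from the patent; the event tuple layout, the factor names `password` and `otp`, the threshold values, the sliding window, and the reset on a completed second factor are all assumptions.

```python
from collections import defaultdict

FIRST, SECOND = "password", "otp"  # assumed names for the two distinct factors

# Constructed sample log: (epoch_seconds, user, factor, outcome)
SAMPLE_LOG = [
    (100, "alice", FIRST, "success"), (130, "alice", SECOND, "success"),
    (200, "bob", FIRST, "success"), (260, "bob", SECOND, "timeout"),
    (300, "bob", FIRST, "success"), (360, "bob", SECOND, "timeout"),
    (400, "bob", FIRST, "success"), (460, "bob", SECOND, "timeout"),
    (500, "carol", FIRST, "failure"), (520, "carol", FIRST, "success"),
    (580, "carol", SECOND, "timeout"), (600, "carol", FIRST, "success"),
    (610, "carol", SECOND, "success"),
]

def find_compromised(events, first_threshold=2, second_threshold=2, window=900):
    """Return {user: time_flagged} for users whose first-factor successes exceed
    first_threshold and whose subsequent second-factor timeouts exceed
    second_threshold, all within `window` seconds (window is an assumption)."""
    state = defaultdict(lambda: {"ok": [], "timeouts": []})
    flagged = {}
    for ts, user, factor, outcome in sorted(events):
        s = state[user]
        # Drop events that have aged out of the sliding window.
        s["ok"] = [t for t in s["ok"] if ts - t <= window]
        s["timeouts"] = [t for t in s["timeouts"] if ts - t <= window]
        if factor == FIRST and outcome == "success":
            s["ok"].append(ts)
        elif factor == SECOND and outcome == "timeout":
            # Count a timeout only when it follows a first-factor success.
            if s["ok"]:
                s["timeouts"].append(ts)
        elif factor == SECOND and outcome == "success":
            # Assumption: a completed second factor is the legitimate user,
            # so the counters start over.
            s["ok"].clear()
            s["timeouts"].clear()
        # "Exceeds" in the claim is read as strictly greater than.
        if (user not in flagged and len(s["ok"]) > first_threshold
                and len(s["timeouts"]) > second_threshold):
            flagged[user] = ts
    return flagged

if __name__ == "__main__":
    for user, ts in find_compromised(SAMPLE_LOG).items():
        print(f"t={ts}: credentials for {user} flagged; responsive action required")
```

In the sample, `alice` completes both factors and `carol` times out once before finishing a login, so only `bob` is flagged, at the third timeout.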
22 Claims
1. A system, comprising:
- a processor configured to:
  - monitor a plurality of sessions at a firewall;
  - log a plurality of failed or timed out attempts to authenticate at the firewall in a log;
  - analyze the log for a pattern of the failed or timed out attempts to authenticate at the firewall to identify potentially compromised credentials for authentication;
  - determine that a set of credentials for authentication have been compromised based on the analysis of the log, wherein the log includes a first threshold number of successful authentication events for a first authentication factor followed by a second threshold number of timed-out authentication events for a second authentication factor, wherein the first authentication factor is distinct from the second authentication factor, and wherein the second threshold number of timed-out authentication events for the second authentication factor correspond to timed-out authentication attempts based on an authentication timeout setting associated with the second authentication factor; and
  - perform a responsive action based on determining that the set of credentials for authentication have been compromised based on the analysis of the log that determines that a number of monitored authentication success events for the first authentication factor exceeds the first threshold number of successful authentication events for the first authentication factor and that a number of monitored authentication failure events for the second authentication factor exceeds the second threshold number of timed-out authentication events for the second authentication factor; and
- a memory coupled to the processor and configured to provide the processor with instructions.

Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 21, 22

11. A method, comprising:
- monitoring a plurality of sessions at a firewall;
- logging a plurality of failed or timed out attempts to authenticate at the firewall in a log;
- analyzing the log for a pattern of the failed or timed out attempts to authenticate at the firewall to identify potentially compromised credentials for authentication;
- determining that a set of credentials for authentication have been compromised based on the analysis of the log, wherein the log includes a first threshold number of successful authentication events for a first authentication factor followed by a second threshold number of timed-out authentication events for a second authentication factor, wherein the first authentication factor is distinct from the second authentication factor, and wherein the second threshold number of timed-out authentication events for the second authentication factor correspond to timed-out authentication attempts based on an authentication timeout setting associated with the second authentication factor; and
- performing a responsive action based on determining that the set of credentials for authentication have been compromised based on the analysis of the log that determines that a number of monitored authentication success events for the first authentication factor exceeds the first threshold number of successful authentication events for the first authentication factor and that a number of monitored authentication failure events for the second authentication factor exceeds the second threshold number of timed-out authentication events for the second authentication factor.

Dependent claims: 12, 13, 14, 15

16. A computer program product, the computer program product being embodied in a non-transitory, tangible computer readable storage medium and comprising computer instructions for:
- monitoring a plurality of sessions at a firewall;
- logging a plurality of failed or timed out attempts to authenticate at the firewall in a log;
- analyzing the log for a pattern of the failed or timed out attempts to authenticate at the firewall to identify potentially compromised credentials for authentication;
- determining that a set of credentials for authentication have been compromised based on the analysis of the log, wherein the log includes a first threshold number of successful authentication events for a first authentication factor followed by a second threshold number of timed-out authentication events for a second authentication factor, wherein the first authentication factor is distinct from the second authentication factor, and wherein the second threshold number of timed-out authentication events for the second authentication factor correspond to timed-out authentication attempts based on an authentication timeout setting associated with the second authentication factor; and
- performing a responsive action based on determining that the set of credentials for authentication have been compromised based on the analysis of the log that determines that a number of monitored authentication success events for the first authentication factor exceeds the first threshold number of successful authentication events for the first authentication factor and that a number of monitored authentication failure events for the second authentication factor exceeds the second threshold number of timed-out authentication events for the second authentication factor.

Dependent claims: 17, 18, 19, 20

Specification