Detection of compromised credentials as a network service

US 10,367,784 B2
Filed: 09/30/2016
Issued: 07/30/2019
Est. Priority Date: 09/30/2016
Status: Active Grant

First Claim

Patent Images

1. A system, comprising:

a processor configured to;

monitor a plurality of sessions at a firewall;

log a plurality of failed or timed out attempts to authenticate at the firewall in a log;

analyze the log for a pattern of the failed or timed out attempts to authenticate at the firewall to identify potentially compromised credentials for authentication;

determine that a set of credentials for authentication have been compromised based on the analysis of the log, wherein the log includes a first threshold number of successful authentication events for a first authentication factor followed by a second threshold number of timed-out authentication events for a second authentication factor, wherein the first authentication factor is distinct from the second authentication factor, and wherein the second threshold number of timed-out authentication events for the second authentication factor correspond to timed-out authentication attempts based on an authentication timeout setting associated with the second authentication factor; and

perform a responsive action based on determining that the set of credentials for authentication have been compromised based on the analysis of the log that determines that a number of monitored authentication success events for the first authentication factor exceeds the first threshold number of successful authentication events for the first authentication factor and that a number of monitored authentication failure events for the second authentication factor exceeds the second threshold number of timed-out authentication events for the second authentication factor; and

a memory coupled to the processor and configured to provide the processor with instructions.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques for detection of compromised credentials as a network service are disclosed. In some embodiments, a system, process, and/or computer program product for detection of compromised credentials as a network service includes monitoring a plurality of sessions at a firewall, logging a plurality of failed or timed out attempts to authenticate at the firewall in a log, analyzing the log for a pattern of failed or timed out attempts to authenticate at the firewall to identify potentially compromised credentials for authentication, and determining that a set of credentials for authentication have been compromised based on the analysis of the log.

Citations

22 Claims

1. A system, comprising:
- a processor configured to;
  
  monitor a plurality of sessions at a firewall;
  
  log a plurality of failed or timed out attempts to authenticate at the firewall in a log;
  
  analyze the log for a pattern of the failed or timed out attempts to authenticate at the firewall to identify potentially compromised credentials for authentication;
  
  determine that a set of credentials for authentication have been compromised based on the analysis of the log, wherein the log includes a first threshold number of successful authentication events for a first authentication factor followed by a second threshold number of timed-out authentication events for a second authentication factor, wherein the first authentication factor is distinct from the second authentication factor, and wherein the second threshold number of timed-out authentication events for the second authentication factor correspond to timed-out authentication attempts based on an authentication timeout setting associated with the second authentication factor; and
  
  perform a responsive action based on determining that the set of credentials for authentication have been compromised based on the analysis of the log that determines that a number of monitored authentication success events for the first authentication factor exceeds the first threshold number of successful authentication events for the first authentication factor and that a number of monitored authentication failure events for the second authentication factor exceeds the second threshold number of timed-out authentication events for the second authentication factor; and
  
  a memory coupled to the processor and configured to provide the processor with instructions.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 21, 22)
- - 2. The system recited in claim 1, wherein the firewall performs multifactor authentication as a network service.
  - 3. The system recited in claim 1, wherein the log is an authentication log that includes logged authentication related events.
  - 4. The system recited in claim 1, wherein the pattern of the failed or timed out attempts to authenticate for a first user at the firewall corresponds to the first authentication factor.
  - 5. The system recited in claim 1, wherein the pattern of the failed or timed out attempts to authenticate for a first user at the firewall corresponds to the first authentication factor and a single endpoint.
  - 6. The system recited in claim 1, wherein the pattern of the failed or timed out attempts to authenticate for a first user at the firewall corresponds to the first authentication factor and a plurality of endpoints.
  - 7. The system recited in claim 1, wherein the pattern of the failed or timed out attempts to authenticate for a first user at the firewall corresponds to the second authentication factor.
  - 8. The system recited in claim 1, wherein the pattern of the failed or timed out attempts to authenticate for a first user at the firewall corresponds to the second authentication factor and a single endpoint.
  - 9. The system recited in claim 1, wherein the pattern of the failed or timed out attempts to authenticate for a first user at the firewall corresponds to the second authentication factor and a plurality of endpoints.
  - 10. The system recited in claim 1, wherein the processor is further configured to:
    - generate an alert or log a warning based on determining that an endpoint has been compromised based on the analysis of the log.
  - 21. The system recited in claim 1, wherein the processor is further configured to:
    - update a user ID record in the log with at least two timestamps per authentication profile in the event of a successful completion of the first authentication factor, including a first timestamp at which the first authentication factor was successfully completed and a second timestamp at which the second authentication factor was successfully completed or failed.
  - 22. The system recited in claim 1, wherein the log is an authentication log that includes logged authentication related events, and wherein the processor is further configured to:
    - correlate a plurality of authentication log events with a plurality of system log events to automatically identify a set of compromised credentials and a compromised endpoint that is attempting to request access using the set of compromised credentials.

11. A method, comprising:
- monitoring a plurality of sessions at a firewall;
  
  logging a plurality of failed or timed out attempts to authenticate at the firewall in a log;
  
  analyzing the log for a pattern of the failed or timed out attempts to authenticate at the firewall to identify potentially compromised credentials for authentication;
  
  determining that a set of credentials for authentication have been compromised based on the analysis of the log, wherein the log includes a first threshold number of successful authentication events for a first authentication factor followed by a second threshold number of timed-out authentication events for a second authentication factor, wherein the first authentication factor is distinct from the second authentication factor, and wherein the second threshold number of timed-out authentication events for the second authentication factor correspond to timed-out authentication attempts based on an authentication timeout setting associated with the second authentication factor; and
  
  performing a responsive action based on determining that the set of credentials for authentication have been compromised based on the analysis of the log that determines that a number of monitored authentication success events for the first authentication factor exceeds the first threshold number of successful authentication events for the first authentication factor and that a number of monitored authentication failure events for the second authentication factor exceeds the second threshold number of timed-out authentication events for the second authentication factor.
- View Dependent Claims (12, 13, 14, 15)
- - 12. The method of claim 11, wherein the pattern of the failed or timed out attempts to authenticate for a first user at the firewall corresponds to the first authentication factor.
  - 13. The method of claim 11, wherein the pattern of the failed or timed out attempts to authenticate for a first user at the firewall corresponds to the first authentication factor and a single endpoint.
  - 14. The method of claim 11, wherein the pattern of the failed or timed out attempts to authenticate for a first user at the firewall corresponds to the first authentication factor and a plurality of endpoints.
  - 15. The method of claim 11, further comprising:
    - generating an alert or logging a warning based on determining that an endpoint has been compromised based on the analysis of the log.

16. A computer program product, the computer program product being embodied in a non-transitory, tangible computer readable storage medium and comprising computer instructions for:
- monitoring a plurality of sessions at a firewall;
  
  logging a plurality of failed or timed out attempts to authenticate at the firewall in a log;
  
  analyzing the log for a pattern of the failed or timed out attempts to authenticate at the firewall to identify potentially compromised credentials for authentication;
  
  determining that a set of credentials for authentication have been compromised based on the analysis of the log, wherein the log includes a first threshold number of successful authentication events for a first authentication factor followed by a second threshold number of timed-out authentication events for a second authentication factor, wherein the first authentication factor is distinct from the second authentication factor, and wherein the second threshold number of timed-out authentication events for the second authentication factor correspond to timed-out authentication attempts based on an authentication timeout setting associated with the second authentication factor; and
  
  performing a responsive action based on determining that the set of credentials for authentication have been compromised based on the analysis of the log that determines that a number of monitored authentication success events for the first authentication factor exceeds the first threshold number of successful authentication events for the first authentication factor and that a number of monitored authentication failure events for the second authentication factor exceeds the second threshold number of timed-out authentication events for the second authentication factor.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The computer program product recited in claim 16, wherein the pattern of the failed or timed out attempts to authenticate for a first user at the firewall corresponds to the first authentication factor.
  - 18. The computer program product recited in claim 16, wherein the pattern of the failed or timed out attempts to authenticate for a first user at the firewall corresponds to the first authentication factor and a single endpoint.
  - 19. The computer program product recited in claim 16, wherein the pattern of the failed or timed out attempts to authenticate for a first user at the firewall corresponds to the first authentication factor and a plurality of endpoints.
  - 20. The computer program product recited in claim 16, further comprising computer instructions for:
    - generating an alert or logging a warning based on determining that an endpoint has been compromised based on the analysis of the log.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Palo Alto Networks Incorporated
Original Assignee
Palo Alto Networks Incorporated
Inventors
Murthy, Ashwath Sreenivasa
Primary Examiner(s)
Lanier, Benjamin E

Application Number

US15/281,939
Publication Number

US 20180097840A1
Time in Patent Office

1,033 Days
Field of Search

None
US Class Current
CPC Class Codes

H04L 63/02 for separating internal fro...

H04L 63/1425 Traffic logging, e.g. anoma...

Detection of compromised credentials as a network service

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Detection of compromised credentials as a network service

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links