Intrusion detection based on login attempts
Abstract
An attempt by a user to login to a destination server is identified from a source server. A destination score is determined based on the count of attempts by the user to login to the destination server and the count of attempts by the user to login to all destination servers. A source given destination score is determined based on the count of attempts by the user to login from the source server to the destination server, and the count of attempts by the user to login to the destination server. An outlier score is determined based on values associated with the destination score and the source given destination score. An alert is output if the outlier score satisfies a threshold.
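The two count-based scores in the abstract, worked through on constructed data. This is an added example, not code from the patent. The ratio form of each score, the add-one smoothing, the negative-log combination into an outlier score, the threshold value and all host names are assumptions made for illustration. The success rate and login attempt frequency scores recited in the claims are left out.

```python
import math
from collections import Counter

# Constructed sample data: one user's past login attempts as (source, destination).
HISTORY = ([("ws-01", "app-01")] * 55 + [("ws-02", "app-01")] * 4
           + [("ws-01", "db-01")] * 40 + [("ws-01", "hr-01")] * 1)
DESTINATIONS = ["app-01", "db-01", "hr-01", "dc-01"]  # hypothetical server names
SOURCES = ["ws-01", "ws-02", "jump-01"]               # hypothetical source hosts
THRESHOLD = 5.0  # assumed alert threshold, in nats


class LoginProfile:
    def __init__(self, history, destinations, sources):
        self.by_dest = Counter(d for _, d in history)
        self.by_pair = Counter(history)
        self.total = len(history)
        self.n_dest = len(destinations)
        self.n_src = len(sources)

    def destination_score(self, dest):
        # Attempts to this destination over attempts to all destinations,
        # add-one smoothed so a never-seen destination is rare, not impossible.
        return (self.by_dest[dest] + 1) / (self.total + self.n_dest)

    def source_given_destination_score(self, src, dest):
        # Attempts from src to dest over all attempts to dest (add-one smoothed).
        return (self.by_pair[(src, dest)] + 1) / (self.by_dest[dest] + self.n_src)

    def outlier_score(self, src, dest):
        # Assumed combination: surprisal (negative log) of the two scores, summed.
        return -(math.log(self.destination_score(dest))
                 + math.log(self.source_given_destination_score(src, dest)))

    def should_alert(self, src, dest, threshold=THRESHOLD):
        return self.outlier_score(src, dest) >= threshold


def triage(profile, attempts):
    """Return (source, destination, score, alert) for each new attempt."""
    return [(s, d, round(profile.outlier_score(s, d), 3), profile.should_alert(s, d))
            for s, d in attempts]


if __name__ == "__main__":
    profile = LoginProfile(HISTORY, DESTINATIONS, SOURCES)
    for row in triage(profile, [("ws-01", "app-01"), ("ws-02", "app-01"),
                                ("jump-01", "hr-01"), ("jump-01", "dc-01")]):
        print(row)
```

The user's habitual path (ws-01 to app-01) scores well under the threshold, while a first-time login from an unfamiliar source to a rarely or never visited server crosses it.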
18 Claims
1. A system comprising:
one or more processors; and
a non-transitory computer readable medium storing a plurality of instructions, which when executed, cause the one or more processors to:
identify an attempt by a user to login to a destination server from a source server, the destination and source server coupled to an enterprise computer network having a plurality of destination servers;
determine a destination score based on a count of attempts by the user to login to the destination server, and a count of attempts by the user to login to all of the destination servers;
determine a source given destination score based on a count of attempts by the user to login from the source server to the destination server, and a count of attempts by the user to login to the destination server;
determine one of a success rate score based on a success rate of attempts by the user to login to all of the destination servers and a login attempt frequency score based on a frequency of attempts by the user to login to all of the destination servers, the attempts being made during a time period and an extended time period;
determine an outlier score based on values associated with the destination score, the source given destination score and one of the success rate score and the login attempt frequency score; and
cause an alert to be outputted in response to a determination that the outlier score satisfies a threshold.
7. A computer program product comprising a non-transitory computer-readable medium having computer-readable program code embodied thereon to be executed by one or more processors, the program code including instructions to:
identify an attempt by a user to login to a destination server from a source server, the destination and source server coupled to an enterprise computer network having a plurality of destination servers;
determine a destination score based on a count of attempts by the user to login to the destination server, and a count of attempts by the user to login to all of the destination servers;
determine a source given destination score based on a count of attempts by the user to login from the source server to the destination server, and a count of attempts by the user to login to the destination server;
determine one of a success rate score based on a success rate of attempts by the user to login to all of the destination servers and a login attempt frequency score based on a frequency of attempts by the user to login to all of the destination servers, the attempts being made during a time period and an extended time period;
determine an outlier score based on values associated with the destination score, the source given destination score and one of the success rate score and the login attempt frequency score; and
cause an alert to be outputted in response to a determination that the outlier score satisfies a threshold.
13. A method comprising:
identifying an attempt by a user to login to a destination server from a source server, the destination and source server coupled to an enterprise computer network having a plurality of destination servers;
determining a destination score based on a count of attempts by the user to login to the destination server, and a count of attempts by the user to login to all of the destination servers;
determining a source given destination score based on a count of attempts by the user to login from the source server to the destination server, and a count of attempts by the user to login to the destination server;
determining one of a success rate score based on a success rate of attempts by the user to login to all of the destination servers and a login attempt frequency score based on a frequency of attempts by the user to login to all of the destination servers, the attempts being made during a time period and an extended time period;
determining an outlier score based on values associated with the destination score, the source given destination score and one of the success rate score and the login attempt frequency score; and
causing an alert to be outputted in response to a determination that the outlier score satisfies a threshold.
Specification