Intrusion detection based on login attempts

US 10,397,249 B2
Filed: 01/18/2017
Issued: 08/27/2019
Est. Priority Date: 01/18/2017
Status: Active Grant

First Claim

Patent Images

1. A system comprising:

one or more processors; and

a non-transitory computer readable medium storing a plurality of instructions, which when executed, cause the one or more processors to;

identify an attempt by a user to login to a destination server from a source server, the destination and source server coupled to an enterprise computer network having a plurality of destination servers;

determine a destination score based on a count of attempts by the user to login to the destination server, and a count of attempts by the user to login to all of the destination servers;

determine a source given destination score based on a count of attempts by the user to login from the source server to the destination server, and a count of attempts by the user to login to the destination server;

determine one of a success rate score based on a success rate of attempts by the user to login to all of the destination servers and a login attempt frequency score based on a frequency of attempts by the user to login to all of the destination servers, the attempts being made during a time period and an extended time period;

determine an outlier score based on values associated with the destination score, the source given destination score and one of the success rate score and the login attempt frequency score; and

cause an alert to be outputted in response to a determination that the outlier score satisfies a threshold.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An attempt by a user to login to a destination server is identified from a source server. A destination score is determined based on the count of attempts by the user to login to the destination server and the count of attempts by the user to login to all destination servers. A source given destination score is determined based on the count of attempts by the user to login from the source server to the destination server, and the count of attempts by the user to login to the destination server. An outlier score is determined based on values associated with the destination score and the source given destination score. An alert is output if the outlier score satisfies a threshold.

143 Citations

18 Claims

1. A system comprising:
- one or more processors; and
  
  a non-transitory computer readable medium storing a plurality of instructions, which when executed, cause the one or more processors to;
  
  identify an attempt by a user to login to a destination server from a source server, the destination and source server coupled to an enterprise computer network having a plurality of destination servers;
  
  determine a destination score based on a count of attempts by the user to login to the destination server, and a count of attempts by the user to login to all of the destination servers;
  
  determine a source given destination score based on a count of attempts by the user to login from the source server to the destination server, and a count of attempts by the user to login to the destination server;
  
  determine one of a success rate score based on a success rate of attempts by the user to login to all of the destination servers and a login attempt frequency score based on a frequency of attempts by the user to login to all of the destination servers, the attempts being made during a time period and an extended time period;
  
  determine an outlier score based on values associated with the destination score, the source given destination score and one of the success rate score and the login attempt frequency score; and
  
  cause an alert to be outputted in response to a determination that the outlier score satisfies a threshold.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The system of claim 1, wherein at least one of the count of attempts by the user to login to the destination server and the count of attempts by the user to login from the source server comprise a corresponding pseudo count that has a value less than one.
  - 3. The system of claim 1, comprising further instructions, which when executed, cause the one or more processors to:
    - determine another destination score based on a count of attempts by the user to login to any destination server on the enterprise computer network comprising a set of features of the destination server, and the count of attempts by the user to login to all destination servers; and
      
      determine another source given destination score based on a count of attempts by the user to login from any source server on the enterprise computer network comprising a set of features of the source server to any destination server comprising another set of features of the destination server, and a count of attempts by the user to login to any destination server comprising the other set of features of the destination server.
  - 4. The system of claim 1, comprising further instructions, which when executed, cause the one or more processors to determine a temporal score based on an average count of attempts of the user to login to all destination servers during a historical time period and a count of attempts of the user to login to all destination servers during a current time period, the historical time period and the current time period being based on a contextually equivalent day of week and time of day, wherein the outlier score is further based on the temporal score.
  - 5. The system of claim 1, wherein the extended time period being relatively longer than the time period.
  - 6. The system of claim 1, comprising further instructions, which when executed, cause the one or more processors to cause a comparative outlier alert to be outputted based on comparing a mathematical average of the outlier score during a time period with a mathematical average of the outlier score during an extended time period, the extended time period being relatively longer than the time period.

7. A computer program product comprising a non-transitory computer-readable medium having computer-readable program code embodied thereon to be executed by one or more processors, the program code including instructions to:
- identify an attempt by a user to login to a destination server from a source server, the destination and source server coupled to an enterprise computer network having a plurality of destination servers;
  
  determine a destination score based on a count of attempts by the user to login to the destination server, and a count of attempts by the user to login to all of the destination servers;
  
  determine a source given destination score based on a count of attempts by the user to login from the source server to the destination server, and a count of attempts by the user to login to the destination server;
  
  determine one of a success rate score based on a success rate of attempts by the user to login to all of the destination servers and a login attempt frequency score based on a frequency of attempts by the user to login to all of the destination servers, the attempts being made during a time period and an extended time period;
  
  determine an outlier score based on values associated with the destination score, the source given destination score and one of the success rate score and the login attempt frequency score; and
  
  cause an alert to be outputted in response to a determination that the outlier score satisfies a threshold.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The computer program product of claim 7, wherein at least one of the count of attempts by the user to login to the destination server and the count of attempts by the user to login from the source server comprise a corresponding pseudo count that has a value less than one.
  - 9. The computer program product of claim 7, wherein the program code comprises further instructions to:
    - determine another destination score based on a count of attempts by the user to login to any destination server on the enterprise computer network comprising a set of features of the destination server, and the count of attempts by the user to login to all destination servers; and
      
      determine another source given destination score based on a count of attempts by the user to login from any source server on the enterprise computer network comprising a set of features of the source server to any destination server comprising another set of features of the destination server, and a count of attempts by the user to login to any destination server comprising the other set of features of the destination server.
  - 10. The computer program product of claim 7, wherein the program code comprises further instructions to determine a temporal score based on an average count of attempts of the user to login to all destination servers during a historical time period and a count of attempts of the user to login to all destination servers during a current time period, the historical time period and the current time period being based on a contextually equivalent day of week and time of day, wherein the outlier score is further based on the temporal score.
  - 11. The computer program product of claim 7, wherein the extended time period being relatively longer than the time period.
  - 12. The computer program product of claim 7, wherein the program code comprises further instructions to cause a comparative outlier alert to be outputted based on comparing a mathematical average of the outlier score during a time period with a mathematical average of the outlier score during an extended time period, the extended time period being relatively longer than the time period.

13. A method comprising:
- identifying an attempt by a user to login to a destination server from a source server, the destination and source server coupled to an enterprise computer network having a plurality of destination servers;
  
  determining a destination score based on a count of attempts by the user to login to the destination server, and a count of attempts by the user to login to all of the destination servers;
  
  determining a source given destination score based on a count of attempts by the user to login from the source server to the destination server, and a count of attempts by the user to login to the destination server;
  
  determining one of a success rate score based on a success rate of attempts by the user to login to all of the destination servers and a login attempt frequency score based on a frequency of attempts by the user to login to all of the destination servers, the attempts being made during a time period and an extended time period;
  
  determining an outlier score based on values associated with the destination score, the source given destination score and one of the success rate score and the login attempt frequency score; and
  
  causing an alert to be outputted in response to a determination that the outlier score satisfies a threshold.
- View Dependent Claims (14, 15, 16, 17, 18)
- - 14. The method of claim 13, wherein at least one of the count of attempts by the user to login to the destination server and the count of attempts by the user to login from the source server comprise a corresponding pseudo count that has a value less than one.
  - 15. The method of claim 13, wherein the method further comprises:
    - determining another destination score based on a count of attempts by the user to login to any destination server on the enterprise computer network comprising a set of features of the destination server, and the count of attempts by the user to login to all destination servers; and
      
      determining another source given destination score based on a count of attempts by the user to login from any source server on the enterprise computer network comprising a set of features of the source server to any destination server comprising another set of features of the destination server, and a count of attempts by the user to login to any destination server comprising the other set of features of the destination server.
  - 16. The method of claim 13, wherein the method further comprises determining a temporal score based on an average count of attempts of the user to login to all destination servers during a historical time period and a count of attempts of the user to login to all destination servers during a current time period, the historical time period and the current time period being based on a contextually equivalent day of week and time of day, wherein the outlier score is further based on the temporal score.
  - 17. The method of claim 13, wherein the extended time period being relatively longer than the time period.
  - 18. The method of claim 13, wherein the method further comprisescausing a comparative outlier alert to be outputted based on comparing a mathematical average of the outlier score during a time period with a mathematical average of the outlier score during an extended time period, the extended time period being relatively longer than the time period.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Salesforce.com, Inc.
Original Assignee
Salesforce.com, Inc.
Inventors
Gurkok, Cem, Jagota, Arun Kumar, Ramineni, Navin K.
Primary Examiner(s)
Bechtel, Kevin

Application Number

US15/408,483
Publication Number

US 20180205748A1
Time in Patent Office

951 Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/083   using passwords cryptograph...

H04L 63/102   Entity profiles

H04L 63/1416   Event detection, e.g. attac...

Intrusion detection based on login attempts

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

143 Citations

18 Claims

Specification

Use Cases

Quick Links

Others

Intrusion detection based on login attempts

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

143 Citations

18 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others