System and method for providing data-driven user authentication misuse detection
First Claim
1. A computer-implemented method performed by a computing device, where the computing device includes at least a processor for executing instructions from a memory, the method comprising:
for a user authentication attempt to access a secure computer resource that results in generation of a user authentication log message, collecting, via at least the processor, user authentication log data having user attribute values;
transforming, via at least the processor, the user authentication log data into a tracer data structure having the user attribute values organized in a defined format;
augmenting, via at least the processor, the tracer data structure with timestamp data to generate an event data structure, wherein the timestamp data represents a time at which the user authentication log data is observed by the computing device;
determining, via at least the processor, whether the tracer data structure matches an existing tracer data structure stored in a rules database;
if the tracer data structure does not match the existing tracer data structure, setting a novelty flag to establish a new tracer data structure in the rules database for generating a new user behavior model filter; and
if the tracer data structure matches the existing tracer data structure:
(i) applying, via at least the processor, an existing user behavior model filter representing account usage patterns of the user for detecting a malicious authentication attempt to access the secure computer resource by a malicious user, (ii) controlling issuance of an alarm message or signal as a warning to a remote computing device in response to detecting the malicious authentication attempt, and (iii) updating, via at least the processor, the existing user behavior model filter based, at least in part, on the event data structure.
Abstract
Systems, methods, and other embodiments are disclosed for data-driven user authentication misuse detection. In one embodiment, for a user authentication attempt to access a secure computer resource, user authentication log data having user attribute values is collected. The user authentication log data is transformed into a tracer data structure. The tracer data structure is augmented with timestamp data to generate an event data structure. It is determined whether the tracer data structure matches an existing tracer data structure stored in a rules database and, if not, a novelty flag is set to generate a new user behavior model filter. If the tracer data structure matches the existing tracer data structure: an existing user behavior model filter is applied, issuance of an alarm message or signal is controlled, and the existing user behavior model filter is updated based, at least in part, on the event data structure.
7 Citations
20 Claims
1. A computer-implemented method performed by a computing device, where the computing device includes at least a processor for executing instructions from a memory, the method comprising:
for a user authentication attempt to access a secure computer resource that results in generation of a user authentication log message, collecting, via at least the processor, user authentication log data having user attribute values;
transforming, via at least the processor, the user authentication log data into a tracer data structure having the user attribute values organized in a defined format;
augmenting, via at least the processor, the tracer data structure with timestamp data to generate an event data structure, wherein the timestamp data represents a time at which the user authentication log data is observed by the computing device;
determining, via at least the processor, whether the tracer data structure matches an existing tracer data structure stored in a rules database;
if the tracer data structure does not match the existing tracer data structure, setting a novelty flag to establish a new tracer data structure in the rules database for generating a new user behavior model filter; and
if the tracer data structure matches the existing tracer data structure:
(i) applying, via at least the processor, an existing user behavior model filter representing account usage patterns of the user for detecting a malicious authentication attempt to access the secure computer resource by a malicious user, (ii) controlling issuance of an alarm message or signal as a warning to a remote computing device in response to detecting the malicious authentication attempt, and (iii) updating, via at least the processor, the existing user behavior model filter based, at least in part, on the event data structure.
Dependent claims: 2, 3, 4, 5, 6, 7, 8
9. A computer system, comprising:
a processor;
a rules database device configured to store tracer data structures having user authentication attributes organized in a defined format;
a message parsing module stored in a non-transitory computer-readable medium including instructions that when executed cause the processor to, for a user authentication attempt to access a secure computer resource that results in generation of a user authentication log message: collect user authentication log data including user attribute values from the user authentication log message, and transform the user authentication log data into a tracer data structure having the user attribute values in the defined format by parsing the user authentication log data into the user attribute values;
a tracer matching module stored in the non-transitory computer-readable medium including instructions that when executed cause the processor to: augment the tracer data structure with timestamp data to generate an event data structure, wherein the timestamp data represents a time at which the user authentication log data is observed by the computing device; determine whether the tracer data structure matches an existing tracer data structure stored in a rules database;
a filter module stored in the non-transitory computer-readable medium including instructions that when executed cause the processor to: if the tracer data structure does not match the existing tracer data structure, set a novelty flag to establish a new tracer data structure in the rules database for generating a new user behavior model filter; and if the tracer data structure matches the existing tracer data structure:
(i) apply an existing user behavior model filter representing account usage patterns of the user for detecting a malicious authentication attempt to access the secure computer resource by a malicious user, (ii) control issuance of an alarm message or signal as a warning to a remote computing device in response to detecting the malicious authentication attempt, and (iii) update the existing user behavior model filter based, at least in part, on the event data structure.
Dependent claims: 10, 11, 12, 13, 14, 15, 16
17. A non-transitory computer-readable medium storing instructions that, when executed by one or more processors of a computing device, cause the computing device to at least:
for a user authentication attempt to access a secure computer resource that results in generation of a user authentication log message, collecting, via at least the processor, user authentication log data having user attribute values;
transforming, via at least the processor, the user authentication log data into a tracer data structure having the user attribute values organized in a defined format;
augmenting, via at least the processor, the tracer data structure with timestamp data to generate an event data structure, wherein the timestamp data represents a time at which the user authentication log data is observed by the computing device;
determining, via at least the processor, whether the tracer data structure matches an existing tracer data structure stored in a rules database;
if the tracer data structure does not match the existing tracer data structure, setting a novelty flag to establish a new tracer data structure in the rules database for generating a new user behavior model filter; and
if the tracer data structure matches the existing tracer data structure:
(i) applying, via at least the processor, an existing user behavior model filter representing account usage patterns of the user for detecting a malicious authentication attempt to access the secure computer resource by a malicious user, (ii) controlling issuance of an alarm message or signal as a warning to a remote computing device in response to detecting the malicious authentication attempt, and (iii) updating, via at least the processor, the existing user behavior model filter based, at least in part, on the event data structure.
Dependent claims: 18, 19, 20
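The collect, transform, augment, match and filter loop that claims 1, 9 and 17 (and the abstract) describe, as an added Python example that is not the patent's or any assignee's code. The `user=... src=... host=... result=...` log format, the tuple used as the tracer's defined format, and the hour-of-day histogram standing in for the user behavior model filter are assumptions; the log lines are constructed.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed log format (an assumption; the patent does not define one).
LOG_RE = re.compile(r"user=(?P<user>\S+) src=(?P<src>\S+) host=(?P<host>\S+) result=(?P<result>\S+)")

def to_tracer(log_line):
    """Collect the user attribute values and organize them in a defined format (a tuple)."""
    m = LOG_RE.search(log_line)
    if m is None:
        raise ValueError(f"unparseable authentication log: {log_line!r}")
    return (m["user"], m["src"], m["host"], m["result"])

class MisuseDetector:
    """Rules database keyed by tracer; each value is that tracer's behavior model filter."""
    def __init__(self, min_history=3):
        self.rules = {}
        self.min_history = min_history

    def observe(self, log_line, observed_at):
        tracer = to_tracer(log_line)
        # Augment the tracer with the observation time to form the event data structure.
        event = {"tracer": tracer, "observed_at": observed_at}
        if tracer not in self.rules:
            # Novelty flag: no matching tracer, so establish it and seed a new model filter.
            self.rules[tracer] = Counter([observed_at.hour])
            return {"tracer": tracer, "novel": True, "alarm": False}
        model = self.rules[tracer]
        # Apply the existing filter: once enough history exists, an hour never seen
        # for this tracer is treated as out-of-pattern and raises an alarm (assumed model).
        seen = sum(model.values())
        alarm = seen >= self.min_history and model[event["observed_at"].hour] == 0
        # Update the filter from the event regardless, so the model keeps learning.
        model[event["observed_at"].hour] += 1
        return {"tracer": tracer, "novel": False, "alarm": alarm}

# Constructed sample: three business-hours logins, then one at 03:00 for the same tracer.
SAMPLE = [
    ("user=alice src=10.0.0.5 host=vpn1 result=success", datetime(2024, 1, 8, 9, 2)),
    ("user=alice src=10.0.0.5 host=vpn1 result=success", datetime(2024, 1, 9, 9, 15)),
    ("user=alice src=10.0.0.5 host=vpn1 result=success", datetime(2024, 1, 10, 8, 58)),
    ("user=alice src=10.0.0.5 host=vpn1 result=success", datetime(2024, 1, 11, 3, 4)),
    ("user=bob src=10.0.0.7 host=vpn1 result=failure", datetime(2024, 1, 11, 3, 6)),
]

def run_sample():
    det = MisuseDetector()
    return [det.observe(line, ts) for line, ts in SAMPLE]
```

Only the fourth event raises an alarm: the tracer already matches and has enough history, but 03:00 has never been seen for it; bob's line is a new tracer, so it sets the novelty flag instead.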