System and method for providing data-driven user authentication misuse detection

US 10,491,630 B2
Filed: 12/06/2018
Issued: 11/26/2019
Est. Priority Date: 09/07/2016
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method performed by a computing device, where the computing device includes at least a processor for executing instructions from a memory, the method comprising:

for a user authentication attempt to access a secure computer resource that results in generation of a user authentication log message, collecting, via at least the processor, user authentication log data having user attribute values;

transforming, via at least the processor, the user authentication log data into a tracer data structure having the user attribute values organized in a defined format;

augmenting, via at least the processor, the tracer data structure with timestamp data to generate an event data structure, wherein the timestamp data represents a time at which the user authentication log data is observed by the computing device;

determining, via at least the processor, whether the tracer data structure matches an existing tracer data structure stored in a rules database;

if the tracer data structure does not match the existing tracer data structure, setting a novelty flag to establish a new tracer data structure in the rules database for generating a new user behavior model filter; and

if the tracer data structure matches the existing tracer data structure;

(i) applying, via at least the processor, an existing user behavior model filter representing account usage patterns of the user for detecting a malicious authentication attempt to access the secure computer resource by a malicious user, (ii) controlling issuance of an alarm message or signal as a warning to a remote computing device in response to detecting the malicious authentication attempt, and (iii) updating, via at least the processor, the existing user behavior model filter based, at least in part, on the event data structure.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems, methods, and other embodiments are disclosed for data-driven user authentication misuse detection. In one embodiment, for a user authentication attempt to access a secure computer resource, user authentication log data having user attribute values is collected. The user authentication log data is transformed into a tracer data structure. The tracer data structure is augmented with timestamp data to generate an event data structure. It is determined whether the tracer data structure matches an existing tracer data structure stored in a rules database and, if not, a novelty flag is set to generate a new user behavior model filter. If the tracer data structure matches the existing tracer data structure: an existing user behavior model filter is applied, issuance of an alarm message or signal is controlled, and the existing user behavior model filter is updated based, at least in part, on the event data structure.

7 Citations

20 Claims

1. A computer-implemented method performed by a computing device, where the computing device includes at least a processor for executing instructions from a memory, the method comprising:
- for a user authentication attempt to access a secure computer resource that results in generation of a user authentication log message, collecting, via at least the processor, user authentication log data having user attribute values;
  
  transforming, via at least the processor, the user authentication log data into a tracer data structure having the user attribute values organized in a defined format;
  
  augmenting, via at least the processor, the tracer data structure with timestamp data to generate an event data structure, wherein the timestamp data represents a time at which the user authentication log data is observed by the computing device;
  
  determining, via at least the processor, whether the tracer data structure matches an existing tracer data structure stored in a rules database;
  
  if the tracer data structure does not match the existing tracer data structure, setting a novelty flag to establish a new tracer data structure in the rules database for generating a new user behavior model filter; and
  
  if the tracer data structure matches the existing tracer data structure;
  
  (i) applying, via at least the processor, an existing user behavior model filter representing account usage patterns of the user for detecting a malicious authentication attempt to access the secure computer resource by a malicious user, (ii) controlling issuance of an alarm message or signal as a warning to a remote computing device in response to detecting the malicious authentication attempt, and (iii) updating, via at least the processor, the existing user behavior model filter based, at least in part, on the event data structure.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein transforming the user authentication log data into the tracer data structure includes parsing the user authentication log data into the user attribute values.
  - 3. The method of claim 1, wherein the defined format of the tracer data structure includes each of the attribute values paired with a corresponding attribute type organized in a format that is common to each of a plurality of user authentication attempts to access the secure computer resource.
  - 4. The method of claim 1, wherein if the tracer data structure matches the existing tracer data structure, a list of timestamps for the existing tracer data structure is updated with a new timestamp, wherein the list of timestamps represents a plurality of times at which the user authentication log data is observed by the computing device.
  - 5. The method of claim 1, wherein detecting the malicious authentication attempt further includes detecting an impossible event pattern within authentication log messages received by the computing device from the malicious user.
  - 6. The method of claim 1, wherein generating the new user behavior model filter comprises transforming the event data structure, and at least one additional event data structure derived from a second authentication attempt to access the secure computer resource, into features that describe authentication behavior characteristics of the user, without having to train the new user behavior model filter using truth-labeled training data, and without having apriori knowledge of user authentication misuse.
  - 7. The method of claim 1, further comprising controlling user specification of filter parameters associated with at least the user behavior model filter via a graphical user interface or an application program interface.
  - 8. The method of claim 1, wherein the user attribute values include at least one of a user name value, a client IP address value, a resource name value, a login status value, a timestamp value, an authentication scheme value, an authentication policy value, a partner value, a failure code value, a retry count value, a session value, and an authentication level value.

9. A computer system, comprising:
- a processor;
  
  a rules database device configured to store tracer data structures having user authentication attributes organized in a defined format;
  
  a message parsing module stored in a non-transitory computer-readable medium including instructions that when executed cause the processor to, for a user authentication attempt to access a secure computer resource that results in generation of a user authentication log message;
  
  collect user authentication log data including user attribute values from the user authentication log message, andtransform the user authentication log data into a tracer data structure having the user attribute values in the defined format by parsing the user authentication log data into the user attribute values;
  
  a tracer matching module stored in the non-transitory computer-readable medium including instructions that when executed cause the processor to;
  
  augment the tracer data structure with timestamp data to generate an event data structure, wherein the timestamp data represents a time at which the user authentication log data is observed by the computing device;
  
  determine whether the tracer data structure matches an existing tracer data structure stored in a rules database;
  
  a filter module stored in the non-transitory computer-readable medium including instructions that when executed cause the processor to;
  
  if the tracer data structure does not match the existing tracer data structure, set a novelty flag to establish a new tracer data structure in the rules database for generating a new user behavior model filter; and
  
  if the tracer data structure matches the existing tracer data structure;
  
  (i) apply an existing user behavior model filter representing account usage patterns of the user for detecting a malicious authentication attempt to access the secure computer resource by a malicious user, (ii) control issuance of an alarm message or signal as a warning to a remote computing device in response to detecting the malicious authentication attempt, and (iii) update the existing user behavior model filter based, at least in part, on the event data structure.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The computer system of claim 9, further comprising an explain module stored in the non-transitory computer-readable medium including instructions that when executed cause the processor to engage at least the filter module to:
    - determine a valid explanation for the malicious authentication attempt and generate a corresponding valid explanation message.
  - 11. The computer system of claim 9, wherein the user attribute values include at least one of a user name value, a client IP address value, a resource name value, a login status value, a timestamp value, an authentication scheme value, an authentication policy value, a partner value, a failure code value, a retry count value, a session value, and an authentication level value.
  - 12. The computer system of claim 9, wherein the defined format of the tracer data structure includes each of the attribute values paired with a corresponding attribute type organized in a format that is common to each of a plurality of user authentication attempts to access the secure computer resource.
  - 13. The computer system of claim 9, wherein the filter module further includes instructions that when executed cause the processor to detect the malicious authentication attempt based, at least in part, on an impossible event pattern within authentication log messages received by the computing device from the malicious user.
  - 14. The computer system of claim 9, further comprising a visual user interface module stored in the non-transitory computer-readable medium including instructions that when executed cause the processor to provide a graphical user interface that controls at least user specification of filter parameters associated with the filter module.
  - 15. The computer system of claim 14, further comprising a display screen configured to display and facilitate user interaction with at least the graphical user interface provided by the visual user interface module.
  - 16. The computer system of claim 9, wherein the filter module includes instructions that when executed cause the processor to generate the new user behavior model filter by transforming the event data structure, and at least one additional event data structure derived from a second authentication attempt to access the secure computer resource, into features that describe authentication behavior characteristics of the user, without having to train the new user behavior model filter using truth-labeled training data, and without having apriori knowledge of user authentication misuse.

17. A non-transitory computer-readable medium storing instructions that, when executed by one or more processors of a computing device, cause the computing device to at least:
- for a user authentication attempt to access a secure computer resource that results in generation of a user authentication log message, collecting, via at least the processor, user authentication log data having user attribute values;
  
  transforming, via at least the processor, the user authentication log data into a tracer data structure having the user attribute values organized in a defined format;
  
  augmenting, via at least the processor, the tracer data structure with timestamp data to generate an event data structure, wherein the timestamp data represents a time at which the user authentication log data is observed by the computing device;
  
  determining, via at least the processor, whether the tracer data structure matches an existing tracer data structure stored in a rules database;
  
  if the tracer data structure does not match the existing tracer data structure, setting a novelty flag to establish a new tracer data structure in the rules database for generating a new user behavior model filter; and
  
  if the tracer data structure matches the existing tracer data structure;
  
  (i) applying, via at least the processor, an existing user behavior model filter representing account usage patterns of the user for detecting a malicious authentication attempt to access the secure computer resource by a malicious user, (ii) controlling issuance of an alarm message or signal as a warning to a remote computing device in response to detecting the malicious authentication attempt, and (iii) updating, via at least the processor, the existing user behavior model filter based, at least in part, on the event data structure.
- View Dependent Claims (18, 19, 20)
- - 18. The non-transitory computer-readable medium of claim 17, wherein the instructions further comprise instructions that, when executed by the one or more processors, cause the computing device to, if the tracer data structure matches the existing tracer data structure, update a list of timestamps for the existing tracer data structure with a new timestamp, wherein the list of timestamps represents a plurality of times when the user authentication log data was previously observed by the computing device.
  - 19. The non-transitory computer-readable medium of claim 17, wherein the instructions further include instructions that, when executed by the one or more processors, causes the computing device to:
    - determine a valid explanation for the malicious authentication attempt and generate a corresponding valid explanation message.
  - 20. The non-transitory computer-readable medium of claim 17, wherein the instructions further comprise instructions that, when executed by the one or more processors, cause the computing device to at least generate the new user behavior model filter, at least in part, by transforming the event data structure, and at least one additional event data structure derived from a second authentication attempt to access the secure computer resource, into features that describe authentication behavior characteristics of the user, without having to train the new user behavior model filter using truth-labeled training data, and without having apriori knowledge of user authentication misuse.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle International Corporation (Oracle Corporation)
Original Assignee
Oracle International Corporation (Oracle Corporation)
Inventors
Urmanov, Aleksey M., Wood, Alan P.
Primary Examiner(s)
Rahim, Monjur

Application Number

US16/211,819
Publication Number

US 20190109875A1
Time in Patent Office

355 Days
Field of Search

726 7
US Class Current
CPC Class Codes

G06F 21/31   User authentication

G06F 21/316   by observing the pattern of...

G06F 21/554   involving event detection a...

G06F 2221/2101   Auditing as a secondary aspect

H04L 2463/121   Timestamp cryptographic mec...

H04L 63/08   for authentication of entit...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1441   Countermeasures against mal...

H04L 63/1483   service impersonation, e.g....

System and method for providing data-driven user authentication misuse detection

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

7 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for providing data-driven user authentication misuse detection

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

7 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links