Stolen credential use prevention on a web service

US 10,523,686 B1
Filed: 03/25/2016
Issued: 12/31/2019
Est. Priority Date: 03/26/2015
Status: Active Grant

First Claim

Patent Images

1. A method to facilitate securing web services from unauthorized access, the method comprising:

monitoring user interactions with a web service;

generating sets of the user interactions per originator by grouping the user interactions per originator based on origination information associated with the user interactions, wherein the origination information includes network data and application information associated with applications used to conduct the user interactions with the web service that uniquely identify each originator;

processing the sets of the user interactions that are grouped per originator to identify credentials used to access the web service per originator;

comparing the credentials used to access the web service per originator with compromised credentials stored in a database to identify one or more user accounts of the web service associated with an originator that used the compromised credentials found in the database;

determining whether the originator used multiple ones of the compromised credentials stored in the database to attempt to access the one or more user accounts of the web service;

responsive to determining that the originator used the multiple ones of the compromised credentials, blocking the originator from access to the web service; and

applying security measures for at least the one or more user accounts of the web service associated with the originator that used the compromised credentials found in the database.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques to facilitate securing web services from unauthorized access are disclosed herein. In at least one implementation, user interactions with a web service are monitored, and sets of the user interactions are generated per originator based on origination information associated with the user interactions. The sets of the user interactions are processed to identify credentials used to access the web service per originator. The credentials used to access the web service per originator are compared with compromised credentials stored in a database to identify one or more user accounts of the web service associated with an originator that used the compromised credentials found in the database. Security measures are applied for at least the one or more user accounts of the web service associated with the originator that used the compromised credentials found in the database.

17 Citations

View as Search Results

20 Claims

1. A method to facilitate securing web services from unauthorized access, the method comprising:
- monitoring user interactions with a web service;
  
  generating sets of the user interactions per originator by grouping the user interactions per originator based on origination information associated with the user interactions, wherein the origination information includes network data and application information associated with applications used to conduct the user interactions with the web service that uniquely identify each originator;
  
  processing the sets of the user interactions that are grouped per originator to identify credentials used to access the web service per originator;
  
  comparing the credentials used to access the web service per originator with compromised credentials stored in a database to identify one or more user accounts of the web service associated with an originator that used the compromised credentials found in the database;
  
  determining whether the originator used multiple ones of the compromised credentials stored in the database to attempt to access the one or more user accounts of the web service;
  
  responsive to determining that the originator used the multiple ones of the compromised credentials, blocking the originator from access to the web service; and
  
  applying security measures for at least the one or more user accounts of the web service associated with the originator that used the compromised credentials found in the database.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1 wherein applying the security measures for at least the one or more user accounts of the web service associated with the originator comprises increasing a level of authentication required for the one or more user accounts to access the web service.
  - 3. The method of claim 1 further comprising:
    - automatically mining one or more credential data resources to identify the compromised credentials;
      
      tagging, on a per source basis, the compromised credentials to identify the one or more credential data resources from which the compromised credentials were obtained; and
      
      automatically populating the database with the compromised credentials identified by the mining.
  - 4. The method of claim 1 wherein applying the security measures for at least the one or more user accounts of the web service associated with the originator comprises sending automatic password reset notifications to owners of the one or more user accounts.
  - 5. The method of claim 1 further comprising determining other user accounts of the web service having passwords found in a same credential data source as the compromised credentials used by the one or more user accounts associated with the originator that used the compromised credentials, and responsively sending automatic password reset notifications to owners of the other user accounts.
  - 6. The method of claim 1 further comprising receiving a credential query transmitted from an authorized user of the web service, responsively comparing legitimate credentials of the authorized user received in the credential query with the compromised credentials in the database, and transferring a notification for delivery to the authorized user that indicates whether or not the legitimate credentials of the authorized user appear in the database of compromised credentials.

7. An apparatus comprising:
- one or more processors;
  
  one or more non-transitory computer-readable storage media; and
  
  program instructions stored on the one or more non-transitory computer-readable storage media that, when executed by the one or more processors, direct a system to at least;
  
  monitor user interactions with a web service;
  
  generate sets of the user interactions per originator by grouping the user interactions per originator based on origination information associated with the user interactions, wherein the origination information includes network data and application information associated with applications used to conduct the user interactions with the web service that uniquely identify each originator;
  
  process the sets of the user interactions that are grouped per originator to identify credentials used to access the web service per originator;
  
  compare the credentials used to access the web service per originator with compromised credentials stored in a database to identify one or more user accounts of the web service associated with an originator that used the compromised credentials found in the database;
  
  determine whether the originator used multiple ones of the compromised credentials to attempt to access the one or more user accounts of the web service;
  
  responsive to determining that the originator used the multiple ones of the compromised credentials, block the originator from access to the web service; and
  
  apply security measures for at least the one or more user accounts of the web service associated with the originator that used the compromised credentials found in the database.
- View Dependent Claims (8, 9, 10, 11, 12, 13)
- - 8. The apparatus of claim 7 wherein the one or more processors further direct the system to:
    - mine one or more credential data resources to identify the compromised credentials;
      
      tag, on a per source basis, the compromised credentials to identify the one or more credential data resources from which the compromised credentials were obtained; and
      
      automatically populate the database with the compromised credentials identified by the mining.
  - 9. The apparatus of claim 7 wherein the program instructions direct the system to apply the security measures for at least the one or more user accounts of the web service associated with the originator by directing the system to increase a level of authentication required for the one or more user accounts to access the web service.
  - 10. The apparatus of claim 7 wherein the program instructions direct the system to block the originator from access to the web service by directing the system to block access to the web service for all access attempts associated with the originator.
  - 11. The apparatus of claim 7 wherein the program instructions direct the system to apply the security measures for at least the one or more user accounts of the web service associated with the originator by directing the system to send automatic password reset notifications to owners of the one or more user accounts.
  - 12. The apparatus of claim 7 wherein the program instructions further direct the system to determine other user accounts of the web service having passwords found in a same credential data source as the compromised credentials used by the one or more user accounts associated with the originator that used the compromised credentials, and responsively send automatic password reset notifications to owners of the other user accounts.
  - 13. The apparatus of claim 7 wherein the program instructions further direct the system to receive a credential query transmitted from an authorized user of the web service, responsively compare legitimate credentials of the authorized user received in the credential query with the compromised credentials in the database, and transfer a notification for delivery to the authorized user that indicates whether or not the legitimate credentials of the authorized user appear in the database of compromised credentials.

14. One or more non-transitory computer-readable storage media having program instructions stored thereon to facilitate securing web services from unauthorized access, wherein the program instructions, when executed by a processing system, direct the processing system to at least:
- monitor user interactions with a web service;
  
  generate sets of the user interactions per originator by grouping the user interactions per originator based on origination information associated with the user interactions, wherein the origination information includes network data and application information associated with applications used to conduct the user interactions with the web service that uniquely identify each originator;
  
  process the sets of the user interactions that are grouped per originator to identify credentials used to access the web service per originator;
  
  compare the credentials used to access the web service per originator with compromised credentials stored in a database to identify one or more user accounts of the web service associated with an originator that used the compromised credentials found in the database;
  
  determine whether the originator used multiple ones of the compromised credentials to attempt to access the one or more user accounts of the web service;
  
  responsive to determining that the originator used the multiple ones of the compromised credentials, block the originator from access to the web service; and
  
  apply security measures for at least the one or more user accounts of the web service associated with the originator that used the compromised credentials found in the database.
- View Dependent Claims (15, 16, 17, 18, 19, 20)
- - 15. The one or more non-transitory computer-readable storage media of claim 14 wherein the processing system is operatively coupled to the one or more non-transitory computer-readable storage media and the processing system reads and executes the program instructions.
  - 16. The one or more non-transitory computer-readable storage media of claim 14 wherein the program instructions direct the processing system to apply the security measures for at least the one or more user accounts of the web service associated with the originator by directing the processing system to increase a level of authentication required for the one or more user accounts to access the web service.
  - 17. The one or more non-transitory computer-readable storage media of claim 14 wherein the program instructions direct the processing system to block the originator from access to the web service by directing the processing system to block access to the web service for all access attempts associated with the originator.
  - 18. The one or more non-transitory computer-readable storage media of claim 14 wherein the program instructions direct the processing system to apply the security measures for at least the one or more user accounts of the web service associated with the originator by directing the processing system to send automatic password reset notifications to owners of the one or more user accounts.
  - 19. The one or more non-transitory computer-readable storage media of claim 14 wherein the program instructions further direct the processing system to determine other user accounts of the web service having passwords found in a same credential data source as the compromised credentials used by the one or more user accounts associated with the originator that used the compromised credentials, and responsively send automatic password reset notifications to owners of the other user accounts.
  - 20. The one or more non-transitory computer-readable storage media of claim 14 wherein the program instructions further direct the processing system to receive a credential query transmitted from an authorized user of the web service, responsively compare legitimate credentials of the authorized user received in the credential query with the compromised credentials in the database, and transfer a notification for delivery to the authorized user that indicates whether or not the legitimate credentials of the authorized user appear in the database of compromised credentials.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cequence Security, Inc.
Original Assignee
Cequence Security, Inc.
Inventors
Mehta, Shreyans, Talwalkar, Ameya, Barrett, Michael, Weisman, David
Primary Examiner(s)
Traore, Fatoumata

Application Number

US15/081,184
Time in Patent Office

1,376 Days
Field of Search

None
US Class Current
CPC Class Codes

H04L 63/083   using passwords cryptograph...

H04L 63/101   Access control lists [ACL]

H04L 63/102   Entity profiles

H04L 63/123   received data contents, e.g...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1466   Active attacks involving in...

H04L 67/02   based on web technology, e....

Stolen credential use prevention on a web service

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

17 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Stolen credential use prevention on a web service

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

17 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links