Extracting features for authentication events
First Claim
1. A non-transitory machine-readable storage medium storing instructions that upon execution cause a system to:
- receive a first time parameter value and a second time parameter value;
for a given authentication event at a first time between a plurality of devices in a network, identify a set of events, of the plurality of devices, that are temporally related to the given authentication event, wherein the set of events comprises events of a different type from the given authentication event, and wherein the plurality of devices include a first device at which a user or program initiated the given authentication event with a second device, and the identifying of the set of events comprises:
defining a first time interval that starts at a time that is the first time less the first time parameter value, and ends at the first time;
defining a second time interval that starts at the first time, and ends at a time that is the first time plus the second time parameter value;
identifying events of the first device in the first time interval before the first time, and
identifying events of the second device in the second time interval following the first time;
extract features from the set of events by aggregating event data of the set of events, wherein the aggregating of the event data comprises computing a metric based on the event data; and
provide the extracted features to a classifier that detects unauthorized authentication events.
Abstract
In some examples, for a given authentication event between a plurality of devices in a network, a system identifies a set of events, at the devices, that are temporally related to the given authentication event. The system extracts features from the set of events by aggregating event data of the set of events. The system provides the extracted features to a classifier that detects unauthorized authentication events.
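The windowing and aggregation recited in claim 1, sketched as an added illustration that is not part of the patent text. The field names, the event type labels, the inclusive interval bounds and the choice of per-type counts as the aggregated metric are assumptions, the sample events are constructed, and the classifier itself is left out.

```python
from collections import Counter
from dataclasses import dataclass

KINDS = ("dns", "process", "netflow")  # assumed non-authentication event types

@dataclass(frozen=True)
class Event:
    ts: float      # event time, seconds
    device: str    # device that logged the event
    kind: str      # one of KINDS

@dataclass(frozen=True)
class AuthEvent:
    ts: float      # the "first time" of the claims
    src: str       # first device: where the user or program initiated the logon
    dst: str       # second device: the authentication target

def related_events(auth, events, before, after):
    """Split events into the two windows around the authentication event."""
    src_side = [e for e in events
                if e.device == auth.src and auth.ts - before <= e.ts <= auth.ts]
    dst_side = [e for e in events
                if e.device == auth.dst and auth.ts <= e.ts <= auth.ts + after]
    return src_side, dst_side

def extract_features(auth, events, before, after):
    """Aggregate each window into per-type counts, in a fixed column order."""
    src_side, dst_side = related_events(auth, events, before, after)
    src_counts = Counter(e.kind for e in src_side)
    dst_counts = Counter(e.kind for e in dst_side)
    features = {f"src_{k}_count": src_counts[k] for k in KINDS}
    features.update({f"dst_{k}_count": dst_counts[k] for k in KINDS})
    return features

# Constructed sample data: workstation ws1 authenticates to server srv9 at t=1000.
AUTH = AuthEvent(ts=1000.0, src="ws1", dst="srv9")
EVENTS = [
    Event(940.0, "ws1", "dns"),       # outside a 30 s look-back window
    Event(985.0, "ws1", "dns"),
    Event(990.0, "ws1", "process"),
    Event(1005.0, "ws1", "process"),  # source device, but after the logon
    Event(995.0, "srv9", "netflow"),  # destination device, but before the logon
    Event(1002.0, "srv9", "process"),
    Event(1040.0, "srv9", "process"),
    Event(1010.0, "db3", "netflow"),  # device not party to the logon
]

if __name__ == "__main__":
    print(extract_features(AUTH, EVENTS, before=30.0, after=60.0))
```

The two time parameters are independent, so the look-back on the source device and the look-ahead on the destination device can be tuned separately.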
19 Claims
15. A system comprising:
- a processor; and
a non-transitory storage medium storing instructions executable on the processor to:
receive a first time parameter value and a second time parameter value;
filter authentication events according to a criterion to identify a given authentication event, wherein the filtering of the authentication events comprises checking the authentication events for a specified pattern, and removing an authentication event of the authentication events not matching the specified pattern to produce a subset of authentication events including the given authentication event at a first time;
identify a set of events that are temporally related to the given authentication event, wherein the set of events includes events of a plurality of devices including a first device at which a user or program initiated the given authentication event with a second device, and the identifying of the set of events comprises:
defining a first time interval that starts at a time that is the first time less the first time parameter value, and ends at the first time;
defining a second time interval that starts at the first time, and ends at a time that is the first time plus the second time parameter value;
identifying events of the first device in the first time interval before the first time, and
identifying events of the second device in the second time interval following the first time;
extract features from the given authentication event and the set of events; and
apply a classifier on the extracted features to determine whether the given authentication event is unauthorized.
18. A method comprising:
- filtering, by a system comprising a processor, authentication events according to a criterion to identify a given authentication event having a first time, the filtering reducing an amount of authentication events considered by the system for detecting unauthorized authentication events;
receiving, by the system, a first time parameter value and a second time parameter value;
identifying, by the system, a set of events that are temporally related to the given authentication event, wherein the set of events includes events of a plurality of devices including a first device at which a user or program initiated the given authentication event with a second device, and the identifying of the set of events comprises:
defining a first time interval that starts at a time that is the first time less the first time parameter value, and ends at the first time;
defining a second time interval that starts at the first time, and ends at a time that is the first time plus the second time parameter value;
identifying events of the first device in the first time interval before the first time, and
identifying events of the second device in the second time interval following the first time;
extracting, by the system, features from the given authentication event and the set of events by aggregating event data of the given authentication event and the set of events; and
providing, by the system, the extracted features to a classifier that detects unauthorized authentication events.
Specification