Extracting features for authentication events

US 10,599,857 B2
Filed: 08/29/2017
Issued: 03/24/2020
Est. Priority Date: 08/29/2017
Status: Active Grant

First Claim

Patent Images

1. A non-transitory machine-readable storage medium storing instructions that upon execution cause a system to:

receive a first time parameter value and a second time parameter value;

for a given authentication event at a first time between a plurality of devices in a network, identify a set of events, of the plurality of devices, that are temporally related to the given authentication event, wherein the set of events comprises events of a different type from the given authentication event, and wherein the plurality of devices include a first device at which a user or program initiated the given authentication event with a second device, and the identifying of the set of events comprises;

defining a first time interval that starts at a time that is the first time less the first time parameter value, and ends at the first time;

defining a second time interval that starts at the first time, and ends at a time that is the first time plus the second time parameter value;

identifying events of the first device in the first time interval before the first time, andidentifying events of the second device in the second time interval following the first time;

extract features from the set of events by aggregating event data of the set of events, wherein the aggregating of the event data comprises computing a metric based on the event data; and

provide the extracted features to a classifier that detects unauthorized authentication events.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In some examples, for a given authentication event between a plurality of devices in a network, a system identifies a set of events, at the devices, that are temporally related to the given authentication event. The system extracts features from the set of events by aggregating event data of the set of events. The system provides the extracted features to a classifier that detects unauthorized authentication events.

43 Citations

View as Search Results

19 Claims

1. A non-transitory machine-readable storage medium storing instructions that upon execution cause a system to:
- receive a first time parameter value and a second time parameter value;
  
  for a given authentication event at a first time between a plurality of devices in a network, identify a set of events, of the plurality of devices, that are temporally related to the given authentication event, wherein the set of events comprises events of a different type from the given authentication event, and wherein the plurality of devices include a first device at which a user or program initiated the given authentication event with a second device, and the identifying of the set of events comprises;
  
  defining a first time interval that starts at a time that is the first time less the first time parameter value, and ends at the first time;
  
  defining a second time interval that starts at the first time, and ends at a time that is the first time plus the second time parameter value;
  
  identifying events of the first device in the first time interval before the first time, andidentifying events of the second device in the second time interval following the first time;
  
  extract features from the set of events by aggregating event data of the set of events, wherein the aggregating of the event data comprises computing a metric based on the event data; and
  
  provide the extracted features to a classifier that detects unauthorized authentication events.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The non-transitory machine-readable storage medium of claim 1, wherein the instructions upon execution cause the system to:
    - apply the classifier on the extracted features to determine whether the given authentication event is unauthorized.
  - 3. The non-transitory machine-readable storage medium of claim 1, wherein the instructions upon execution cause the system to:
    - train the classifier using the extracted features and feedback regarding classifications made by the classifier.
  - 4. The non-transitory machine-readable storage medium of claim 1, wherein the identifying of the set of events comprises identifying events within a time window that includes the first time, the first time interval, and the second time interval.
  - 5. The non-transitory machine-readable storage medium of claim 1, wherein the extracting of the features further comprises extracting features from the given authentication event.
  - 6. The non-transitory machine-readable storage medium of claim 1, wherein the set of events comprises at least one event selected from among:
    - starting a new process at a device, performing a domain name system (DNS) lookup between devices, a transfer of data between devices, a security event on a device, and a Hypertext Transfer Protocol (HTTP) request event.
  - 7. The non-transitory machine-readable storage medium of claim 1, wherein the instructions upon execution cause the system to identify the given authentication event by filtering a plurality of authentication events based on checking for a pattern in the plurality of authentication events.
  - 8. The non-transitory machine-readable storage medium of claim 7, wherein the pattern comprises information indicating a logon access over the network.
  - 9. The non-transitory machine-readable storage medium of claim 1, wherein the aggregating of the event data comprises aggregating event data of events every update time period.
  - 10. The non-transitory machine-readable storage medium of claim 1, wherein the aggregating of the event data further aggregates event data of the given authentication event.
  - 11. The non-transitory machine-readable storage medium of claim 1, wherein the aggregating of the event data comprises calculating at least one selected from among:
    - a count of events, an amount of data of events, a number of packets of events, and a statistical measure computed for events.
  - 12. The non-transitory machine-readable storage medium of claim 1, wherein the set of events is part of a stream of events that are continually processed for application by the classifier and to update the classifier.
  - 13. The non-transitory machine-readable storage medium of claim 1, wherein the computing of the metric comprises computing a statistical measure based on the event data.
  - 14. The non-transitory machine-readable storage medium of claim 1, wherein the first time parameter value and the second time parameter value are adjustable based on machine learning according to past classifications of the classifier.

15. A system comprising:
- a processor; and
  
  a non-transitory storage medium storing instructions executable on the processor to;
  
  receive a first time parameter value and a second time parameter value;
  
  filter authentication events according to a criterion to identify a given authentication event, wherein the filtering of the authentication events comprises checking the authentication events for a specified pattern, and removing an authentication event of the authentication events not matching the specified pattern to produce a subset of authentication events including the given authentication event at a first time;
  
  identify a set of events that are temporally related to the given authentication event, wherein the set of events includes events of a plurality of devices including a first device at which a user or program initiated the given authentication event with a second device, and the identifying of the set of events comprises;
  
  defining a first time interval that starts at a time that is the first time less the first time parameter value, and ends at the first time;
  
  defining a second time interval that starts at the first time, and ends at a time that is the first time plus the second time parameter value;
  
  identifying events of the first device in the first time interval before the first time, andidentifying events of the second device in the second time interval following the first time;
  
  extract features from the given authentication event and the set of events; and
  
  apply a classifier on the extracted features to determine whether the given authentication event is unauthorized.
- View Dependent Claims (16, 17)
- - 16. The system of claim 15, wherein the instructions are executable on the processor to:
    - receive feedback regarding the determination made by the classifier on the extracted features; and
      
      update the classifier based on the feedback.
  - 17. The system of claim 15, wherein the set of events comprises events of a different type from the given authentication event, wherein the extracting of the features from the given authentication event and the set of events comprises aggregating event data of the given authentication event and the set of events, and wherein the aggregating of the event data comprises computing a metric based on the event data.

18. A method comprising:
- filtering, by a system comprising a processor, authentication events according to a criterion to identify a given authentication event having a first time, the filtering reducing an amount of authentication events considered by the system for detecting unauthorized authentication events;
  
  receiving, by the system, a first time parameter value and a second time parameter value;
  
  identifying, by the system, a set of events that are temporally related to the given authentication event, wherein the set of events includes events of a plurality of devices including a first device at which a user or program initiated the given authentication event with a second device, and the identifying of the set of events comprises;
  
  defining a first time interval that starts at a time that is the first time less the first time parameter value, and ends at the first time;
  
  defining a second time interval that starts at the first time, and ends at a time that is the first time plus the second time parameter value;
  
  identifying events of the first device in the first time interval before the first time, andidentifying events of the second device in the second time interval following the first time;
  
  extracting, by the system, features from the given authentication event and the set of events by aggregating event data of the given authentication event and the set of events; and
  
  providing, by the system, the extracted features to a classifier that detects unauthorized authentication events.
- View Dependent Claims (19)
- - 19. The method of claim 18, wherein the set of events comprises events of a different type from the given authentication event, and wherein the aggregating of the event data comprises computing a statistical metric based on the event data.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Micro Focus LLC (Open Text Corporation)
Original Assignee
Micro Focus LLC (Open Text Corporation)
Inventors
Kim, Mijung, Manadhata, Pratyusa K., Marwah, Manish
Primary Examiner(s)
Pwu, Jeffrey C
Assistant Examiner(s)
Cheema, Ali H.

Application Number

US15/689,045
Publication Number

US 20190065762A1
Time in Patent Office

938 Days
Field of Search

726 1, 726 7, 726 23, 726 28, 713168, 713171, 713182, 707749, 382305, 719318, 714 26
US Class Current
CPC Class Codes

G06F 13/00   Interconnection of, or tran...

G06F 16/00   Information retrieval; Data...

G06F 16/2474   Sequence data queries, e.g....

G06F 16/355   Class or cluster creation o...

G06F 16/9535   Search customisation based ...

G06F 21/31   User authentication

G06F 21/316   by observing the pattern of...

G06F 21/35   communicating wirelessly

G06F 21/552   involving long-term monitor...

G06F 21/56   Computer malware detection ...

G06F 21/604   Tools and structures for ma...

G06F 2221/2117   User registration

G06Q 10/10   Office automation; Time man...

H04L 63/08   for authentication of entit...

H04L 63/102   Entity profiles

H04L 63/108   when the policy decisions a...

Extracting features for authentication events

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

43 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Extracting features for authentication events

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

43 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links