Systems and Methods for Detecting and Reacting to Malicious Activity in Computer Networks
First Claim
1. A non-transitory computer readable medium including instructions that, when executed by at least one processor, cause the at least one processor to perform operations for detecting potentially malicious activity, comprising:
- receiving data associated with a plurality of authentication messages, wherein at least some of the received data includes secure ticket data, the authentication messages having been communicated over a network;
- analyzing the received data associated with the plurality of authentication messages;
- determining, based on the analyzing, a plurality of characteristics of the data associated with the authentication messages, wherein a characteristic from the plurality of characteristics includes the secure ticket data;
- receiving data associated with a new authentication message communicated over the network;
- determining a plurality of characteristics of the data associated with the new authentication message;
- comparing at least one determined characteristic of the new authentication message data with at least one of: a determined characteristic of the plurality of authentication messages data, known valid data, and known invalid data; and
- generating, based on the comparison, an assessment of whether the new authentication message is indicative of the potentially malicious activity in the network.
1 Assignment
0 Petitions
Abstract
Described herein are systems and methods for performing potentially malicious activity detection operations. Embodiments may include receiving data associated with a plurality of authentication messages; analyzing the received data associated with the plurality of authentication messages; determining, based on the analyzing, a plurality of characteristics of the data associated with the authentication messages; receiving data associated with a new authentication message communicated over the network; determining a plurality of characteristics of the data associated with the new authentication message; comparing at least one determined characteristic of the new authentication message data with at least one of: a determined characteristic of the plurality of authentication messages data, known valid data, and known invalid data; and generating, based on the comparison, an assessment of whether the new authentication message is indicative of the potentially malicious activity in the network.
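The claim and abstract describe a baseline-and-compare detector: characteristics are learned from many previously observed authentication messages (including fields carried in the secure ticket data), and each new message is compared against that baseline, a known-valid set and a known-invalid set to produce an assessment. The following Python is an added illustration of that structure, not code from the patent or its assignee. The ticket fields it uses (client, service, source host, encryption type, lifetime), the weights, the threshold and all sample messages are assumptions made for this example.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass, field


@dataclass(frozen=True)
class AuthMessage:
    """Characteristics extracted from one authentication message.

    The field set is a hypothetical selection of ticket attributes chosen
    for this example; it is not the patent's own enumeration.
    """
    client: str          # principal that requested the ticket
    service: str         # service principal the ticket was issued for
    src_host: str        # host the request was observed from
    enc_type: str        # encryption type recorded in the secure ticket data
    lifetime_hours: int  # ticket lifetime recorded in the secure ticket data


class TicketBaseline:
    """Characteristics learned from the plurality of previously seen messages."""

    def __init__(self) -> None:
        self.pairs = Counter()                # (client, service) -> times seen
        self.client_hosts = defaultdict(set)  # client -> hosts it was seen from
        self.enc_types = Counter()            # enc_type -> times seen
        self.max_lifetime = 0                 # longest lifetime seen so far

    def add(self, m: AuthMessage) -> None:
        self.pairs[(m.client, m.service)] += 1
        self.client_hosts[m.client].add(m.src_host)
        self.enc_types[m.enc_type] += 1
        self.max_lifetime = max(self.max_lifetime, m.lifetime_hours)


def build_baseline(messages) -> TicketBaseline:
    baseline = TicketBaseline()
    for m in messages:
        baseline.add(m)
    return baseline


@dataclass
class Assessment:
    score: int
    verdict: str
    reasons: list = field(default_factory=list)


def assess(baseline, m, known_valid, known_invalid_enc, threshold=2) -> Assessment:
    """Compare one new message with the baseline, known-valid and known-invalid data.

    A known-valid (client, service, src_host) tuple short-circuits to benign.
    A known-invalid encryption type weighs 3; each baseline deviation weighs 1.
    """
    if (m.client, m.service, m.src_host) in known_valid:
        return Assessment(0, "benign", ["matches known-valid tuple"])

    score, reasons = 0, []
    if m.enc_type in known_invalid_enc:
        score += 3
        reasons.append(f"encryption type {m.enc_type} is known-invalid")
    elif m.enc_type not in baseline.enc_types:
        score += 1
        reasons.append(f"encryption type {m.enc_type} never seen in baseline")
    if (m.client, m.service) not in baseline.pairs:
        score += 1
        reasons.append(f"{m.client} never requested {m.service} before")
    if m.src_host not in baseline.client_hosts.get(m.client, set()):
        score += 1
        reasons.append(f"{m.client} never seen from {m.src_host}")
    if m.lifetime_hours > baseline.max_lifetime:
        score += 1
        reasons.append(f"lifetime {m.lifetime_hours}h exceeds baseline max {baseline.max_lifetime}h")
    verdict = "suspicious" if score >= threshold else "benign"
    return Assessment(score, verdict, reasons)


# Constructed sample data: previously observed messages and the two reference sets.
SAMPLE_MESSAGES = [
    AuthMessage("alice", "cifs/fileserver", "ws-alice", "aes256-cts-hmac-sha1-96", 10),
    AuthMessage("alice", "http/intranet", "ws-alice", "aes256-cts-hmac-sha1-96", 10),
    AuthMessage("bob", "cifs/fileserver", "ws-bob", "aes256-cts-hmac-sha1-96", 10),
    AuthMessage("bob", "http/intranet", "ws-bob", "aes256-cts-hmac-sha1-96", 10),
    AuthMessage("svc-backup", "cifs/fileserver", "backup01", "aes256-cts-hmac-sha1-96", 10),
    AuthMessage("carol", "http/intranet", "ws-carol", "aes128-cts-hmac-sha1-96", 8),
]
KNOWN_VALID = {("svc-backup", "cifs/fileserver", "backup01")}
KNOWN_INVALID_ENC = {"des-cbc-crc"}

if __name__ == "__main__":
    baseline = build_baseline(SAMPLE_MESSAGES)
    for new in [
        AuthMessage("alice", "cifs/fileserver", "ws-alice", "aes256-cts-hmac-sha1-96", 10),
        AuthMessage("alice", "cifs/fileserver", "ws-unknown-77", "rc4-hmac", 240),
        AuthMessage("bob", "http/intranet", "ws-bob", "des-cbc-crc", 10),
        AuthMessage("svc-backup", "cifs/fileserver", "backup01", "rc4-hmac", 500),
    ]:
        a = assess(baseline, new, KNOWN_VALID, KNOWN_INVALID_ENC)
        print(f"{new.client:>10} -> {new.service:<16} {a.verdict:<10} score={a.score} {a.reasons}")
```

The example keeps the three comparison sources separate so the reasons list shows which one fired: a message may deviate from the learned baseline on several characteristics at once, be flagged by the known-invalid data alone, or be exempted by the known-valid data regardless of how unusual it looks. A single deviation stays below the threshold, which is the usual trade-off against alerting on every first-time access.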
59 Citations
30 Claims
1. A non-transitory computer readable medium including instructions that, when executed by at least one processor, cause the at least one processor to perform operations for detecting potentially malicious activity, comprising:
- receiving data associated with a plurality of authentication messages, wherein at least some of the received data includes secure ticket data, the authentication messages having been communicated over a network;
- analyzing the received data associated with the plurality of authentication messages;
- determining, based on the analyzing, a plurality of characteristics of the data associated with the authentication messages, wherein a characteristic from the plurality of characteristics includes the secure ticket data;
- receiving data associated with a new authentication message communicated over the network;
- determining a plurality of characteristics of the data associated with the new authentication message;
- comparing at least one determined characteristic of the new authentication message data with at least one of: a determined characteristic of the plurality of authentication messages data, known valid data, and known invalid data; and
- generating, based on the comparison, an assessment of whether the new authentication message is indicative of the potentially malicious activity in the network.
Dependent claims: 2 to 16.
17. A network system configured for detecting potentially malicious activity, the network system comprising:
- at least one computer-readable memory storing instructions; and
- at least one processor configured to execute the instructions to:
  - receive data associated with a plurality of authentication messages, wherein at least some of the received data includes secure ticket data, the authentication messages having been communicated over a network;
  - analyze the received data associated with the plurality of authentication messages;
  - determine, based on the analysis, a plurality of characteristics of the data associated with the authentication messages, wherein a characteristic from the plurality of characteristics includes the secure ticket data;
  - receive data associated with a new authentication message communicated over the network;
  - determine a plurality of characteristics of the data associated with the new authentication message;
  - compare at least one determined characteristic of the new authentication message data with at least one of: a determined characteristic of the plurality of authentication messages data, known valid data, and known invalid data; and
  - generate, based on the comparison, an assessment of whether the new authentication message is indicative of the potentially malicious activity in the network.
Dependent claims: 18 to 26.
27. A computer-implemented method for performing potentially malicious activity detection operations, comprising:
- receiving data associated with a plurality of authentication messages, wherein at least some of the received data includes secure ticket data, the authentication messages having been communicated over a network;
- analyzing the received data associated with the plurality of authentication messages;
- determining, based on the analyzing, a plurality of characteristics of the data associated with the authentication messages, wherein a characteristic from the plurality of characteristics includes the secure ticket data;
- receiving data associated with a new authentication message communicated over the network;
- determining a plurality of characteristics of the data associated with the new authentication message;
- comparing at least one determined characteristic of the new authentication message data with at least one of: a determined characteristic of the plurality of authentication messages data, known valid data, and known invalid data; and
- generating, based on the comparison, an assessment of whether the new authentication message is indicative of the potentially malicious activity in the network.
Dependent claims: 28 to 30.