COMPROMISED PASSWORD DETECTION BASED ON ABUSE AND ATTEMPTED ABUSE

US 20170214712A1
Filed: 01/25/2016
Published: 07/27/2017
Est. Priority Date: 01/25/2016
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for improving account security based on identified suspicious patterns of activity, the method comprising:

obtaining a plurality of failed login records, each of the failed login records having a set of password data that is associated with at least one of a plurality of failed login attempts, wherein the plurality of failed login attempts is associated with at least one account identifier;

identifying a suspicious pattern of activity that corresponds to at least a portion of the failed login records, the suspicious pattern of activity being identified based at least in part on a recognition of a common set of password data that is in each of the at least a portion of the failed login records; and

storing a copy of the common set of password data as a bad set of password data into a password history log, the password history log being configured to store a plurality of bad sets of password data that are not to be associated with the at least one account identifier.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods are disclosed for analyzing a plurality of failed login records that correspond to failed login attempts detected by a computing system, to identify suspicious patterns of activity that can facilitate the supplementation of password blacklists for improving account security. To accomplish the foregoing, failed login records that include information associated with failed login attempts are obtained for analysis. The failed login records are analyzed to identify a set of failed login records that show initial characteristics of a suspicious pattern of activity. The information included in the set of failed login records are further analyzed to determine whether a suspicious pattern of activity is actually present. When a suspicious pattern of activity is identified in the set of failed login records, the passwords used in the failed login attempts are stored in password blacklists associated with the account identifier(s) with which the passwords were used.

46 Citations

View as Search Results

20 Claims

1. A computer-implemented method for improving account security based on identified suspicious patterns of activity, the method comprising:
- obtaining a plurality of failed login records, each of the failed login records having a set of password data that is associated with at least one of a plurality of failed login attempts, wherein the plurality of failed login attempts is associated with at least one account identifier;
  
  identifying a suspicious pattern of activity that corresponds to at least a portion of the failed login records, the suspicious pattern of activity being identified based at least in part on a recognition of a common set of password data that is in each of the at least a portion of the failed login records; and
  
  storing a copy of the common set of password data as a bad set of password data into a password history log, the password history log being configured to store a plurality of bad sets of password data that are not to be associated with the at least one account identifier.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1,each of the failed login records further having failed login data that includes a location reference and a temporal reference that are both associated with the at least one of the plurality of failed login attempts.
  - 3. The method of claim 2, wherein the location reference is a network address and the temporal reference is a timestamp.
  - 4. The method of claim 2,the suspicious pattern of activity being identified based further in part on at least a portion of the failed login data in each of the at least a portion of the failed login records.
  - 5. The method of claim 4,the suspicious pattern of activity being at least one of geographic or behavioral,wherein the suspicious pattern of activity is geographic based at least on a determined unlikelihood that the location reference in each of the at least a portion of the failed login records is associated with an authorized user of the account identifier, andwherein the suspicious pattern of activity is behavioral based at least on the temporal reference in each of the at least a portion of the failed login records.
  - 6. The method of claim 1, wherein the set of password data that is associated with one of the plurality of failed login attempts is a hash of a password that is associated with the one of the plurality of failed login attempts.
  - 7. The method of claim 1, further comprising:
    - in accordance with storing the copy of the common set of password data as the bad set of password data, encrypting the copy of the common set of password data,wherein each bad set of password data in the plurality of bad sets of password data is encrypted.
  - 8. The method of claim 1, further comprising:
    - storing a label in association with the bad set of password data, the label referencing a first security schema from a plurality of security schemas,the password history log being further configured to store in association with each of the plurality of bad sets of password data a corresponding label that references one of the plurality of security schemas.
  - 9. The method of claim 1, further comprising:
    - determining that a new set of password data obtained for association with the at least one account identifier is not to be associated with the at least one account identifier in accordance with the new set of password data being at least substantially similar to at least one of the plurality of bad sets of password data stored in the password history log.
  - 10. The method of claim 9, further comprising:
    - storing a copy of the new set of password data into the password history log in accordance with determining that the new set of password data is substantially similar to at least one of the plurality of bad sets of password data stored in the password history log.

11. A non-transitory computer storage medium storing computer-useable instructions that, when used by one or more computing devices, cause the one or more computing devices to perform operations comprising:
- obtaining a plurality of failed login records, each of the failed login records having a set of password data and failed login data that are both associated with at least one of a plurality of failed login attempts, wherein the plurality of failed login attempts is associated with at least one account identifier;
  
  identifying a suspicious pattern of activity that corresponds to at least a portion of the failed login records, the suspicious pattern of activity being identified based at least in part on a recognition of a common piece of failed login data that is in each of the at least a portion of the failed login records; and
  
  storing a copy of the set of password data from each of the at least a portion of the failed login records as at least one bad set of password data into a password history log, the password history log being configured to store a plurality of bad sets of password data that are not to be associated with the at least one account identifier.
- View Dependent Claims (12, 13, 14, 15)
- - 12. The computer storage medium of claim 11,the failed login data including a location reference and a temporal reference that both correspond to the at least one of the plurality of failed login attempts.
  - 13. The computer storage medium of claim 12, wherein the location reference is a network address and the temporal reference is a timestamp.
  - 14. The computer storage medium of claim 12,the suspicious pattern of activity being at least one of geographic or behavioral,wherein the suspicious pattern of activity is geographic based at least on the location references in the at least a portion of the failed login records, and wherein the suspicious pattern of activity is behavioral based at least on the temporal references in the at least a portion of the failed login records.
  - 15. The computerized system of claim 14, wherein the suspicious pattern of activity is behavioral based further on a number of failed login records in the at least a portion of the failed login records.

16. A computerized system comprising:
- one or more processors; and
  
  one or more computer storage media storing computer-usable instructions that, when used by the one or more processors, cause the one or more processors to;
  
  obtain a plurality of failed login records, each of the failed login records having a set of password data that is associated with at least one of a plurality of failed login attempts, wherein the plurality of failed login attempts is associated with at least one account identifier;
  
  identify a suspicious pattern of activity that corresponds to at least a portion of the failed login records, the suspicious pattern of activity being identified based at least in part on a pattern recognition method that includes one of;
  
  a common set of password data being in each of the at least a portion of the failed login records, ora common piece of failed login data that is in each of the at least a portion of the failed login records; and
  
  based on the pattern recognition method, store into a password history log, as at least one bad set of password data, one of;
  
  a copy of the common set of password data, ora copy of the set of password data from each of the at least a portion of the failed login records having the common piece of failed login data,the password history log being configured to store a plurality of bad sets of password data that are not to be associated with the at least one account identifier.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The computerized system of claim 16,the one or more computer storage media storing computer-usable instructions that, when used by the one or more processors, further cause the one or more processors to:
    - store into the password history log, in association with each at least one bad set of password data, a label referencing one security schema from a plurality of security schemas,the password history log being further configured to store, in association with each of the plurality of bad sets of password data, a corresponding label that references one of the plurality of security schemas.
  - 18. The computerized system of claim 16,the one or more computer storage media storing computer-usable instructions that, when used by the one or more processors, further cause the one or more processors to:
    - determine that a new set of password data obtained for association with the at least one account identifier is not to be associated with the at least one account identifier based on the password history log.
  - 19. The computerized system of claim 16,the suspicious pattern of activity being at least one of geographic or behavioral.
  - 20. The computerized system of claim 19,wherein the suspicious pattern of activity is geographic based at least on a determined unlikelihood that the location reference in each of the at least a portion of the failed login records is associated with an authorized user of the account identifier, andwherein the suspicious pattern of activity is behavioral based at least on the temporal reference in each of the at least a portion of the failed login records.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Verizon Patent and Licensing Incorporated (Verizon Communications Inc.)
Original Assignee
AOL Inc. (Apollo Global Management, Inc.)
Inventors
MAXWELL, LACHLAN A., McQUEEN, DONALD J., WAKEFIELD, III, WILLIAM C.

Granted Patent

US 10,270,801 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/46   by designing passwords or c...

H04L 63/083   using passwords cryptograph...

H04L 63/107   wherein the security polici...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1441   Countermeasures against mal...

COMPROMISED PASSWORD DETECTION BASED ON ABUSE AND ATTEMPTED ABUSE

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

46 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

COMPROMISED PASSWORD DETECTION BASED ON ABUSE AND ATTEMPTED ABUSE

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

46 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links