SYSTEM AND METHOD PROVIDING DATA-DRIVEN USER AUTHENTICATION MISUSE DETECTION
1 Assignment
0 Petitions
Abstract
Systems, methods, and other embodiments are disclosed for data-driven user authentication misuse detection. In one embodiment, for each of multiple authentication attempts to a computing device by a user via user authentication log messages: user authentication log data having user attribute values is collected; the user authentication log data is transformed into a tracer data structure having the user attribute values organized in a common format; the tracer data structure is augmented with timestamp data to generate an event data structure, where the timestamp data represents a time at which the user authentication log data is observed by the computing device; a user behavior model filter, representing account usage patterns of the user, is updated based at least in part on the event data structure. A malicious authentication attempt to the computing device by a malicious user is detected based on, at least in part, the user behavior model filter.
20 Claims
1. A computer-implemented method performed by a computing device, where the computing device includes at least a processor for executing instructions from a memory, the method comprising:
for each of a plurality of user authentication attempts to the computing device by a user via user authentication log messages, collecting, via at least the processor, user authentication log data having user attribute values;
for each of the plurality of user authentication attempts, transforming, via at least the processor, the user authentication log data into a tracer data structure having the user attribute values organized in a common format;
for each of the plurality of user authentication attempts, augmenting, via at least the processor, the tracer data structure with timestamp data to generate an event data structure, wherein the timestamp data represents a time at which the user authentication log data is observed by the computing device;
updating, via at least the processor, a user behavior model filter, representing account usage patterns of the user, based at least in part on the event data structure for each of the plurality of user authentication attempts;
detecting, via at least the processor, a malicious authentication attempt to the computing device by a malicious user based on, at least in part, the user behavior model filter; and
generating an alarm message or signal in response to the detecting of the malicious authentication attempt to the computing device.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10.
11. A computer system, comprising:
a processor;
a rules database device configured to store tracer data structures having user authentication attributes organized in a common format;
a message parsing module stored in a non-transitory computer-readable medium including instructions that when executed cause the processor to, for each of a plurality of user authentication attempts to the computer system via authentication log messages: collect user authentication log data having user attribute values, and transform the user authentication log data into a tracer data structure having the user attribute values in the common format at least in part by parsing the user authentication log data into the user attribute values;
a tracer matching module stored in the non-transitory computer-readable medium including instructions that when executed cause the processor to, for each of the plurality of user authentication attempts: attempt to match the tracer data structure to an existing tracer data structure stored in the rules database device, and generate an event data structure by augmenting the tracer data structure with timestamp data, wherein the timestamp data represents a time at which the user authentication log data is observed by the computer system;
an impossible event module stored in the non-transitory computer-readable medium including instructions that when executed cause the processor to detect an impossible event pattern within the authentication log messages by analyzing the event data structure for each of the plurality of authentication attempts; and
a filter module stored in the non-transitory computer-readable medium including instructions that when executed cause the processor to detect a change in behavior of a user by applying a user behavior model, representing account usage patterns of the user, to the event data structure for each of the plurality of authentication attempts.
Dependent claims: 12, 13, 14, 15, 16, 17.
18. A non-transitory computer-readable medium storing instructions that, when executed by one or more processors of a computing device, cause the computing device to at least:
for each of a plurality of user authentication attempts to the computing device by a user via user authentication log messages, collect user authentication log data having user attribute values;
for each of the plurality of user authentication attempts, transform the user authentication log data into a tracer data structure having the user attribute values organized in a common format;
for each of the plurality of user authentication attempts, augment the tracer data structure with timestamp data to generate an event data structure, wherein the timestamp data represents a time at which the user authentication log data is observed by the computing device;
update a user behavior model filter, representing account usage patterns of the user, based at least in part on the event data structure for each of the plurality of user authentication attempts;
detect a malicious authentication attempt to the computing device by a malicious user based on, at least in part, the user behavior model filter; and
generate an alarm message or signal in response to the detecting of the malicious authentication attempt to the computing device.
Dependent claims: 19, 20.
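The pipeline that the three independent claims describe (parse log messages into a common tracer format, match tracers against a rules store, stamp each tracer with the observation time to form an event, run an impossible-event check and a per-user behavior filter, raise an alarm), as an added Python example; this is not the patent's code or any embodiment it discloses. The sshd and pam_unix line patterns follow real OpenSSH logging; the JSON web-application format is hypothetical and exists only to show two formats collapsing into one tracer layout. The patent does not define what an "impossible event pattern" or a "user behavior model filter" is, so the choices here (a session close for an account with no open session; a profile of seen source addresses and hours of day, armed only after a minimum number of observed successes) are assumed interpretations. All sample log lines and observation times are constructed.

```python
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Message parsing: raw lines of two formats become one "tracer" with a fixed attribute set.
# sshd/pam_unix patterns follow real OpenSSH log lines; the JSON form is an assumed
# format of a hypothetical web application, used only to show the normalisation step.
SSHD_AUTH = re.compile(
    r"sshd\[\d+\]: (Accepted|Failed) (\w+) for (?:invalid user )?(\S+) from (\S+) port")
SSHD_SESSION = re.compile(r"pam_unix\(sshd:session\): session (opened|closed) for user (\S+)")


def parse_tracer(line):
    """Return a tracer dict (common format) for an authentication-related line, else None."""
    m = SSHD_AUTH.search(line)
    if m:
        return {"service": "sshd", "user": m.group(3), "source": m.group(4), "action": "login",
                "result": "success" if m.group(1) == "Accepted" else "failure"}
    m = SSHD_SESSION.search(line)
    if m:
        return {"service": "sshd", "user": m.group(2), "source": None,
                "action": "session_" + m.group(1), "result": "success"}
    if line.startswith("{"):
        rec = json.loads(line)
        return {"service": rec["svc"], "user": rec["user"], "source": rec["src"],
                "action": "login", "result": rec["result"]}
    return None


class MisuseDetector:
    """Tracer matching, impossible-event check and behaviour filter over event structures."""

    def __init__(self, min_history=3):
        self.rules = {}                        # rules DB: tracer key -> first tracer seen with it
        self.open_sessions = defaultdict(int)  # user -> number of currently open sessions
        self.profiles = defaultdict(lambda: {"sources": set(), "hours": set(), "n": 0})
        self.min_history = min_history         # successes needed before a profile may alarm
        self.alarms = []

    def ingest(self, line, observed_at):
        tracer = parse_tracer(line)
        if tracer is None:
            return None
        # Tracer matching keys on normalised attributes, not raw text, so the same
        # behaviour logged in two formats matches the same rules entry.
        key = (tracer["service"], tracer["user"], tracer["source"], tracer["action"], tracer["result"])
        known = key in self.rules
        self.rules.setdefault(key, tracer)
        # Augmentation: the event carries the time this device observed the line, not the
        # timestamp printed inside it, which a remote sender can forge or skew.
        event = dict(tracer, observed_at=observed_at, known_tracer=known)
        self._impossible_event(event)
        self._behavior_filter(event)
        return event

    def _alarm(self, kind, event, detail):
        self.alarms.append({"kind": kind, "user": event["user"], "source": event["source"],
                            "observed_at": event["observed_at"], "detail": detail})

    def _impossible_event(self, ev):
        # Assumed reading of "impossible event": a session close for an account that has
        # no open session in the stream as observed.
        if ev["action"] == "session_opened":
            self.open_sessions[ev["user"]] += 1
        elif ev["action"] == "session_closed":
            if self.open_sessions[ev["user"]] == 0:
                self._alarm("impossible_event", ev, "session closed without a preceding open")
            else:
                self.open_sessions[ev["user"]] -= 1

    def _behavior_filter(self, ev):
        if ev["action"] != "login" or ev["result"] != "success":
            return
        p = self.profiles[ev["user"]]
        hour = ev["observed_at"].hour
        # Score before updating the model, so a never-seen source cannot vouch for itself.
        if p["n"] >= self.min_history:
            reasons = []
            if ev["source"] not in p["sources"]:
                reasons.append("new source %s" % ev["source"])
            if hour not in p["hours"]:
                reasons.append("unusual hour %02d" % hour)
            if reasons:
                self._alarm("behavior_change", ev, "; ".join(reasons))
        p["sources"].add(ev["source"])
        p["hours"].add(hour)
        p["n"] += 1


T0 = datetime(2024, 3, 3, 8, 2, 11, tzinfo=timezone.utc)
SAMPLE = [  # (observation time, raw line); constructed for this example
    (T0, "Mar  3 08:02:11 host1 sshd[4410]: Accepted publickey for alice from 10.0.0.5 port 51022 ssh2"),
    (T0, "Mar  3 08:02:11 host1 sshd[4410]: pam_unix(sshd:session): session opened for user alice by (uid=0)"),
    (T0 + timedelta(hours=1, minutes=13), "Mar  3 09:15:40 host1 sshd[4523]: Accepted publickey for alice from 10.0.0.5 port 51188 ssh2"),
    (T0 + timedelta(hours=1, minutes=13), "Mar  3 09:15:40 host1 sshd[4523]: pam_unix(sshd:session): session opened for user alice by (uid=0)"),
    (T0 + timedelta(hours=1, minutes=38), "Mar  3 09:40:02 host1 sshd[4523]: pam_unix(sshd:session): session closed for user alice"),
    (T0 + timedelta(hours=2), "Mar  3 10:01:17 host1 sshd[4601]: Accepted publickey for alice from 10.0.0.5 port 51301 ssh2"),
    (T0 + timedelta(hours=2, minutes=4), '{"svc": "webapp", "user": "alice", "src": "10.0.0.5", "result": "success"}'),
    (T0 + timedelta(hours=2, minutes=20), "Mar  3 10:22:09 host1 sshd[4700]: pam_unix(sshd:session): session closed for user bob"),
    (T0 + timedelta(hours=2, minutes=31), "Mar  3 10:33:51 host1 sshd[4712]: Failed password for invalid user admin from 203.0.113.77 port 40012 ssh2"),
    (T0 + timedelta(hours=19, minutes=10), "Mar  4 03:12:44 host1 sshd[5102]: Accepted password for alice from 203.0.113.77 port 40044 ssh2"),
]


def run_sample():
    """Feed the constructed stream through the detector and return it for inspection."""
    det = MisuseDetector(min_history=3)
    for observed_at, line in SAMPLE:
        det.ingest(line, observed_at)
    return det


if __name__ == "__main__":
    for a in run_sample().alarms:
        print(a["observed_at"].isoformat(), a["kind"], a["user"], a["detail"])
```

Running the block prints two alarms: an impossible event for bob (a session close with no open session on record) and a behavior change for alice (a successful password login from a source address and at an hour the profile has never seen). Two design points matter in practice: the event timestamp is the observation clock, because the time inside a forwarded log line is under the sender's control; and the profile is scored before it is updated, because otherwise an attacker's first login would be absorbed into the model and never alarm. Whether alarmed events should update the model at all is a policy choice the claims leave open.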