SYSTEM AND METHOD PROVIDING DATA-DRIVEN USER AUTHENTICATION MISUSE DETECTION

US 20180069896A1
Filed: 09/07/2016
Published: 03/08/2018
Est. Priority Date: 09/07/2016
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method performed by a computing device, where the computing device includes at least a processor for executing instructions from a memory, the method comprising:

for each of a plurality of user authentication attempts to the computing device by a user via user authentication log messages, collecting, via at least the processor, user authentication log data having user attribute values;

for each of the plurality of user authentication attempts, transforming, via at least the processor, the user authentication log data into a tracer data structure having the user attribute values organized in a common format;

for each of the plurality of user authentication attempts, augmenting, via at least the processor, the tracer data structure with timestamp data to generate an event data structure, wherein the timestamp data represents a time at which the user authentication log data is observed by the computing device;

updating, via at least the processor, a user behavior model filter, representing account usage patterns of the user, based at least in part on the event data structure for each of the plurality of user authentication attempts;

detecting, via at least the processor, a malicious authentication attempt to the computing device by a malicious user based on, at least in part, the user behavior model filter; and

generating an alarm message or signal in response to the detecting of the malicious authentication attempt to the computing device.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems, methods, and other embodiments are disclosed for data-driven user authentication misuse detection. In one embodiment, for each of multiple authentication attempts to a computing device by a user via user authentication log messages: user authentication log data having user attribute values is collected; the user authentication log data is transformed into a tracer data structure having the user attribute values organized in a common format; the tracer data structure is augmented with timestamp data to generate an event data structure, where the timestamp data represents a time at which the user authentication log data is observed by the computing device; a user behavior model filter, representing account usage patterns of the user, is updated based at least in part on the event data structure. A malicious authentication attempt to the computing device by a malicious user is detected based on, at least in part, the user behavior model filter.

Citations

20 Claims

1. A computer-implemented method performed by a computing device, where the computing device includes at least a processor for executing instructions from a memory, the method comprising:
- for each of a plurality of user authentication attempts to the computing device by a user via user authentication log messages, collecting, via at least the processor, user authentication log data having user attribute values;
  
  for each of the plurality of user authentication attempts, transforming, via at least the processor, the user authentication log data into a tracer data structure having the user attribute values organized in a common format;
  
  for each of the plurality of user authentication attempts, augmenting, via at least the processor, the tracer data structure with timestamp data to generate an event data structure, wherein the timestamp data represents a time at which the user authentication log data is observed by the computing device;
  
  updating, via at least the processor, a user behavior model filter, representing account usage patterns of the user, based at least in part on the event data structure for each of the plurality of user authentication attempts;
  
  detecting, via at least the processor, a malicious authentication attempt to the computing device by a malicious user based on, at least in part, the user behavior model filter; and
  
  generating an alarm message or signal in response to the detecting of the malicious authentication attempt to the computing device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein the transforming includes parsing the user authentication log data into the user attribute values.
  - 3. The method of claim 1, wherein the common format of the tracer data structure includes each of the attribute values paired with a corresponding attribute type.
  - 4. The method of claim 1, further comprising attempting to match, via at least the processor, the tracer data structure with an existing tracer data structure stored in a rules database, where:
    - when a match occurs, a list of timestamps for the existing tracer data structure is updated with a new timestamp, wherein the list of timestamps represents times at which the user authentication log data is observed by the computing device; and
      
      when a match does not occur, the tracer data structure is stored as a new tracer data structure in the rules database and a novelty flag and a first timestamp associated with the new tracer data structure are set.
  - 5. The method of claim 1, wherein the detecting of the malicious authentication attempt includes detecting an impossible event pattern within authentication log messages received by the computing device from the malicious user.
  - 6. The method of claim 1, wherein the detecting of the malicious authentication attempt includes detecting a hypersonic travel pattern within authentication log messages received by the computing device from the malicious user, where the hypersonic travel pattern indicates a speed of travel of the malicious user, to physically authenticate from distant geographical locations, that is greater than a speed of sound traveling through air.
  - 7. The method of claim 1, further comprising initially generating the user behavior model filter, via at least the processor, at least in part by transforming an original set of event data structures, derived from an original set of authentication attempts by the user, into features that describe authentication behavior characteristics of the user, without having to train the user behavior model filter using truth-labeled training data, and without having apriori knowledge of user authentication misuse.
  - 8. The method of claim 1, further comprising controlling user specification of filter parameters associated with at least the user behavior model filter via a graphical user interface or an application program interface.
  - 9. The method of claim 1, further comprising transmitting the alarm message or signal to a third party computer for further investigation.
  - 10. The method of claim 1, wherein the user attribute values include at least one of a user name value, a client IP address value, a resource name value, a login status value, a timestamp value, an authentication scheme value, an authentication policy value, a partner value, a failure code value, a retry count value, a session value, and an authentication level value.

11. A computer system, comprising:
- a processor;
  
  a rules database device configured to store tracer data structures having user authentication attributes organized in a common format;
  
  a message parsing module stored in a non-transitory computer-readable medium including instructions that when executed cause the processor to, for each of a plurality of user authentication attempts to the computer system via authentication log messages;
  
  collect user authentication log data having user attribute values, andtransform the user authentication log data into a tracer data structure having the user attribute values in the common format at least in part by parsing the user authentication log data into the user attribute values.a tracer matching module stored in the non-transitory computer-readable medium including instructions that when executed cause the processor to, for each of the plurality of user authentication attempts;
  
  attempt to match the tracer data structure to an existing tracer data structure stored in the rules database device, andgenerate an event data structure by augmenting the tracer data structure with timestamp data, wherein the timestamp data represents a time at which the user authentication log data is observed by the computer system;
  
  an impossible event module stored in the non-transitory computer-readable medium including instructions that when executed cause the processor to detect an impossible event pattern within the authentication log messages by analyzing the event data structure for each of the plurality of authentication attempts; and
  
  a filter module stored in the non-transitory computer-readable medium including instructions that when executed cause the processor to detect a change in behavior of a user by applying a user behavior model, representing account usage patterns of the user, to the event data structure for each of the plurality of authentication attempts.
- View Dependent Claims (12, 13, 14, 15, 16, 17)
- - 12. The computer system of claim 11, further comprising an explain module stored in the non-transitory computer-readable medium including instructions that when executed cause the processor to engage at least the filter module to:
    - determine a valid explanation for the impossible event pattern and generate a corresponding valid explanation message;
      
      orgenerate an alarm message indicating a malicious authentication attempt.
  - 13. The computer system of claim 11, wherein the user attribute values include at least one of a user name value, a client IP address value, a resource name value, a login status value, a timestamp value, an authentication scheme value, an authentication policy value, a partner value, a failure code value, a retry count value, a session value, and an authentication level value.
  - 14. The computer system of claim 11, wherein the common format of the tracer data structure includes each of the attribute values paired with a corresponding attribute type.
  - 15. The computer system of claim 11, wherein the impossible event pattern corresponds to a hypersonic travel pattern indicating a speed of travel of the user, to physically authenticate from distant geographical locations, that is greater than a speed of sound traveling through air.
  - 16. The computer system of claim 11, further comprising a visual user interface module stored in the non-transitory computer-readable medium including instructions that when executed cause the processor to provide a graphical user interface that controls at least user specification of filter parameters associated with the filter module.
  - 17. The computer system of claim 16, further comprising a display screen configured to display and facilitate user interaction with at least the graphical user interface provided by the visual user interface module.

18. A non-transitory computer-readable medium storing instructions that, when executed by one or more processors of a computing device, cause the computing device to at least:
- for each of a plurality of user authentication attempts to the computing device by a user via user authentication log messages, collect user authentication log data having user attribute values;
  
  for each of the plurality of user authentication attempts, transform the user authentication log data into a tracer data structure having the user attribute values organized in a common format;
  
  for each of the plurality of user authentication attempts, augment the tracer data structure with timestamp data to generate an event data structure, wherein the timestamp data represents a time at which the user authentication log data is observed by the computing device;
  
  update a user behavior model filter, representing account usage patterns of the user, based at least in part on the event data structure for each of the plurality of user authentication attempts;
  
  detect a malicious authentication attempt to the computing device by a malicious user based on, at least in part, the user behavior model filter; and
  
  generate an alarm message or signal in response to the detecting of the malicious authentication attempt to the computing device.
- View Dependent Claims (19, 20)
- - 19. The non-transitory computer-readable medium of claim 18, wherein the instructions further comprise instructions that, when executed by the one or more processors, cause the computing device to at least attempt to match the tracer data structure with an existing tracer data structure stored in a rules database, where:
    - when a match occurs, a list of timestamps for the existing tracer data structure is updated with a new timestamp, wherein the list of timestamps represents times at which the user authentication log data is observed by the computing device; and
      
      when a match does not occur, the tracer data structure is stored as a new tracer data structure in the rules database and a novelty flag and a first timestamp associated with the new tracer data structure are set.
  - 20. The non-transitory computer-readable medium of claim 18, wherein the instructions further comprise instructions that, when executed by the one or more processors, cause the computing device to at least initially generate the user behavior model filter at least in part by transforming an original set of event data structures, derived from an original set of authentication attempts by the user, into features that describe authentication behavior characteristics of the user, without having to train the user behavior model filter using truth-labeled training data, and without having apriori knowledge of user authentication misuse.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle International Corporation (Oracle Corporation)
Original Assignee
Oracle International Corporation (Oracle Corporation)
Inventors
URMANOV, Aleksey M., WOOD, Alan P.

Granted Patent

US 10,165,005 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/31   User authentication

G06F 21/316   by observing the pattern of...

G06F 21/554   involving event detection a...

G06F 2221/2101   Auditing as a secondary aspect

H04L 2463/121   Timestamp

H04L 63/08   for authentication of entit...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1441   Countermeasures against mal...

H04L 63/1483   service impersonation, e.g....

SYSTEM AND METHOD PROVIDING DATA-DRIVEN USER AUTHENTICATION MISUSE DETECTION

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

SYSTEM AND METHOD PROVIDING DATA-DRIVEN USER AUTHENTICATION MISUSE DETECTION

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links