Method and apparatus to facilitate individual and global lockouts to network applications

US 7,032,026 B1
Filed: 01/10/2002
Issued: 04/18/2006
Est. Priority Date: 08/31/2001
Status: Active Grant

First Claim

Patent Images

1. A method to facilitate locking an adversary out of a network application, comprising:

receiving at a server a request, including an authentication credential, to access the network application, wherein the authentication credential includes a user identifier and a specific network address of a user device;

if the user identifier has been locked out from the specific network address,denying access to the network application; and

if the authentication credential is valid, allowing access to the network application, otherwise,logging a failed attempt in the audit log,imposing a lockout for the user identifier from only the specific network address after a threshold number of failed attempts from the specific network address,if a threshold number of specific network addresses are locked out for the user identifier, imposing a global lockout for the user identifier, anddenying access to the network application.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

One embodiment of the present invention provides a system that facilitates locking an adversary out of a network application. The system operates by receiving a request at a server, which includes an authentication credential, to access the network application. This authentication credential includes a user identifier associated with a user and an address of a user device. The system examines an audit log to determine if the user identifier has been locked out from the address of the user device. If so, the system denies access to the network application. Otherwise, the system checks the authentication credential for validity. If the authentication credential is valid, the system allows access to the network application. Otherwise, the system logs a failed attempt in the audit log and denies access to the network application. After a threshold number of failed attempts, the user identifier is locked out from the network address.

Citations

14 Claims

1. A method to facilitate locking an adversary out of a network application, comprising:
- receiving at a server a request, including an authentication credential, to access the network application, wherein the authentication credential includes a user identifier and a specific network address of a user device;
  
  if the user identifier has been locked out from the specific network address,denying access to the network application; and
  
  if the authentication credential is valid, allowing access to the network application, otherwise,logging a failed attempt in the audit log,imposing a lockout for the user identifier from only the specific network address after a threshold number of failed attempts from the specific network address,if a threshold number of specific network addresses are locked out for the user identifier, imposing a global lockout for the user identifier, anddenying access to the network application.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, further comprising:
    - removing a lockout after a predetermined period of time.
  - 3. The method of claim 1, further comprising:
    - manually removing a lockout by an administrator of the server.
  - 4. The method of claim 1, wherein the authentication credential includes a user name and a password.
  - 5. The method of claim 4, wherein checking the authentication credential for validity involves:
    - verifying that an administrator has authorized access to the network application for a combination of the user name and the password; and
      
      determining if the request violates an access rule in a rule table.
  - 6. The method of claim 5, wherein the access rule can specify:
    - an allowed time-of-day;
      
      an allowed number of access attempts;
      
      an allowed network address; and
      
      an allowed network domain.
  - 7. The method of claim 1, wherein the network address includes an Internet Protocol address.

8. A computer-readable storage medium storing instructions that when executed by a computer cause the computer to perform a method to facilitate locking an adversary out of a network application, the method comprising:
- receiving at a server a request, including an authentication credential, to access the network application, wherein the authentication credential includes a user identifier and a specific network address of a user device;
  
  if the user identifier has been locked out from the specific network address,denying access to the network application; and
  
  if the authentication credential is valid, allowing access to the network application, otherwise,logging a failed attempt in the audit log,imposing a lockout for the user identifier from only the specific network address after a threshold number of failed attempts from the specific network address,if a threshold number of network addresses are locked out for the user identifier, imposing a global lockout for the user identifier, anddenying access to the network application.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The computer-readable storage medium of claim 8, the method further comprising:
    - removing a lockout after a predetermined period of time.
  - 10. The computer-readable storage medium of claim 8, the method further comprising:
    - manually removing a lockout by an administrator of the server.
  - 11. The computer-readable storage medium of claim 8, wherein the authentication credential includes a user name and a password.
  - 12. The computer-readable storage medium of claim 11, wherein checking the authentication credential for validity involves:
    - verifying that an administrator has authorized access to the network application for a combination of the user name and the password; and
      
      determining if the request violates an access rule in a rule table.
  - 13. The computer-readable storage medium of claim 12, wherein the access rule can specify:
    - an allowed time-of-day;
      
      an allowed number of access attempts;
      
      an allowed network address; and
      
      an allowed network domain.
  - 14. The computer-readable storage medium of claim 8, wherein the network address includes an Internet Protocol address.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle International Corporation (Oracle Corporation)
Original Assignee
Oracle International Corporation (Oracle Corporation)
Inventors
Bhatia, Gaurav, Swaminathan, Arun, Biswas, Kamalendu
Primary Examiner(s)
Etienne, Ario
Assistant Examiner(s)
Coffy, Emmanuel

Application Number

US10/043,800
Time in Patent Office

1,559 Days
Field of Search

709/218, 709/223, 709/229, 709/201, 709/203, 709/219, 709/225
US Class Current

709/229
CPC Class Codes

H04L 63/083 using passwords cryptograph...

H04L 63/0876 based on the identity of th...

Method and apparatus to facilitate individual and global lockouts to network applications

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

14 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus to facilitate individual and global lockouts to network applications

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

14 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links