Distributed real-time network protection for authentication systems

US 8,887,279 B2
Filed: 03/31/2011
Issued: 11/11/2014
Est. Priority Date: 03/31/2011
Status: Expired due to Fees

First Claim

Patent Images

1. A method for centrally managing information about security events detected by a group of protected web-connected resources, the method comprising:

receiving a plurality of security event reports from one or more deployment components by a first computer, wherein each of the deployment components is coupled to a native service local to one of a plurality of web-connected resources of a plurality of additional, separate computers;

based on the received security event reports, determining by the first computer a threat level indicator across the plurality of web-connected resources using one or more analyses and metrics;

transmitting the determined threat level indicator to each of the web-connected resources of a plurality of the additional, separate computers;

receiving the threat level indicator by each of the web-connected resources of the plurality of additional, separate computers; and

one or more of the native services of the plurality of additional, separate computers selecting and performing a security breach abatement action according to the received threat level indicator, wherein the selecting is performed by the native service according to a Security Policy local to each corresponding additional, separate computer;

wherein the threat indicator excludes instructions for security breach abatement.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Information about security events detected by a group of protected web-connected resources is centrally managed in order to detect distributed attacks and slow paced attacks by providing to a plurality of web-connected resources a deployment component which couples to a native authorization service of each web-connected resource; receiving a plurality of security event reports from one or more of the deployment components by a command and control center computer; based on collected information from the plurality of security event reports, determining a threat level indicator across the plurality of web-connected resources using one or more analyses and metrics; and transmitting the threat level indicator to each of the web-connected resources.

28 Citations

View as Search Results

20 Claims

1. A method for centrally managing information about security events detected by a group of protected web-connected resources, the method comprising:
- receiving a plurality of security event reports from one or more deployment components by a first computer, wherein each of the deployment components is coupled to a native service local to one of a plurality of web-connected resources of a plurality of additional, separate computers;
  
  based on the received security event reports, determining by the first computer a threat level indicator across the plurality of web-connected resources using one or more analyses and metrics;
  
  transmitting the determined threat level indicator to each of the web-connected resources of a plurality of the additional, separate computers;
  
  receiving the threat level indicator by each of the web-connected resources of the plurality of additional, separate computers; and
  
  one or more of the native services of the plurality of additional, separate computers selecting and performing a security breach abatement action according to the received threat level indicator, wherein the selecting is performed by the native service according to a Security Policy local to each corresponding additional, separate computer;
  
  wherein the threat indicator excludes instructions for security breach abatement.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method as set forth in claim 1 wherein a security event report relates to a failed login attempt.
  - 3. The method as set forth in claim 1 wherein analyses and metrics include a match to a pattern indicative of an organized attack across the plurality of web-connected resources.
  - 4. The method as set forth in claim 1 further comprising enacting a security action across the plurality of web-connected resources responsive to an escalation of the threat level indication.
  - 5. The method as set forth in claim 4 wherein the security action comprises one or more actions selected from the group consisting of reducing failed login attempts allowed before an account lockout is enabled, reducing authentication methods allowed before an account lockout is enabled, and locking down the plurality of web-connected resources.
  - 6. The method as set forth in claim 1, wherein the deployment components comprise client components to communicate with the computer and an adapter component to interface the client component to a specific native authorization and security service of a protected web-connected resource.
  - 7. The method as set forth in claim 1 wherein the web-connected resources comprise at least one device selected from the group consisting of a web server, a web browser, a web-enabled phone, and a special purpose web device.

8. A computer program product for centrally managing information about security events detected by a group of protected web-connected resources, the computer program product comprising:
- a plurality of computer readable tangible storage memory devices;
  
  first program instruction stored by one of the memory device to receive a plurality of security event reports from one or more deployment components by a first computer, wherein each of the deployment components is coupled to a native service local to one of a plurality of web-connected resources of a plurality of additional, separate computers;
  
  second program instruction stored by one of the memory device to, based on the received security event reports, determine by the first computer a threat level indicator across the plurality of web-connected resources using one or more analyses and metrics;
  
  third program instruction stored by one of the memory device to transmit the determined threat level indicator to each of the web-connected resources of the plurality of the additional, separate computers;
  
  fourth program instructions stored by one of the memory device to receive the threat level indicator by each of the web-connected resources of the plurality of the additional, separate computers; and
  
  fifth program instructions stored by one of the memory device for one or more of the native services of the plurality of the additional, separate computers to select and perform a security breach abatement action according to the received threat level indicator, wherein the selecting is performed by the native service and according to a Security Policy local to each corresponding additional, separate computer;
  
  wherein he threat indicator excludes instructions for security breach abatement.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The computer program product as set forth in claim 8 wherein the first program instruction receive a security event report comprising a failed login attempt.
  - 10. The computer program product as set forth in claim 8 wherein the second program instruction comprise program instruction to a match to a pattern indicative of an organized attack across the plurality of web-connected resources.
  - 11. The computer program product as set forth in claim 8 further comprising sixth program instruction stored by the memory device to enact a security action across the plurality of web-connected resources responsive to an escalation of the threat level indication.
  - 12. The computer program product as set forth in claim 11 wherein the enacted security action comprises one or more actions selected from the group consisting of reducing failed login attempts allowed before an account lockout is enabled, reducing authentication methods allowed before an account lockout is enabled, and locking down the plurality of web-connected resources.
  - 13. The computer program product as set forth in claim 8, wherein the deployment components comprise client components to communicate with the computer and an adapter component to interface the client component to a specific native authorization and security service of a protected web-connected resource.
  - 14. The computer program product as set forth in claim 8 wherein the deployment components of at least one device selected from the group consisting of a web server, a web browser, a web-enabled phone, and a special purpose web device.

15. A system for centrally managing information about security events detected by a group of protected web-connected resources, the system comprising:
- a hardware portion of a first computing platform to perform a logical process;
  
  a plurality of web-connected resources of a plurality of additional, separate computers, each of which is coupled to a native authorization service of each web-connected resource;
  
  a report input portion of the first computing platform to receive a plurality of security event reports from one or more of the deployment components by, wherein each of the deployment components is coupled to a native service local to one of a plurality of web-connected resources of the plurality of the additional, separate computers;
  
  a threat level analyzer portion of the first computing platform to, based on the security event reports, determine a threat level indicator across the plurality of web-connected resources using one or more analyses and metrics;
  
  an indicator output to transmit the threat level indicator from the first computing platform to each of the web-connected resources of the plurality of the additional, separate computers; and
  
  one or more of the native services of the plurality of additional, separate computers selecting and performing a security breach abatement action according to the received threat level indicator, wherein the selecting is performed by the native service according to a Security Policy local to each corresponding additional, separate computer;
  
  wherein the threat indicator excludes instructions for security breach abatement.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The system as set forth in claim 15 wherein the report input is configured to receive a report of a failed login attempt.
  - 17. The system as set forth in claim 15 wherein the threat level analyzer is configured to match to a pattern indicative of an organized attack across the plurality of web-connected resources.
  - 18. The system as set forth in claim 15 further comprising a security action portion of the computing platform to enact a security action across the plurality of web-connected resources responsive to an escalation of the threat level indication.
  - 19. The system as set forth in claim 18 wherein the security action comprises one or more actions selected from the group consisting of reducing failed login attempts allowed before an account lockout is enabled, reducing authentication methods allowed before an account lockout is enabled, and locking down the plurality of web-connected resources.
  - 20. The system as set forth in claim 15, wherein the deployment components comprise client components to communicate with the computer and an adapter component to interface the client component to a specific native authorization and security service of a protected web-connected resource, and where the web-connected resources comprise at least one device selected from the group consisting of a web server, a web browser, a web-enabled phone, and a special purpose web device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Dheap, Vijay, Whitley, Michael David
Primary Examiner(s)
PYZOCHA, MICHAEL J

Application Number

US13/077,548
Publication Number

US 20120254947A1
Time in Patent Office

1,321 Days
Field of Search

726/4, 726/23, 726/25, 726/1
US Class Current

726/23
CPC Class Codes

G06F 21/552   involving long-term monitor...

G06F 21/56   Computer malware detection ...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1441   Countermeasures against mal...

H04L 63/20   for managing network securi...

Distributed real-time network protection for authentication systems

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

28 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Distributed real-time network protection for authentication systems

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

28 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links