Systems and methods for IP-based intrusion detection
Abstract
Systems and methods for account security are provided. In one example embodiment, a first login request including a username and a password is analyzed to identify a first internet protocol (IP) address and a first request time associated with the first login request. A login history comprising login request data for the server computer is analyzed to identify a plurality of usernames, wherein each username of the plurality of usernames is associated with a corresponding login request from the first IP address within a threshold time period of the first request time. In response to determining a login success ratio is below a threshold login success ratio and a number of unique usernames in the analyzed data is above the unique username threshold, the system automatically performs a security action.
19 Claims
1. A method comprising:
- receiving, at a server computer, a first login request, the first login request comprising a username and a password;
- identifying a first internet protocol (IP) address and a first request time associated with the first login request;
- analyzing a login history comprising login request data for the server computer to identify a plurality of usernames, wherein each username of the plurality of usernames is associated with a corresponding login request from the first IP address within a threshold time period of the first request time;
- determining that a total number of login requests from the first IP address within the threshold time period is above a credential security threshold;
- determining that a number of usernames associated with the total number of login requests is above a username threshold;
- comparing each username with each other username to determine a difference value for each username pair, wherein the difference value for each username pair comprises a sum of each character change, character addition, and character subtraction required to transform a first username of each username pair into a second username of each username pair; and
- for each username pair identified as similar usernames having a difference value less than a threshold difference value, counting the similar usernames as a single username for the number of usernames as compared to the username threshold;
- determining that a login success ratio is below a threshold login success ratio after determining that the total number of login requests from the first IP address is above the credential security threshold; and
- in response to determining the login success ratio is below the threshold login success ratio and determining that the number of unique usernames is above the unique username threshold, automatically performing a security action using the server computer.

Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11

12. A system comprising one or more server computers configured to:
- receive a first login request, the first login request comprising a first username and a password;
- identify a first internet protocol (IP) address and a first request time associated with the first login request;
- analyze a login history comprising login request data for the server computer to identify a plurality of usernames, wherein each username of the plurality of usernames is associated with a corresponding login request from the first IP address within a threshold time period of the first request time;
- determine that a total number of login requests from the first IP address within the threshold time period is above a credential security threshold;
- determine a login success ratio is below a threshold login success ratio after determining that the total number of login requests from the first IP address is above the credential security threshold;
- determine that a number of usernames associated with the total number of login requests is above a unique username threshold;
- compare each username with each other username to determine a difference value for each username pair, wherein the difference value for each username pair comprises a sum of each character change, character addition, and character subtraction required to transform a first username of each username pair into a second username of each username pair; and
- for each username pair identifying similar usernames having a difference value less than a threshold difference value, counting the similar usernames as a single username for the number of usernames when comparing to the username threshold; and
- in response to determining that the login success ratio is below the threshold login success ratio and determining that the number of unique usernames is above the unique username threshold, automatically perform a security action using the server computer.

Dependent claims: 13, 14, 15, 16, 17

18. A non-transitory computer readable medium comprising computer readable instructions that, when executed by one or more processors, cause one or more server computers to:
- receive a first login request, the first login request comprising a username and a password;
- identify a first internet protocol (IP) address and a first request time associated with the first login request;
- analyze a login history comprising login request data for the server computer to identify a plurality of usernames, wherein each username of the plurality of usernames is associated with a corresponding login request from the first IP address within a threshold time period of the first request time;
- set a first security flag in response to a determination that a total number of login requests from the first IP address within a threshold time period is above the credential security threshold;
- set a second security flag in response to a second determination that a number of usernames associated with the total number of login requests is above a username threshold;
- compare each username with each other username to determine a difference value for each username pair, wherein the difference value for each username pair comprises a sum of each character change, character addition, and character subtraction required to transform a first username of each username pair into a second username of each username pair; and
- for each username pair identified as similar usernames having a difference value less than a threshold difference value, count the similar usernames as a single username for the number of usernames as comparing to the username threshold; and
- automatically initiate a security action in response to the first security flag and the second security flag.

Dependent claims: 19

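The checks recited in claim 1, sketched as an added example that is not part of the patent text. The record layout, function names, threshold values, and the use of union-find to merge similar usernames are assumptions made here; the sample data is constructed.

```python
from collections import namedtuple

# Hypothetical record layout for one login-history entry.
Login = namedtuple("Login", "ip username time success")

def difference(a, b):
    """Character changes + additions + subtractions to turn a into b (Levenshtein)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def count_usernames(names, max_diff):
    """Count usernames, treating any pair with difference < max_diff as one."""
    names = sorted(set(names))
    group = list(range(len(names)))          # union-find parent table
    def root(i):
        while group[i] != i:
            i = group[i]
        return i
    for i in range(len(names)):
        for j in range(i + 1, len(names)):
            if difference(names[i], names[j]) < max_diff:
                group[root(i)] = root(j)
    return len({root(i) for i in range(len(names))})

def evaluate(request, history, window=300, max_requests=10,
             max_usernames=5, max_diff=3, min_success_ratio=0.2):
    """Return the claim-1 measurements and whether a security action is due."""
    recent = [h for h in history + [request]
              if h.ip == request.ip and 0 <= request.time - h.time <= window]
    ratio = sum(h.success for h in recent) / len(recent)
    names = count_usernames([h.username for h in recent], max_diff)
    action = (len(recent) > max_requests and ratio < min_success_ratio
              and names > max_usernames)
    return {"requests": len(recent), "usernames": names,
            "success_ratio": ratio, "action": action}

# Constructed sample data (documentation IP ranges, invented usernames).
SPRAY = [Login("203.0.113.7", u, 1000 + i, False) for i, u in enumerate(
    "alice bob charlie dmitri evelyn francesca gustavo hiroshi ingrid jamal katarina".split())]
TYPOS = [Login("198.51.100.4", u, 1000 + i, False) for i, u in enumerate(
    ["alice", "alcie", "alise", "alicee"] * 3)]

if __name__ == "__main__":
    print(evaluate(Login("203.0.113.7", "leopold", 1011, False), SPRAY))
    print(evaluate(Login("198.51.100.4", "alice", 1012, True), TYPOS[:-1]))
```

The second case shows why the claim merges similar usernames: twelve mostly failed attempts at misspellings of one name count as a single username, so no security action fires.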
Specification