Network-based detection of authentication failures

US 9,667,637 B2
Filed: 05/31/2015
Issued: 05/30/2017
Est. Priority Date: 06/09/2014
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

monitoring both (i) communication traffic that is exchanged with a client over a computer network, and (ii) software processes running in a memory of the client;

identifying in at least part of the monitored communication traffic one or more authentication attempts that were initiated by the client and have failed; and

distinguishing whether the failed authentication attempts are innocent or caused by a hostile activity in the computer network, by investigating, using memory introspection in the memory of the client, a software process that initiated the failed authentication attempts.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method includes monitoring communication traffic that is exchanged over a computer network. One or more authentication attempts that have failed are identified in at least part of the monitored communication traffic. Hostile activity is detected in the computer network by analyzing the failed authentication attempts.

Citations

23 Claims

1. A method, comprising:
- monitoring both (i) communication traffic that is exchanged with a client over a computer network, and (ii) software processes running in a memory of the client;
  
  identifying in at least part of the monitored communication traffic one or more authentication attempts that were initiated by the client and have failed; and
  
  distinguishing whether the failed authentication attempts are innocent or caused by a hostile activity in the computer network, by investigating, using memory introspection in the memory of the client, a software process that initiated the failed authentication attempts.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method according to claim 1, wherein at least part of the communication traffic traverses a virtual switching fabric in a hypervisor of a node of the computer network, and wherein monitoring the communication traffic comprises running in the hypervisor a software agent that monitors the at least part of the communication traffic.
  - 3. The method according to claim 1, wherein monitoring the communication traffic comprises passing at least part of the communication traffic in-line through an analysis unit.
  - 4. The method according to claim 1, wherein monitoring the communication traffic comprises instructing a virtual or physical network element in the computer network to mirror at least part of the communication traffic for monitoring.
  - 5. The method according to claim 4, wherein the computer network comprises a Software-Defined Network (SDN), and wherein instructing the virtual or physical network element is performed using an SDN protocol.
  - 6. The method according to claim 1, wherein monitoring the communication traffic comprises running in the client a software agent that monitors the at least part of the communication traffic.
  - 7. The method according to claim 1, wherein identifying the authentication attempts that have failed comprises identifying in the communication traffic an authentication response message, extracting a field value from the authentication response message, and detecting a failed authentication attempt based on the extracted field value.
  - 8. The method according to claim 7, wherein extracting the field value comprises extracting an authentication result reported in the authentication response message.
  - 9. The method according to claim 1, wherein identifying the authentication attempts that have failed comprises deducing a failure of an authentication attempt from a count of packets exchanged during the authentication attempt.
  - 10. The method according to claim 1, wherein detecting the hostile activity comprises accumulating multiple failed authentication attempts, and evaluating a detection criterion over the multiple failed authentication attempts.
  - 11. The method according to claim 1, and comprising obtaining additional information relating to failed authentication attempts from an authentication server, wherein detecting the hostile activity comprises identifying the hostile activity based on both the failed authentication attempts identified in the communication traffic, and the additional information.

12. A system, comprising:
- at least one interface for connecting to a computer network; and
  
  one or more processors, which are configured to monitor both (i) communication traffic that is exchanged with a client over the computer network and (ii) software processes running in a memory of the client, to identify in at least part of the monitored communication traffic one or more authentication attempts that were initiated by the client and have failed, and to distinguish whether the failed authentication attempts are innocent or caused by a hostile activity in the computer network, by investigating, using memory introspection in the memory of the client, a software process that initiated the failed authentication attempts.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20, 21, 22)
- - 13. The system according to claim 12, wherein at least part of the communication traffic traverses a virtual switching fabric in a hypervisor of one of the processors, and wherein the one of the processors is configured to run in the hypervisor a software agent that monitors the at least part of the communication traffic.
  - 14. The system according to claim 12, wherein at least one of the processors is configured to monitor at least part of the communication traffic passing in-line through an analysis unit.
  - 15. The system according to claim 12, wherein at least one of the processors is configured to instruct a virtual or physical network element in the computer network to mirror at least part of the communication traffic for monitoring.
  - 16. The system according to claim 15, wherein the computer network comprises a Software-Defined Network (SDN), and wherein at least one of the processors is configured to instruct the virtual or physical network element using an SDN protocol.
  - 17. The system according to claim 12, wherein at least one of the processors is comprised in the client, and is configured to run a software agent that monitors the at least part of the communication traffic.
  - 18. The system according to claim 12, wherein at least one of the processors is configured to identify the authentication attempts that have failed by identifying in the communication traffic an authentication response message, extracting a field value from the authentication response message, and detecting a failed authentication attempt based on the extracted field value.
  - 19. The system according to claim 18, wherein the field value comprises an authentication result reported in the authentication response message.
  - 20. The system according to claim 12, wherein at least one of the processors is configured to identify the authentication attempts that have failed by deducing a failure of an authentication attempt from a count of packets exchanged during the authentication attempt.
  - 21. The system according to claim 12, wherein at least one of the processors is configured to accumulate multiple failed authentication attempts, and to evaluate a detection criterion over the multiple failed authentication attempts.
  - 22. The system according to claim 12, wherein at least one of the processors is configured to obtain additional information relating to failed authentication attempts from an authentication server, and to identify the hostile activity based on both the failed authentication attempts identified in the communication traffic, and the additional information.

23. A computer software product, the product comprising a tangible non-transitory computer-readable medium in which program instructions are stored, which instructions, when read by one or more processors, cause the processors to monitor both (i) communication traffic that is exchanged with a client over the computer network and (ii) software processes running in a memory of the client, to identify in at least part of the monitored communication traffic one or more authentication attempts that were initiated by the client and have failed, and to distinguish whether the failed authentication attempts are innocent or caused by a hostile activity in the computer network, by investigating, using memory introspection in the memory of the client, a software process that initiated the failed authentication attempts.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Akamai Technologies, Inc.
Original Assignee
GuardiCore Ltd. (Akamai Technologies, Inc.)
Inventors
Zeitlin, Ariel, Gurvich, Pavel, Ziv, Ofri, Tal, Itamar
Primary Examiner(s)
Rahman, Shawnchoy

Application Number

US14/726,544
Publication Number

US 20150358338A1
Time in Patent Office

730 Days
Field of Search
US Class Current
CPC Class Codes

G06F 2009/45587   Isolation or security of vi...

G06F 2009/45595   Network integration; Enabli...

G06F 9/45558   Hypervisor-specific managem...

H04L 63/1416   Event detection, e.g. attac...

Network-based detection of authentication failures

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

Network-based detection of authentication failures

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links