Network-based detection of authentication failures
Abstract
A method includes monitoring communication traffic that is exchanged over a computer network. One or more authentication attempts that have failed are identified in at least part of the monitored communication traffic. Hostile activity is detected in the computer network by analyzing the failed authentication attempts.
23 Claims
1. A method, comprising:
- monitoring both (i) communication traffic that is exchanged with a client over a computer network, and (ii) software processes running in a memory of the client;
- identifying in at least part of the monitored communication traffic one or more authentication attempts that were initiated by the client and have failed; and
- distinguishing whether the failed authentication attempts are innocent or caused by a hostile activity in the computer network, by investigating, using memory introspection in the memory of the client, a software process that initiated the failed authentication attempts.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11
12. A system, comprising:
- at least one interface for connecting to a computer network; and
- one or more processors, which are configured to monitor both (i) communication traffic that is exchanged with a client over the computer network and (ii) software processes running in a memory of the client, to identify in at least part of the monitored communication traffic one or more authentication attempts that were initiated by the client and have failed, and to distinguish whether the failed authentication attempts are innocent or caused by a hostile activity in the computer network, by investigating, using memory introspection in the memory of the client, a software process that initiated the failed authentication attempts.
Dependent claims: 13, 14, 15, 16, 17, 18, 19, 20, 21, 22
23. A computer software product, the product comprising a tangible non-transitory computer-readable medium in which program instructions are stored, which instructions, when read by one or more processors, cause the processors to monitor both (i) communication traffic that is exchanged with a client over the computer network and (ii) software processes running in a memory of the client, to identify in at least part of the monitored communication traffic one or more authentication attempts that were initiated by the client and have failed, and to distinguish whether the failed authentication attempts are innocent or caused by a hostile activity in the computer network, by investigating, using memory introspection in the memory of the client, a software process that initiated the failed authentication attempts.
Specification