Systems and methods for IP-based intrusion detection
First Claim
1. A method comprising:
- receiving, at a server computer, a first plurality of login requests, each comprising a username and a password;
identifying a first internet protocol (IP) address and a first request time associated with each of the first plurality of login requests;
determining that a total number of login requests from the first IP address within a threshold time period is above a credential security threshold;
determining that a number of usernames associated with the first plurality of login requests is above a username threshold;
determining that a login success ratio is below a threshold login success ratio after determining that the total number of login requests from the first IP address is above the credential security threshold; and
in response to determining the login success ratio is below the threshold login success ratio and determining that the number of usernames is above the username threshold, automatically performing a security action using the server computer;
wherein determining the number of usernames associated with the total number of login requests comprises;
comparing each username with each other username to determine a difference value for each username pair, wherein the difference value for each username pair comprises a sum of each character change, character addition, and character subtraction required to transform a first username of each username pair into a second username of each username pair; and
for each username pair identified as similar usernames having a difference value less than a threshold difference value, counting the similar usernames as a single username for the number of usernames as compared to the username threshold.
2 Assignments
0 Petitions
Accused Products
Abstract
Systems and methods for account security are provided. In one example embodiment, a first login request including a username and a password is analyzed to identify a first internet protocol (IP) address and a first request time associated with the first login request. A login history comprising login request data for the server computer is analyzed to identify a plurality of usernames, wherein each username of the plurality of usernames is associated with a corresponding login request from the first IP address within a threshold time period of the first request time. In response to determining a login success ratio is below a threshold login success ratio and a number of unique usernames in the analyzed data is above the unique username threshold, the system automatically performs a security action.
18 Citations
20 Claims
-
1. A method comprising:
-
receiving, at a server computer, a first plurality of login requests, each comprising a username and a password; identifying a first internet protocol (IP) address and a first request time associated with each of the first plurality of login requests; determining that a total number of login requests from the first IP address within a threshold time period is above a credential security threshold; determining that a number of usernames associated with the first plurality of login requests is above a username threshold; determining that a login success ratio is below a threshold login success ratio after determining that the total number of login requests from the first IP address is above the credential security threshold; and in response to determining the login success ratio is below the threshold login success ratio and determining that the number of usernames is above the username threshold, automatically performing a security action using the server computer; wherein determining the number of usernames associated with the total number of login requests comprises; comparing each username with each other username to determine a difference value for each username pair, wherein the difference value for each username pair comprises a sum of each character change, character addition, and character subtraction required to transform a first username of each username pair into a second username of each username pair; and for each username pair identified as similar usernames having a difference value less than a threshold difference value, counting the similar usernames as a single username for the number of usernames as compared to the username threshold. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
-
-
10. A system comprising:
-
one or more servers comprising memory and one or more processors coupled to the memory and configured to; receive first plurality of login requests, each comprising a username and a password; identify a first internet protocol (IP) address and a first request time associated with each of the first plurality of login requests; determine that a total number of login requests from the first IP address within a threshold time period is above a credential security threshold; determine that a number of usernames associated with the first plurality of login requests is above a username threshold; determine that a login success ratio is below a threshold login success ratio after determining that the total number of login requests from the first IP address is above the credential security threshold; and in response to determining the login success ratio is below the threshold login success ratio and determining that the number of usernames is above the username threshold, automatically performing a security action using the server computer; wherein the one or more server computers are further configured to; compare a first username with each username of the plurality of usernames to identify a set of similar usernames; and merge a set of login requests associated with the set of similar usernames into a merged login request in a login history; wherein identifying the set of similar usernames comprises determining that each username of the set of similar usernames is within a threshold number of character changes of the first username; and wherein the one or more server computers are further configured to; identify a plurality of accounts, wherein each account of the plurality of accounts is associated with a successful login from the IP address during the threshold time period; identify, for each account of the plurality of accounts, an associated set of user actions taken during the threshold time period; determine a location associated with the IP address; identify, for each account of the plurality of accounts, a difference between the IP address and a registration IP address associated with a creation of each account, wherein the custom security action for each account is further based on the difference between the IP address and the registration IP address associated with the creation of each account; determine a total number of locations associated with registration of the plurality of usernames; identify, for each successful login, a user agent value associated with a requesting client device; and identify, for each account of the plurality of accounts from the login history, a user agent value history, associated with historical requesting client devices. - View Dependent Claims (11, 12)
-
-
13. A non-transitory computer readable storage medium comprising instructions that, when executed by one or more processors of a server computer, cause the server computer to perform a method comprising:
-
receiving a first plurality of login requests, each comprising a username and a password; identifying a first Internet protocol (IP) address and a first request time associated with each of the first plurality of login requests; determining that a total number of login requests from the first IP address within a threshold time period is above a credential security threshold; determining that a number of usernames associated with the first plurality of login requests is above a username threshold; determining that a login success ratio is below a threshold login success ratio after determining that the total number of login requests from the first IP address is above the credential security threshold; and in response to determining the login success ratio is below the threshold login success ratio and determining that the number of usernames is above the username threshold, automatically performing a security action using the server computer; wherein determining the number of usernames associated with the total number of login requests comprises; comparing each username with each other username to determine a difference value for each username pair, wherein the difference value for each username pair comprises a sum of each character change, character addition, and character subtraction required to transform a first username of each username pair into a second username of each username pair; and for each username pair identified as similar usernames having a difference value less than a threshold difference value, counting the similar usernames as a single username for the number of usernames as compared to the username threshold. - View Dependent Claims (14, 15, 16, 17, 18, 19, 20)
-
Specification