Systems and methods for detecting and blocking malicious network activity
First Claim
1. An authenticating device configured for network-authentication, comprising:
- a processor;
- a memory in electronic communication with the processor;
- instructions stored in the memory, the instructions being executable to:
  - intercept, at the authenticating device, an authentication request sent to an authentication application program interface (API), wherein the authenticating device comprises a domain controller configured with the authentication API and an agent module, wherein the agent module comprises:
    - a hook that intercepts the authentication request;
    - data collection rules that are used to determine what authentication request data to scrape from the intercepted authentication request; and
    - filter rules that filter the authentication request data that is sent to a central server;
  - send, from the authenticating device, the filtered authentication request data to the central server to identify malicious activity patterns of authentication activity spanning across a plurality of authenticating devices in a network environment; and
  - determine, at the authenticating device, whether to block an invocation of the authentication API based on blocking rules received from the central server, wherein the agent module determines, for every authentication request intercepted in the authenticating device, whether to block a respective authentication request from invoking the authentication API without waiting for a response from the central server for the respective authentication request.
Abstract
An authenticating device configured for network authentication is described. The authenticating device includes a processor. The authenticating device also includes memory in electronic communication with the processor. The authenticating device further includes instructions stored in the memory. The instructions are executable to intercept an authentication request sent to an authentication application program interface (API). The instructions are also executable to send the authentication request to a central server to identify malicious activity patterns based on authentication activity of a plurality of authenticating devices in a network environment. The instructions are further executable to determine whether to block an invocation of the authentication API based on blocking rules received from the central server.
22 Claims
1. Reproduced in full above under First Claim. Dependent claims 2 through 10 depend from claim 1.
11. A method for network authentication by an authenticating device, comprising:
- intercepting, at the authenticating device, an authentication request sent to an authentication application program interface (API), wherein the authenticating device comprises a domain controller configured with the authentication API and an agent module, wherein the agent module comprises:
  - a hook that intercepts the authentication request;
  - data collection rules that are used to determine what authentication request data to scrape from the intercepted authentication request; and
  - filter rules that filter the authentication request data that is sent to a central server;
- sending, from the authenticating device, the authentication request to the central server to identify malicious activity patterns of authentication activity spanning across a plurality of authenticating devices in a network environment; and
- determining, at the authenticating device, whether to block an invocation of the authentication API based on blocking rules received from the central server, wherein the agent module determines, for every authentication request intercepted in the authenticating device, whether to block a respective authentication request from invoking the authentication API without waiting for a response from the central server for the respective authentication request.
12. A central server, comprising:
- a processor;
- a memory in electronic communication with the processor;
- instructions stored in the memory, the instructions being executable to:
  - receive filtered authentication data from a first authenticating device that comprises a domain controller configured with an authentication API and an agent module, wherein the agent module comprises:
    - a hook that intercepts an authentication request;
    - data collection rules that are used to determine what authentication request data to scrape from the intercepted authentication request; and
    - filter rules that filter the authentication request data to produce the filtered authentication data that is received by the central server;
    wherein, for every transmission of filtered authentication data received by the central server from the first authenticating device, the central server responds to the first authenticating device after the first authenticating device determines, using blocking rules locally stored at the first authenticating device, whether to block an authentication request associated with a respective transmission from invoking the authentication API in the first authenticating device;
  - identify malicious activity patterns of authentication activity spanning across a plurality of authenticating devices in a network environment;
  - determine updated blocking rules based on identified malicious activity patterns, wherein the updated blocking rules instruct the first authenticating device about which authentication requests to block from invoking the authentication application program interface (API); and
  - send the updated blocking rules to the first authenticating device.

Dependent claims 13 through 21 depend from claim 12.
22. A method by a central server, comprising:
- receiving filtered authentication data from a first authenticating device that comprises a domain controller configured with an authentication API and an agent module, wherein the agent module comprises:
  - a hook that intercepts an authentication request;
  - data collection rules that are used to determine what authentication request data to scrape from the intercepted authentication request; and
  - filter rules that filter the authentication request data to produce the filtered authentication data that is received by the central server;
  wherein, for every transmission of filtered authentication data received by the central server from the first authenticating device, the central server responds to the first authenticating device after the first authenticating device determines, using blocking rules locally stored at the first authenticating device, whether to block an authentication request associated with a respective transmission from invoking the authentication API in the first authenticating device;
- identifying malicious activity patterns of authentication activity spanning across a plurality of authenticating devices in a network environment;
- determining updated blocking rules based on identified malicious activity patterns, wherein the updated blocking rules instruct the first authenticating device about which authentication requests to block from invoking the authentication application program interface (API); and
- sending the updated blocking rules to the first authenticating device.
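The agent-side pipeline the claims describe, as an added Python sketch that is not the patent's or any product's code: the hook scrapes fields under the data collection rules, applies filter rules to what leaves the domain controller, and decides blocking against locally stored rules without waiting for the central server, which only pushes rule updates later. The AuthRequest shape, the rule formats and the sample values are constructed assumptions.

```python
import fnmatch
from collections import deque
from dataclasses import dataclass, asdict


@dataclass
class AuthRequest:
    """Constructed stand-in for the arguments of an intercepted authentication API call."""
    user: str
    src_ip: str
    protocol: str
    target: str
    secret: str  # credential material present in the raw call; never scraped


# Data collection rules: the fields the hook scrapes from the intercepted request.
COLLECTION_RULES = ("user", "src_ip", "protocol", "target")

# Filter rules (assumed shape): skip machine accounts (names ending in "$")
# and strip the listed fields before the record is sent to the central server.
FILTER_RULES = {"skip_machine_accounts": True, "drop": ("target",)}


class Agent:
    def __init__(self, blocking_rules):
        self.blocking_rules = list(blocking_rules)  # locally stored; replaced by server updates
        self.outbox = deque()                        # filtered records awaiting upload

    def update_blocking_rules(self, rules):
        """Server-pushed update; applies to the next intercepted request, not retroactively."""
        self.blocking_rules = list(rules)

    def _scrape(self, req):
        data = asdict(req)
        return {k: data[k] for k in COLLECTION_RULES}

    def _filter(self, rec):
        if FILTER_RULES["skip_machine_accounts"] and rec["user"].endswith("$"):
            return None
        return {k: v for k, v in rec.items() if k not in FILTER_RULES["drop"]}

    def _matching_rule(self, rec):
        # A blocking rule is a dict of field -> glob pattern; every field must match.
        for rule in self.blocking_rules:
            if all(fnmatch.fnmatchcase(str(rec.get(f, "")), pat) for f, pat in rule.items()):
                return rule
        return None

    def hook(self, req, invoke_api):
        """Runs in place of the API call: queue telemetry, decide locally, then invoke or refuse."""
        rec = self._scrape(req)
        filtered = self._filter(rec)
        if filtered is not None:
            self.outbox.append(filtered)  # uploaded asynchronously; the decision below does not wait
        rule = self._matching_rule(rec)
        if rule is not None:
            return {"allowed": False, "rule": rule}
        return {"allowed": True, "result": invoke_api(req)}
```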