Systems and methods for detecting and blocking malicious network activity

US 9,807,104 B1
Filed: 04/29/2016
Issued: 10/31/2017
Est. Priority Date: 04/29/2016
Status: Active Grant

First Claim

Patent Images

1. An authenticating device configured for network-authentication, comprising:

a processor;

a memory in electronic communication with the processor;

instructions stored in the memory, the instructions being executable to;

intercept, at the authenticating device, an authentication request sent to an authentication application program interface (API), wherein the authenticating device comprises a domain controller configured with the authentication API and an agent module,wherein the agent module comprises;

a hook that intercepts the authentication request;

data collection rules that are used to determine what authentication request data to scrape from the intercepted authentication request; and

filter rules that filter the authentication request data that is sent to a central server;

send, from the authenticating device, the filtered authentication request data to the central server to identify malicious activity patterns of authentication activity spanning across a plurality of authenticating devices in a network environment; and

determine, at the authenticating device, whether to block an invocation of the authentication API based on blocking rules received from the central server,wherein the agent module determines, for every authentication request intercepted in the authenticating device, whether to block a respective authentication request from invoking the authentication API without waiting for a response from the central server for the respective authentication request.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An authenticating device configured for network authentication is described. The authenticating device includes a processor. The authenticating device also includes memory in electronic communication with the processor. The authenticating device further includes instructions stored in the memory. The instructions are executable to intercept an authentication request sent to an authentication application program interface (API). The instructions are also executable to send the authentication request to a central server to identify malicious activity patterns based on authentication activity of a plurality of authenticating devices in a network environment. The instructions are further executable to determine whether to block an invocation of the authentication API based on blocking rules received from the central server.

Citations

22 Claims

1. An authenticating device configured for network-authentication, comprising:
- a processor;
  
  a memory in electronic communication with the processor;
  
  instructions stored in the memory, the instructions being executable to;
  
  intercept, at the authenticating device, an authentication request sent to an authentication application program interface (API), wherein the authenticating device comprises a domain controller configured with the authentication API and an agent module,wherein the agent module comprises;
  
  a hook that intercepts the authentication request;
  
  data collection rules that are used to determine what authentication request data to scrape from the intercepted authentication request; and
  
  filter rules that filter the authentication request data that is sent to a central server;
  
  send, from the authenticating device, the filtered authentication request data to the central server to identify malicious activity patterns of authentication activity spanning across a plurality of authenticating devices in a network environment; and
  
  determine, at the authenticating device, whether to block an invocation of the authentication API based on blocking rules received from the central server,wherein the agent module determines, for every authentication request intercepted in the authenticating device, whether to block a respective authentication request from invoking the authentication API without waiting for a response from the central server for the respective authentication request.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The authenticating device of claim 1, wherein when the blocking rules instruct the authenticating device to block the authentication request, the instructions are further executable to:
    - block the authentication request from calling the authentication API; and
      
      send an access denied message to a calling device.
  - 3. The authenticating device of claim 1, wherein when the blocking rules instruct the authenticating device to permit the authentication request, the instructions are further executable to:
    - allow the authentication request to call the authentication API.
  - 4. The authenticating device of claim 1, wherein the agent module also sends the authentication request to the central server for centralized blocking rule creation, wherein if an authentication request is blocked then a message is sent to the central server for centralized reporting or alerting IT personnel about blocked operations.
  - 5. The authenticating device of claim 1, wherein the authentication API is a Kerberos protocol API or NT LAN Manager (NTLM) protocol API in a Microsoft Windows environment.
  - 6. The authenticating device of claim 1, wherein the instructions are further executable to determine that a Kerberos ticket contains a maximum lifetime for user ticket or a maximum lifetime for user ticket renewal with a value above a value specified by the blocking rules.
  - 7. The authenticating device of claim 1, wherein the blocking rules instruct the authenticating device to block the authentication request based on a security principle initiating the authentication request, a calling device initiating the authentication request or a resource that the authentication request is seeking to access.
  - 8. The authenticating device of claim 1, wherein when the blocking rules instruct the authenticating device to block the authentication request, the instructions are further executable to:
    - cause a lower level API to return a reserved value to an upper level API, wherein the reserved value causes the upper level API to return an access denied signal to the authentication request, and wherein the reserved value is not used in native operation of the authentication API.
  - 9. The authenticating device of claim 1, wherein the authentication request data comprises at least one element selected from the group consisting of:
    - a user identification, a timestamp of the authentication request, a calling device identification, an authenticating device identification, a target network resource being requested and a type of access being requested.
  - 10. The authenticating device of claim 1, wherein the type of access being requested indicates that a calling device is attempting to access files on a network share, map a drive to the network share, initiate a remote desktop protocol (RDP) session to another computer, or access the registry of another computer.

11. A method for network authentication by an authenticating device, comprising:
- intercepting, at the authenticating device, an authentication request sent to an authentication application program interface (API), wherein the authenticating device comprises a domain controller configured with the authentication API and an agent module,wherein the agent module comprises;
  
  a hook that intercepts the authentication request;
  
  data collection rules that are used to determine what authentication request data to scrape from the intercepted authentication request; and
  
  filter rules that filter the authentication request data that is sent to a central server;
  
  sending, from the authenticating device, the authentication request to the central server to identify malicious activity patterns of authentication activity spanning across a plurality of authenticating devices in a network environment; and
  
  determining, at the authenticating device, whether to block an invocation of the authentication API based on blocking rules received from the central server,wherein the agent module determines, for every authentication request intercepted in the authenticating device, whether to block a respective authentication request from invoking the authentication API without waiting for a response from the central server for the respective authentication request.

12. A central server, comprising:
- a processor;
  
  a memory in electronic communication with the processor;
  
  instructions stored in the memory, the instructions being executable to;
  
  receive filtered authentication data from a first authenticating device that comprises a domain controller configured with an authentication API and an agent module, wherein the agent module comprises;
  
  a hook that intercepts an authentication request;
  
  data collection rules that are used to determine what authentication request data to scrape from the intercepted authentication request; and
  
  filter rules that filter the authentication request data to produce the filtered authentication data that is received by the central server;
  
  wherein, for every transmission of filtered authentication data received by the central server from the first authenticating device, the central server responds to the first authenticating device after the first authenticating device determines, using blocking rules locally stored at the first authenticating device, whether to block an authentication request associated with a respective transmission from invoking the authentication API in the first authenticating device;
  
  identify malicious activity patterns of authentication activity spanning across a plurality of authenticating devices in a network environment;
  
  determine updated blocking rules based on identified malicious activity patterns, wherein the updated blocking rules instruct the first authenticating device about which authentication requests to block from invoking the authentication application program interface (API); and
  
  send the updated blocking rules to the first authenticating device.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20, 21)
- - 13. The central server of claim 12, wherein identifying malicious activity patterns comprises determining that a specified count of repeated failed authentications reported by one or more authenticating devices in a specified time period exceeds a certain threshold.
  - 14. The central server of claim 12, wherein identifying malicious activity patterns comprises determining that a specified count of repeated failed logins against a given authenticating device in a specified time period exceeds a certain threshold.
  - 15. The central server of claim 12, wherein identifying malicious activity patterns comprises determining that a specified count of user account authentications across multiple network assets in a specified time period exceeds a certain threshold.
  - 16. The central server of claim 12, wherein identifying malicious activity patterns comprises identifying attempted use of a nonexistent user name on one or more authenticating devices in the network environment.
  - 17. The central server of claim 12, wherein identifying malicious activity patterns comprises determining that at least a specified count of failed authentications for a given security principle due to a bad password followed by a successful authentication in a specified time has occurred.
  - 18. The central server of claim 12, wherein identifying malicious activity patterns comprises determining that a same security principle is authenticated from more than specified network locations in a specified time frame.
  - 19. The central server of claim 12, wherein identifying malicious activity patterns comprises determining that multiple authenticated accounts originate from a single system.
  - 20. The central server of claim 12, wherein the blocking rules instruct an authenticating device to block an authentication request based on a security principle initiating the authentication request, a calling device initiating the authentication request or a resource that the authentication request is seeking to access.
  - 21. The central server of claim 12, wherein the instructions are further executable to:
    - send data collection rules to one or more authenticating devices indicating authentication request data to be collected; and
      
      send filter rules to one or more authenticating devices indicating how to filter the authentication request data that is sent to the central server.

22. A method by a central server, comprising:
- receiving filtered authentication data from a first authenticating device that comprises a domain controller configured with an authentication API and an agent module, wherein the agent module comprises;
  
  a hook that intercepts an authentication request;
  
  data collection rules that are used to determine what authentication request data to scrape from the intercepted authentication request; and
  
  filter rules that filter the authentication request data to produce the filtered authentication data that is received by the central server;
  
  wherein, for every transmission of filtered authentication data received by the central server from the first authenticating device, the central server responds to the first authenticating device after the first authenticating device determines, using blocking rules locally stored at the first authenticating device, whether to block an authentication request associated with a respective transmission from invoking the authentication API in the first authenticating device;
  
  identifying malicious activity patterns of authentication activity spanning across a plurality of authenticating devices in a network environment;
  
  determining updated blocking rules based on identified malicious activity patterns, wherein the updated blocking rules instruct the first authenticating device about which authentication requests to block from invoking the authentication application program interface (API); and
  
  sending the updated blocking rules to the first authenticating device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Stealthbits Technologies
Original Assignee
Stealthbits Technologies, Inc. (Netwrix Corp.)
Inventors
Sarra, Anthony Nicholas
Primary Examiner(s)
Pyzocha, Michael

Application Number

US15/142,976
Time in Patent Office

550 Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/0263   Rule management

H04L 63/083   using passwords cryptograph...

H04L 63/102   Entity profiles

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1441   Countermeasures against mal...

H04L 63/20   for managing network securi...

Systems and methods for detecting and blocking malicious network activity

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for detecting and blocking malicious network activity

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links