TECHNIQUES FOR CREDENTIAL STRENGTH ANALYSIS VIA FAILED INTRUDER ACCESS ATTEMPTS

US 20090172788A1
Filed: 12/27/2007
Published: 07/02/2009
Est. Priority Date: 12/27/2007
Status: Active Grant

First Claim

Patent Images

1. A machine-implemented method, comprising:

detecting that a failed authentication to a secure network has occurred;

acquiring a failed credential used in the failed authentication from an authentication service;

determining when the failed credential falls within a defined threshold of tolerance;

recording the failed credential in a failed credential store when the failed credential falls outside the defined threshold of tolerance; and

using the failed credential and the failed credential store to resolve a strength attribute associated with one or more existing valid credentials that properly authenticate to the secure network.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques for credential strength analysis via failed intruder access attempts are presented. Intruders attempting to access a secure network with failed credentials are monitored. The failed credentials are retained and evaluated in view of previously recorded failed credentials. Credential policy is updated in response to the evaluation and intruder trends and sophistication levels are also predicted in response to the evaluation.

145 Citations

24 Claims

1. A machine-implemented method, comprising:
- detecting that a failed authentication to a secure network has occurred;
  
  acquiring a failed credential used in the failed authentication from an authentication service;
  
  determining when the failed credential falls within a defined threshold of tolerance;
  
  recording the failed credential in a failed credential store when the failed credential falls outside the defined threshold of tolerance; and
  
  using the failed credential and the failed credential store to resolve a strength attribute associated with one or more existing valid credentials that properly authenticate to the secure network.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein determining further includes:
    - retrieving an identifier used with the failed credential;
      
      acquiring an existing valid credential for the identifier;
      
      calculating a numeric distance between the failed credential and the existing valid credential; and
      
      resolving whether the failed credential falls within the defined threshold of tolerance by comparing the numeric distance against the defined threshold of tolerance.
  - 3. The method of claim 2, wherein calculating further includes processing a Levenstein distance algorithm using the failed credential as one parameter to the algorithm and the existing valid credential as another parameter to the algorithm to obtain the numeric distance.
  - 4. The method of claim 1, wherein recording further includes:
    - determining that the failed credential already exists in the failed credential store; and
      
      updating a rank value associated with the failed credential in the failed credential store.
  - 5. The method of claim 1, wherein recording further includes, retaining an Internet Protocol (IP) address associated with a resource that supplied the failed credential with the failed credential in the failed credential store.
  - 6. The method of claim 1, wherein recording further includes, comparing a pattern of the failed credential to existing patterns associated with previous failed intruder attempts to access the secure network and when a match occurs updating a ranking associated with the pattern in the failed credential store, and wherein the failed credential store includes the existing patterns and existing rankings.
  - 7. The method of claim 1, wherein using further includes incrementing a frequency counter associated with a particular identifier used with the failed credential when the failed credential falls outside the defined threshold of tolerance and comparing the frequency counter to a policy to predict when an intruder may gain access to a legitimate credential for the particular identifier and thereby gain access to the secure network.

8. A machine-implemented method, comprising:
- determining a failed password supplied with a user identification in an attempt to access a secure resource originates from an intruder;
  
  analyzing the failed password in view of previous failed passwords and previous patterns associated with those failed passwords; and
  
  updating intruder detection metrics in response to the analysis.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The method of claim 8, wherein determining further includes evaluating the failed password and determining that the failed password was associated with a legitimate user, to which the user identification is associated, who mistyped the failed password inadvertently.
  - 10. The method of claim 8, wherein determining further includes matching the failed password to one of the previously failed passwords to resolve the intruder.
  - 11. The method of claim 8, wherein analyzing further includes deriving a failed password pattern and matching it with one of the previous patterns and in response thereto incrementing a counter associated with the user identification, wherein a policy determines when a value for the counter indicates that a legitimate password for a valid user who is associated with the user identification is to be changed to avoid subsequent detecting by the intruder.
  - 12. The method of claim 8, analyzing further includes updating rankings associated with the previous patterns in response to a failed password pattern derived from the failed password.
  - 13. The method of claim 8, wherein analyzing further includes assigning a complexity value to a pattern derived from the failed password in response to components of the pattern, and wherein the complexity value is compared to previous complexity values associated with the previous patterns to determine whether sophistication of the intruder is improving or not.
  - 14. The method of claim 8, wherein updating further includes recording an Internet Protocol (IP) address associated with the failed password in the intruder detection metrics to block subsequent login attempts that originate from that IP address.

15. A system, comprising:
- an authentication service implemented in a machine-accessible and computer-readable medium and that executes on a machine;
  
  the credential analysis service implemented in a machine-accessible and computer-readable medium and to process on the machine or a different machine;
  
  wherein the authentication service is to supply a failed credential, which is associated with a legitimate resource identifier, to the credential analysis service when a requesting resource attempts to use the failed credential under the guise of the legitimate resource identifier for purposes of accessing a secure network, and wherein the credential analysis service is to determine when the requesting resource is an intruder and when the intruder is detected, the credential analysis service acquires metrics associated with the failed credential and its usage by the intruder and updates an intruder data store, and wherein the credential analysis service evaluates the data store having other metrics associated with other failed credentials and other intruders for purposes of adjusting strength values for legitimate credentials used in the secure network and for purposes of adjusting a policy that is associated with intruder trends.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The system of claim 15, wherein the failed credential is one of the following:
    - a password, a digital certificate, an authentication token, and an access assertion.
  - 17. The system of claim 15, wherein the credential analysis service processes a Levenstein distance algorithm with the failed credential and a proper credential for the legitimate resource identifier to determine whether the requesting resource is the intruder.
  - 18. The system of claim 15, wherein the credential analysis service acquires the metrics as a time the intruder attempted access with the failed credential, an Internet Protocol (IP) address used by the intruder, a pattern derived from the failed credential, a complexity value associated with the pattern, and an indication as to a frequency with which the failed password has been used before in previous attempts to gain unauthorized access to the secure network.
  - 19. The system of claim 18, wherein the credential analysis service decreases particular strength values for particular legitimate credentials when legitimate patterns for those particular legitimate credentials match a pattern for the failed credential.
  - 20. The system of claim 18, wherein the credential analysis service ranks a complexity value for a pattern of the failed credential against other complexity values in the other metrics to determine whether a particular trend shows that attacks on the secure network are getting increasingly more sophisticated.

21. A system, comprising:
- a password service implemented in a machine-accessible and computer-readable medium and is to process on a machine; and
  
  a intruder analysis service implemented in a machine-accessible and computer-readable medium and is to process on the machine or a different machine;
  
  wherein the password service supplies a failed password and user identifier received from a requesting user, who is attempting to login to a secure network, to the intruder analysis service, and wherein the intruder analysis service is to evaluate the failed password, in view of a data store of failed passwords historically maintained for previously failed passwords used to attempt access into the secure network, for purposes of adjusting password policy for the secure network.
- View Dependent Claims (22, 23, 24)
- - 22. The system of claim 21, wherein the intruder analysis service determines whether a pattern associated with the failed password matches known patterns used by intruders and when a match occurs rankings associated with the known patterns are updated.
  - 23. The system of claim 22, wherein the intruder analysis service uses the pattern to derive a complexity value for the failed password and compares that complexity value against other complexity values for the known patterns to determine whether attacks on the network are getting more sophisticated.
  - 24. The system of claim 23, wherein the intruder analysis service predicts a projected time that an intruder may compromise a valid password for a valid user, the valid user is associated with the user identifier, and wherein the intruder analysis service updates the policy to cause the valid user to be notified that the valid password should be changed to avoid it being compromised in the future.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Apple Inc.
Original Assignee
Apple Inc.
Inventors
Vedula, Srinivas, Morris, Cameron Craig

Granted Patent

US 8,412,931 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/5
CPC Class Codes

H04L 63/08 for authentication of entit...

H04L 63/1441 Countermeasures against mal...

TECHNIQUES FOR CREDENTIAL STRENGTH ANALYSIS VIA FAILED INTRUDER ACCESS ATTEMPTS

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

145 Citations

24 Claims

Specification

Use Cases

Quick Links

Others

TECHNIQUES FOR CREDENTIAL STRENGTH ANALYSIS VIA FAILED INTRUDER ACCESS ATTEMPTS

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

145 Citations

24 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others