Security attack detection and defense
Abstract
Detecting an attack on an authentication service. A first memory area is configured to store data relating to a plurality of requests communicated to an authentication service from a plurality of user agents. A second memory area is configured to store a predefined pattern of one or more requests. The predefined pattern characterizes an attack. A processor searches the stored data as a function of a query variable to identify at least one of the plurality of the requests communicated from at least one of the plurality of the user agents and compares the stored data associated with each of the identified requests with the predefined pattern to determine whether the identified request indicates the attack characterized by the predefined pattern. Other aspects of the invention are directed to computer-readable media for use with detecting the attack on the authentication service.
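The flow the abstract describes (store request data, search it by a query variable, compare the result with a predefined pattern), as an added sketch that is not code from the patent. The table and column names, the two patterns and their thresholds, and the sample rows are assumptions made for illustration; it also keeps a keyed digest of each failed password rather than the password itself, which is a substitution made here and not what the claims recite.

```python
import hashlib
import hmac
import sqlite3

DIGEST_KEY = b"constructed-example-key"  # assumption: a real key comes from a secret store

# Hypothetical predefined patterns, keyed by query variable:
# (column whose distinct values are counted, threshold, what the pattern suggests)
PATTERNS = {
    "network_address": ("login_id", 3, "many accounts tried from one address"),
    "login_id": ("pw_digest", 3, "many passwords tried against one account"),
}

# Constructed sample requests: (ts, login_id, network_address, password, success)
SAMPLE = [
    (100, "alice", "203.0.113.7", "spring2024", False),
    (101, "bob", "203.0.113.7", "spring2024", False),
    (102, "carol", "203.0.113.7", "spring2024", False),
    (103, "dave", "198.51.100.4", "hunter2", False),
    (104, "dave", "198.51.100.9", "hunter3", False),
    (105, "dave", "198.51.100.4", "hunter4", False),
    (106, "erin", "192.0.2.10", "correct-horse", True),
    (107, "erin", "192.0.2.10", "typo", False),
]

def record_request(db, ts, login_id, network_address, password, success):
    """Store login id and address always; password material only on failure."""
    digest = None
    if not success:
        digest = hmac.new(DIGEST_KEY, password.encode(), hashlib.sha256).hexdigest()
    db.execute("INSERT INTO requests VALUES (?, ?, ?, ?, ?)",
               (ts, login_id, network_address, int(success), digest))

def load_sample():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE requests (ts INTEGER, login_id TEXT, "
               "network_address TEXT, success INTEGER, pw_digest TEXT)")
    for row in SAMPLE:
        record_request(db, *row)
    return db

def detect(db, query_variable, since_ts=0):
    """Group failed requests by the query variable and compare to its pattern."""
    # Allow-list lookup: only the column names in PATTERNS ever reach the SQL text.
    counted, threshold, label = PATTERNS[query_variable]
    sql = (f"SELECT {query_variable}, COUNT(DISTINCT {counted}) FROM requests "
           f"WHERE success = 0 AND ts >= ? GROUP BY {query_variable} "
           f"HAVING COUNT(DISTINCT {counted}) >= ? ORDER BY {query_variable}")
    return [(value, n, label) for value, n in db.execute(sql, (since_ts, threshold))]
```

Calling `detect(load_sample(), "network_address")` groups by source address, and `detect(load_sample(), "login_id")` groups by account; `since_ts` narrows the search window.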
38 Claims
1. A method of detecting an attack on an authentication service, said method comprising:
- storing data relating to a plurality of authentication requests communicated to an authentication service from a plurality of user agents via a data communication network, said requests each including a login identifier, a network address from which the request was communicated, and a password, and wherein storing the data relating to the requests comprises storing the login identifier and network address and storing the password of each of the requests in a database of the authentication service only if the request is unsuccessful;
- searching the stored data based on a query variable to identify a plurality of the requests communicated from at least one of the plurality of the user agents,
- comparing the stored data associated with the identified requests with a predefined pattern characterizing an attack based on the stored data of the identified requests to determine when the identified requests indicate the characterized attack on the authentication service; and
- detecting the attack in response to determining that the identified requests indicate the characterized attack.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14
15. A system of detecting an attack on an authentication service, said system comprising:
- a first memory area to store data relating to a plurality of authentication requests communicated to an authentication service from a plurality of user agents via a data communication network, said data being stored in the first memory area as a log of the authentication service, wherein each of the requests communicated to the authentication service includes a login identifier, a network address from which the request was communicated, and a password and wherein the stored data contains the login identifier and the network address and contains the password of each of the requests only if the request is unsuccessful, and wherein said first memory area is a database of the authentication service;
- a second memory area to store a predefined pattern of a plurality of requests, said predefined pattern characterizing an attack on the authentication service; and
- a processor configured to execute computer-executable instructions to:
  - search the stored data as a function of a query variable to identify a plurality of the requests communicated from at least one of the plurality of the user agents,
  - compare the stored data associated with each of the identified requests with the predefined pattern,
  - determine whether the identified requests indicate the attack characterized by the predefined pattern, and
  - detect the attack in response to determining that the identified requests indicate the attack characterized by the predefined pattern.
Dependent claims: 16, 17, 18, 19, 20, 21, 22, 23
24. A user authentication system, said system receiving a plurality of authentication requests communicated from a plurality of user agents, each of said requests including a login identifier, a network address from which the request was communicated, and a password associated therewith, said system comprising:
- a first memory area to store data relating to a plurality of unsuccessful requests communicated from the plurality of user agents, wherein the stored data includes the login identifier and the network address and includes the password of each of the unsuccessful requests communicated from the plurality of user agents and does not include the password of any successful requests, wherein the first memory area is a database of the user authentication service;
- a second memory area to store a predefined pattern of a plurality of requests, said predefined pattern characterizing an attack based on the stored data of each of the plurality of requests; and
- a processor configured to execute computer-executable instructions to:
  - search the stored data based on a query variable to generate a result set that identifies a plurality of the requests communicated from at least one of the plurality of the user agents,
  - compare each of the identified requests with the predefined pattern to determine if the characterized attack has occurred, and
  - detect the attack in response to determining that the characterized attack has occurred.
Dependent claims: 25, 26, 27, 28, 29, 30
31. One or more computer-readable storage media having computer-executable components for detecting an attack on an authentication service, said authentication service receiving a plurality of authentication requests communicated from a plurality of user agents via a data communication network, each of said requests including a login identifier, a network address from which the request was communicated, and a password associated therewith, said computer-readable media comprising:
- a memory component to store data relating to a plurality of unsuccessful requests communicated to the authentication service from the plurality of user agents, wherein the stored data includes the login identifier and the network address, and includes the password of each of the unsuccessful requests communicated to the authentication service and does not include the password of any successful requests, wherein said memory component comprises a database of the authentication service,
- a query component to search the stored data as a function of a query variable to identify a plurality of the requests communicated from at least one of the plurality of the user agents, and
- an analyzing component to compare the stored data associated with each of the identified requests with a predefined pattern characterizing an attack based on the stored data of each of the identified requests to determine when the identified request indicates the characterized attack on the authentication service and to detect the attack on the authentication service in response to determining that the identified request indicates the characterized attack.
Dependent claims: 32, 33, 34, 35, 36, 37, 38
Specification