Security attack detection and defense

US 7,523,499 B2
Filed: 03/25/2004
Issued: 04/21/2009
Est. Priority Date: 03/25/2004
Status: Active Grant

First Claim

Patent Images

1. A method of detecting an attack on an authentication service, said method comprising:

storing data relating to a plurality of authentication requests communicated to an authentication service from a plurality of user agents via a data communication network, said requests each including a login identifier, a network address from which the request was communicated, and a password, and wherein storing the data relating to the requests comprises storing the login identifier and network address and storing the password of each of the requests in a database of the authentication service only if the request is unsuccessful;

searching the stored data based on a query variable to identify a plurality of the requests communicated from at least one of the plurality of the user agents,comparing the stored data associated with the identified requests with a predefined pattern characterizing an attack based on the stored data of the identified requests to determine when the identified requests indicate the characterized attack on the authentication service; and

detecting the attack in response to determining that the identified requests indicate the characterized attack.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Detecting an attack on an authentication service. A first memory area is configured to store data relating to a plurality of requests communicated to an authentication service from a plurality of user agents. A second memory area is configured to store a predefined pattern of one or more requests. The predefined pattern characterizes an attack. A processor searches the stored data as a function of a query variable to identify at least one of the plurality of the requests communicated from at least one of the plurality of the user agents and compares the stored data associated with each of the identified requests with the predefined pattern to determine whether the identified request indicates the attack characterized by the predefined pattern. Other aspects of the invention are directed to computer-readable media for use with detecting the attack on the authentication service.

67 Citations

View as Search Results

38 Claims

1. A method of detecting an attack on an authentication service, said method comprising:
- storing data relating to a plurality of authentication requests communicated to an authentication service from a plurality of user agents via a data communication network, said requests each including a login identifier, a network address from which the request was communicated, and a password, and wherein storing the data relating to the requests comprises storing the login identifier and network address and storing the password of each of the requests in a database of the authentication service only if the request is unsuccessful;
  
  searching the stored data based on a query variable to identify a plurality of the requests communicated from at least one of the plurality of the user agents,comparing the stored data associated with the identified requests with a predefined pattern characterizing an attack based on the stored data of the identified requests to determine when the identified requests indicate the characterized attack on the authentication service; and
  
  detecting the attack in response to determining that the identified requests indicate the characterized attack.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The method of claim 1, wherein said storing the data relating to the plurality of the requests comprises storing one or more of the following:
    - a credential type of the one of the plurality of the requests;
      
      a user account associated with the one of the plurality of the requests;
      
      a status of the one of the plurality of the requests;
      
      a time stamp indicating a date and time of the one of the plurality of the requests;
      
      a type of interface from which the one of the plurality of the requests is communicated; and
      
      the user agent from which the one of the plurality of the requests is communicated.
  - 3. The method of claim 2, wherein said status of the one of the plurality of the requests comprises one of more of the following:
    - the one of the plurality of the requests is successful;
      
      the one of the plurality of the requests is unsuccessful; and
      
      the user account associated with the one of the plurality of the requests has been locked.
  - 4. The method of claim 1, wherein said comparing the stored data associated with each of the identified requests with the predefined pattern comprises comparing the stored data with a pattern characterized by one or more of the following:
    - using a single password to unsuccessfully attempt at least a predetermined quantity of requests on multiple user accounts within a predefined time interval;
      
      using the single password to unsuccessfully attempt at least the predetermined quantity of the requests from a single network address on the multiple user accounts within the predefined time interval; and
      
      unsuccessfully attempting at least the predetermined quantity of the requests from the single network address within the predefined time interval.
  - 5. The method of claim 1, wherein said comparing the stored data associated with each of the identified requests with the predefined pattern comprises comparing the stored data with a pattern characterized by one or more of the following:
    - using multiple passwords to unsuccessfully attempt at least a predetermined quantity of requests on a single user account within a predefined time interval;
      
      using the multiple passwords to unsuccessfully attempt at least the predetermined quantity of the requests from a single network address on the single user account within the predefined time interval; and
      
      unsuccessfully attempting at least the predetermined quantity of the requests on the single user account within the predefined time interval.
  - 6. The method of claim 1, wherein said comparing the stored data associated with each of the identified requests with the predefined pattern comprises comparing the stored data with a pattern characterized by one or more of the following:
    - a single password to unsuccessfully attempt at least a predetermined quantity of requests from multiple network addresses on a single user account within a predefined time interval; and
      
      unsuccessfully attempting at least the predetermined quantity of the requests from the multiple network addresses on the single user account.
  - 7. The method of claim 1, further comprising generating a report in response to detecting the attack, said report providing information regarding the attack for use in defending against the attack.
  - 8. The method of claim 1, further comprising remedying the attack in response to detecting the attack.
  - 9. The method of claim 1, wherein said remedying the attack comprises performing one or more of the following:
    - locking a user account associated with one of the plurality of the requests;
      
      blocking a network address from which the one of the plurality of the requests is communicated;
      
      implementing a human interaction proof on the authentication service;
      
      prompting a user to change a password associated with the user account; and
      
      limiting a quantity of allowed unsuccessful requests to a predetermined quantity within a predefined time interval for the network address from which the one of the plurality of the requests is communicated.
  - 10. The method of claim 1, wherein the plurality of the requests comprises one or more of the following types of requests:
    - authentication, registration, and password-reset;
      
      wherein one of the plurality of the requests is communicated via a human interaction proof; and
      
      wherein said storing the data relating to the plurality of the requests comprises storing one or more of the following;
      
      a network address from which the one of the plurality of the requests is communicated, a process where the human interaction proof is implemented, a time stamp indicating a date and time of the one of the plurality of the requests, and the user agent from which the one of the plurality of the requests is communicated.
  - 11. The method of claim 10, wherein said comparing the stored data associated with each of the identified requests with the predefined pattern comprises comparing the stored data with a pattern characterized by one or more of the following:
    - using multiple test strings to unsuccessfully attempt at least a predetermined quantity of requests on a single human interaction proof string within a predefined time interval; and
      
      using a single test string to unsuccessfully attempt at least the predetermined quantity of the requests on multiple human interaction proof strings within the predefined time interval.
  - 12. The method of claim 1, wherein said comparing the stored data associated with each of the identified requests with a predefined pattern comprises:
    - comparing historical data relating to the authentication service with the stored data, andin response to said comparing, determining if the stored data deviates from the historical data to determine if the attack on the authentication service has occurred.
  - 13. The method of claim 1, wherein said searching the stored data to identify a plurality of the requests comprises searching the stored data to generate a result set based on one or more of the following query variables:
    - a network address that communicates a request, a quantity of user accounts for which access has been attempted, a password associated with a failed request, a quantity of failed requests for one or more user accounts, a quantity of requests for one or more user accounts, and a time interval during which one or more requests are communicated;
      
      wherein the result set identifies the stored data relating to one or more requests that correspond to the query variables.
  - 14. The method of claim 1, wherein one or more computer-readable storage media have computer-executable instructions for performing the method recited in claim 1.

15. A system of detecting an attack on an authentication service, said system comprising:
- a first memory area to store data relating to a plurality of authentication requests communicated to an authentication service from a plurality of user agents via a data communication network, said data being stored in the first memory area as a log of the authentication service, wherein each of the requests communicated to the authentication service includes a login identifier, a network address from which the request was communicated, and a password and wherein the stored data contains the login identifier and the network address and contains the password of each of the requests only if the request is unsuccessful, and wherein said first memory area is a database of the authentication service;
  
  a second memory area to store a predefined pattern of a plurality of requests, said predefined pattern characterizing an attack on the authentication service; and
  
  a processor configured to execute computer-executable instructions to;
  
  search the stored data as a function of a query variable to identify a plurality of the requests communicated from at least one of the plurality of the user agents,compare the stored data associated with each of the identified requests with the predefined pattern,determine whether the identified requests indicate the attack characterized by the predefined pattern, anddetect the attack in response to determining that the identified requests indicate the attack characterized by the predefined pattern.
- View Dependent Claims (16, 17, 18, 19, 20, 21, 22, 23)
- - 16. The system of claim 15, wherein the stored data comprises one or more of the following:
    - a credential type of the one of the plurality of the requests;
      
      a user account associated with the one of the plurality of the requests;
      
      a failed password associated with the one of the plurality of the requests;
      
      a status of the one of the plurality of the requests;
      
      a time stamp indicating a date and time of the one of the plurality of the requests;
      
      a type of interface from which the one of the plurality of the requests is communicated; and
      
      the user agent from which the one of the plurality of the requests is communicated.
  - 17. The system of claim 15, wherein said predefined pattern is characterized by one or more of the following:
    - using a single password to unsuccessfully attempt a quantity of requests on multiple user accounts within a predefined time interval;
      
      using the single password to unsuccessfully attempt the quantity of the requests from a single network address on the multiple user accounts within the predefined time interval; and
      
      unsuccessfully attempting the quantity of the requests from the single network address within the predefined time interval.
  - 18. The system of claim 15, wherein said predefined pattern is characterized by one or more of the following:
    - using multiple passwords to unsuccessfully attempt a quantity of requests on a single user account within a predefined time interval;
      
      using the multiple passwords to unsuccessfully attempt the quantity of the requests from a single network address on the single user account within the predefined time interval;
      
      unsuccessfully attempting the quantity of the requests on the single user account within the predefined time interval;
      
      using a single password to unsuccessfully attempt a quantity of requests from multiple network addresses on a single user account within a predefined time interval; and
      
      using the multiple network addresses to unsuccessfully attempt the quantity of the requests on the single user account.
  - 19. The system of claim 15, wherein the processor is configured to search the stored data to identify a plurality of the requests by generating a result set based on one or more of the following query variables:
    - a network address that communicates a request, a quantity of user accounts for which access has been attempted, a password associated with a failed request, a quantity of failed requests for one or more user accounts, a quantity of requests for one or more user accounts, and a time interval during which one or more requests are communicated;
      
      wherein the result set identifies the stored data relating to one or more requests that correspond to the query variables.
  - 20. The system of claim 15, wherein the processor is further configured to generate a report in response to detecting the attack, said report providing information regarding the characterized attack for use in defending against the attack.
  - 21. The system of claim 15, wherein the processor is further configured to remedy the characterized attack in response to detecting the attack.
  - 22. The system of claim 15, wherein the plurality of the requests comprises one or more of the following types of requests:
    - authentication, registration, and password-reset;
      
      wherein one of the plurality of the requests is communicated via a human interaction proof; and
      
      wherein the stored data comprises one or more of the following;
      
      a network address from which the one of the plurality of the requests is communicated, a process where the human interaction proof is implemented, a time stamp indicating a date and time of the one of the plurality of the requests, and the user agent from which the one of the plurality of the requests is communicated.
  - 23. The system of claim 22, wherein said predefined pattern is characterized by one or more of the following:
    - using multiple test strings to unsuccessfully attempt a quantity of requests on a single human interaction proof string within a predefined time interval; and
      
      using a single test string to attempt unsuccessfully the quantity of the requests on multiple human interaction proof strings within the predefined time interval.

24. A user authentication system, said system receiving a plurality of authentication requests communicated from a plurality of user agents, each of said requests including a login identifier, a network address from which the request was communicated, and a password associated therewith, said system comprising:
- a first memory area to store data relating to a plurality of unsuccessful requests communicated from the plurality of user agents, wherein the stored data includes the login identifier and the network address and includes the password of each of the unsuccessful requests communicated from the plurality of user agents and does not include the password of any successful requests, wherein the first memory area is a database of the user authentication service;
  
  a second memory area to store a predefined pattern of a plurality of requests, said predefined pattern characterizing an attack based on the stored data of each of the plurality of requests; and
  
  a processor configured to execute computer-executable instructions to;
  
  search the stored data based on a query variable to generate a result set that identifies a plurality of the requests communicated from at least one of the plurality of the user agents,compare each of the identified requests with the predefined pattern to determine if the characterized attack has occurred, anddetect the attack in response to determining that the characterized attack has occurred.
- View Dependent Claims (25, 26, 27, 28, 29, 30)
- - 25. The system of claim 24, wherein the stored data comprises one or more of the following:
    - a credential type of the one of the plurality of the requests;
      
      a user account associated with the one of the plurality of the requests;
      
      a failed password associated with the one of the plurality of the requests;
      
      a status of the one of the plurality of the requests;
      
      a time stamp indicating a date and time of the one of the plurality of the requests;
      
      a type of interface from which the one of the plurality of the requests is communicated; and
      
      a user agent from which the one of the plurality of the requests is communicated.
  - 26. The system of claim 24, wherein said predefined pattern is characterized by one or more of the following:
    - using a single password to unsuccessfully attempt at least a predetermined quantity of requests on multiple user accounts within a predefined time interval;
      
      using the single password to unsuccessfully attempt at least the predetermined quantity of the requests from a single network address on the multiple user accounts within the predefined time interval; and
      
      unsuccessfully attempting at least the predetermined quantity of the requests from the single network address within the predefined time interval.
  - 27. The system of claim 24, wherein the processor is further configured to generate a report in response to detecting the attack, said report providing information regarding the characterized attack for use in defending against the attack.
  - 28. The system of claim 24, wherein the processor is further configured to remedy the characterized attack if the characterized attack is determined to have occurred.
  - 29. The system of claim 24, wherein the plurality of the requests comprises one or more of the following types of requests:
    - authentication, registration, and password-reset;
      
      wherein one of the plurality of the requests is communicated via a human interaction proof; and
      
      wherein said predefined pattern is characterized by one or more of the following;
      
      using multiple test strings to unsuccessfully attempt at least a predetermined quantity of requests on a single human interaction proof string within a predefined time interval, and using a single test string to unsuccessfully attempt at least the predetermined quantity of the requests on multiple human interaction proof strings within the predefined time interval.
  - 30. The system of claim 24, further comprising means for determining if the stored data associated with one or more of the plurality of the requests matches the predefined pattern.

31. One or more computer-readable storage media having computer-executable components for detecting an attack on an authentication service, said authentication service receiving a plurality of authentication requests communicated from a plurality of user agents via a data communication network, each of said requests including a login identifier, a network address from which the request was communicated, and a password associated therewith, said computer-readable media comprising:
- a memory component to store data relating to a plurality of unsuccessful requests communicated to the authentication service from the plurality of user agents, wherein the stored data includes the login identifier and the network address, and includes the password of each of the unsuccessful requests communicated to the authentication service and does not include the password of any successful requests, wherein said memory component comprises a database of the authentication service,a query component to search the stored data as a function of a query variable to identify a plurality of the requests communicated from at least one of the plurality of the user agents, andan analyzing component to compare the stored data associated with each of the identified requests with a predefined pattern characterizing an attack based on the stored data of each of the identified requests to determine when the identified request indicates the characterized attack on the authentication service and to detect the attack on the authentication service in response to determining that the identified request indicates the characterized attack.
- View Dependent Claims (32, 33, 34, 35, 36, 37, 38)
- - 32. The computer-readable storage media of claim 31, wherein the stored data comprises one or more of the following information:
    - a credential type of the one of the plurality of the requests;
      
      a user account associated with the one of the plurality of the requests;
      
      a failed password associated with the one of the plurality of the requests;
      
      a status of the one of the plurality of the requests;
      
      a time stamp indicating a date and time of the one of the plurality of the requests;
      
      a type of interface from which the one of the plurality of the requests is communicated; and
      
      the user agent from which the one of the plurality of the requests is communicated.
  - 33. The computer-readable storage media of claim 31, wherein said predefined pattern is characterized by one or more of the following:
    - using a single password to unsuccessfully attempt a quantity of requests on multiple user accounts within a predefined time interval;
      
      using the single password to unsuccessfully attempt the quantity of the requests from a single network address on the multiple user accounts within the predefined time interval; and
      
      unsuccessfully attempting the quantity of the requests from the single network address within the predefined time interval.
  - 34. The computer-readable storage media of claim 31, further comprising a report component to generate a report in response to detecting the attack, said report providing information regarding the attack for use in defending against the attack.
  - 35. The computer-readable storage media of claim 31, further comprising a defense component to remedy the characterized attack in response to detecting the attack.
  - 36. The computer-readable storage media of claim 35, wherein said defense component is adapted to remedy the characterized attack by performing one or more of the following in response to detecting the attack:
    - locking a user account associated with one of the plurality of the requests;
      
      blocking a network address from which the one of the plurality of the requests is communicated;
      
      implementing a human interaction proof on the authentication service;
      
      prompting a user to change a password associated with the user account; and
      
      limiting a quantity of allowed unsuccessful requests to a predetermined quantity within a predefined time interval for the network address from which the one of the plurality of the requests is communicated.
  - 37. The computer-readable storage media of claim 31, wherein the plurality of the requests comprises one or more of the following types of requests:
    - authentication, registration, and password-reset;
      
      wherein one of the plurality of the requests is communicated via a human interaction proof; and
      
      wherein said predefined pattern is characterized by one or more of the following;
      
      using multiple test strings to unsuccessfully attempt a quantity of requests on a single human interaction proof string within a predefined time interval, and using a single test string to unsuccessfully attempt the quantity of the requests on multiple human interaction proof strings within the predefined time interval.
  - 38. The computer-readable storage media of claim 31, wherein the query component is adapted to search the stored data to identify a plurality of the requests by generating a result set based on one or more of the following query variables:
    - a network address that communicates a request, a quantity of user accounts for which access has been attempted, a password associated with a failed request, a quantity of failed requests for one or more user accounts, a quantity of requests for one or more user accounts, and a time interval during which one or more requests are communicated; and
      
      wherein the result set identifies the stored data relating to one or more requests that match the query variables.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Back, Adam, Wilkins, Jonathan, Gjonej, Gerard
Primary Examiner(s)
LAFORGIA, CHRISTIAN A

Application Number

US10/809,111
Publication Number

US 20050216955A1
Time in Patent Office

1,853 Days
Field of Search

None
US Class Current

726/23
CPC Class Codes

H04L 63/083 using passwords cryptograph...

H04L 63/1408 by monitoring network traff...

Security attack detection and defense

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

67 Citations

38 Claims

Specification

Solutions

Use Cases

Quick Links

Security attack detection and defense

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

67 Citations

38 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links