SYSTEM AND METHOD TO MITIGATE DISTRIBUTED DENIAL OF SERVICE (DDoS) ATTACKS
US-2024259421-A1 · Aug 1, 2024 · US
US2021185084A1 · US · A1
| Field | Value |
|---|---|
| Publication number | US-2021185084-A1 |
| Application number | US-202016833041-A |
| Country | US |
| Kind code | A1 |
| Filing date | Mar 27, 2020 |
| Priority date | Dec 13, 2019 |
| Publication date | Jun 17, 2021 |
| Grant date | — |
Abstract
The disclosed embodiments determine a plurality of anomaly indications for a plurality of corresponding time series. A multi-modal model is defined for each time series. A first distribution is compared against a time series when the time series values fall within a first range, and a second distribution is compared against the time series when the time series values fall within a second range. Based on the comparison, an indication of anomaly is generated for the time series. The indicators of anomaly for each time series are then combined using Fisher's method in some embodiments. The resulting combined anomaly indication is used to determine whether a network is experiencing a brute force attack.
Claims (preview)
We claim:

1. A method performed by hardware processing circuitry, comprising: obtaining a first time series of operational parameter values of a device attached to a network; comparing the values of the first time series to a first parameter value range and a second parameter value range; determining, based on the comparing, that the values of the first time series are within the first parameter value range; based on the determining, selecting, from a plurality of distributions, a first distribution; comparing the first time series to the selected first distribution; determining, based on the comparing, a first probability at which values in the first time series occur in the selected distribution; determining, based on the first probability, a likelihood of a brute force attack on the network; based on the first time series, adjusting a boundary between the first parameter value range and the second parameter value range; and determining, based on the adjusted boundary, a second likelihood of a brute force attack.

2. The method of claim 1, further comprising performing, based on the likelihood, a mitigating action.

3. The method of claim 2, wherein the mitigating action includes changing an access control policy of the network.

4. The method of claim 3, wherein the changing of the access control policy comprises programmatically configuring a firewall of the network.

5. The method of claim 1, wherein the adjusting of the boundary comprises updating a threshold value $\tau_p$ defining the boundary between the first range and the second range, $\tau_p$ defined according to:

$$\tau_p := E[\,Y \mid Y > Q_{p-1}\,]$$

where $E[\cdot]$ is an expected value function, $Y$ is the first time series, $\tau_p$ is a threshold value between the first range and the second range, and $Q_p$ is a qth quantile of a negative binomial distribution.

6. The method of claim 1, wherein the adjusting of the boundary further comprises updating parameters defining the first and second distributions based on the first time series.

7. The method of claim 1, wherein the parameters are updated via exponential smoothing and a grid of smoothing weights.

8. The method of claim 7, where at least one parameter of the distribution is updated according to:

$$\Phi_{t+\epsilon} = g_\Phi^{-1}[\eta_{t+\epsilon}]$$

where $\Phi_{t+\epsilon}$ is the updated parameter, $g_\Phi$ is a link function for a parameter $\Phi$, and

$$\eta_{t+\epsilon} = \tilde{\alpha}_\theta \cdot M_\Phi[\,y_{t+\epsilon} \mid \eta_t\,] + (1 - \tilde{\alpha}_\theta) \cdot \eta_t$$

where $M_\Phi$ is a central moment corresponding to the parameter $\Phi$, $\tilde{\alpha}_\theta$ is a smoothing weight, $\eta_t$ is $g_\Phi[\Phi_t]$, and $y_{t+\epsilon}$ is a sample value included in the first time series.

9. The method of claim 1, further comprising: determining a second time series for second operational parameter values of the device; selecting, based on the second time series, a second distribution; second comparing the second time series to the selected second distribution; determining, based on the second comparing, a second probability at which second values in the second time series occur in the selected second distribution; applying Fisher's method to the first probability and the second probability; and based on the applying, generating a combined indicator of anomaly, wherein the determining of the likelihood of the brute force attack is further based on the combined indicator.

10. A system, comprising: hardware processing circuitry; one or more hardware memories storing instructions that when executed configure the hardware processing circuitry to perform operations comprising: obtaining a first time series of operational parameter values of a device attached to a network; comparing the values of the first time series to a first parameter value range and a second parameter value range; determining, based on the comparing, that the values of the first time series are within the first parameter value range; based on the determining, selecting, from a plurality of distributions, a first distribution; comparing the first time series to the selected first distribution; determining, based on the comparing, a first probability at which values in the first time series occur in the selected distribution; determining, based on the first probability, a likelihood of a brute force attack on the network; based on the first time series, adjusting a boundary between the first parameter value range and the second parameter value range; and determining, based on the adjusted boundary, a second likelihood of a brute force attack.

11. The system of claim 10, the operations further comprising performing, based on the likelihood, a mitigating action.

12. The system of claim 11, wherein the mitigating action includes changing an access control policy of the network.

13. The system of claim 12, wherein the changing of the access control policy comprises programmatically configuring a firewall of the network.

14. The system of claim 10, wherein the adjusting of the boundary comprises updating a threshold value $\tau_p$ defining the boundary between the first range and the second range, $\tau_p$ defined according to:

$$\tau_p := E[\,Y \mid Y > Q_{p-1}\,]$$

where $E[\cdot]$ is an expected value function, $Y$ is the first time series, $\tau_p$ is a threshold value between the first range and the second range, and $Q_p$ is a qth quantile of a negative binomial distribution.

15. The system of claim 10, wherein the adjusting of the boundary further comprises updating parameters defining the first and second distributions based on the first time series.

16. The system of claim 10, wherein the parameters are updated via exponential smoothing and a grid of smoothing weights.

17. The system of claim 16, wherein at least one parameter of the distribution is updated according to:

$$\Phi_{t+\epsilon} = g_\Phi^{-1}[\eta_{t+\epsilon}]$$

where $\Phi_{t+\epsilon}$ is the updated parameter, $g_\Phi$ is a link function for a parameter $\Phi$, and

$$\eta_{t+\epsilon} = \tilde{\alpha}_\theta \cdot M_\Phi[\,y_{t+\epsilon} \mid \eta_t\,] + (1 - \tilde{\alpha}_\theta) \cdot \eta_t$$

where $M_\Phi$ is a central moment corresponding to the parameter $\Phi$, $\tilde{\alpha}_\theta$ is a smoothing weight, $\eta_t$ is $g_\Phi[\Phi_t]$, and $y_{t+\epsilon}$ is a sample value included in the first time series.

18. The system of claim 10, the operations further comprising modeling a distribution of the first time series as a finite mixture of distributions P1[Y| 1], . . . Pm[Y| m], where each parameter p is a stochastic process.

19. The system of claim 18, wherein the first distribution and the second distribution are included in the finite mixture of distributions.

20. A non-transitory computer readable storage medium comprising instructions that when executed configure hardware processing circuitry to perform operations comprising: obtaining a first time series of operational parameter values of a device attached to a network; comparing the values of the first time series to a first parameter value range and a second parameter value range; determining, based on the comparing, that the values of the first time series are within the first parameter value range; based on the determining, selecting, from a plurality of distributions, a first distribution; comparing the first time series to the selected first distribution; determining, based on the comparing, a first probability at which values in the first time series occur in the selected distribution; determining, based on the first probability, a likelihood of a brute force attack on the network; based on the first
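As an added example that is not the patent's own code, the following Python sketch implements the detection path of claims 1, 5 and 9: a per-series tail probability under a negative binomial chosen by which range the newest value falls in, Fisher's method to combine the per-series probabilities into one anomaly indicator, and the boundary update τ_p := E[Y | Y > Q_{p−1}]. The negative binomial for both regimes, the regime parameters, the 95 % quantile, the initial boundary and the two constructed count series are all assumptions of this example.

```python
import math
from typing import Dict, List, Tuple

NBParams = Tuple[float, float]  # (size r, success probability p); assumed regime form

def nb_pmf(k: int, r: float, p: float) -> float:
    """Negative binomial P[Y = k], computed in log space via lgamma."""
    return math.exp(math.lgamma(k + r) - math.lgamma(r) - math.lgamma(k + 1)
                    + r * math.log(p) + k * math.log1p(-p))

def nb_tail(y: int, r: float, p: float) -> float:
    """P[Y >= y]; floored so Fisher's method never takes log(0)."""
    return max(1.0 - sum(nb_pmf(k, r, p) for k in range(y)), 1e-300)

def nb_quantile(q: float, r: float, p: float) -> int:
    """Smallest k with P[Y <= k] >= q (the Q_p of claim 5)."""
    cdf, k = 0.0, 0
    while True:
        cdf += nb_pmf(k, r, p)
        if cdf >= q:
            return k
        k += 1

def series_pvalue(series: List[int], boundary: float, low: NBParams, high: NBParams) -> float:
    """Claim 1: select the distribution by the newest value's range, then score it there."""
    y = series[-1]
    r, p = low if y <= boundary else high
    return nb_tail(y, r, p)

def fisher_combine(pvalues: List[float]) -> float:
    """Fisher's method: X = -2*sum(ln p_i) ~ chi-square(2k); closed-form survival for even d.f."""
    x = -2.0 * sum(math.log(pv) for pv in pvalues)
    return math.exp(-x / 2) * sum((x / 2) ** i / math.factorial(i) for i in range(len(pvalues)))

def update_boundary(series: List[int], r: float, p: float, q: float = 0.95) -> float:
    """Claim 5: tau_p := E[Y | Y > Q_{p-1}], conditional mean estimated from the data (assumed)."""
    cut = nb_quantile(q, r, p)
    above = [y for y in series if y > cut]
    return sum(above) / len(above) if above else float(cut)

def detect(series_by_name: Dict[str, List[int]], boundary: float,
           low: NBParams, high: NBParams, alpha: float = 0.01) -> Tuple[float, bool]:
    """Combined p-value over all series and whether it signals a brute force attack."""
    combined = fisher_combine([series_pvalue(s, boundary, low, high) for s in series_by_name.values()])
    return combined, combined < alpha

# Constructed sample: per-minute failed logins and distinct source addresses.
FAILED_LOGINS = [4, 6, 5, 7, 5, 3, 6, 14, 18, 60]
DISTINCT_SOURCES = [2, 3, 2, 4, 3, 2, 3, 2, 4, 3]
LOW, HIGH, BOUNDARY = (5.0, 0.5), (20.0, 0.5), 12.0  # assumed regime parameters and boundary
```

With these inputs the spike of 60 failed logins is scored against the high-range distribution and still drives the Fisher-combined p-value well below 0.01, while the unremarkable source count contributes a p-value near 0.77.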
involving negotiation or determination of the one or more network security mechanisms to be used, e.g. by negotiation between the client and the server or between peers or by selection according to the capabilities of the entities involved (negotiation of communication capabilities H04L69/24) · CPC title
Rule management · CPC title
Event detection, e.g. attack signature detection · CPC title
Denial of Service · CPC title
involving event detection and direct action · CPC title