Detection of slow brute force attacks based on user-level time series analysis

US2021349979A1 · US · A1

Patent metadata
Publication number: US-2021349979-A1
Application number: US-202016869351-A
Country: US
Kind code: A1
Filing date: May 7, 2020
Priority date: May 7, 2020
Publication date: Nov 11, 2021
Grant date:

How to read this patent

A practical reading order for non-experts. Skip the full description unless you need deep technical detail.

  1. Title

    What the patent document calls the invention.

  2. Abstract

    A short plain-language summary of the technical disclosure.

  3. Assignees and inventors

    Who owns or filed the patent and who is credited as inventor.

  4. Key dates

    Filing, priority, publication, and grant dates set the timeline.

  5. First independent claim

    The legal scope of protection — read this for what is actually claimed.

  6. CPC / IPC classifications

    Technology tags used to group this patent with similar filings.

  7. Citations and related patents

    Prior art links and similar publications in this corpus.

Abstract

Official abstract text for this publication.

Methods, systems and computer program products are provided for detection of slow brute force attacks based on user-level time series analysis. A slow brute force attack may be detected based on one or more anomalous failed login events associated with a user, alone or in combination with one or more post-login anomalous activities associated with the user, security alerts associated with the user, investigation priority determined for the user and/or successful logon events associated with the user. An alert may indicate a user is the target of a successful or unsuccessful slow brute force attack. Time-series data (e.g., accounted for in configurable time intervals) may be analyzed on a user-by-user basis to identify localized anomalies and global anomalies, which may be scored and evaluated (e.g., alone or combined with other information) to determine an investigation priority and whether and what alert to issue for a user.

First claim

Opening claim text (preview).

What is claimed is:

1. A system, comprising: one or more processors; and one or more memory devices that store program code configured to be executed by the one or more processors, the program code comprising: an incorrect password analyzer configured to: perform a user-level time-series analysis of attempted login events to identify at least one anomalous incorrect password event associated with a user; and an alert generator configured to: determine whether to generate an alert identifying a suspected slow brute force attack against the user based on the at least one anomalous incorrect password event associated with the user.

2. The system of claim 1, wherein the alert indicates the user is one of a compromised user or an uncompromised user based, at least in part, on the at least one anomalous incorrect password event and a presence or absence of at least one logon event associated with the user.

3. The system of claim 1, wherein the program code further comprises: an investigation priority analyzer configured to: perform a user-level analysis to determine an investigation priority level for the user associated with the at least one anomalous incorrect password event.

4. The system of claim 3, wherein the program code further comprises: an event analyzer configured to: perform a user-level analysis to identify at least one other anomalous event, other than a login event, associated with the user.

5. The system of claim 4, wherein the program code further comprises: a security alert analyzer configured to: perform a user-level analysis of security alerts to identify at least one security alert associated with the user.

6. The system of claim 5, wherein: the incorrect password analyzer is configured to: generate at least one incorrect password score for the at least one anomalous incorrect password event associated with the user; the investigation priority analyzer is configured to: generate at least one event score for the at least one anomalous event associated with the user; the security alert analyzer is configured to: generate at least one security alert score for the at least one security alert associated with the user; the investigation priority analyzer is configured to: generate an investigation priority score based on the at least one anomalous incorrect password score, the at least one event score, and the at least one security alert score; and the alert generator is configured to: determine whether to generate an alert identifying a suspected slow brute force attack against the user based on the at least one anomalous incorrect password event associated with the user, a presence or absence of at least one logon event associated with the user, and the investigation priority score.

7. The system of claim 4, wherein: the event analyzer comprises: a resource category analyzer configured to perform a user-level analysis of resource usage for the user compared to resource usage by the user's peers; an event properties analyzer configured to perform a user-level analysis of event properties for events associated with the user compared to event properties for events associated with the user's peers; and an event scorer configured to generate a score for the at least one anomalous event associated with the user based on at least one of the comparative analysis of the resource usage or the event properties.

8. The system of claim 1, wherein: the incorrect password analyzer comprises: a state updater configured to accumulate incorrect password events in time intervals; a local anomaly detector configured to detect a local anomaly in response to a number of incorrect password events in a time interval exceeding a mean number of incorrect password events in at least one previous time interval by a first threshold; a global anomaly detector configured to detect a global anomaly in response to a normalized residual value, based on a distance from the mean number of incorrect password events, for the local anomaly exceeding a normalized residual value for at least one preceding time interval by a second threshold; and an incorrect password scorer configured to generate incorrect password scores for at least one event in each global anomaly, wherein the at least one event in each global anomaly represents the at least one anomalous incorrect password event.

9. A method that determines whether one or more users are a target of a slow brute force attack, the method comprising: performing a user-level time-series analysis of attempted login events to identify at least one anomalous incorrect password event associated with a user; and determining whether to generate an alert identifying a suspected slow brute force attack against the user based on the at least one anomalous incorrect password event associated with the user.

10. The method of claim 9, wherein the alert indicates the user is one of a compromised user or an uncompromised user based, at least in part, on the at least one anomalous incorrect password event and a presence or absence of at least one logon event associated with the user.

11. The method of claim 9, further comprising: performing a user-level analysis to determine an investigation priority level for the user associated with the at least one anomalous incorrect password event.

12. The method of claim 11, further comprising: performing a user-level analysis to identify at least one other anomalous event, other than a login event, associated with the user.

13. The method of claim 12, further comprising: performing a user-level analysis of security alerts to identify at least one security alert associated with the user.

14. The method of claim 13, further comprising: generating at least one incorrect password score for the at least one anomalous incorrect password event associated with the user; generating at least one event score for the at least one anomalous event associated with the user; generating at least one security alert score for the at least one security alert associated with the user; and generating an investigation priority score based on the at least one anomalous incorrect password score, the at least one event score, and the at least one security alert score; wherein said determining whether to generate an alert identifying a suspected slow brute force attack against the user comprises determining whether to generate an alert based on the at least one anomalous incorrect password event associated with the user, a presence or absence of at least one logon event associated with the user, and the investigation priority score.

15. The method of claim 12, wherein performing a user-level analysis to identify at least one other anomalous event comprises: performing a user-level analysis of resource usage for the user compared to resource usage by the user's peers; performing a user-level analysis of event properties for events associated with the user compared to event properties for events associated with the user's peers; and generating a score for the at least one anomalous event associated with the user based on at least one of the comparative analysis of the resource usage or the event properties.

16. The method of claim 9, wherein performing a user-level time-series analysis of attempted login events to identify at least one anomalous incorrect password event comprises: accumulating incorrect password events in time intervals; detecting a local anomaly in response to a number of incorrect password events in a time interval
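The abstract and claims 8 and 16 describe a concrete per-user pipeline: accumulate failed-password events into configurable time intervals, flag a local anomaly when an interval's count exceeds the mean of earlier intervals by a first threshold, flag a global anomaly when the normalized residual of that local anomaly exceeds the residuals of preceding intervals by a second threshold, score the events in each global anomaly, and then decide (claim 2) whether the alert reads "compromised" or "uncompromised" from the presence or absence of a successful logon. The following Python is an added worked example of that pipeline written for this page; it is not Microsoft's code and nothing in it is taken from the patent's implementation. The log format, the one-hour interval, the thresholds, the standard-deviation floor of 1.0 in the residual, the two-interval logon look-ahead, and the reading of the global test as "residual exceeds the largest preceding residual" are all illustrative assumptions, and the log lines are constructed, not real.

```python
"""Per-user slow brute force detection in the spirit of US2021349979A1 claims 8 and 16.

Added example for this page, not the patent's or Microsoft's code. Every
constant below is an illustrative assumption; the log data is constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

INTERVAL = timedelta(hours=1)   # configurable accounting interval (assumption)
MIN_HISTORY = 3                 # intervals of history needed before scoring (assumption)
LOCAL_THRESHOLD = 2.0           # first threshold: failures above the user's own mean
GLOBAL_THRESHOLD = 1.0          # second threshold: residual above all earlier residuals
LOGON_LOOKAHEAD = 2             # intervals after an anomaly in which a logon counts


def build_sample_log():
    """Constructed log lines (not real data): '<iso-timestamp> <user> <fail|success>'."""
    base = datetime(2024, 3, 1)
    spec = {
        # hourly failure counts; alice's hours 5-6 are a slow brute force burst,
        # followed by a successful logon in hour 7
        "alice": ([1, 0, 1, 1, 0, 5, 6, 0], [7]),
        # bob: ordinary typos with a normal logon in hour 2
        "bob":   ([1, 1, 0, 1, 1, 1, 0, 1], [2]),
    }
    lines = []
    for user, (fails, successes) in spec.items():
        for hour, n in enumerate(fails):
            for i in range(n):
                ts = base + timedelta(hours=hour, minutes=3 * i)
                lines.append(f"{ts.isoformat()} {user} fail")
        for hour in successes:
            ts = base + timedelta(hours=hour, minutes=20)
            lines.append(f"{ts.isoformat()} {user} success")
    return sorted(lines)   # fixed-width ISO timestamps sort chronologically


def bucket_events(lines, start):
    """State updater: per-user failure counts and logon flags per time interval."""
    fails = defaultdict(lambda: defaultdict(int))
    logons = defaultdict(set)
    for line in lines:
        ts_s, user, kind = line.split()
        idx = (datetime.fromisoformat(ts_s) - start) // INTERVAL
        if kind == "fail":
            fails[user][idx] += 1
        elif kind == "success":
            logons[user].add(idx)
    return fails, logons


def analyze_user(counts, logon_intervals, n_intervals):
    """Local/global anomaly detection and scoring on one user's time series."""
    series = [counts.get(i, 0) for i in range(n_intervals)]
    residuals = []                       # normalized residual per evaluated interval
    local, global_, scores = [], [], {}
    for t in range(MIN_HISTORY, n_intervals):
        prev = series[:t]                # the user's own history only
        mu = mean(prev)
        sigma = max(pstdev(prev), 1.0)   # floor: a flat baseline must not explode r
        r = (series[t] - mu) / sigma     # distance from the mean, normalized
        if series[t] - mu > LOCAL_THRESHOLD:
            local.append(t)
            # global anomaly: this residual dominates every earlier one by the threshold
            if residuals and r > max(residuals) + GLOBAL_THRESHOLD:
                global_.append(t)
                scores[t] = r            # incorrect password score for the interval
        residuals.append(r)
    verdict = None
    if global_:
        seen_logon = any(t <= g <= t + LOGON_LOOKAHEAD
                         for t in global_ for g in logon_intervals)
        verdict = "compromised" if seen_logon else "uncompromised"
    return {"local": local, "global": global_, "scores": scores, "verdict": verdict}


def detect(lines, start):
    """Run the analysis for every user seen in the log; returns {user: report}."""
    fails, logons = bucket_events(lines, start)
    last = max((datetime.fromisoformat(l.split()[0]) - start) // INTERVAL for l in lines)
    return {u: analyze_user(fails[u], logons[u], last + 1)
            for u in set(fails) | set(logons)}


if __name__ == "__main__":
    for user, report in sorted(detect(build_sample_log(), datetime(2024, 3, 1)).items()):
        print(user, report)
```

On the constructed data alice gets local anomalies in hours 5 and 6 but only hour 5 is global: hour 6's residual is large, yet it does not exceed hour 5's residual by the second threshold, which is the point of the two-stage test, a deviation that merely repeats an already-observed deviation does not re-fire. The "compromised" verdict rests only on a logon following the anomaly, exactly as claim 2 states; it cannot by itself tell the account owner's routine logon from the attacker's success, which is why the abstract combines it with post-login anomalies, security alerts and the investigation priority before deciding what alert to issue.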

Assignees

Microsoft Technology Licensing LLC

Inventors

Classifications

  • G06F21/316 (primary)

    by observing the pattern of computer usage, e.g. typical user behaviour · CPC title

  • Traffic logging, e.g. anomaly detection · CPC title

  • Time stamp · CPC title

  • Detecting local intrusion or implementing counter-measures · CPC title

  • involving long-term monitoring or reporting · CPC title

Patent family

Related publications grouped by family.

External sources

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US2021349979A1 cover?
Methods, systems and computer program products are provided for detection of slow brute force attacks based on user-level time series analysis. A slow brute force attack may be detected based on one or more anomalous failed login events associated with a user, alone or in combination with one or more post-login anomalous activities associated with the user, security alerts associated with the u…
Who is the assignee on this patent?
Microsoft Technology Licensing LLC
What technology area does this patent fall under?
Primary CPC classification G06F21/316. Mapped technology areas include Physics.
When was this patent published?
Publication date Nov 11, 2021 (A1). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 8 related publications on this page (citations in our corpus or others sharing the same primary CPC).