Detection and handling of excessive resource usage in a distributed computing environment
US-2022083397-A1 · Mar 17, 2022 · US
US2022360596A1 · US · A1
| Field | Value |
|---|---|
| Publication number | US-2022360596-A1 |
| Application number | US-202117321847-A |
| Country | US |
| Kind code | A1 |
| Filing date | May 17, 2021 |
| Priority date | May 5, 2021 |
| Publication date | Nov 10, 2022 |
| Grant date | — |
Official abstract text for this publication.
A system and method that detects malicious account creation in a web-based platform. A method includes detecting suspicious events associated with an account creation process using a username classifier that evaluates a username used to create a new account, an IP address classifier that evaluates an IP address used to create the new account, and a domain classifier that evaluates a domain from an email address used to create the new account; analyzing each detected suspicious event with a density analysis classifier to determine if each detected suspicious event comprises a malicious event based on a density of detected suspicious events from a collection of account creation processes; and determining an alert condition based on at least one malicious event detection.
Opening claim text (preview).
We claim:

1. A system, comprising: a memory; and a processor coupled to the memory and configured to execute instructions that detect a malicious account in a web-based platform, wherein the instructions cause the processor to: detect suspicious events associated with an account creation process using a username classifier that evaluates a username used to create a new account, an internet protocol (IP) address classifier that evaluates an IP address used to create the new account, and a domain classifier that evaluates a domain from an email address used to create the new account; analyze each detected suspicious event with a density analysis classifier to determine if each detected suspicious event comprises a malicious event based on a density of detected suspicious events from a collection of account creation processes; and determine an alert condition based on at least one malicious event detection.

2. The system of claim 1, wherein the username classifier is trained with a first dataset of legitimate usernames and a second dataset of illegitimate usernames, and wherein the username classifier: analyzes the username structure of a new username to predict whether the new username is legitimate or illegitimate; and flags an illegitimate username as a suspicious event.

3. The system of claim 2, wherein the username classifier is trained using N-grams in combination with a Naïve Bayes classifier.

4. The system of claim 1, wherein the username classifier is trained to predict whether the username comprises a suspicious event based on a number of characters in the username.

5. The system of claim 1, wherein the IP address classifier is trained by evaluating IP addresses used to create prior accounts in order to determine a threshold, and wherein IP address classifier: obtains the IP address used for the new account; determines a number of accounts created with the IP address during a predefined time period; and generates a suspicious event if the number of accounts exceeds the threshold.

6. The system of claim 1, wherein the domain classifier is trained by evaluating domains used to create prior accounts in order to determine a threshold, and wherein domain classifier: obtains the domain used for the new account; determines a number of accounts created with the domain during a predefined time period; and generates a suspicious event if the number of accounts exceeds the threshold.

7. The system of claim 1, wherein the density analysis classifier: evaluates a detected suspicious event relative to an associated time series of events within an associated time window in which the events are generated by at least one of the username classifier, IP address classifier and domain classifier; and classifies the detected suspicious event as a malicious event if a threshold number of events were flagged as suspicious events within the associated time window.

8. The system of claim 1, wherein each of the username classifier, IP address classifier, domain classifier and density analysis classifier are tuned to produce an overall target specificity that dictates a precision as a function of recall, wherein the precision is a ratio of correctly detected malicious events relative to a total number of detected events and recall is a probability that a malicious event will be detected.

9. The system of claim 8, wherein the overall target specificity is determined based on a historical prevalence of correctly detected malicious events.

10. The system of claim 8, wherein the overall target specificity is determined based on an assumption about a prevalence of malicious events in the web-based platform.

11. A computerized method, comprising: detecting suspicious events associated with an account creation process using a username classifier that evaluates a username used to create a new account, an internet protocol (IP) address classifier that evaluates an IP address used to create the new account, and a domain classifier that evaluates a domain from an email address used to create the new account; analyzing each detected suspicious event with a density analysis classifier to determine if each detected suspicious event comprises a malicious event based on a density of detected suspicious events from a collection of account creation processes; and determining an alert condition based on at least one malicious event detection.

12. The method of claim 11, wherein the username classifier is trained with a first dataset of legitimate usernames and a second dataset of illegitimate usernames, and wherein the username classifier: analyzes the username structure of a new username to predict whether the new username is legitimate or illegitimate; and flags an illegitimate username as a suspicious event.

13. The method of claim 12, wherein the username classifier is trained using N-grams in combination with a Naïve Bayes classifier.

14. The method of claim 11, wherein the username classifier is trained to predict whether the username comprises a suspicious event based on a number of characters in the username.

15. The method of claim 11, wherein the IP address classifier is trained by evaluating IP addresses used to create prior accounts in order to determine a threshold, and wherein IP address classifier: obtains the IP address used for the new account; determines a number of accounts created with the IP address during a predefined time period; and generates a suspicious event if the number of accounts exceeds the threshold.

16. The method of claim 11, wherein the domain classifier is trained by evaluating domains used to create prior accounts in order to determine a threshold, and wherein domain classifier: obtains the domain used for the new account; determines a number of accounts created with the domain during a predefined time period; and generates a suspicious event if the number of accounts exceeds the threshold.

17. The method of claim 1, wherein the density analysis classifier: evaluates a detected suspicious event relative to an associated time series of events within an associated time window in which the events are generated by at least one of the username classifier, IP address classifier and domain classifier; and classifies the detected suspicious event as a malicious event if a threshold number of events were flagged as suspicious events within the associated time window.

18. The method of claim 1, wherein each of the username classifier, IP address classifier, domain classifier and density analysis classifier are tuned to produce an overall target specificity that dictates a precision as a function of recall, wherein the precision is a ratio of correctly detected malicious events relative to a total number of detected events and recall is a probability that a malicious event will be detected.

19. The method of claim 18, wherein the overall target specificity is determined based on a historical prevalence of correctly detected malicious events.

20. The method of claim 18, wherein the overall target specificity is determined based on an assumption about a prevalence of malicious events in the web-based platform.
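A sketch of the two-stage flow in claims 5 to 7, added here as an illustration and not taken from the patent or its applicant: per-IP and per-domain creation counts raise suspicious events, and a density check promotes them to malicious only when enough of them cluster in time. The function names, the fixed thresholds (the claims derive them from prior accounts), the symmetric window and the sample signups are all assumptions; the username classifier is left out.

```python
from collections import defaultdict, deque

# Constructed sample signups: (epoch_seconds, username, ip, email), sorted by time.
SIGNUPS = [
    (0,    "alice", "198.51.100.7", "alice@example.org"),
    (1000, "qx7f",  "203.0.113.5",  "a1@mail.example"),
    (1060, "zk2p",  "203.0.113.5",  "a2@mail.example"),
    (1120, "wv9d",  "203.0.113.5",  "a3@mail.example"),
    (1180, "pl4m",  "203.0.113.5",  "a4@mail.example"),
    (9000, "bob",   "198.51.100.9", "bob@example.org"),
    (9100, "carol", "198.51.100.9", "carol@example.org"),
    (9200, "dave",  "198.51.100.9", "dave@example.org"),
]

def rate_events(signups, source, key_of, threshold, period):
    """Claims 5-6: suspicious event when accounts per key within `period` exceed `threshold`."""
    recent = defaultdict(deque)          # key -> creation times still inside the period
    events = []
    for s in signups:
        ts, key = s[0], key_of(s)
        q = recent[key]
        q.append(ts)
        while ts - q[0] > period:        # drop creations older than the period
            q.popleft()
        if len(q) > threshold:
            events.append((ts, source, key))
    return events

def density_filter(events, window, min_events):
    """Claim 7: malicious when at least `min_events` suspicious events lie within `window`."""
    return [e for e in sorted(events)
            if sum(abs(o[0] - e[0]) <= window for o in events) >= min_events]

def email_domain(signup):
    return signup[3].rsplit("@", 1)[-1].lower()

def detect(signups, ip_threshold=2, domain_threshold=3,
           period=3600, window=600, min_events=3):
    """Assumed thresholds; a deployment would fit them to historical account data."""
    suspicious = (rate_events(signups, "ip", lambda s: s[2], ip_threshold, period)
                  + rate_events(signups, "domain", email_domain, domain_threshold, period))
    malicious = density_filter(suspicious, window, min_events)
    return {"suspicious": sorted(suspicious), "malicious": malicious,
            "alert": bool(malicious)}

if __name__ == "__main__":
    print(detect(SIGNUPS))
```

On the sample, the third signup from 198.51.100.9 is flagged as suspicious but stays below the density threshold, so only the clustered burst from 203.0.113.5 raises the alert.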
Event detection, e.g. attack signature detection · CPC title
service impersonation, e.g. phishing, pharming or web spoofing (detection of rogue wireless access points H04W12/12) · CPC title
Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems · CPC title
Detection or prevention of fraud · CPC title
Traffic logging, e.g. anomaly detection · CPC title