WO2020146935A1 - Methods and systems for detecting unauthorized access - Google Patents


Info

Publication number
WO2020146935A1
Authority
WO
WIPO (PCT)
Prior art keywords
account
peer
user
response
access
Application number
PCT/CA2019/051741
Other languages
French (fr)
Inventor
Robert Scott Mitchell
Original Assignee
Blackberry Limited
Application filed by Blackberry Limited filed Critical Blackberry Limited
Priority to CN201980089381.6A priority Critical patent/CN113302606A/en
Priority to EP19909657.9A priority patent/EP3877877A4/en
Publication of WO2020146935A1 publication Critical patent/WO2020146935A1/en

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L 63/104 Grouping of entities
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F 21/31 User authentication
    • G06F 21/316 User authentication by observing the pattern of computer usage, e.g. typical user behaviour
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F 21/31 User authentication
    • G06F 21/34 User authentication involving the use of external additional devices, e.g. dongles or smart cards
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F 21/31 User authentication
    • G06F 21/42 User authentication using separate channels for security data
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/0853 Network architectures or network communication protocols for network security for authentication of entities using an additional device, e.g. smartcard, SIM or a different communication terminal
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1425 Traffic logging, e.g. anomaly detection

Definitions

  • the present application generally relates to computer security and, in particular, to detecting unauthorized access to an account.
  • a brute force attack to gain illicit access to a user account may involve a series of failed authentication attempts.
  • systems sometimes limit the number of failed attempts within a period of time.
  • this facilitates denial-of-service attacks by locking out access to the legitimate user.
  • the attempts are legitimate attempts by the authorized user, but the user has mistyped the credentials or misremembered his or her password.
  • Some systems will prompt the user to confirm whether a new login from a new host is legitimate, but if the account is compromised, those alerts can be deleted before the legitimate user can see them.
  • Figure 1 diagrammatically shows an example system that includes an authenticator for managing user authentication to a secured system
  • Figure 2 shows, in flowchart form, one example method of identifying unauthorized attempts to access an account in a computer system
  • Figure 3 shows, in flowchart form, another example method of identifying unauthorized attempts to access an account in a computer system.
  • the present application describes a method of identifying unauthorized attempts to access an account in a computer system, the account having an authorized user.
  • the method may include determining that a count of failed attempts to access the account exceeds a maximum; based on the count exceeding the maximum, retrieving from stored user data one or more peer contacts associated with the authorized user; transmitting a failure attribution request to the one or more peer contacts; receiving a response from at least one of the one or more peer contacts; when the response denies that the authorized user caused the failed attempts, taking a security action with respect to the account.
  • the present application describes a system for identifying unauthorized attempts to access an account in a computer system, the account having an authorized user.
  • the system includes a processor; a memory storing user data, including one or more peer contacts associated with the authorized user; and an authentication application containing processor executable instructions that, when executed by the processor, are to cause the processor to determine that a count of failed attempts to access the account exceeds a maximum; based on the count exceeding the maximum, retrieve from the memory the one or more peer contacts associated with the authorized user; transmit a failure attribution request to the one or more peer contacts; receive a response from at least one of the one or more peer contacts; and when the response denies that the authorized user caused the failed attempts, take a security action with respect to the account.
  • the determining includes comparing credentials received in a request for access with stored user credentials, finding that they do not match, and incrementing an associated count of failed attempts.
  • the stored user data includes a peer list containing the one or more peer contacts associated with the authorized user.
  • the list is stored in association with the account.
  • each peer contact in the peer list includes peer contact information to which the failure attribution request is to be transmitted.
  • the security action may include at least one of sending a notification to a security administrator, altering an authorization setting for the account, temporarily preventing further access attempts to the account, or imposing a further level of authentication required to access the account following a successful authentication.
  • the method and system may further include transmitting an attribution request to a user contact address for the authorized user, receiving a response from the user contact address, and when the response denies user involvement in the failed attempts then taking the security action.
  • the one or more peer contacts may include a plurality of peer contacts in a hierarchical order, and transmitting may include transmitting the failure attribution request to a first peer contact in the hierarchical order; awaiting the response; and if the response is not received within a time window, sending the failure attribution request to a next peer contact in the hierarchical order.
  • the method and system may include temporarily preventing further access attempts to the account while awaiting the response.
  • the awaiting and sending are repeated for each successive peer contact in the hierarchical order until the response is received or the time window for a last peer contact expires.
  • transmitting the failure attribution request includes determining that a number of failure attribution requests transmitted over a time period is below an abuse threshold as a condition precedent to transmitting the failure attribution request.
  • the terms “about”, “approximately”, and “substantially” are meant to cover variations that may exist in the upper and lower limits of the ranges of values, such as variations in properties, parameters, and dimensions.
  • the terms “about”, “approximately”, and “substantially” may mean plus or minus 10 percent or less.
  • the term “and/or” is intended to cover all possible combinations and sub-combinations of the listed elements, including any one of the listed elements alone, any sub-combination, or all of the elements, and without necessarily excluding additional elements.
  • the phrase “at least one of ... or ...” is intended to cover any one or more of the listed elements, including any one of the listed elements alone, any sub-combination, or all of the elements, without necessarily excluding any additional elements, and without necessarily requiring all of the elements.
  • account is to be given a broad interpretation and is not limited to a specific type of account. It is meant to refer to any resource to which access may be restricted by way of a user identity challenge. Examples may include attempts to open a locked device like a mobile phone or personal computer, attempts to access a computer environment like a user account on an enterprise network or social network, or attempts to access a service like a video streaming service. In this sense, “account” refers to any computer-secured resource that has restricted access to users that present valid authentication credentials.
  • authentication is a cornerstone security technique. Authentication involves the receipt of some input to prove the identity of the user requesting access to a resource.
  • the most typical example of user authentication data is a username and password. Other examples may include biometric input, a password alone without a username (although it may be associated with one), answers to challenge phrases, etc.
  • An authenticator verifies the validity of the provided user authentication data by comparing it to stored user data.
  • the user data may include profiles for a plurality of users, each having a unique username and password.
  • the user data may include additional data, such as authorization data indicating the level of access available to the user.
  • a security challenge for computing systems is to prevent repeated attempts to access an account.
  • One technique is to limit the number of consecutive failed attempts and to lock the account if too many attempts are made without success. This can be frustrating for a legitimate user who makes typing mistakes, forgets that Caps Lock is on, has misremembered their password, or is trying a number of their more commonly-used passwords to guess which one they used for this account. Moreover, locking the account after a maximum number of failed attempts creates a denial of service risk. That can be addressed by limiting the lock on the account to a short period of time, but that then allows the attack to continue, albeit more slowly. Other techniques may try to distinguish between legitimate user failed attempts and malicious failed attempts using behavioral analytics, IP address information, or other side information to evaluate the nature of the failed attempts to access.
  • the system may impose two-factor authentication (2FA).
  • 2FA simply imposes a second authentication step after the first successful authentication. This may be through presenting a further user credential request at the same user interface, or may be through providing some data, e.g. a code, via an alternative user account for the same user, and requesting that the user access that alternative user account and present the data to further authenticate the user’s identity. If a user’s credentials are compromised for both accounts then the malicious actor may be able to pass through the 2FA process. Strong 2FA requires that one element be something only the user knows and another be something only the user possesses, such as a unique rotating token or a secondary device like a mobile phone on which the user acknowledges a secondary approval prompt.
  • 2FA adds a layer of additional security to user authentication, but does not address the issue of failed authentications and the need to evaluate whether the failed authentications represent an attack on the system or a legitimate user’s attempt to access their account.
  • a computing system determines how to handle authentication failures by obtaining attribution information.
  • the user may be contacted via a separate communication channel, such as through a different account or a different device, to solicit information regarding a failed attempt or attempts to access an account.
  • the user may confirm that the failed attempt(s) are attributable to the user or may deny that the failed attempt(s) are attributable to the user. If the response to the solicitation is denial of attribution, then the system may take certain security actions since the failed attempt(s) are a likely attack.
  • attribution information may be solicited from one or more peers associated with the user. That is, the system may have stored information in association with the user linking the user to one or more peers. The one or more peers may be sent an attribution request at a device or contact point designated for the one or more peers. A response from one of the peers may indicate that the failed authentication attempt(s) are attributable to the user, which the system may treat as verification that the failed authentication attempt(s) are legitimate user failures. Such a determination may mean any alarm or lock condition may be cleared. A response from a peer that indicates that the failed authentication attempt(s) are not from the user may trigger a security action. The peer indication of non-user attribution may result in security action even if the user has indicated that the failed attempt(s) are legitimate, in some instances.
  • FIG. 1 diagrammatically illustrates an example system 100 for detecting likely attacks on user authentication.
  • the system 100 includes a secured system 102.
  • the secured system 102 represents a resource to which one or more users seek access.
  • the secured system 102 may include a corporate network environment with all its internal resources, in some cases. In other examples, it may be a social network, gaming network, financial network, or any other type of computing resource.
  • the secured system 102 may be operably connected to a plurality of networks, which may include public networks, private networks, or both.
  • An authenticator 104 manages authentication of user requests to access the secured system 102.
  • the authenticator 104 may include or have access to stored user data 106.
  • An authentication request provides user authentication data to the authenticator 104, which then evaluates the validity of the user authentication data by comparing it to the stored user data 106.
  • the stored user data 106 may include identifying data for a plurality of authorized users, including usernames (or user IDs), associated passwords, and any associated security settings, like authorization levels.
  • the user data 106 includes, for each user, a record of failed authentication attempts, which may include a count of failed authentication attempts 108. These attempts may include all unsuccessful attempts to access the account associated with a particular user.
  • the count may be a count of consecutive failed attempts without a successful authentication. In some cases, the count may be limited in time to attempts in the past hour, day, week, or some other time period. In yet other cases, the count may include non-consecutive failures over a time period.
  • the records of failed authentication attempts may include additional metadata regarding the attempts, such as the IP address or other identifying information regarding the source of the attempt.
  • the system 100 further includes within the user data 106 a peer list 110 stored in association with an authorized user.
  • the peer list 110 contains identifiers for one or more peers designated for the authorized user. The designation may be made by the authorized user when configuring his or her account as part of the set-up process. In some cases, such as a corporate environment, the designation of peers may be policy based and at least partly controlled by an administrator. For example, an authorized user may be required to have his or her immediate supervisor included as a peer.
  • the peer list 110 may include user identifiers for each of the peers, such as a username or user ID.
  • the authenticator 104 may access the peer list 110 to obtain the user identifiers for the peers.
  • the peer list 110 may include contact information for each peer.
  • the authenticator 104 may search the user data 106 for contact details for each peer based on the user identifiers in the peer list 110.
  • the contact details may include a mobile number, email address, messaging identity, social network identifier, SIP URI, or other peer contact data to which the authenticator 104 can send a notification or request.
  • the peer list 110 may include a status of whether or not the peer is available.
  • the peer contact is an individual different and separate from the user associated with the user account.
  • the peer contact information includes one or more addresses or accounts associated with (owned or operated by) the peer contact. It may include device identifiers or other data specific to a device or account controlled by the peer contact that represents identifying contact information for the peer contact. To be clear, the peer contact information is not an alternative account or contact information for the user.
  • the peers may not necessarily be authorized users of the secured system 102 and may not have their details stored in the user data 106 as users of the secured system 102. Nevertheless, the authorized user may have designated them as peers on configuration of the user’s account and may have provided the peer contact data, which is then stored in, or in association with, the peer list 110.
  • the user data 106 may be implemented as two or more data storage elements, including databases, and there may be multiple records, at least one of which stores user authentication information for the user, and at least another of which stores the peer list 110 associated with the user.
  • the authenticator 104 may track failed authentication attempts in association with a user account. If the number of failed authentication attempts exceeds a maximum, then the authenticator 104 may output an attribution request.
  • the trigger for the attribution request may be the count of failed authentication attempts for a user account exceeding a preset threshold, such as five or ten.
  • the trigger may be based on consecutive failed authentication attempts without a successful authentication, in some implementations.
  • the trigger may also take into account the time over which the failures occurred, such that the threshold is based on a maximum number of failed authentication attempts within a certain window of time, e.g. 15 minutes, an hour, a day, etc.
  • Some implementations may consider the number of failed attempts without success from a given source IP address, or lower threshold if the source IP has not been a recent source of positive authentication. Other factors may be included in the determination of whether to send an attribution request.
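The trigger conditions described above (a consecutive-failure count, a count within a time window, a lower threshold for a source IP with no recent successful login, and not counting attempts against usernames that have no account) can be combined in one small tracker. The code below is an added example and is not code from the patent or from BlackBerry; the class and function names, the `Policy` values, the IP addresses and the timestamps are this example's own assumptions, and the per-account record plays the role of the count 108 in FIG. 1.

```python
# Added example, not from the patent: a per-account tracker of failed
# authentication attempts that reports when an attribution request is due.
# Policy values, names and the sample timeline are constructed assumptions.
from collections import deque
from dataclasses import dataclass, field


@dataclass
class Policy:
    max_consecutive: int = 5           # consecutive failures without a success
    window_seconds: int = 15 * 60      # look-back window for non-consecutive failures
    max_in_window: int = 10            # failures tolerated inside that window
    unfamiliar_source_max: int = 3     # lower threshold for a source with no recent success
    familiar_seconds: int = 7 * 24 * 3600  # how long a success keeps a source "familiar"


@dataclass
class AccountRecord:
    consecutive_failures: int = 0
    failures: deque = field(default_factory=deque)   # (timestamp, source_ip), oldest first
    last_success_by_source: dict = field(default_factory=dict)


class FailedAttemptTracker:
    """Per-account record of failed attempts; decides whether to seek attribution."""

    def __init__(self, known_accounts, policy=None):
        self.known_accounts = set(known_accounts)
        self.policy = policy or Policy()
        self.accounts = {}

    def _record(self, account):
        return self.accounts.setdefault(account, AccountRecord())

    def _prune(self, rec, now):
        # Drop failures that have fallen out of the time window.
        cutoff = now - self.policy.window_seconds
        while rec.failures and rec.failures[0][0] < cutoff:
            rec.failures.popleft()

    def record_success(self, account, source_ip, now):
        rec = self._record(account)
        rec.consecutive_failures = 0              # a success resets the consecutive count
        rec.last_success_by_source[source_ip] = now

    def record_failure(self, account, source_ip, now):
        """Count a failure; return the trigger reason, or None if no request is due."""
        if account not in self.known_accounts:
            return None                           # unknown username: nothing to count
        rec = self._record(account)
        rec.consecutive_failures += 1
        rec.failures.append((now, source_ip))
        return self.trigger_reason(account, source_ip, now)

    def trigger_reason(self, account, source_ip, now):
        rec = self._record(account)
        self._prune(rec, now)
        p = self.policy
        if rec.consecutive_failures >= p.max_consecutive:
            return "consecutive"
        if len(rec.failures) >= p.max_in_window:
            return "window"
        from_source = sum(1 for _, src in rec.failures if src == source_ip)
        last_ok = rec.last_success_by_source.get(source_ip)
        familiar = last_ok is not None and now - last_ok <= p.familiar_seconds
        if not familiar and from_source >= p.unfamiliar_source_max:
            return "unfamiliar_source"
        return None


def demo():
    """Constructed timeline: three failures from an address that never logged in."""
    tracker = FailedAttemptTracker(known_accounts={"alice"})
    return [tracker.record_failure("alice", "203.0.113.5", now) for now in (0, 10, 20)]
```

`demo()` returns `[None, None, 'unfamiliar_source']`: the unfamiliar-source threshold fires well before the consecutive threshold would. A source that has authenticated successfully within `familiar_seconds` only trips the higher consecutive or windowed limits.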
  • once the authenticator 104 determines that an attribution request is to be sent, it sends a message to the user, to one or more peers, or to both.
  • the message may be sent through any suitable medium, including instant messaging, SMS, email, or other communication types.
  • the message informs the user and/or peers that there have been a maximum number of failed attempts to access the user account and requests that the recipient indicate whether the attempts were made by the user.
  • the message may include a selectable icon, button or other response element to trigger a response message.
  • the message may include two different selectable response elements: one to attribute failures to the user and another to attribute failures to someone other than the user.
  • the message may include a link that, when selected, opens a browser session and links to a webpage through which the attribution response may be provided.
  • Other mechanisms for soliciting and obtaining electronic feedback from the user and/or peers will be appreciated.
  • the message may, in some cases, contain information regarding the failed authentication attempts. That information may be obtained by the authenticator 104 from the stored record of failed authentication attempts for that user account.
  • the information in the message may include information identifying the user account and the user, the time and/or date of each attempt, the geographic location from which the access attempt appears to originate (based on IP address, for example), and/or the count of failed attempts.
  • although the authenticator 104 is shown as being separate from the secured system 102 for ease of discussion, it will be appreciated that the authenticator 104 may be implemented as part of the secured system 102. It will also be appreciated that the authenticator 104 may be implemented by way of software operating on a suitable computing platform, such as a server or similar networked computing system. The software is executed by one or more processors within the computing system to cause the computing system to carry out the described operations of the authenticator 104. Any suitable programming language and/or program structure may be used in realizing the software-implemented authenticator 104.
  • the secured system 102 is shown as being in the “cloud” of a networked environment.
  • the secured system 102 may be partly or wholly local to a user device with a network connection to the cloud.
  • the authenticator 104 may be partly implemented locally on the user device to secure the secured system 102 and partly in the cloud to perform user authentication on input user credentials and to grant access through provision of an access token or the like to the user device.
  • Other architectures for secured systems 102 will be appreciated by those ordinarily skilled in the art.
  • FIG. 2 shows, in flowchart form, one example method 200 for identifying unauthorized attempts to access an account in a computer system.
  • the method 200 may be implemented by the authenticator 104.
  • the access attempt includes receipt of user credentials, such as a username and password or the like.
  • the access attempt may involve the exchange of multiple messages between a remote computing device and the authenticator, in some cases.
  • the user credentials are evaluated in operation 204 to assess whether they are valid. This may include querying a user database storing username and password combinations, for example. Suitable encryption and hashing algorithms may be used to secure the database, as will be appreciated by those ordinarily skilled in the art.
  • the requestor is granted access 206. This may include providing the remote device with a security token or data enabling it to access further portions of the secured system. It may include establishing a secured connection or session between the remote device and the secured system. Other mechanisms for enabling access to the secured system will be appreciated.
  • the threshold can be set to a larger number than that for moderate risk environments. For higher risk environments, the threshold could be set low, or even to 1 (one), so as to alert the peers on every failed attempt. If the access attempt involves a failure to identify an existing user account, for example due to provision of an incorrect username that does not have an associated account, then the failed attempt is not necessarily counted against any user account. It will also be understood that the threshold may take into account a number of factors, including the window of time over which the failed attempts have occurred, whether any intervening successful attempts have been made, and other factors, as discussed above.
  • if the count does not exceed the threshold, the method 200 returns to operation 202. If the count does exceed the threshold, then attribution information may be sought to identify the source of the unauthenticated attempts.
  • user contact information associated with the user account is retrieved. This may include an email, mobile number, messaging ID, or other user contact data stored in association with the user account.
  • peer contact information for one or more peers associated with the user account is retrieved. This may include obtaining peer contact information from a stored list of peers associated with the user account. The peer contact information may include an email, mobile number, messaging ID, or other peer contact information to which the system can send a message or notification.
  • a notification is sent to the user and to the peers.
  • the notification may be sent via any suitable communication medium for a given implementation, such as SMS, email, social network messaging, instant messaging, or other such mediums.
  • the notification is addressed based on the contact information obtained in operations 210 and 212.
  • the notification to the user may differ from the notification to the peers.
  • the notification may be a message containing a selectable element to trigger a response message.
  • the message may contain a link to a website or other interface through which the recipient can provide a response.
  • the response sought is whether the failed attempts can be attributed to the user.
  • operation 214 could be exploited by an attacker making multiple failed authentication attempts across a wide range of authorized users, triggering a flood of peer validation requests.
  • some implementations would establish a countermeasure, operation 217, to count the peer validation requests sent in a given time frame, throttle the requests, and trigger an appropriate security action in operation 225. If the count is below the acceptable threshold, which may be labelled an “abuse threshold”, the process would continue to operation 216. It will be appreciated that operation 217 may occur before operation 214 as a condition precedent to transmitting the notification.
  • the system first awaits a response from the user, as indicated by operation 216. If the response received from the user is a denial that the attempts are by the user, then the system may take a security action in operation 218. If the response is that the attempts are legitimate attempts by the user, then the system proceeds to evaluate at least one peer response. Some implementations can determine that no immediate peers are available to respond and, depending on the security risk level and the administrative policy applied, trigger an appropriate security action.
  • the security action performed in operation 225 is different from the security action performed in operation 218. More precisely, in one embodiment of the disclosure, the security action performed in operation 218 is stricter than the security action performed in operation 225, from a security point of view. In a variant, the security action performed in operation 225 and the security action performed in operation 218 are the same.
  • the system evaluates a peer response. If the peer confirms that the failed attempts are attributable to the user, then the system returns to 202 and no security action is taken. In some cases, the system may clear a restricted security setting with respect to the user account. In one example, the system may zero the number of failed attempts stored in the count so as to enable the user to retry accessing the account without immediately re-triggering the attribution process.
  • the security action may include sending a notification to an administrator or other security point. It may include changing authorization data for the user account to provide more restricted access in the event a successful authentication occurs. In some cases, it may include locking the account to prevent successful authentication, perhaps for a preset period of time. In some instances, it may result in additional security oversight, such as triggering a recording or more robust log of all activity associated with the user account and any attempts to access the user account. In some cases, the security action may include imposing a further level of authentication that is required even if someone is able to successfully authenticate.
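The attribution step of method 200, with the abuse countermeasure (operation 217) applied before the notification (operation 214), the user's response evaluated first (operations 216 and 218) and a peer denial outweighing the user's own confirmation, is shown below as an added example. It is not code from the patent or from BlackBerry: the class names, the `Response` and `SecurityAction` values, the contact addresses and the scripted replies are this example's own assumptions, and the scripted notifier stands in for whatever SMS, email or messaging channel an implementation would use.

```python
# Added example, not from the patent: the attribution step of method 200.
# A sliding-window counter stands in for the abuse threshold of operation 217;
# names, addresses and scripted replies are constructed assumptions.
from collections import deque
from enum import Enum


class Response(Enum):
    USER_CAUSED = "user"        # recipient attributes the failures to the user
    NOT_USER = "not_user"       # recipient denies that the user caused them
    NO_RESPONSE = "none"


class SecurityAction(Enum):
    NONE = "none"                        # peer confirmed: clear the count, back to 202
    THROTTLE = "throttle"                # operation 225: abuse threshold exceeded
    LOCK_AND_NOTIFY = "lock_and_notify"  # operation 218 (or the peer-denial equivalent)


class ScriptedNotifier:
    """Stands in for message delivery; records every contact it was asked to reach."""

    def __init__(self, replies):
        self.replies = replies          # contact address -> Response
        self.sent = []

    def __call__(self, contact, account):
        self.sent.append((contact, account))
        return self.replies.get(contact, Response.NO_RESPONSE)


class AttributionService:
    def __init__(self, notifier, abuse_threshold=100, abuse_window_seconds=600,
                 strict_when_no_peer=True):
        self.notifier = notifier
        self.abuse_threshold = abuse_threshold
        self.abuse_window = abuse_window_seconds
        self.strict_when_no_peer = strict_when_no_peer
        self.request_times = deque()    # send times of attribution requests, all accounts

    def _under_abuse_threshold(self, now):
        # Operation 217: count requests in the window and refuse once it is full.
        cutoff = now - self.abuse_window
        while self.request_times and self.request_times[0] < cutoff:
            self.request_times.popleft()
        return len(self.request_times) < self.abuse_threshold

    def handle(self, account, user_contact, peer_contacts, failed_counts, now):
        """Run once the failed-attempt count for `account` has exceeded the maximum."""
        if not self._under_abuse_threshold(now):
            return SecurityAction.THROTTLE                 # operation 225
        self.request_times.append(now)
        # Operation 214/216: notify the user and evaluate the user's reply first.
        if self.notifier(user_contact, account) is Response.NOT_USER:
            return SecurityAction.LOCK_AND_NOTIFY          # operation 218
        # Then the peers. A peer denial is acted on even if the user said "it was me".
        peer_replies = [self.notifier(peer, account) for peer in peer_contacts]
        if Response.NOT_USER in peer_replies:
            return SecurityAction.LOCK_AND_NOTIFY
        if Response.USER_CAUSED in peer_replies:
            failed_counts[account] = 0                     # let the user retry
            return SecurityAction.NONE
        # No peer answered: administrative policy decides how to treat silence.
        if self.strict_when_no_peer:
            return SecurityAction.LOCK_AND_NOTIFY
        return SecurityAction.NONE
```

Note that the abuse counter is global rather than per account: the flood described in the text comes from failures spread across many accounts, so a per-account counter would never notice it.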
  • the notification to the peers may be staged based on a hierarchical ranking of the peers.
  • the attribution process does not include contacting the user for attribution information and only involves contacting the one or more peers associated with the user account.
  • Figure 3 shows another example method 300 of identifying unauthorized attempts to access an account in a computer system.
  • the authenticator monitors access attempts and determines when the number of failed consecutive access attempts exceeds a threshold, as indicated by operations 302, 304, 306 and 308.
  • peer contact information is retrieved from storage in operation 310.
  • the peer contact information may include a peer list, which may rank the peer contacts in an order.
  • administrative policies may determine the order. For example, an immediate supervisor may be ranked first.
  • An IT department representative may be included in the ranking.
  • a co-worker may have a lower ranking than IT department personnel or supervisory personnel.
  • a notification regarding the failed authentication attempts is sent to the first or highest ranked peer contact associated with the user account.
  • the notification requests attribution for the failed authentication attempts. In particular, it may request confirmation that the failed authentication attempts were failed attempts by the user.
  • the system then awaits a response, as indicated by operations 314 and 316.
  • the time for response may be set to any suitable time for a particular implementation. For example, some number of minutes (1, 2, 5, etc.) may be set as the response time. If the request for a response does not result in receipt of an attribution response from the peer contact, then the system may return to operation 312 to send a notification to the next peer contact in hierarchical order, as shown by operation 322.
  • operation 312 could be exploited by an attacker making multiple failed authentication attempts across a wide range of authorized users, triggering a flood of peer validation requests.
  • some implementations would establish a countermeasure, operation 313, to count peer validation requests in a given time frame, throttle the requests, and trigger an appropriate security action in operation 315. If the count is below the abuse threshold, the process would continue to operation 314. It will be appreciated that operation 313 may occur prior to, and as a condition precedent to, sending the attribution request in operation 312.
  • the security action may include one or more operations to notify, lock, restrict, or otherwise take measures with regard to the account.
  • the security action performed in operation 315 is different from the security action performed in operation 320. More precisely, in one embodiment of the disclosure, the security action performed in operation 320 is stricter than the security action performed in operation 315. In a variant, the security action performed in operation 315 and the security action performed in operation 320 are identical.
  • a security action may be implemented to prevent further attempts to access the user account. That is, the account may be temporarily locked while awaiting attribution information from the peer contacts. This may assist in slowing down an attack if the failed authentication attempts are part of an attack. A confirmation of user involvement in operation 318 may result in removal of the restrictions on the account. Conversely, a peer contact response that denies user involvement may result in leaving the account restrictions in place as the security action of operation 322. Further actions may also be taken, such as sending a notification to IT administrators regarding the locked account.
  • the system may be configured to notify one or more IT administrators, lift security restrictions, seek user confirmation at an alternative user contact address, or take one or more other actions.
  • the account may remain locked until at least one of the peer contacts replies to the notification or security administrator clears the event upon adequate alternate authentication.
  • Example embodiments of the present application are not limited to any particular operating system, system architecture, mobile device architecture, server architecture, or computer programming language.

Abstract

Described are methods and systems to identify unauthorized attempts to access an account in a computer system, the account having an authorized user. The methods and systems include determining that a count of failed attempts to access the account exceeds a maximum. Based on the count exceeding the maximum, one or more peer contacts associated with the authorized user are retrieved from stored user data. A failure attribution request is transmitted to the one or more peer contacts and a response is received from at least one of the one or more peer contacts. If the response denies that the authorized user caused the failed attempts, then a security action is taken with respect to the account. The method may include first confirming that the number of failure attribution requests sent has not exceeded an abuse threshold, to prevent denial-of-service attacks.

Description

METHODS AND SYSTEMS FOR DETECTING UNAUTHORIZED ACCESS
FIELD
[0001] The present application generally relates to computer security and, in particular, to detecting unauthorized access to an account.
BACKGROUND
[0002] In computing systems, security is often maintained through requiring that a request for access be accompanied by user credentials. Those provided credentials are compared to stored authorized user credentials and, if validated, then the user access request is considered authenticated and access is granted.
[0003] A brute force attack to gain illicit access to a user account may involve a series of failed authentication attempts. To limit this attack vector, systems sometimes limit the number of failed attempts within a period of time. However, this facilitates denial-of-service attacks by locking out access to the legitimate user. Moreover, in some cases the attempts are legitimate attempts by the authorized user, but the user has mistyped the credentials or misremembered his or her password. It would be advantageous for the system to distinguish between legitimate user failures to authenticate and illegitimate attempts to authenticate that originate from someone other than the authorized user. While these failed attempts are logged, they are more often invisible to or ignored by the user. Some systems will prompt the user to confirm whether a new login from a new host is legitimate, but if the account is compromised, those alerts can be deleted before the legitimate user can see them.
BRIEF DESCRIPTION OF THE DRAWINGS
[0004] Reference will now be made, by way of example, to the accompanying drawings which show example embodiments of the present application, and in which:
[0005] Figure 1 diagrammatically shows an example system that includes an authenticator for managing user authentication to a secured system;
[0006] Figure 2 shows, in flowchart form, one example method of identifying unauthorized attempts to access an account in a computer system; and
[0007] Figure 3 shows, in flowchart form, another example method of identifying unauthorized attempts to access an account in a computer system.
[0008] Similar reference numerals may have been used in different figures to denote similar components.
DESCRIPTION OF EXAMPLE EMBODIMENTS
[0009] In a first aspect, the present application describes a method of identifying unauthorized attempts to access an account in a computer system, the account having an authorized user. The method may include determining that a count of failed attempts to access the account exceeds a maximum; based on the count exceeding the maximum, retrieving from stored user data one or more peer contacts associated with the authorized user; transmitting a failure attribution request to the one or more peer contacts; receiving a response from at least one of the one or more peer contacts; and, when the response denies that the authorized user caused the failed attempts, taking a security action with respect to the account.
[0010] In another aspect, the present application describes a system for identifying unauthorized attempts to access an account in a computer system, the account having an authorized user. The system includes a processor; a memory storing user data, including one or more peer contacts associated with the authorized user; and an authentication application containing processor executable instructions that, when executed by the processor, are to cause the processor to determine that a count of failed attempts to access the account exceeds a maximum; based on the count exceeding the maximum, retrieve from the memory the one or more peer contacts associated with the authorized user; transmit a failure attribution request to the one or more peer contacts; receive a response from at least one of the one or more peer contacts; and when the response denies that the authorized user caused the failed attempts, take a security action with respect to the account.
[0011] In some implementations, the determining includes comparing received credentials in a request for access to stored user credentials, finding that they do not match, and incrementing an associated count of failed attempts.
[0012] In some implementations, the stored user data includes a peer list containing the one or more peer contacts associated with the authorized user. In some cases, the list is stored in association with the account. In some cases, each peer contact in the peer list includes peer contact information to which the failure attribution request is to be transmitted.
[0013] In some implementations, the security action may include at least one of sending a notification to a security administrator, altering an authorization setting for the account, temporarily preventing further access attempts to the account, or imposing a further level of authentication required to access the account following a successful authentication.
[0014] In some implementations, the method and system may further include transmitting an attribution request to a user contact address for the authorized user, receiving a response from the user contact address, and when the response denies user involvement in the failed attempts then taking the security action.
[0015] In some implementations, the one or more peer contacts may include a plurality of peer contacts in a hierarchical order, and transmitting may include transmitting the failure attribution request to a first peer contact in the hierarchical order; awaiting the response; and if the response is not received within a time window, sending the failure attribution request to a next peer contact in the hierarchical order. In some cases, the method and system may include temporarily preventing further access attempts to the account while awaiting the response. In some cases, the awaiting and sending are repeated for each successive peer contact in the hierarchical order until the response is received or the time window for a last peer contact expires.
[0016] In some implementations, transmitting the failure attribution request includes determining that a number of failure attribution requests transmitted over a time period is below an abuse threshold as a condition precedent to transmitting the failure attribution request.
[0017] Other aspects and features of the present application will be understood by those of ordinary skill in the art from a review of the following description of examples in conjunction with the accompanying figures.
[0018] In the present application, the terms “about”, “approximately”, and “substantially” are meant to cover variations that may exist in the upper and lower limits of the ranges of values, such as variations in properties, parameters, and dimensions. In a non-limiting example, the terms “about”, “approximately”, and “substantially” may mean plus or minus 10 percent or less.
[0019] In the present application, the term “and/or” is intended to cover all possible combinations and sub-combinations of the listed elements, including any one of the listed elements alone, any sub-combination, or all of the elements, and without necessarily excluding additional elements.
[0020] In the present application, the phrase “at least one of ... or ...” is intended to cover any one or more of the listed elements, including any one of the listed elements alone, any sub-combination, or all of the elements, without necessarily excluding any additional elements, and without necessarily requiring all of the elements.
[0021] References herein may be made to attempts to access an “account”. The term “account” is to be given a broad interpretation and is not limited to a specific type of account. It is meant to refer to any resource to which access may be restricted by way of a user identity challenge. Examples may include attempts to open a locked device like a mobile phone or personal computer, attempts to access a computer environment like a user account on an enterprise network or social network, or attempts to access a service like a video streaming service. In this sense, “account” refers to any computer-secured resource that has restricted access to users that present valid authentication credentials.
[0022] In computing devices and network environments authentication is a cornerstone security technique. Authentication involves the receipt of some input to prove the identity of the user requesting access to a resource. The most typical example of user authentication data is a username and password. Other examples may include biometric input, a password alone without a username (although it may be associated with one), answers to challenge phrases, etc. An authenticator verifies the validity of the provided user authentication data by comparing it to stored user data. The user data may include profiles for a plurality of users, each having a unique username and password. The user data may include additional data, such as authorization data indicating the level of access available to the user.
[0023] A security challenge for computing systems is to prevent repeated attempts to access an account. One technique is to limit the number of consecutive failed attempts and to lock the account if too many attempts are made without success. This can be frustrating for a legitimate user who makes typing mistakes, forgets the CapsLock is on, has misremembered their password, or is trying out a number of their more commonly-used passwords to guess which one they used for this account. Moreover, locking the account after a maximum number of failed attempts creates a denial of service risk. That can be addressed through limiting the locking of the account to a short period of time, but that then allows the attack to continue, albeit more slowly. Other techniques may try to distinguish between legitimate user failed attempts and malicious failed attempts using behavioral analytics, IP address information, or other side information to evaluate the nature of the failed attempts to access.
[0024] When a user successfully logs into an account, i.e. succeeds in authentication, the system may impose two-factor authentication (2FA) as a technique to improve security of the system. 2FA simply imposes a second authentication step after the first successful authentication. This may be through presenting a further user credential request at the same user interface, or may be through providing some data, e.g. a code, via an alternative user account for the same user, and requesting that the user access that alternative user account and present the data to further authenticate the user’s identity. If a user’s credentials are compromised for both accounts then the malicious actor may be able to pass through the 2FA process. Strong 2FA requires that one element be something only the user knows and that another be something only the user possesses, such as a unique rotating token or a secondary device like a mobile phone used to acknowledge a secondary approval prompt.
[0025] 2FA adds a layer of additional security to user authentication, but does not address the issue of failed authentications and the need to evaluate whether the failed authentications represent an attack on the system or a legitimate user’s attempt to access their account.
[0026] In accordance with one aspect of the present application, a computing system determines how to handle authentication failures by obtaining attribution information. In one instance, the user may be contacted via a separate communication channel, such as through a different account or a different device, to solicit information regarding a failed attempt or attempts to access an account. Through the separate communication channel, the user may confirm that the failed attempt(s) are attributable to the user or may deny that the failed attempt(s) are attributable to the user. If the response to the solicitation is denial of attribution, then the system may take certain security actions since the failed attempt(s) are a likely attack.
[0027] In accordance with another aspect of the present application, as an alternative or in addition to soliciting information from the user, attribution information may be solicited from one or more peers associated with the user. That is, the system may have stored information in association with the user linking the user to one or more peers. The one or more peers may be sent an attribution request at a device or contact point designated for the one or more peers. A response from one of the peers may indicate that the failed authentication attempt(s) are attributable to the user, which the system may treat as verification that the failed authentication attempt(s) are legitimate user failures. Such a determination may mean any alarm or lock condition may be cleared. A response from a peer that indicates that the failed authentication attempt(s) are not from the user may trigger a security action. The peer indication of non-user attribution may result in security action even if the user has indicated that the failed attempt(s) are legitimate, in some instances.
[0028] Reference is first made to Figure 1, which diagrammatically illustrates an example system 100 for detecting likely attacks on user authentication. The system 100 includes a secured system 102. The secured system 102 represents a resource to which one or more users seeks access. The secured system 102 may include a corporate network environment with all its internal resources, in some cases. In other examples, it may be a social network, gaming network, financial network, or any other type of computing resource. The secured system 102 may be operably connected to a plurality of networks, which may include public networks, private networks, or both.
[0029] An authenticator 104 manages authentication of user requests to access the secured system 102. The authenticator 104 may include or have access to stored user data 106. An authentication request provides user authentication data to the authenticator 104, which then evaluates the validity of the user authentication data by comparing it to the stored user data 106. For example, the stored user data 106 may include identifying data for a plurality of authorized users, including usernames (or user IDs), associated passwords, and any associated security settings, like authorization levels.
[0030] In this example system 100, the user data 106 includes, for each user, a record of failed authentication attempts, which may include a count of failed authentication attempts 108. These attempts may include all unsuccessful attempts to access the account associated with a particular user. In some cases, the count may be a count of consecutive failed attempts without a successful authentication. In some cases, the count may be limited in time to attempts in the past hour, day, week, or some other time period. In yet other cases, the count may include non-consecutive failures over a time period. The records of failed authentication attempts may include additional metadata regarding the attempts, such as the IP address or other identifying information regarding the source of the attempt.
[0031] In this example, the system 100 further includes within the user data 106 a peer list 110 stored in association with an authorized user. The peer list 110 contains identifiers for one or more peers designated for the authorized user. The designation may be made by the authorized user when configuring his or her account as part of the set-up process. In some cases, such as a corporate environment, the designation of peers may be policy based and at least partly controlled by an administrator. For example, an authorized user may be required to have his or her immediate supervisor included as a peer.
[0032] The peer list 110 may include user identifiers for each of the peers, such as a username or user ID. The authenticator 104 may access the peer list 110 to obtain the user identifiers for the peers. The peer list 110 may include contact information for each peer. In some implementations, the authenticator 104 may search the user data 106 for contact details for each peer based on the user identifiers in the peer list 110. The contact details may include a mobile number, email address, messaging identity, social network identifier, SIP URI, or other peer contact data to which the authenticator 104 can send a notification or request. In some implementations, the peer list 110 may include a status of whether or not the peer is available. It will be appreciated that the peer contact is an individual different and separate from the user associated with the user account. The peer contact information includes one or more addresses or accounts associated with (owned or operated by) the peer contact. It may include device identifiers or other data specific to a device or account controlled by the peer contact that represents identifying contact information for the peer contact. To be clear, the peer contact information is not an alternative account or contact information for the user.
[0033] In an open system, the peers may not necessarily be authorized users of the secured system 102 and may not have their details stored in the user data 106 as users of the secured system 102. Nevertheless, the authorized user may have designated them as peers on configuration of the user’s account and may have provided the peer contact data, which is then stored in, or in association with, the peer list 110.
[0034] Although illustrated as a single database, the user data 106 may be implemented as two or more data storage elements, including databases, and there may be multiple records, at least one of which stores user authentication information for the user, and at least another of which stores the peer list 110 associated with the user.
[0035] As noted above, the authenticator 104 may track failed authentication attempts in association with a user account. If the number of failed authentication attempts exceeds a maximum, then the authenticator 104 may output an attribution request. The trigger for the attribution request may be the count of failed authentication attempts for a user account exceeding a preset threshold, such as five or ten. The trigger may be based on consecutive failed authentication attempts without a successful authentication, in some implementations. The trigger may also take into account the time over which the failures occurred, such that the threshold is based on a maximum number of failed authentication attempts within a certain window of time, e.g. 15 minutes, an hour, a day, etc. Some implementations may consider the number of failed attempts without success from a given source IP address, or apply a lower threshold if the source IP has not been a recent source of positive authentication. Other factors may be included in the determination of whether to send an attribution request.
[0036] Once the authenticator 104 determines that an attribution request is to be sent, then it sends a message to the user, to one or more peers, or to both. The message may be sent through any suitable medium, including instant messaging, SMS, email, or other communication types. The message informs the user and/or peers that there have been a maximum number of failed attempts to access the user account and requests that the recipient indicate whether the attempts were made by the user. Depending on the implementation, the message may include a selectable icon, button or other response element to trigger a response message. In some cases, the message may include two different selectable response elements: one to attribute failures to the user and another to attribute failures to someone other than the user. In some cases, the message may include a link that, when selected, opens a browser session and links to a webpage through which the attribution response may be provided. Other mechanisms for soliciting and obtaining electronic feedback from the user and/or peers will be appreciated.
[0037] The message may, in some cases, contain information regarding the failed authentication attempts. That information may be obtained by the authenticator 104 from the stored record of failed authentication attempts for that user account. The information in the message may include information identifying the user account and the user, the time and/or date of each attempt, the geographic location from which the access attempt appears to originate (based on IP address, for example), and/or the count of failed attempts.
[0038] Although the authenticator 104 is shown as being separate from the secured system 102 for ease of discussion, it will be appreciated that the authenticator 104 may be implemented as part of the secured system 102. It will also be appreciated that the authenticator 104 may be implemented by way of software operating on a suitable computing platform, such as a server or similar networked computing system. The software is executed by one or more processors within the computing system to cause the computing system to carry out the described operations of the authenticator 104. Any suitable programming language and/or program structure may be used in realizing the software-implemented authenticator 104.
[0039] The secured system 102 is shown as being in the “cloud” of a networked environment. In some cases, the secured system 102 may be partly or wholly local to a user device with a network connection to the cloud. The authenticator 104 may be partly implemented locally on the user device to secure the secured system 102 and partly in the cloud to perform user authentication on input user credentials and to grant access through provision of an access token or the like to the user device. Other architectures for secured systems 102 will be appreciated by those ordinarily skilled in the art.
[0040] Reference is now made to Figure 2, which shows, in flowchart form, one example method 200 for identifying unauthorized attempts to access an account in a computer system. The method 200 may be implemented by the authenticator 104.
[0041] In operation 202 an access attempt is made with respect to the user account. This may involve a login attempt by way of a website, mobile app, lock screen or other software security checkpoint. In some implementations, the access attempt includes receipt of user credentials, such as a username and password or the like. The access attempt may involve the exchange of multiple messages between a remote computing device and the authenticator, in some cases. The user credentials are evaluated in operation 204 to assess whether they are valid. This may include querying a user database storing username and password combinations, for example. Suitable encryption and hashing algorithms may be used to secure the database, as will be appreciated by those ordinarily skilled in the art. If the user credentials are determined to be valid in operation 204, the requestor is granted access 206. This may include providing the remote device with a security token or data enabling it to access further portions of the secured system. It may include establishing a secured connection or session between the remote device and the secured system. Other mechanisms for enabling access to the secured system will be appreciated.
[0042] If the user credentials are determined to be invalid in operation 204, then in operation 208 it is determined whether the failed authentication attempt results in more than a threshold number of failures in association with the user account. In this regard, it will be appreciated that the access attempt is associated with a given user account. For implementations in a lower-risk environment the threshold can be set to a larger number than that for moderate-risk environments. For higher risk, the threshold could be set low, or to 1 (one) to alert the peers on every failed attempt. If the access attempt involves a failure to identify an existing user account, for example due to provision of an incorrect username that does not have an associated account, then the failed attempt is not necessarily counted against any user account. It will also be understood that the threshold may take into account a number of factors, including the window of time over which the failed attempts have occurred, whether any intervening successful attempts have been made, and other factors, as discussed above.
[0043] If, in operation 208, it is determined that the count of failed authentication attempts does not exceed the threshold, then the method 200 returns to operation 202. If the count does exceed the threshold, then attribution information may be sought to identify the source of the unauthenticated attempts. In operation 210, user contact information associated with the user account is retrieved. This may include an email, mobile number, messaging ID, or other user contact data stored in association with the user account. In operation 212, peer contact information for one or more peers associated with the user account is retrieved. This may include obtaining peer contact information from a stored list of peers associated with the user account. The peer contact information may include an email, mobile number, messaging ID, or other peer contact information to which the system can send a message or notification.
[0044] In operation 214 a notification is sent to the user and to the peers. The notification may be sent via any suitable communication medium for a given implementation, such as SMS, email, social network messaging, instant messaging, or other such mediums. The notification is addressed based on the contact information obtained in operations 210 and 212. The notification to the user may differ from the notification to the peers. The notification may be a message containing a selectable element to trigger a response message. The message may contain a link to a website or other interface through which the recipient can provide a response. The response sought is whether the failed attempts can be attributed to the user. In and of itself, operation 214 could be exploited by an attacker making multiple failed authentication attempts across a wide range of authorized users, triggering a flood of peer validation requests. As such, some implementations would establish a countermeasure, operation 217, to count peer validation requests in a given time frame, throttle the requests, and trigger an appropriate security action in operation 225. If the count is below the acceptable threshold, which may be labelled an “abuse threshold”, the process would continue to operation 216. It will be appreciated that operation 217 may occur before operation 214 as a condition precedent to transmitting the notification.
[0045] In this example, the system first awaits a response from the user, as indicated by operation 216. If the response received from the user is a denial that the attempts are by the user, then the system may take a security action in operation 218. If the response is that the attempts are legitimate attempts by the user, then the system proceeds to evaluate at least one peer response. Some implementations can determine that no immediate peers are available to respond and, depending on the security risk level and the administrative policy applied, the system can trigger an appropriate security action. In one embodiment of the disclosure, the security action performed in operation 225 is different from the security action performed in operation 218. More precisely, in one embodiment of the disclosure, the security action performed in operation 218 is stricter, from a security point of view, than the security action performed in operation 225. In a variant, the security action performed in operation 225 and the security action performed in operation 218 are the same.
[0046] In operation 220, the system evaluates a peer response. If the peer confirms that the failed attempts are attributable to the user, then the system returns to 202 and no security action is taken. In some cases, the system may clear a restricted security setting with respect to the user account. In one example, the system may zero the number of failed attempts stored in the count so as to enable the user to retry accessing the account without immediately re-triggering the attribution process.
[0047] If the peer response denies user attribution in operation 220, then the system may take a security action in operation 222.
[0048] The security action may include sending a notification to an administrator or other security point. It may include changing authorization data for the user account to provide more restricted access in the event a successful authentication occurs. In some cases, it may include locking the account to prevent successful authentication, perhaps for a preset period of time. In some instances, it may result in additional security oversight, such as triggering a recording or more robust log of all activity associated with the user account and any attempts to access the user account. In some cases, the security action may include imposing a further level of authentication that is required even if someone is able to successfully authenticate.
[0049] In some cases, the notification to the peers may be staged based on a hierarchical ranking of the peers. In one example implementation, the attribution process does not include contacting the user for attribution information and only involves contacting the one or more peers associated with the user account. Figure 3 shows another example method 300 of identifying unauthorized attempts to access an account in a computer system. In this example, the authenticator monitors access attempts and determines when the number of failed consecutive access attempts exceeds a threshold, as indicated by operations 302, 304, 306 and 308.
[0050] Once the number of consecutive failed authentication attempts exceeds the threshold, peer contact information is retrieved from storage in operation 310. The peer contact information may include a peer list, which may rank the peer contacts in an order. In some cases, administrative policies may determine the order. For example, an immediate supervisor may be ranked first. An IT department representative may be included in the ranking. A co-worker may have a lower ranking than IT department personnel or supervisory personnel.
[0051] In operation 312, a notification regarding the failed authentication attempts is sent to the first or highest ranked peer contact associated with the user account. The notification requests attribution for the failed authentication attempts. In particular, it may request confirmation that the failed authentication attempts were failed attempts by the user. The system then awaits a response, as indicated by operations 314 and 316. The time for response may be set to any suitable time for a particular implementation. For example, some number of minutes (1, 2, 5, etc.) may be set as the response time. If the request for a response does not result in receipt of an attribution response from the peer contact, then the system may return to operation 312 to send a notification to the next peer contact in hierarchical order, as shown by operation 322. In and of itself, operation 312 could be exploited by an attacker making multiple failed authentication attempts across a wide range of authorized users, triggering a flood of peer validation requests. As such, some implementations would establish a countermeasure, operation 313, to count the peer validation requests issued in a given time frame, throttle the requests, and trigger an appropriate security action in operation 315. If the count is below the abuse threshold, the process would continue to operation 314. It will be appreciated that operation 313 may occur prior to, and as a condition precedent to, sending the attribution request in operation 312.
[0052] If a response is received in operation 318, then the response either confirms that the user is the source of the failed attempts, in which case the method 300 returns to operation 302 to accept new attempts to access the account, or the response denies user involvement, in which case a security action is taken with regard to the account, as shown by operation 320. As noted above, the security action may include one or more operations to notify, lock, restrict, or otherwise take measures with regard to the account. In one embodiment of the disclosure, the security action performed in operation 315 is different from the security action performed in operation 320. More precisely, in one embodiment of the disclosure, the security action performed in operation 320 is stricter than the security action performed in operation 315. In a variant, the security action performed in operation 315 and the security action performed in operation 320 are identical.
[0053] In some cases, while awaiting a response from the peer contacts, a security action may be implemented to prevent further attempts to access the user account. That is, the account may be temporarily locked while awaiting attribution information from the peer contacts. This may assist in slowing down an attack if the failed authentication attempts are part of an attack. A confirmation of user involvement in operation 318 may result in removal of the restrictions on the account. Conversely, a peer contact response that denies user involvement may result in leaving the account restrictions in place as the security action of operation 322. Further actions may also be taken, such as sending a notification to IT administrators regarding the locked account.
[0054] If the peer contact list is exhausted without receiving a response from any of the peer contacts within the time-out period, and/or if no peers are determined to be active and/or available, then the system may be configured to notify one or more IT administrators, lift security restrictions, seek user confirmation at an alternative user contact address, or take one or more other actions. In some examples, the account may remain locked until at least one of the peer contacts replies to the notification or a security administrator clears the event upon adequate alternate authentication.
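The method 300 flow of paragraphs [0050] to [0054] (consecutive-failure maximum, ranked peer list, response window with fall-through to the next peer, abuse throttle on attribution requests, temporary lock while attribution is pending), as an added Python model. This is example code written for this page, not code from the patent or from BlackBerry; the class, method and parameter names (PeerAttributionAuthenticator, attempt, tick, peer_response, max_failures, response_window, abuse_threshold, abuse_period) are assumptions, and the send and now callables are injected so the flow can be driven deterministically.

```python
from collections import deque
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Deque, Dict, List, Optional

class Verdict(Enum):
    PENDING = "pending"                    # awaiting a peer response
    USER_CONFIRMED = "user_confirmed"      # peer attributed the failures to the user
    SECURITY_ACTION = "security_action"    # peer denied, or the abuse throttle tripped
    ADMIN_ESCALATION = "admin_escalation"  # peer list exhausted without any response

@dataclass
class AccountState:
    failed: int = 0                  # consecutive failed attempts (operations 304-306)
    locked: bool = False             # temporary lock while attribution is pending
    peer_index: int = 0              # position in the ranked peer list
    sent_at: Optional[float] = None  # when the current attribution request went out
    verdict: Verdict = Verdict.PENDING

class PeerAttributionAuthenticator:
    # Hypothetical class; parameter names and defaults are assumptions, not the patent's.
    def __init__(self, credentials: Dict[str, str], peers: Dict[str, List[str]],
                 max_failures: int = 5, response_window: float = 120.0,
                 abuse_threshold: int = 50, abuse_period: float = 3600.0,
                 send: Callable[[str, str], None] = lambda peer, acct: None,
                 now: Callable[[], float] = lambda: 0.0) -> None:
        self.credentials, self.peers = credentials, peers
        self.max_failures, self.response_window = max_failures, response_window
        self.abuse_threshold, self.abuse_period = abuse_threshold, abuse_period
        self.send, self.now = send, now
        self.state: Dict[str, AccountState] = {}
        self._requests: Deque[float] = deque()  # send times across all accounts

    # Operations 302-308: count consecutive failures; above the maximum, start attribution.
    def attempt(self, account: str, offered: str) -> bool:
        st = self.state.setdefault(account, AccountState())
        if st.locked:
            return False
        if self.credentials.get(account) == offered:
            st.failed = 0
            return True
        st.failed += 1
        if st.failed > self.max_failures:
            st.locked = True  # hold the account while peers are consulted (paragraph [0053])
            st.verdict, st.peer_index = Verdict.PENDING, 0
            self._send_to_current_peer(account, st)
        return False

    # Operations 313/315 (abuse throttle over a sliding window), then 312 (notify ranked peer).
    def _send_to_current_peer(self, account: str, st: AccountState) -> None:
        t = self.now()
        while self._requests and t - self._requests[0] > self.abuse_period:
            self._requests.popleft()
        if len(self._requests) >= self.abuse_threshold:
            st.verdict = Verdict.SECURITY_ACTION  # request flood: act, do not notify
            return
        ranked = self.peers.get(account, [])
        if st.peer_index >= len(ranked):
            st.verdict = Verdict.ADMIN_ESCALATION  # list exhausted; lock stays (paragraph [0054])
            return
        self.send(ranked[st.peer_index], account)
        self._requests.append(t)
        st.sent_at = t

    # Operations 314/316/322: on timeout, fall through to the next peer in hierarchical order.
    def tick(self, account: str) -> None:
        st = self.state.get(account)
        if st is None or st.verdict is not Verdict.PENDING or st.sent_at is None:
            return
        if self.now() - st.sent_at > self.response_window:
            st.peer_index += 1
            self._send_to_current_peer(account, st)

    # Operations 318/320: apply the peer's answer; replies from a stale or unknown peer are ignored.
    def peer_response(self, account: str, peer: str, attributes_to_user: bool) -> Verdict:
        st = self.state.get(account)
        ranked = self.peers.get(account, [])
        if (st is None or st.verdict is not Verdict.PENDING
                or st.peer_index >= len(ranked) or ranked[st.peer_index] != peer):
            return st.verdict if st else Verdict.PENDING
        if attributes_to_user:
            st.failed, st.locked, st.verdict = 0, False, Verdict.USER_CONFIRMED
        else:
            st.verdict = Verdict.SECURITY_ACTION  # denial: leave the lock in place
        return st.verdict
```

A scheduler is expected to call tick() for each pending account; the abuse counter is deliberately global, since the flood described in [0051] spans many accounts rather than one.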
[0055] Example embodiments of the present application are not limited to any particular operating system, system architecture, mobile device architecture, server architecture, or computer programming language.
[0056] It will be understood that the applications, modules, routines, processes, threads, or other software components implementing the described method/process may be realized using standard computer programming techniques and languages. The present application is not limited to particular processors, computer languages, computer programming conventions, data structures, or other such implementation details. Those skilled in the art will recognize that the described processes may be implemented as a part of computer-executable code stored in volatile or non-volatile memory, as part of an application-specific integrated chip (ASIC), etc.
[0057] Certain adaptations and modifications of the described embodiments can be made. Therefore, the above discussed embodiments are considered to be illustrative and not restrictive.

Claims

WHAT IS CLAIMED IS:
1. A method of identifying unauthorized attempts to access an account in a computer system, the account having an authorized user, the method comprising:
determining that a count of failed attempts to access the account exceeds a maximum;
based on the count exceeding the maximum, retrieving from stored user data one or more peer contacts associated with the authorized user;
transmitting a failure attribution request to the one or more peer contacts;
receiving a response from at least one of the one or more peer contacts;
when the response denies that the authorized user caused the failed attempts, taking a security action with respect to the account.
2. The method of claim 1, wherein determining comprises:
receiving a request for access to the account with offered credentials;
determining that the offered credentials do not match stored user credentials for the account; and
incrementing the count of failed attempts.
3. The method of claim 1 or claim 2, wherein the stored user data comprises a peer list containing the one or more peer contacts associated with the authorized user.
4. The method of claim 3, wherein the peer list is stored in association with the account.
5. The method of claim 3 or claim 4, wherein each peer contact in the peer list comprises peer contact information to which the failure attribution request is to be transmitted.
6. The method of any one of claims 1 to 5, wherein the security action comprises at least one of sending a notification to a security administrator, altering an authorization setting for the account, temporarily preventing further access attempts to the account, or imposing a further level of authentication required to access the account following a successful authentication.
7. The method of any one of claims 1 to 6, wherein the method further comprises transmitting an attribution request to a user contact address for the authorized user, receiving a response from the user contact address, and when the response denies user involvement in the failed attempts then taking the security action.
8. The method of any one of claims 1 to 7, wherein the one or more peer contacts comprise a plurality of peer contacts in a hierarchical order, and wherein transmitting comprises:
transmitting the failure attribution request to a first peer contact in the hierarchical order;
awaiting the response; and
if the response is not received within a time window, sending the failure attribution request to a next peer contact in the hierarchical order.
9. The method of claim 8, wherein the method further comprises temporarily preventing further access attempts to the account while awaiting the response.
10. The method of claim 8 or claim 9, wherein the awaiting and sending are repeated for each successive peer contact in the hierarchical order until the response is received or the time window for a last peer contact expires.
11. The method of any one of claims 1 to 10, wherein transmitting the failure attribution request comprises determining that a number of failure attribution requests transmitted over a time period is below an abuse threshold as a condition precedent to transmitting the failure attribution request.
12. A system for identifying unauthorized attempts to access an account in a computer system, the account having an authorized user, the system comprising:
a processor;
a memory storing user data, comprising one or more peer contacts associated with the authorized user; and
an authentication application containing processor executable instructions that, when executed by the processor, are to cause the processor to:
determine that a count of failed attempts to access the account exceeds a maximum;
based on the count exceeding the maximum, retrieve from the memory the one or more peer contacts associated with the authorized user;
transmit a failure attribution request to the one or more peer contacts;
receive a response from at least one of the one or more peer contacts; and
when the response denies that the authorized user caused the failed attempts, take a security action with respect to the account.
13. The system of claim 12, wherein the instructions are to cause the processor to determine that the count of failed attempts to access the account exceeds the maximum by:
receiving a request for access to the account with offered credentials;
determining that the offered credentials do not match stored user credentials for the account; and
incrementing the count of failed attempts.
14. The system of claim 12 or claim 13, wherein the stored user data comprises a peer list containing the one or more peer contacts associated with the authorized user.
15. The system of claim 14, wherein the peer list is stored in association with the account.
16. The system of claim 14 or claim 15, wherein each peer contact in the peer list comprises peer contact information to which the failure attribution request is to be transmitted.
17. The system of any one of claims 12 to 16, wherein the security action comprises at least one of sending a notification to a security administrator, altering an authorization setting for the account, temporarily preventing further access attempts to the account, or imposing a further level of authentication required to access the account following a successful authentication.
18. The system of any one of claims 12 to 17, wherein the instructions are to further cause the processor to transmit an attribution request to a user contact address for the authorized user, receive a response from the user contact address, and when the response denies user involvement in the failed attempts then take the security action.
19. The system of any one of claims 12 to 18, wherein the one or more peer contacts comprise a plurality of peer contacts in a hierarchical order, and wherein the instructions are to cause the processor to transmit by:
transmitting the failure attribution request to a first peer contact in the hierarchical order;
awaiting the response; and
if the response is not received within a time window, sending the failure attribution request to a next peer contact in the hierarchical order.
20. The system of claim 19, wherein the instructions are to further cause the processor to temporarily prevent further access attempts to the account while awaiting the response.
21. The system of claim 19 or claim 20, wherein the awaiting and sending are repeated for each successive peer contact in the hierarchical order until the response is received or the time window for a last peer contact expires.
22. A non-transitory computer-readable storage medium storing instructions that, when executed by a processor of a computer system, cause the processor to identify unauthorized attempts to access an account, the account having an authorized user, the instructions, when executed by the processor, cause the processor to:
determine that a count of failed attempts to access the account exceeds a maximum;
based on the count exceeding the maximum, retrieve from stored user data one or more peer contacts associated with the authorized user;
transmit a failure attribution request to the one or more peer contacts;
receive a response from at least one of the one or more peer contacts;
when the response denies that the authorized user caused the failed attempts, take a security action with respect to the account.
PCT/CA2019/051741 2019-01-17 2019-12-04 Methods and systems for detecting unauthorized access WO2020146935A1 (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201980089381.6A CN113302606A (en) 2019-01-17 2019-12-04 Method and system for detecting unauthorized access
EP19909657.9A EP3877877A4 (en) 2019-01-17 2019-12-04 Methods and systems for detecting unauthorized access

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US16/250,410 US11616774B2 (en) 2019-01-17 2019-01-17 Methods and systems for detecting unauthorized access by sending a request to one or more peer contacts

Publications (1)

Publication Number Publication Date
WO2020146935A1 true WO2020146935A1 (en) 2020-07-23

Family

ID=71609220

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CA2019/051741 WO2020146935A1 (en) 2019-01-17 2019-12-04 Methods and systems for detecting unauthorized access

Country Status (4)

Country Link
US (1) US11616774B2 (en)
EP (1) EP3877877A4 (en)
CN (1) CN113302606A (en)
WO (1) WO2020146935A1 (en)

Also Published As

Publication number Publication date
CN113302606A (en) 2021-08-24
US11616774B2 (en) 2023-03-28
EP3877877A1 (en) 2021-09-15
US20200236099A1 (en) 2020-07-23
EP3877877A4 (en) 2022-09-07

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 19909657; Country of ref document: EP; Kind code of ref document: A1)
ENP Entry into the national phase (Ref document number: 2019909657; Country of ref document: EP; Effective date: 20210609)
NENP Non-entry into the national phase (Ref country code: DE)