Presently available authentication services allow a user to maintain a user account and password for accessing information. For example, the user uses his or her user account and password to access a company intranet, a web server or service, or a private database. As users increasingly rely on authentication services to provide user validation functions, trust has become essential to the success of many of these authentication services. Trustworthiness is affected in part by the steps taken to improve the security of an authentication service. A key component in the security of the authentication service is the security of individual user accounts. If an attacker penetrates a single user account, the attacker has in effect defeated the authentication service, which causes loss of trustworthiness and confidence in the authentication service along with disclosure of confidential user information.
An authentication service may be subject to one or more types of attacks. For example, an attacker engaging in a brute force attack may target a large quantity of authentication credentials, thus increasing the probability that at least one of these credentials is successfully penetrated. In another example, an attacker engaging in an account-harvesting attack (also called a round robin attack, and today commonly known as password spraying) may try a small quantity of passwords against a large quantity of user accounts, hoping that one of these passwords is the valid password for some account; because each account receives only a few attempts, no single account accumulates enough failures to trigger a lockout. Another type of attack is a denial of service (DoS) attack. Specifically, in a DoS attack, an attacker deliberately submits invalid passwords against several user accounts so that the authentication service locks those accounts or takes other preventive actions, in the mistaken belief that the accounts themselves are under attack; the legitimate owners are then denied access. Any of the above attack types may also be distributed, in that an attack may be initiated simultaneously from many locations. A distributed attack is more serious because it is more difficult to detect: each individual source generates only a small amount of traffic, so it is the aggregate across sources that reveals the attack.
Existing authentication services attempt to detect an attack by implementing an intrusion detection system. In general, an intrusion detection system may detect a hostile attack signature from a specific hostile source and, in response, generate an alarm and/or terminate communications from that hostile source. Nevertheless, an intrusion detection system often does not detect application-level events such as a failed password check, because it inspects network traffic rather than the authentication service's own decisions. Furthermore, without being provided with the encryption keys, the intrusion detection system cannot inspect encrypted authentication traffic at all, so some authentication traffic is not visible to the system, which limits its ability to report attacks.
Also, while an intrusion detection system may detect an attack in situations where a small quantity of user credentials is being targeted, it may not successfully detect an attack spread across a large quantity of user credentials, because it examines the attempts against each credential in isolation and each credential by itself sees too few attempts to look suspicious. That is, even though prior systems and methods may monitor a single user account to determine whether an attack has occurred, they do not log and search authentication attempts arriving from a large quantity of user agents as a whole. As a result, prior systems and methods often cannot effectively prevent an authentication service from being attacked when the authentication service maintains a large quantity of user credentials. Furthermore, an intrusion detection system often fails to identify which authentication request pattern characterizes each of the one or more types of attacks, and so cannot tell a brute force attack, an account-harvesting attack and a lockout-driven DoS attack apart.
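The following is an added example, not part of the original text and not the method the application itself describes. It shows, in working code, the kind of cross-account correlation the two preceding paragraphs argue is missing: failed authentication attempts from many sources against many accounts are logged together and then queried for the request patterns that characterize each attack type (brute force, account harvesting, lockout DoS, and a distributed attack), and the result is contrasted with what a per-account counter alone would flag. The log line format, the threshold values, and the sample log lines are all constructed for this example.

```python
"""Cross-account detection of authentication-attack patterns.

Added example (not from the original text).  Failed logins are correlated
across many accounts and many sources, instead of being counted one account
at a time.  The log format, thresholds and log lines are constructed here.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Hypothetical policy values; tune to the service's real lockout rules.
LOCKOUT_THRESHOLD = 5          # failures after which an account is locked
BRUTE_FORCE_MIN = 8            # one source, one account: this many failures
SPRAY_MIN_ACCOUNTS = 5         # one source, this many accounts, all below lockout
DOS_MIN_LOCKED = 3             # one source drives this many accounts to lockout
DISTRIBUTED_MIN_SOURCES = 3    # one account hit from this many sources
WINDOW = timedelta(minutes=10)


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    src: str
    user: str
    ok: bool


def parse_line(line: str) -> AuthEvent:
    """Constructed line format: '<ISO-8601 time> <source ip> <account> OK|FAIL'."""
    ts, src, user, result = line.split()
    return AuthEvent(datetime.fromisoformat(ts), src, user, result == "OK")


def classify(events, window=WINDOW):
    """Return {pattern: [findings]} over failed attempts in the window that ends
    at the most recent event.  Each pattern is a query across accounts and
    sources that a single-account counter cannot express."""
    findings = {"brute_force": [], "account_harvesting": [],
                "lockout_dos": [], "distributed": []}
    if not events:
        return findings
    cutoff = max(e.ts for e in events) - window
    per_src = defaultdict(lambda: defaultdict(int))   # src -> user -> failures
    per_user = defaultdict(lambda: defaultdict(int))  # user -> src -> failures
    for e in events:
        if not e.ok and e.ts >= cutoff:
            per_src[e.src][e.user] += 1
            per_user[e.user][e.src] += 1

    for src, users in sorted(per_src.items()):
        # Brute force: many guesses against a single account from one source.
        for user, n in sorted(users.items()):
            if n >= BRUTE_FORCE_MIN:
                findings["brute_force"].append((src, user, n))
        # Account harvesting (password spraying): a few guesses against many
        # accounts, each kept below the lockout threshold.
        if len(users) >= SPRAY_MIN_ACCOUNTS and max(users.values()) < LOCKOUT_THRESHOLD:
            findings["account_harvesting"].append((src, len(users)))
        # Lockout DoS: one source pushes several accounts past the lockout threshold.
        locked = sum(1 for n in users.values() if n >= LOCKOUT_THRESHOLD)
        if locked >= DOS_MIN_LOCKED:
            findings["lockout_dos"].append((src, locked))

    # Distributed: one account hit from many sources; each source alone looks
    # harmless, only the aggregate reaches the threshold.
    for user, srcs in sorted(per_user.items()):
        total = sum(srcs.values())
        if len(srcs) >= DISTRIBUTED_MIN_SOURCES and total >= LOCKOUT_THRESHOLD:
            findings["distributed"].append((user, len(srcs), total))
    return findings


def single_account_view(events, window=WINDOW):
    """What a per-account monitor flags: accounts whose own failure count
    reached the lockout threshold, ignoring sources and other accounts."""
    cutoff = max(e.ts for e in events) - window
    per_user = defaultdict(int)
    for e in events:
        if not e.ok and e.ts >= cutoff:
            per_user[e.user] += 1
    return sorted(u for u, n in per_user.items() if n >= LOCKOUT_THRESHOLD)


def _constructed_log():
    """Constructed sample log (not captured from any real system)."""
    lines = ["2024-01-01T09:00:00 10.0.0.5 wendy FAIL"]  # outside the window
    # brute force: one source, one account, eight failures
    lines += [f"2024-01-01T10:00:{i:02d} 198.51.100.7 alice FAIL" for i in range(8)]
    # harvesting: one source, a single guess against each of six accounts
    lines += [f"2024-01-01T10:01:{i:02d} 203.0.113.9 {u} FAIL"
              for i, u in enumerate(["bob", "carol", "dave", "erin", "frank", "grace"])]
    # lockout DoS: one source drives three accounts exactly to the lockout threshold
    lines += [f"2024-01-01T10:02:{j * 10 + i:02d} 192.0.2.4 {u} FAIL"
              for j, u in enumerate(["heidi", "ivan", "judy"]) for i in range(LOCKOUT_THRESHOLD)]
    # distributed: four sources, two failures each, all against one account
    lines += [f"2024-01-01T10:03:{j * 10 + i:02d} 198.51.100.{20 + j} victor FAIL"
              for j in range(4) for i in range(2)]
    # benign: a user mistypes once and then succeeds
    lines += ["2024-01-01T10:04:00 10.0.0.5 wendy FAIL",
              "2024-01-01T10:04:05 10.0.0.5 wendy OK"]
    return lines


SAMPLE_LOG = _constructed_log()


def analyze(lines):
    return classify([parse_line(l) for l in lines])


if __name__ == "__main__":
    for pattern, hits in analyze(SAMPLE_LOG).items():
        print(pattern, hits)
    print("per-account view:", single_account_view([parse_line(l) for l in SAMPLE_LOG]))
```

Run stand-alone, the cross-account view attributes each pattern to its source (or, for the distributed case, to the targeted account and the number of sources), whereas the per-account view only reports accounts that reached the lockout threshold: it flags the brute-forced and DoS-targeted accounts, cannot distinguish the DoS victims from real targets, and sees nothing at all of the six accounts hit by the spraying source.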
Accordingly, a solution is needed that effectively detects and defends against an attack on an authentication service.