Detecting unauthorized cloud access by detecting malicious velocity incidents
US10764303B2 · kind B2 · utility
Assignee
Inventors
Key dates
| Filing date | Apr 25, 2018 |
| Grant date | Sep 1, 2020 |
| Priority date | — |
| Expiry date | Feb 22, 2039 |
Classification
- Technology area (CPC H)Electricity
- CPC primaryH04W12/63
- WIPO fieldDigital communication
- WIPO sectorElectrical engineering
Abstract
Embodiments detect unauthorized access to cloud-based resources. One technique analyzes cloud-based events to distinguish potentially malicious velocity incidents from benign velocity incidents. A velocity incident occurs when the same user causes events from two geographically remote locations in a short time. Benign velocity incidents are distinguished from malicious velocity incidents by comparing an event with past events that have the same features. Embodiments probabilistically determine if a velocity incident is malicious or benign based on a weighted multi-feature analysis. For each feature of an event, a probability is calculated based on past events that have the same feature. Then, each feature is associated with a weight based on a relative frequency of past events having that feature. A weighted average of probabilities is calculated, and the resulting probability is compared to a defined threshold to determine if the velocity incident is likely malicious or benign.
Source: USPTO / EPO open patent data. Objective bibliographic and citation counts.