Patent · US Active

Detecting attacks using compromised credentials via internal network monitoring

US10129298B2 · kind B2 · utility

Cited by: 8
References: 5
Claims: 18
Family size: 0

Assignee

Inventors

Key dates

Filing date: Jun 30, 2016
Grant date: Nov 13, 2018
Priority date
Expiry date: Jul 17, 2036

Classification

  • Technology area (CPC G): Physics
  • CPC primary: G06F2221/2151
  • WIPO field: Digital communication
  • WIPO sector: Electrical engineering

Abstract

The threat of malicious parties exposing users' credentials from one system and applying the exposed credentials to a different system to gain unauthorized access is addressed in the present disclosure by systems and methods to preemptively and reactively mitigate the risk of users reusing passwords between systems. A security device passively monitors traffic comprising authorization requests within a network to reactively identify an ongoing attack based on its use of exposed credentials in the authorization request and identifies accounts that are vulnerable to attacks using exposed credentials by actively attempting to log into those accounts with exposed passwords from other networks. The systems and methods reduce the number of false positives associated with attack identification and strengthen the network against potential attacks, thus improving the network's security and reducing the amount of resources needed to securely manage the network.

Source: USPTO / EPO open patent data. Objective bibliographic and citation counts.