US 11,722,459 B1
Cumulative sum model for IP deny lists
Bryan D. Hall, Charlotte, NC (US); Richard Joseph Schroeder, Charlotte, NC (US); and Nicola A. Maiorana, Charlotte, NC (US)
Assigned to Wells Fargo Bank, N.A., San Francisco, CA (US)
Filed by Wells Fargo Bank, N.A., San Francisco, CA (US)
Filed on Jun. 7, 2021, as Appl. No. 17/303,776.
Int. Cl. H04L 9/40 (2022.01)
CPC H04L 63/0236 (2013.01) [H04L 63/083 (2013.01); H04L 63/1416 (2013.01); H04L 63/20 (2013.01)]
11 Claims
1. A method comprising:
receiving a plurality of login attempts from a network address over a set length of time;
querying log data to determine, for the network address, an average number of login failures of a first login error type of a plurality of error types of the plurality of login attempts over the set length of time;
calculating a first failure rate metric based on the average number of login failures of the first login error type over the set length of time;
first determining that the first failure rate metric exceeds a first reference number of login failures for the set length of time, the first reference number of login failures based on a historical average number of login failures for the set length of time associated with other network addresses for the first login error type;
querying the log data to determine an average number of login failures, for the network address, of a second login error type of the plurality of error types over the set length of time;
calculating a second failure rate metric based on the average number of login failures of the second login error type over the set length of time;
second determining that the second failure rate metric exceeds a second reference number of login failures of the second login error type for the set length of time, the second reference number of login failures of the second login error type based on a historical number of login failures of the second login error type for the set length of time; and
based in part on the first determining and second determining, adding the network address to a system deny list.
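
The two-determination check of claim 1, as an added Python example that is not part of the patent text. The window length, number of windows, error-type labels, sample addresses, and the use of the per-window average itself as the failure rate metric are all assumptions made for illustration.

```python
from statistics import mean

WINDOW = 300     # seconds in one "set length of time" (assumed value)
N_WINDOWS = 4    # windows of log data examined per query (assumed value)

def sample_log():
    """Constructed records: (epoch_seconds, source_address, error_type)."""
    log = []
    def emit(ip, err, n):  # spread n failures evenly over the observed span
        step = WINDOW * N_WINDOWS // n
        log.extend((i * step, ip, err) for i in range(n))
    emit("203.0.113.7", "BAD_PASSWORD", 80)     # fails on both error types
    emit("203.0.113.7", "UNKNOWN_USER", 60)
    emit("198.51.100.20", "BAD_PASSWORD", 120)  # busy gateway, one type only
    for host in range(1, 6):                    # ordinary background noise
        emit(f"192.0.2.{host}", "BAD_PASSWORD", 4)
        emit(f"192.0.2.{host}", "UNKNOWN_USER", 2)
    return log

def avg_failures(log, ip, error_type):
    """Failure rate metric: average failures of one type per window for ip."""
    span = WINDOW * N_WINDOWS
    hits = sum(1 for ts, src, err in log
               if src == ip and err == error_type and 0 <= ts < span)
    return hits / N_WINDOWS

def reference(log, ip, error_type):
    """Reference number: mean of the same metric over the other addresses."""
    others = {src for _, src, _ in log if src != ip}
    return mean(avg_failures(log, o, error_type) for o in others) if others else 0.0

def evaluate(log, ip, first_type, second_type, deny_list):
    """Deny ip only when both per-type metrics exceed their references."""
    exceeded = [avg_failures(log, ip, t) > reference(log, ip, t)
                for t in (first_type, second_type)]
    if all(exceeded):
        deny_list.add(ip)
    return exceeded

if __name__ == "__main__":
    log, deny = sample_log(), set()
    for ip in ("203.0.113.7", "198.51.100.20", "192.0.2.1"):
        print(ip, evaluate(log, ip, "BAD_PASSWORD", "UNKNOWN_USER", deny))
    print("deny list:", sorted(deny))
```

The gateway address exceeds the reference for one error type only and stays off the deny list, which is the effect of requiring both determinations. In this sketch the reference is computed from the same log and therefore includes other noisy addresses; a baseline drawn from a separate historical period would avoid that.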