US 12,261,879 B2
Information security system and method for denial-of-service detection
Xiao Jun Zhang, Irvine, CA (US); Neetika Singh, Simi Valley, CA (US); Jesse Deping Meng, San Jose, CA (US); Robert Bruce Williams, Mission Viejo, CA (US); Joshua Samuel Drucker, Maricopa, AZ (US); and Cynthia Diane Dieterich, Wrightwood, CA (US)
Assigned to Bank of America Corporation, Charlotte, NC (US)
Filed by Bank of America Corporation, Charlotte, NC (US)
Filed on Mar. 8, 2024, as Appl. No. 18/600,377.
Application 18/600,377 is a continuation of application No. 17/383,862, filed on Jul. 23, 2021, granted, now 11,962,615.
Prior Publication US 2024/0214418 A1, Jun. 27, 2024
This patent is subject to a terminal disclaimer.
Int. Cl. H04L 9/40 (2022.01)
CPC H04L 63/1458 (2013.01) [H04L 63/1416 (2013.01)]
14 Claims
 
1. A system for Denial-of-Service (DOS) attack detection comprising:
a memory operable to store:
a first threshold number associated with invalid sign-on attempts, wherein the first threshold number is determined with respect to a first time interval; and
a second threshold number associated with disabled user profiles, wherein the second threshold number is associated with the first time interval; and
a processor, operably coupled with the memory, and configured to:
detect a first number of invalid sign-on attempts with respect to a plurality of user profiles during the first time interval, wherein the first time interval is from an initial timestamp to a first timestamp;
detect a second number of invalid sign-on attempts with respect to the plurality of user profiles during a second time interval, wherein the second time interval is from the first timestamp to a second timestamp;
determine a difference between the first number of invalid sign-on attempts and the second number of invalid sign-on attempts;
determine whether the difference between the first number of invalid sign-on attempts and the second number of invalid sign-on attempts is more than the first threshold number;
in response to determining that the first number of invalid sign-on attempts is more than the first threshold number, trigger a first alert that indicates detection of a first DOS attack on multiple user profiles during the second time interval;
detect a first number of disabled user profiles with respect to the plurality of user profiles occurred during the first time interval;
detect a second number of disabled user profiles with respect to the plurality of user profiles during the second time interval;
calculate the difference between the second number of disabled user profiles and the first number of disabled user profiles;
determine whether the difference between the second number of disabled user profiles and the first number of disabled user profiles is more than the second threshold number; and
in response to determining that the difference between the second number of disabled user profiles and the first number of disabled user profiles is more than the second threshold number, trigger a second alert that indicates detection of a second DOS attack on multiple user profiles during the second time interval.
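The two interval-to-interval comparisons recited in claim 1, sketched as an added example that is not code from the patent or its assignee. The event tuple layout, the event names, the half-open interval boundaries and the second-minus-first direction used for both differences are assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, user profile, event kind). Not real log data.
T0 = datetime(2024, 1, 1, 9, 0, 0)   # initial timestamp
INTERVAL = timedelta(minutes=5)       # length of the first and second intervals

def build_sample():
    ev = []
    # First interval: background noise, 3 invalid sign-ons and 1 disabled profile.
    for i in range(3):
        ev.append((T0 + timedelta(seconds=60 * i), f"user{i}", "invalid_signon"))
    ev.append((T0 + timedelta(seconds=130), "user0", "profile_disabled"))
    # Second interval: 40 invalid sign-ons spread over 10 profiles, 6 lockouts.
    for i in range(40):
        ev.append((T0 + timedelta(seconds=300 + 5 * i), f"user{i % 10}", "invalid_signon"))
    for j in range(1, 7):
        ev.append((T0 + timedelta(seconds=300 + 30 * j), f"user{j}", "profile_disabled"))
    return ev

SAMPLE = build_sample()

def count_events(events, kind, start, end):
    """Number of events of `kind` with start <= timestamp < end (assumed half-open)."""
    return sum(1 for ts, _, k in events if k == kind and start <= ts < end)

def count_disabled(events, start, end):
    """Number of distinct profiles disabled with start <= timestamp < end."""
    return len({p for ts, p, k in events if k == "profile_disabled" and start <= ts < end})

def detect(events, t0, interval, invalid_threshold, disabled_threshold):
    """Compare two consecutive intervals and return the alerts that fire."""
    t1, t2 = t0 + interval, t0 + 2 * interval   # first and second timestamps
    alerts = []
    inv1 = count_events(events, "invalid_signon", t0, t1)
    inv2 = count_events(events, "invalid_signon", t1, t2)
    # First alert: growth in invalid sign-ons is more than the first threshold.
    if inv2 - inv1 > invalid_threshold:
        alerts.append(("invalid_signon_spike", inv1, inv2))
    dis1 = count_disabled(events, t0, t1)
    dis2 = count_disabled(events, t1, t2)
    # Second alert: growth in disabled profiles is more than the second threshold.
    if dis2 - dis1 > disabled_threshold:
        alerts.append(("disabled_profile_spike", dis1, dis2))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE, T0, INTERVAL, invalid_threshold=20, disabled_threshold=3):
        print(alert)
```

Because both checks compare a difference between intervals rather than an absolute count, a steady high rate of failures produces no alert; only a jump from one interval to the next does.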