| CPC H04L 63/101 (2013.01) | 14 Claims |
|
1. A method comprising:
processing a login attempt event record identifying a network address with an account validator actor threat detector classifier;
receiving a first classification of the network address as an account validator actor from the account validator actor threat detector classifier, the first classification based on the network address attempting logins for different usernames;
in response to the receiving:
generating a first random number;
selecting a first blocking length of time from a plurality of blocking lengths of time;
calculating a first deny list duration based on summing the first random number and the first blocking length of time; and
adding the network address to a deny list for the first deny list duration;
setting a parole list duration to a first parole length of time;
after the first deny list duration, removing the network address from the deny list;
adding the network address to the parole list for the parole list duration;
receiving a second classification of the network address as having acted as an account validator actor during the parole list duration;
in response to receiving the second classification:
generating a second random number;
selecting, based on the second classification indicating the network address acted as an account validator actor during the parole duration, a second blocking length of time greater than the first blocking length of time from the plurality of blocking lengths of time;
calculating a second deny list duration based on summing the second random number and the second blocking length of time; and
adding the network address to the deny list for the second deny list duration;
after the second deny list duration has lapsed:
updating the parole list duration to a second parole length of time; and
removing the network address from the deny list;
based on not receiving a further classification of the network address as an account validator actor during the parole duration of the second parole length of time, removing the network address from the parole list; and
subsequent to the removing of the network address from the parole list, receiving a third classification of the network address as an account validator actor; and
in response to receiving the third classification;
generating a third random number;
selecting the first blocking length of time from the plurality of blocking lengths of time;
calculating a third deny list duration based on summing the third random number and the first blocking length of time; and
adding the network address to a deny list for the third deny list duration.
|