
Discouraging Penetration Attempts on Interactive Computer Systems Without Denial of Service

IP.com Disclosure Number: IPCOM000034352D
Original Publication Date: 1989-Feb-01
Included in the Prior Art Database: 2005-Jan-27
Document File: 3 page(s) / 15K

Publishing Venue

IBM

Related People

Capek, PG: AUTHOR

Abstract

A technique is described whereby an algorithm discourages repeated attempts by an intruder to penetrate a computer system, while continuing to provide service to legitimate users. Typically, interactive computing systems require users to enter an identification (userid) and a password to demonstrate identity during the log-on process. However, many systems have no mechanism to prevent an unauthorized user from repeatedly entering combinations of userid and password; the intruder can keep trying combinations until a valid hit grants access. A common way of dealing with this exposure has been to count the unsuccessful log-on attempts associated with a terminal (port) or with a userid.

This text was extracted from a PDF file.
This is the abbreviated version, containing approximately 55% of the total text.



A technique is described whereby an algorithm discourages repeated attempts by an intruder to penetrate a computer system, while continuing to provide service to legitimate users. Typically, interactive computing systems require users to enter an identification (userid) and a password to demonstrate identity during the log-on process. However, many systems have no mechanism to prevent an unauthorized user from repeatedly entering combinations of userid and password; the intruder can keep trying combinations until a valid hit grants access. A common way of dealing with this exposure has been to count the unsuccessful log-on attempts associated with a terminal (port) or with a userid. Once some threshold is reached, further attempts (from the port, from the userid, or both) are refused until manual intervention and investigation take place. Although this approach can reduce the threat from intruders, it makes it almost trivial for an intruder to deny service to a legitimate user: the intruder simply initiates log-on attempts many times, causing the userid or port to be "locked out". Such systems also provide no deterrent at all until the threshold count is reached. The concept described here provides an algorithm which is invoked whenever a log-on attempt has failed. It "locks out" a terminal port for some period of time, determining both when and for how long the port should be "locked out".

The concept provides distinct benefits, as follows:

- It discourages penetration attempts, even when performed by a computer acting as a human from a remote port, by making successive unsuccessful attempts to log on slower and slower.

- It detects and discourages penetration efforts not usually protected against, such as when many userids are tried in conjunction with a particular password. The theory behind such attempts is that a single password is the appropriate one for some userid on the system.

- It reduces the exposure which causes service to be denied to an authorized user, while requiring an intruder to exert more effort. This discourages "lockout" caused by repeated unsuccessful attempts.

The algorithm is designed to keep three lists, one for userids, one for passwords and one for terminal ports, which are involved in failed log-on attempts.

For each item on each of the three lists, a count is maintained of the number of unsuccessful attempts which are made. Whenever a further unsuccessful log-on attempt is made, the port is disabled (for subsequent attempts) for a specific amount of time. This length of time is exponential in the largest of three values associated with the userid, password, and port used in the...
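As an added illustration of the three-list scheme (this is not code from the disclosure, which gives no implementation), the following Python keeps a failure count per userid, per password and per port, and on every failed log-on disables the port for a time exponential in the largest of the three counts. The base delay of one second, doubling per failure, the cap, keying the password list by a SHA-256 hash rather than storing guessed plaintexts, and clearing the userid and port counters on a successful log-on are all assumptions of this example; the FakeClock and the sample account are constructed so the scenario runs deterministically offline.

```python
import hashlib
import time
from collections import defaultdict


class FakeClock:
    """Deterministic stand-in for time.monotonic so the scenario below is repeatable."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def _pw_key(password):
    # The disclosure keeps a list of passwords seen in failed log-ons.  Keying that
    # list by a hash (an assumption here) avoids holding every guessed plaintext.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


class AdaptiveLockout:
    """Three-list lockout: failure counts per userid, per password and per port; a
    failed log-on disables the port for a time exponential in the largest of the
    three counts.  Base delay, doubling, cap and reset-on-success are assumptions."""

    def __init__(self, base_seconds=1.0, cap_seconds=3600.0, clock=time.monotonic):
        self.base = base_seconds
        self.cap = cap_seconds
        self.clock = clock
        self.userid_fails = defaultdict(int)
        self.password_fails = defaultdict(int)
        self.port_fails = defaultdict(int)
        self.port_locked_until = {}  # port -> clock time at which the port reopens

    def lock_remaining(self, port):
        return max(0.0, self.port_locked_until.get(port, 0.0) - self.clock())

    def record_failure(self, userid, password, port):
        """Count the failure on all three lists, disable the port, return the delay."""
        self.userid_fails[userid] += 1
        self.password_fails[_pw_key(password)] += 1
        self.port_fails[port] += 1
        worst = max(self.userid_fails[userid],
                    self.password_fails[_pw_key(password)],
                    self.port_fails[port])
        delay = min(self.cap, self.base * 2.0 ** (worst - 1))  # 1, 2, 4, 8, ... seconds
        self.port_locked_until[port] = self.clock() + delay
        return delay

    def record_success(self, userid, port):
        # Assumption: a good log-on clears the userid's and the port's history.  The
        # password list is left alone; a successful password was never a failed guess.
        self.userid_fails.pop(userid, None)
        self.port_fails.pop(port, None)
        self.port_locked_until.pop(port, None)

    def attempt(self, userid, password, port, credential_ok):
        """One log-on attempt.  credential_ok(userid, password) is the system's real
        check.  Returns ("locked", seconds_left), ("failed", delay) or ("ok", 0.0)."""
        remaining = self.lock_remaining(port)
        if remaining > 0:
            return ("locked", remaining)  # port disabled: refused before any check
        if credential_ok(userid, password):
            self.record_success(userid, port)
            return ("ok", 0.0)
        return ("failed", self.record_failure(userid, password, port))


def demo():
    """Constructed scenario with sample data (not from the disclosure)."""
    clock = FakeClock()
    lockout = AdaptiveLockout(base_seconds=1.0, clock=clock)
    accounts = {"alice": "correct horse battery staple"}  # constructed sample account

    def check(userid, password):
        return accounts.get(userid) == password

    # One password sprayed across many userids from many ports: each userid and
    # each port fails only once, but the password count climbs, so the delay
    # applied to each new port doubles every time (1, 2, 4, 8 s).
    spray = [lockout.attempt(f"user{i}", "Winter1989", f"tty{i}", check) for i in range(4)]
    # tty0 is still disabled (its lock runs to t=1), so a retry there is refused
    # and, because it was refused, not counted.
    locked = lockout.attempt("user0", "anything", "tty0", check)
    # An authorized user on an untouched port with the right password gets in.
    served = lockout.attempt("alice", accounts["alice"], "tty9", check)
    # Once the lock expires the port reopens; another failure there counts again
    # (user0 and tty0 are now each at 2 failures, so the delay is 2 s).
    clock.advance(2.0)
    reopened = lockout.attempt("user0", "another", "tty0", check)
    return {"spray": spray, "locked": locked, "served": served, "reopened": reopened}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Two caveats a practitioner should note. First, the residual denial-of-service exposure the disclosure says is reduced rather than removed is visible here: if an intruder sprays one userid from their own port, that userid's counter climbs, and the legitimate owner's first typo on a different port then earns a long delay. Second, the counters in this sketch never expire; a real deployment needs a decay or pruning policy for the three lists, which the abbreviated text on this page does not describe.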