Microsoft Corporation
Systems and methods for real-time detection of compromised authentication credentials

Abstract:

Methods, systems, and computer program products are provided for real-time compromise detection based on behavioral analytics. The detection runs in real-time, during user authentication, for example, with respect to a resource. The probability that the authentication is coming from a compromised account is assessed. The features of the current authentication are compared with the features from past authentications of the user. After comparison, a match score is generated. The match score is indicative of the similarity of the authentication to the user's history of authentication. This score is then discretized into risk levels based on the empirical probability of compromise based on known past compromised user authentications. The risk levels may be used to detect whether user authentication is occurring via compromised credentials.