Microsoft Corporation
Detection of brute force attacks

Abstract:

The disclosed embodiments determine a plurality of anomaly indications for a plurality of corresponding time series. A multi-modal model is defined for each time series. A first distribution is compared against a time series when the time series values fall within a first range and a second distribution is compared against the time series when the time series values fall within a second range. Based on the comparison, an indication of anomaly is generated for the time series. The indicators of anomaly for each time series are then combined using Fisher's method in some embodiments. The resulting combined anomaly indication is used to determine whether a network is experiencing a brute force attack.
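A sketch of the scoring flow the abstract describes, added here as an illustration and not taken from the patent: each series gets a two-range model, the per-series p-values are combined with Fisher's method, and the combined value is compared to a threshold. The series names, the choice of a truncated Poisson for the first range and a geometric tail for the second, all parameters, and the `alpha` threshold are assumptions.

```python
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class TwoRangeModel:
    """Assumed two-range count model; the distributions are illustrative."""
    split: int         # values 0..split form the first range
    lam: float         # first range: Poisson(lam) truncated to 0..split
    weight_low: float  # probability that a value lands in the first range
    q: float           # second range: geometric decay ratio above split

    def p_value(self, x: int) -> float:
        """Upper-tail probability P(X >= x), using the range x falls in."""
        x = max(x, 0)
        high = 1.0 - self.weight_low
        if x > self.split:  # second range: compare against the geometric tail
            return high * self.q ** (x - self.split - 1)
        pois = [math.exp(-self.lam) * self.lam ** k / math.factorial(k)
                for k in range(self.split + 1)]
        return high + self.weight_low * sum(pois[x:]) / sum(pois)


def fisher_combine(p_values):
    """Fisher's method: -2*sum(ln p) is chi-square with 2k degrees of freedom."""
    k = len(p_values)
    half = -sum(math.log(max(p, 1e-300)) for p in p_values)  # statistic / 2
    # Closed-form chi-square survival function for even degrees of freedom.
    return math.exp(-half) * sum(half ** i / math.factorial(i) for i in range(k))


def brute_force_suspected(observations, models, alpha=1e-4):
    """Return (flag, combined p-value, per-series p-values) for one window."""
    p_values = [models[name].p_value(x) for name, x in observations.items()]
    combined = fisher_combine(p_values)
    return combined < alpha, combined, p_values


# Constructed baseline parameters and observations for one host-hour.
MODELS = {
    "failed_logins": TwoRangeModel(split=3, lam=0.8, weight_low=0.97, q=0.7),
    "distinct_usernames": TwoRangeModel(split=1, lam=0.3, weight_low=0.98, q=0.6),
    "distinct_source_ips": TwoRangeModel(split=2, lam=0.5, weight_low=0.98, q=0.6),
}
QUIET = {"failed_logins": 1, "distinct_usernames": 1, "distinct_source_ips": 1}
BURST = {"failed_logins": 14, "distinct_usernames": 6, "distinct_source_ips": 5}
```

In the constructed `BURST` window no single series falls below `alpha` on its own, but the combined p-value does, which is the reason for combining the indications.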

Status:

Grant

Type:

Utility

Filing date:

27 Mar 2020

Issue date:

14 Jun 2022