Abstract: Methods, systems, apparatuses, and computer-readable storage mediums described herein are configured to detect anomalous post-authentication behavior/state change(s) with respect to a workload identity. For example, audit logs that specify actions performed with respect to the workload identity of a platform-based identity service, a causing state change(s), while another identity is authenticated with the platform-based identity service, are analyzed. The audit log(s) are analyzed via a model for anomaly prediction based on actions. The model generates an anomaly score indicating a probability whether a particular sequence of the actions is indicative of anomalous behavior/state change(s). A determination is made that an anomalous behavior has occurred based on the anomaly score, and when anomalous behavior has occurred, a mitigation action may be performed that mitigates the anomalous behavior.

Abstract: To detect identity spray attacks, a machine learning model classifies account access attempts as authorized or unauthorized, based on dozens of different pieces of information (machine learning model features). Boosted tree, neural net, and other machine learning model technologies may be employed. Model training data may include user agent reputation data, IP address reputation data, device or agent or location familiarity indications, protocol identifications, aggregate values, and other data. Account credential hash sets or hash lists may serve as model inputs. Hashes may be truncated to further protect user privacy. Classifying an access attempt as unauthorized may trigger application of multifactor authentication, password change requirements, account suspension, or other security enhancements. Statistical or heuristic detections may supplement the model.

Abstract: To detect identity spray attacks, a machine learning model classifies account access attempts as authorized or unauthorized, based on dozens of different pieces of information (machine learning model features). Boosted tree, neural net, and other machine learning model technologies may be employed. Model training data may include user agent reputation data, IP address reputation data, device or agent or location familiarity indications, protocol identifications, aggregate values, and other data. Account credential hash sets or hash lists may serve as model inputs. Hashes may be truncated to further protect user privacy. Classifying an access attempt as unauthorized may trigger application of multifactor authentication, password change requirements, account suspension, or other security enhancements. Statistical or heuristic detections may supplement the model.