Abstract
Network security operators are challenged with protecting an increasing number of clients from authentication-based attacks such as password guessing. Host-based defenses help prevent such attacks but are difficult to manage and monitor at scale. These challenges open the door for network-based defenses. In this work, we introduce AuthML. AuthML performs protocol-agnostic authentication modeling to detect successful and unsuccessful authentication attempts at the network level. Using machine learning (ML), AuthML operates directly on network communication to determine the outcome of authentication attempts in real time. To show AuthML’s efficacy, we validate our approach on multiple deployment scenarios. AuthML achieves an accuracy of 99.9% examining 29,015 new flows in this operational phase, demonstrating that we can achieve performance similar to state-of-the-art techniques in real time, without manual protocol analysis.