US-12619718-B2 - Detection and prevention of login attacks
Abstract
The present disclosure relates generally to cybersecurity and, more particularly, to a system and method to detect and prevent login attacks. A computer-implemented method includes: gathering, by a computing device, a login window from a display of a user device; determining, by the computing device, that the login window is invalid; flagging, by the computing device, the login window as an attack on the user device upon determining that the login window is invalid; and executing, by the computing device, a security action on the user device.
Inventors
- Cesar Augusto Rodriguez Bravo
- Kim A. Eckert
Assignees
- KYNDRYL, INC.
Dates
- Publication Date: 2026-05-05
- Application Date: 2024-03-13
Claims (20)
- 1. A method, comprising: gathering, by a computing device, a lock screen corresponding to a login from a display of a user device; determining, by the computing device, that the lock screen is invalid; flagging, by the computing device, the lock screen as an attack on the user device upon determining that the lock screen is invalid; and executing, by the computing device, a security action comprising deleting the lock screen on the user device, wherein the determining that the lock screen is invalid comprises: querying logs of the user device to detect whether a predetermined event identification has been created which indicates that the user device is in the lock screen; and determining that the lock screen is invalid in response to detecting that the querying logs are devoid of the predetermined event identification.
- 2. The method of claim 1, wherein the determining that the lock screen is invalid comprises matching the gathered lock screen to one or more sample valid lock screens and upon determining that a match does not exist, flagging the lock screen as invalid.
- 3. The method of claim 1, wherein the gathering comprises obtaining a screenshot of the display using a screencasting process.
- 4. The method of claim 1, wherein the gathering comprises gathering images from an operating systems graphics architecture using an internal API.
- 5. The method of claim 1, wherein the determining the lock screen is invalid further comprises: querying a logonui process to determine whether the user device is in the lock screen; and determining that the lock screen is invalid in response to detecting that the querying logs are devoid of the logonui process.
- 6. The method of claim 1, wherein the determining the lock screen is invalid further comprises: executing an API call by detecting a windows session change to determine whether the user device is in the lock screen; and determining that the lock screen is invalid in response to not detecting the windows session change.
- 7. The method of claim 1, wherein the security action further comprises providing a notification that the lock screen is invalid.
- 8. The method of claim 1, further comprising gathering a security profile of the user when the lock screen is determined to be invalid, the security profile comprising security actions to take on the user device.
- 9. The method of claim 1, wherein the security action further comprises executing a Ctrl+Alt+Del command which displays a Ctrl+Alt+Del command screen on top of any software running on the user device.
- 10. The method of claim 1, wherein the security action further comprises deleting non-essential processes.
- 11. The method of claim 1, wherein the security action further comprises executing a notification window with an on-top property.
- 12. The method of claim 1, wherein the computing device includes software provided as a service in a cloud environment.
- 13. The method of claim 1, wherein the predetermined event identification comprises an event identification 4800.
- 14. The method of claim 13, further comprising executing a system diagnostic process query to determine that the user device is in the lock screen and that the lock screen is invalid.
- 15. A computer program product comprising one or more computer readable storage media having program instructions collectively stored on the one or more computer readable storage media, the program instructions executable to: detect a lock screen on a display of a user device, the detecting comprising gathering images from an operating systems graphics architecture using an internal API; flag the lock screen as an attack on the user device upon determining that the lock screen is invalid; and execute a security action comprising executing a Ctrl+Alt+Del command which displays a Ctrl+Alt+Del command screen on top of any software running on the user device when the lock screen is flagged as invalid, wherein the determining the lock screen is invalid comprises: querying a logonui process of the user device to determine whether the user device is in the lock screen; and determining that the lock screen is invalid in response to detecting that the querying logs are devoid of the logonui process.
- 16. The computer program product of claim 15, wherein the security action further comprises: deleting non-essential processes; executing a notification window with an on-top property; and deleting the lock screen on the user device.
- 17. The computer program product of claim 15, wherein the determining further comprises matching the lock screen to sample lock screens of the user device known to be real lock screens.
- 18. The computer program product of claim 15, wherein the determining further comprises: querying logs of the user device to detect whether a predetermined event identification has been created which indicates that the user device is in the lock screen; and determining that the lock screen is invalid in response to detecting that the querying logs are devoid of the predetermined event identification.
- 19. The computer program product of claim 15, wherein the determining further comprises: executing an API call by detecting a windows session change to determine whether the user device is in the lock screen; and determining that the lock screen is invalid in response to not detecting the window session change.
- 20. A system comprising: a processor, a computer readable memory, one or more computer readable storage media, and program instructions collectively stored on the one or more computer readable storage media, the program instructions executable to: gather a lock screen from a display of a user device; determine that the lock screen is invalid by executing a login process; and execute a security action on the user device, wherein the security action prevents a user from entering a password into the lock screen by performing one or more of deleting the lock screen on the user device, executing a Ctrl+Alt+Del command which displays a Ctrl+Alt+Del command screen on top of any software running on the user device, or deleting non-essential processes; wherein the determining the lock screen is invalid comprises: executing an API call by detecting a windows session change to determine whether the user device is in the lock screen; and determining that the lock screen is invalid in response to not detecting the window session change.
Description
BACKGROUND
Aspects of the present invention relate generally to cybersecurity and, more particularly, to a system and method to detect and prevent login attacks. Computer attacks may take on many different forms including, for example, a keystroke attack (also known as a keylogging attack). There are several types of keylogging attacks. These attacks may include, for example, key sniffing, hardware-based attacks and software keylogging attacks.
SUMMARY
In a first aspect of the invention, there is a computer-implemented method including: gathering, by a computing device, a login window from a display of a user device; determining, by the computing device, that the login window is invalid; flagging, by the computing device, the login window as an attack on the user device upon determining that the login window is invalid; and executing, by the computing device, a security action on the user device.
In another aspect of the invention, there is a computer program product including one or more computer readable storage media having program instructions collectively stored on the one or more computer readable storage media. The program instructions are executable to: detect a login window on a display of a user device, the detecting comprising gathering images from an operating system's graphics architecture using an internal API; determine that the login window is invalid by matching the login window to sample login windows of the user device known to be real login windows; flag the login window as an attack on the user device upon determining that the login window does not match any of the sample login windows; and execute a security action on the user device when there is no match.
In another aspect of the invention, there is a system including a processor, a computer readable memory, one or more computer readable storage media, and program instructions collectively stored on the one or more computer readable storage media. The program instructions are executable to: gather a login window from a display of a user device; flag the login window as an attack on the user device upon determining that the login window is invalid; and execute a security action on the user device when the login window is flagged as invalid.
BRIEF DESCRIPTION OF THE DRAWINGS
Aspects of the present invention are described in the detailed description which follows, in reference to the noted plurality of drawings by way of non-limiting examples of exemplary embodiments of the present invention.
FIG. 1 depicts a cloud computing node according to an embodiment of the present invention.
FIG. 2 depicts a cloud computing environment according to an embodiment of the present invention.
FIG. 3 depicts abstraction model layers according to an embodiment of the present invention.
FIG. 4 shows a flowchart of an exemplary method in accordance with aspects of the invention.
FIG. 5 shows an example use of screencast technologies and matching operations in accordance with aspects of the present invention.
DETAILED DESCRIPTION
Aspects of the present invention relate generally to cybersecurity and, more particularly, to a system and method to detect and prevent login attacks. More specifically, aspects of the invention are directed to a system and method to detect and protect against fake Windows login attacks. For example, the system and method will detect fake login windows which, in turn, will protect against a user inputting their password or other login information into a fake login page. In this way, aspects of the present invention ensure that a password, passcode or other login information will not be sent to an attacker (e.g., hacker), which could otherwise be obtained by an attacker when a user password has been entered into a fake login page. The system and/or method can be implemented as a computer program product.
The system, method and computer program product provide a technical feature (e.g., technical solution) to a technical problem of detecting and thwarting malicious activity on a computing device, e.g., keylogging attacks and, more specifically, fake Windows login attacks. The system, method, and computer program product, for example, also integrate a practical and significant application to detect and prevent fake Windows login attacks. By way of example, the system, method and computer program use a plurality of techniques to determine if a login screen is displayed on the user screen. These techniques may include, for example, screencast technologies, and gathering images from an operating system graphics architecture using, for example, internal APIs. The system, method and computer program further gather system calls and parameters from the operating system to determine if the device is in a locked state and, if so, the system, method and computer program determine if the user is being attacked by correlating the results of the above gathered and analyzed information as described in more detail herein. Should the device be under attack, e.g., it is
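The following is an added example, written for this page and not code from the patent or from Kyndryl, that shows the correlation the claims describe in working Python: the gathered lock screen is matched against sample valid lock screens (claim 2), the Security log is checked for event ID 4800 (claims 1 and 13), the process list is checked for LogonUI (claim 5), and a session-change notification is expected (claim 6); any missing signal flags the screen as an attack and a security profile (claim 8) selects the actions. Every input format is an assumption of this example: screenshots are small grayscale matrices of 0-255 integers, log events are dicts with an `EventID` and an ISO-8601 `TimeCreated`, the process list is a list of image names, and the session-change flag is a boolean supplied by whatever registered for the notification. The sample capture, log entries and process names at the bottom are constructed, and the `plan_security_actions` function only names actions, it does not perform them.

```python
"""Added example (not the patent's code): decide whether a displayed lock
screen is genuine by correlating the image match with OS-side signals."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Event ID 4800 ("The workstation was locked") is the predetermined event
# identification of claim 13; LogonUI is the process named in claims 5 and 15.
WORKSTATION_LOCKED_EVENT_ID = 4800
LOGONUI_PROCESS = "logonui.exe"


def average_hash(pixels):
    """64-bit average hash of an 8x8 grayscale matrix: a bit is 1 where the
    pixel is brighter than the mean, so small rendering differences (clock
    text, wallpaper dimming) leave most bits unchanged."""
    flat = [v for row in pixels for v in row]
    mean = sum(flat) / len(flat)
    bits = 0
    for v in flat:
        bits = (bits << 1) | (1 if v > mean else 0)
    return bits


def hamming(a, b):
    """Number of differing bits between two hashes."""
    return bin(a ^ b).count("1")


def matches_known_lock_screen(screenshot, samples, max_distance=8):
    """Claim 2: match the gathered screen against sample valid lock screens."""
    h = average_hash(screenshot)
    return any(hamming(h, average_hash(s)) <= max_distance for s in samples)


def lock_event_logged(events, captured_at, window=timedelta(seconds=30)):
    """Claims 1 and 13: a 4800 event must have been logged shortly before the
    capture; a stale 4800 from an earlier lock does not count."""
    for ev in events:
        if ev.get("EventID") != WORKSTATION_LOCKED_EVENT_ID:
            continue
        logged_at = datetime.fromisoformat(ev["TimeCreated"])
        if captured_at - window <= logged_at <= captured_at:
            return True
    return False


def logonui_running(processes):
    """Claim 5: the real lock screen is drawn by the LogonUI process."""
    return any(p.lower() == LOGONUI_PROCESS for p in processes)


@dataclass
class Verdict:
    attack: bool
    reasons: list = field(default_factory=list)


def assess(screenshot, samples, events, processes, session_change_seen, captured_at):
    """Flag the gathered lock screen as an attack when it fails the image match
    or when any OS-side signal that accompanies a real lock is absent."""
    reasons = []
    if not matches_known_lock_screen(screenshot, samples):
        reasons.append("no_sample_match")
    if not lock_event_logged(events, captured_at):
        reasons.append("no_event_4800")
    if not logonui_running(processes):
        reasons.append("no_logonui_process")
    if not session_change_seen:  # claim 6: session-change notification
        reasons.append("no_session_change")
    return Verdict(attack=bool(reasons), reasons=reasons)


# Security profile (claim 8): which actions to run once an attack is flagged.
# Keys are this example's own names for the actions listed in claims 9-11 and 16.
DEFAULT_PROFILE = {"delete_lock_screen": True, "ctrl_alt_del": True,
                   "notify_on_top": True, "kill_nonessential": False}


def plan_security_actions(verdict, profile=DEFAULT_PROFILE):
    """Return the ordered list of enabled action names (nothing is executed)."""
    if not verdict.attack:
        return []
    return [name for name, enabled in profile.items() if enabled]


# --- constructed sample inputs (not real captures, logs or process lists) ---
SAMPLE_LOCK_SCREEN = [[r * 32 + c * 4 for c in range(8)] for r in range(8)]
GENUINE_CAPTURE = [[v + (5 if r == 0 else 0) for v in row]
                   for r, row in enumerate(SAMPLE_LOCK_SCREEN)]  # slight noise
FAKE_CAPTURE = [[255 if (r + c) % 2 else 0 for c in range(8)] for r in range(8)]
CAPTURED_AT = datetime(2024, 1, 1, 9, 15, 10)
EVENTS_OK = [{"EventID": 4800, "TimeCreated": "2024-01-01T09:15:02"}]
EVENTS_ATTACK = [{"EventID": 4800, "TimeCreated": "2024-01-01T08:00:00"}]  # stale
PROCS_OK = ["explorer.exe", "LogonUI.exe"]
PROCS_ATTACK = ["explorer.exe", "unknown_app.exe"]  # constructed name


def demo():
    genuine = assess(GENUINE_CAPTURE, [SAMPLE_LOCK_SCREEN], EVENTS_OK, PROCS_OK, True, CAPTURED_AT)
    fake = assess(FAKE_CAPTURE, [SAMPLE_LOCK_SCREEN], EVENTS_ATTACK, PROCS_ATTACK, False, CAPTURED_AT)
    return genuine, fake


if __name__ == "__main__":
    for name, verdict in zip(("genuine", "fake"), demo()):
        print(name, verdict, plan_security_actions(verdict))
```

The image match alone is the weakest of the four checks, since a counterfeit window can copy the real lock screen's appearance; the example therefore treats the OS-side signals (the 4800 event within a short window, the LogonUI process, the session-change notification) as required and flags the screen when any one of them is missing, which is the conservative reading of claims 1, 5 and 6 taken together.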