Microsoft’s New Model Detects Password Spray Attacks
Microsoft is observing October 2020 as National Cyber Security Awareness Month (NCSAM). As part of the initiative it is promoting the case for better digital security practices.
It has announced new plans to promote the importance of cybersecurity and unveiled its Zero Trust Deployment Center. It also released its work on an Adversarial ML Threat Matrix, a catalogue of the ways machine learning models can be attacked. And it carried out a largely successful takedown operation that disabled more than 90% of the Trickbot botnet’s infrastructure.
Rounding off the month, researchers at Microsoft have developed a machine learning-based system that detects password spray attacks. It outperforms its heuristic predecessor and catches attacks more accurately.
What is a password spray attack?
Password spraying is a type of brute-force attack in which the attacker tries a small number of commonly used passwords against a large number of usernames.
A traditional brute-force attack works the other way round: many password guesses against a single account. That makes the attacker’s task much harder, because most directories lock an account after a handful of failed attempts. Password spraying sidesteps that limit. Each account sees only one or two guesses, well under any lockout threshold, yet the attacker still makes thousands of attempts across the whole directory, and with a common password such as a season plus the year a few of them usually succeed.
How is it detected?
Authentication systems do not store or log passwords in the clear. Each time a user enters a password it is run through a one-way hash function, producing a random-looking string called the ‘password hash’.
A hash is deterministic and, for practical purposes, unique to its input: the same password always yields the same hash, while two passwords that differ in a single character yield completely unrelated hashes. That property makes a spray visible. Hash the password behind every failed sign-in and count how many distinct accounts each hash failed against. In a large user base the failures come from users mistyping their own, different passwords, so each hash fails against one or two accounts and the activity graph looks flat. A single hash failing across many accounts in a short period is the signature of a spray: one guess, many targets.
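The heuristic described above, as an added example that is not Microsoft’s code: a detector run over a small set of constructed failed-sign-in events. It assumes each failed sign-in reaches the detector as (timestamp, username, source IP, attempted password) and fingerprints the attempted password with an HMAC under a secret key (a hypothetical per-deployment key, so that a fingerprint read out of the logs cannot be brute-forced back to the guess); the threshold of five distinct accounts inside a 30-minute window is an illustrative choice, not a published one. The sample data includes the cases the text contrasts: one user failing the same wrong password six times (a lockout case, not a spray), one guess tried against too few accounts to matter, and one guess spread over hours that never crosses the threshold inside a single window.

```python
"""Password-spray detection by counting distinct accounts per failed-password hash.

Added example, not Microsoft's code.  All sign-in events below are constructed.
"""
import hashlib
import hmac
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Hypothetical per-deployment secret.  A keyed hash means someone who reads the
# stored fingerprints cannot brute-force them back to the guessed passwords.
HMAC_KEY = b"replace-with-a-random-secret-from-a-vault"
MIN_ACCOUNTS = 5                 # distinct accounts one guess must fail against ...
WINDOW = timedelta(minutes=30)   # ... inside this sliding window, to count as a spray


def attempt_fingerprint(password: str) -> str:
    """Keyed one-way hash of the attempted password (the 'password hash' of the text)."""
    return hmac.new(HMAC_KEY, password.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def distinct_accounts_per_guess(events):
    """The histogram the text describes: for each guess, how many distinct accounts it failed on.
    Benign typos give a flat line of 1s; a spray shows up as a single tall bar."""
    seen = defaultdict(set)
    for _ts, user, _ip, password in events:
        seen[attempt_fingerprint(password)].add(user.lower())
    return {fp: len(users) for fp, users in seen.items()}


def detect_spray(events, min_accounts=MIN_ACCOUNTS, window=WINDOW):
    """events: iterable of (timestamp, username, source_ip, attempted_password) for FAILED sign-ins.
    Returns {fingerprint: details} for every guess that failed against at least `min_accounts`
    distinct accounts within one `window`.  Repeated failures by the same account do not count:
    that is a lockout case, not a spray."""
    by_fp = defaultdict(list)
    for ts, user, ip, password in events:
        by_fp[attempt_fingerprint(password)].append((ts, user.lower(), ip))

    hits = {}
    for fp, rows in by_fp.items():
        rows.sort()                      # by timestamp
        in_window = Counter()            # account -> failures currently inside the window
        start = 0
        for ts, user, _ip in rows:
            in_window[user] += 1
            while ts - rows[start][0] > window:      # expire events that fell out of the window
                old_user = rows[start][1]
                in_window[old_user] -= 1
                if in_window[old_user] == 0:
                    del in_window[old_user]
                start += 1
            if len(in_window) >= min_accounts:       # one guess, many targets: flag the whole guess
                hits[fp] = {
                    "accounts": {u for _, u, _ in rows},
                    "source_ips": {ip for _, _, ip in rows},
                    "first_seen": rows[0][0],
                    "last_seen": rows[-1][0],
                }
                break
    return hits


# Constructed failed-sign-in events (timestamp, username, source IP, attempted password).
T0 = datetime(2020, 10, 14, 9, 0)
def at(minutes):
    return T0 + timedelta(minutes=minutes)

FAILED_SIGNINS = [
    # Benign noise: users mistyping their own passwords, each a different hash.
    (at(1), "alice", "10.1.1.5", "Summer2020!!"),
    (at(2), "alice", "10.1.1.5", "Summer2020!!"),
    (at(3), "alice", "10.1.1.5", "Summer2020!!"),
    (at(4), "alice", "10.1.1.5", "Summer2020!!"),
    (at(5), "alice", "10.1.1.5", "Summer2020!!"),
    (at(6), "alice", "10.1.1.5", "Summer2020!!"),   # six failures, one account: lockout, not spray
    (at(7), "bob", "10.1.2.9", "hunter3"),
    (at(11), "carol", "10.1.3.2", "c0rr3ct-horse"),
    # Spray: one guess against many accounts, low and slow, from two attacker IPs.
    (at(10), "alice", "203.0.113.7", "Fall2020!"),
    (at(13), "bob", "203.0.113.7", "Fall2020!"),
    (at(16), "carol", "198.51.100.9", "Fall2020!"),
    (at(19), "Dave", "203.0.113.7", "Fall2020!"),    # case differences must not split the account
    (at(22), "erin", "198.51.100.9", "Fall2020!"),
    (at(25), "frank", "203.0.113.7", "Fall2020!"),
    # A second guess tried against too few accounts to cross the threshold.
    (at(30), "alice", "203.0.113.7", "Password1"),
    (at(31), "bob", "203.0.113.7", "Password1"),
    (at(32), "carol", "203.0.113.7", "Password1"),
    # Five accounts, but 45 minutes apart: never five inside one 30-minute window.
    (at(40), "alice", "203.0.113.7", "Welcome1"),
    (at(85), "bob", "203.0.113.7", "Welcome1"),
    (at(130), "carol", "203.0.113.7", "Welcome1"),
    (at(175), "dave", "203.0.113.7", "Welcome1"),
    (at(220), "erin", "203.0.113.7", "Welcome1"),
]

if __name__ == "__main__":
    for fp, hit in detect_spray(FAILED_SIGNINS).items():
        print(f"spray suspected: guess {fp} failed on {len(hit['accounts'])} accounts "
              f"from {sorted(hit['source_ips'])} between "
              f"{hit['first_seen']:%H:%M} and {hit['last_seen']:%H:%M}")
```

The slow "Welcome1" case is the caveat: a patient attacker who spreads one guess over hours stays under a per-window count, which is why Microsoft moved from a single-threshold heuristic to a model that combines the hash signal with IP reputation and other sign-in properties.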
How good is it?
Microsoft’s earlier answer to the problem was a heuristic-based detector. The researchers have since reworked it into a supervised model, trained on labelled sign-in data with features such as IP reputation, unusual sign-in properties, and other signals that mark a deviation from an account’s normal behaviour.
According to the researchers, the new model doubles the recall of the heuristic-based model: it correctly flags twice as many of the accounts that really were hit by a password spray. Precision is 98%, so of every hundred accounts the model reports as sprayed, about ninety-eight actually were.
For readers not familiar with the terms, precision and recall are the two standard measures of a classifier’s quality. Recall is the ratio of true positives to true positives plus false negatives, TP / (TP + FN): the share of all relevant items (here, truly sprayed accounts) that the model found.
Precision is the ratio of true positives to true positives plus false positives, TP / (TP + FP): the share of the model’s positive calls that were correct, which is how ‘trustworthy’ an alert is. The two pull against each other, since a model can raise recall by flagging more liberally at the cost of precision; that is why doubling recall while holding precision at 98% is the notable result.
Microsoft says the new model will soon be made available to Azure AD Identity Protection customers, both in the portal and through the Identity Protection APIs.