Patent attributes
Described are techniques including a computer-implemented method of aggregating a number of authentication failures from a plurality of connection attempts for an application or a service that services a plurality of clients, where respective authentication failures are detected by evaluating encrypted packets of the plurality of connection attempts. The method further comprises determining that the number of authentication failures is greater than a upper bound number of authentication failures, where the upper bound number of authentication failures is determined by an anomalous function using the plurality of connection attempts as input, where the anomalous function is defined, at least in part, by a Chebyshev's bound and a Chernoff bound. The method further comprises generating an alert indicating a potential credential attack against the application or the service.
