Suppression of authorization risk feedback to mitigate risk factor manipulation in an authorization system

US 10,091,181 B2
Filed: 06/09/2017
Issued: 10/02/2018
Est. Priority Date: 12/18/2015
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method of dynamic risk communication associated with a computer device, the method performed by one or more hardware processors, comprising:

automatically detecting one or more security risk factors for the computer device based on current context information associated with the computer device, the security risk factors used for authenticating a user, wherein for selected security risk factors the computer device requires additional information before authenticating the user;

determining whether an attempt is being made via the computer device to discover the one or more security risk factors that requires the additional information and to manipulate the computer device from using the selected security risk factors and from requiring the additional information;

responsive to determining that the attempt is being made to discover and manipulate the one or more security risk factors that requires the additional information, communicating a new challenge for additional identification for presenting on a user interface device of the computer device and suppressing an explanation of the one or more security risk factors from being presented on the user interface device.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Dynamic risk communication associated with a computer device may include automatically detecting one or more security risk factors for the computer device based on current context information associated with the computer device. Whether an attempt is being made via the computer device to manipulate the one or more risk factors in an attempt to reduce a security level of a computer-implemented authentication procedure may be determined. Responsive to determining that the attempt is being made to manipulate the one or more risk factors, a new challenge for additional identification may be communicated for presentation on a user interface device of the computer device while suppressing one or more security risk factors from being presented on the user interface device. Responsive to determining that an attempt is not being made to manipulate the one or more risk factors, the new challenge and one or more security risk factors may be communicated.

26 Citations

20 Claims

1. A computer-implemented method of dynamic risk communication associated with a computer device, the method performed by one or more hardware processors, comprising:
- automatically detecting one or more security risk factors for the computer device based on current context information associated with the computer device, the security risk factors used for authenticating a user, wherein for selected security risk factors the computer device requires additional information before authenticating the user;
  
  determining whether an attempt is being made via the computer device to discover the one or more security risk factors that requires the additional information and to manipulate the computer device from using the selected security risk factors and from requiring the additional information;
  
  responsive to determining that the attempt is being made to discover and manipulate the one or more security risk factors that requires the additional information, communicating a new challenge for additional identification for presenting on a user interface device of the computer device and suppressing an explanation of the one or more security risk factors from being presented on the user interface device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein the one or more security risk factors are analyzed at a security risk determination engine to generate a security risk level based on the current context information and historical patterns associated with one or more users and the computer device.
  - 3. The method of claim 2, wherein feedback from a user associated with the computer device is received, the feedback regarding the one or more security risk factors that are automatically detected, and the security risk level is recomputed based on the feedback.
  - 4. The method of claim 1, further comprising communicating the one or more security risk factors by displaying risk indicators by at least one of text, visual (icons) and audio display.
  - 5. The method of claim 1, further comprising generating one or more options that reduce the one or more security risk factors, the one or more options for presenting on the user interface device.
  - 6. The method of claim 1, further comprising automatically mitigating a security risk for a user associated with one or more users and the computer device, wherein the automatically mitigating a security risk comprises at least one of altering or substituting a user authentication interaction technique.
  - 7. The method of claim 1, further comprising:
    - responsive to determining that no attempt is being made to manipulate the one or more security risk factors, communicating the new challenge for additional identification and the one or more security risk factors for presentation on the user interface device.
  - 8. The method of claim 1, wherein the automatically detecting of the one or more security risk factors comprises comparing the current context information associated with the computer device with historical patterns of user behavior associated with one or more users and the computer device.

9. A non-transitory computer readable storage medium storing a program of instructions executable by a machine to perform a method of dynamic risk communication associated with a computer device, the method comprising:
- automatically detecting one or more security risk factors for the computer device based on current context information associated with the computer device, the security risk factors used for authenticating a user, wherein for selected security risk factors the computer device requires additional information before authenticating the user;
  
  determining whether an attempt is being made via the computer device to discover the one or more security risk factors that requires the additional information and to manipulate the computer device from using the selected security risk factors and from requiring the additional information;
  
  responsive to determining that the attempt is being made to discover and manipulate the one or more security risk factors that requires the additional information, communicating a new challenge for additional identification for presenting on a user interface device of the computer device and suppressing an explanation of the one or more security risk factors from being presented on the user interface device.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The non-transitory computer readable storage medium of claim 9, wherein the one or more security risk factors are analyzed at a security risk determination engine to generate a security risk level based on the current context information and historical patterns associated with one or more users and the computer device.
  - 11. The non-transitory computer readable storage medium of claim 10, wherein feedback from a user associated with the computer device is received, the feedback regarding the one or more security risk factors that are automatically detected, and the security risk level is recomputed based on the feedback.
  - 12. The non-transitory computer readable storage medium of claim 9, further comprising communicating the one or more security risk factors by displaying risk indicators by at least one of text, visual (icons) and audio display.
  - 13. The non-transitory computer readable storage medium of claim 9, further comprising generating one or more options that reduce the one or more security risk factors, the one or more options for presenting on the user interface device.
  - 14. The non-transitory computer readable storage medium of claim 9, further comprising automatically mitigating a security risk for a user associated with one or more users and the computer device, wherein the automatically mitigating a security risk comprises at least one of altering or substituting a user authentication interaction technique.
  - 15. The non-transitory computer readable storage medium of claim 9, wherein the method further comprises, responsive to determining that no attempt is being made to manipulate the one or more security risk factors, communicating the new challenge for additional identification and the one or more security risk factors for presentation on the user interface device.
  - 16. The non-transitory computer readable storage medium of claim 9, wherein the automatically detecting of the one or more security risk factors comprises comparing the current context information associated with the computer device with historical patterns of user behavior associated with one or more users and the computer device.

17. A system for dynamic risk communication associated with a computer device, comprising:
- one or more computer processors coupled to a memory,one or more of computer processors operable to automatically detect one or more security risk factors for the computer device based on current context information associated with the computer device, the security risk factors used for authenticating a user, wherein for selected security risk factors the computer device requires additional information before authenticating the user,one or more of computer processors further operable to determine whether an attempt is being made via the computer device to discover the one or more security risk factors that requires the additional information and to manipulate the computer device from using the selected security risk factors and from requiring the additional information,responsive to determining that the attempt is being made to manipulate the one or more security risk factors that requires the additional information, one or more of computer processors further operable to communicate a new challenge for additional identification for presenting on a user interface device of the computer device and suppress an explanation of the one or more security risk factors from being presented on the user interface device.
- View Dependent Claims (18, 19, 20)
- - 18. The system of claim 17, wherein the one or more security risk factors are analyzed at a security risk determination engine to generate a security risk level based on the current context information and historical patterns associated with one or more users and the computer device, and wherein feedback from a user associated with the computer device is received, the feedback regarding the one or more security risk factors that are automatically detected, and the security risk level is recomputed based on the feedback.
  - 19. The system of claim 17, wherein responsive to determining that a second attempt is not being made to manipulate the one or more security risk factors, one or more of computer processors are further operable to communicate the new challenge for additional identification and the one or more security risk factors for presentation on the user interface device.
  - 20. The system of claim 17, wherein one or more of computer processors are further operable further to communicate the one or more security risk factors by displaying risk indicators by at least one of text, visual (icons) and audio display.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Cheng, Pau-Chen, Koved, Lawrence, Singh, Kapil K., Swart, Calvin B., Trewin, Sharon M.
Primary Examiner(s)
Edwards, Linglan E

Application Number

US15/618,283
Publication Number

US 20170279787A1
Time in Patent Office

480 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/31   User authentication

G06F 21/554   involving event detection a...

G06F 21/577   Assessing vulnerabilities a...

G06F 2221/2111   Location-sensitive, e.g. ge...

G06F 2221/2125   Just-in-time application of...

G06F 2221/2139   Recurrent verification

H04L 63/08   for authentication of entit...

H04L 63/10   for controlling access to d...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1433   Vulnerability analysis

H04W 12/06   Authentication

H04W 12/08   Access security

H04W 12/12   Detection or prevention of ...

H04W 12/63   Location-dependent; Proximi...

H04W 12/67   Risk-dependent, e.g. select...

Suppression of authorization risk feedback to mitigate risk factor manipulation in an authorization system

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

26 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

Suppression of authorization risk feedback to mitigate risk factor manipulation in an authorization system

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

26 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others