Adaptive client-aware session security

US 10,313,364 B2
Filed: 02/19/2016
Issued: 06/04/2019
Est. Priority Date: 01/13/2014
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method, comprising:

under the control of one or more computer systems configured with executable instructions,receiving a first request associated with an identifier and a first source;

determining, based at least in part on a classification of the first source, that a change from a second source to the first source is indicative of potential malicious activity; and

causing an operation to be performed as a result of determining that the change from the second source to the first source is indicative of potential malicious activity, wherein the operation is initiation of an authentication process.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Source information for requests submitted to a system are classified to enable differential handling of requests over a session whose source information changes over the session. For source information (e.g., an IP address) classified as fixed, stronger authentication may be required to fulfill requests when the source information changes during the session. Similarly, for source information classified as dynamic, source information may be allowed to change without requiring the stronger authentication.

206 Citations

17 Claims

1. A computer-implemented method, comprising:
- under the control of one or more computer systems configured with executable instructions,receiving a first request associated with an identifier and a first source;
  
  determining, based at least in part on a classification of the first source, that a change from a second source to the first source is indicative of potential malicious activity; and
  
  causing an operation to be performed as a result of determining that the change from the second source to the first source is indicative of potential malicious activity, wherein the operation is initiation of an authentication process.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The computer-implemented method of claim 1, wherein the first source corresponds to a first Internet Protocol address, the second source corresponds to a second Internet Protocol address, and the identifier identifies a session.
  - 3. The computer-implemented method of claim 1, wherein:
    - the operation initiates an authentication process; and
      
      the method further comprises updating a database dependent on whether the authentication process results in successful authentication.
  - 4. The computer-implemented method of claim 1, wherein determining that the change from the second source to the first source is indicative of potential malicious activity comprises making a call to another computer system that indicates the first source and the second source and receiving a response from the other computer system, the response indicating whether the change from the second source to the first source is indicative of potential malicious activity.
  - 5. The computer-implemented method of claim 1, wherein:
    - the operation is initiation of a strong authentication process; and
      
      the method further comprises;
      
      receiving a third request associated with a second identifier and a third source;
      
      determining, based at least in part on a classification of the third source, that a change from a fourth source to the third source is not determined to be indicative potential malicious activity; and
      
      a weak authentication process to be performed as a result of determining that the change from the second source to the first source is not determined to be indicative of potential malicious activity.

6. A system, comprising:
- one or more processors; and
  
  memory including instructions that, when executed by the one or more processors, cause the system to;
  
  receive a second request associated with an identifier and a second source, the second source different from a first source of a first request associated with the identifier;
  
  determine, based at least in part on a classification of the first source that indicates whether a change from the first source to another source is unexpected, an operation to perform; and
  
  cause the operation to be performed, wherein the instructions that cause the system to determine the operation to perform to protect the system, as a result of execution by the one or more processors, cause the system to select an authentication type from a plurality of authentication types that includes strong authentication and weak authentication.
- View Dependent Claims (7, 8, 9, 10, 11)
- - 7. The system of claim 6, wherein the instructions further comprise instructions that, as a result of execution by the one or more processors, cause the system to update a database dependent on an authentication process associated with the operation.
  - 8. The system of claim 6, wherein the instructions, as a result of execution by the one or more processors, further cause the system to calculate a classification score for the classification and determine whether to change the classification of the first source based at least in part on the classification score.
  - 9. The system of claim 8, wherein a first threshold classification score for changing from a first classification to a second classification is different than a second threshold classification score for changing from the second classification to the first classification.
  - 10. The system of claim 6, wherein the instructions to determine the operation to perform to protect the system comprise instructions that, as a result of execution by the one or more processors, cause the system to submit a request specifying the first source and second source to another system and determine the operation to perform based at least in part on a response from the other system.
  - 11. The system of claim 6, wherein the instructions further comprise instructions that, as a result of execution by the one or more processors, cause the system to:
    - receive, from an entity, information regarding the first source; and
      
      update a classification of the first source in a database based at least in part on the information and a reputation score associated with the entity.

12. A non-transitory computer-readable storage medium having stored thereon instructions that, as a result of execution by one or more processors, cause a computer system to:
- obtain information that specifies a first request source and a second request source;
  
  classify, based at least in part on a classification of the first request source, a change from the first request source to the second request source during a session associated with an identity to determine a classification of the change;
  
  provide the classification of the change; and
  
  receive the classification of the change and determine, based at least in part on the classification of the change, whether to initiate an authentication process.
- View Dependent Claims (13, 14, 15, 16, 17)
- - 13. The non-transitory computer-readable storage medium of claim 12, wherein:
    - the instructions that cause the computer system to obtain the information cause the computer system to receive the information in an application programming interface request; and
      
      the instructions that cause the computer system to provide the classification of the change to protect the computer system cause the computer system to provide the classification of the change to protect the computer system in a response to the application programming interface request.
  - 14. The non-transitory computer-readable storage medium of claim 12, wherein:
    - the instructions that cause the computer system to obtain the information cause the computer system to obtain the information from a first request specifying the first request source and a second request specifying the second request source.
  - 15. The non-transitory computer-readable storage medium of claim 12, wherein the first request source is a set of network addresses and the second request source is a second set of network addresses.
  - 16. The non-transitory computer-readable storage medium of claim 12, wherein the instructions that cause the computer system to classify the change are further based at least in part on a classification of the second request source.
  - 17. The non-transitory computer-readable storage medium of claim 12, wherein the instructions further comprise instructions that, as a result of execution by the one or more processors, cause the computer system to:
    - obtain information indicating whether authentication after the change was successful; and
      
      update a database that at least stores a classification of the first source based at least in part on the information indicating whether the authentication after the change was successful.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Roth, Gregory Branchek, Allen, Nicholas Alexander
Primary Examiner(s)
Zand, Kambiz
Assistant Examiner(s)
Kaplan, Benjamin A

Application Number

US15/048,823
Publication Number

US 20160173518A1
Time in Patent Office

1,201 Days
Field of Search

726 3, 726 28
US Class Current
CPC Class Codes

G06F 21/45   Structures or tools for the...

G06F 21/62   Protecting access to data v...

G06F 2221/2101   Auditing as a secondary aspect

G06F 2221/2111   Location-sensitive, e.g. ge...

H04L 61/5007   Internet protocol [IP] addr...

H04L 63/08   for authentication of entit...

H04L 63/105   Multiple levels of security

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1441   Countermeasures against mal...

Adaptive client-aware session security

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

206 Citations

17 Claims

Specification

Use Cases

Quick Links

Others

Adaptive client-aware session security

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

206 Citations

17 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others