Individualized cybersecurity risk detection using multiple attributes

US 10,404,735 B2
Filed: 02/02/2017
Issued: 09/03/2019
Est. Priority Date: 02/02/2017
Status: Active Grant

First Claim

Patent Images

1. A method for assessing and responding to potential cybersecurity risks, comprising:

obtaining, by a computing device, a plurality of attributes relating to an authentication event;

determining, by the computing device, based on a cybersecurity risk assessment model, whether the plurality of attributes relating to the authentication event indicate a potential cybersecurity risk, wherein the cybersecurity risk assessment model is individualized on a per-user or per-device basis, and wherein determining whether the plurality of attributes relating to the authentication event indicate a potential cybersecurity risk further comprises;

comparing the plurality of attributes to a cluster center and determining whether the plurality of attributes is within a radius R of the cluster center, wherein the radius R has multiple parts and the multiple parts have multiple formats, each part having a respective format corresponding to one or more of the plurality of attributes;

causing, by the computing device, in response to determining that the determined plurality of attributes relating to the authentication event indicate a potential cybersecurity risk, a heightened security measure to be implemented; and

in response to the heightened security measure being passed, updating, by the computing device, the cybersecurity risk model by adding a new cluster to the cybersecurity risk model based on the plurality of attributes relating to the authentication event.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for assessing and responding to potential cybersecurity risks includes: obtaining, by a computing device, a plurality of attributes relating to an authentication event; determining, by the computing device, based on a cybersecurity risk assessment model, whether the plurality of attributes relating to the authentication event indicate a potential cybersecurity risk, wherein the cybersecurity risk assessment model is individualized on a per-user or per-device basis; and causing, by the computing device, in response to determining that the determined plurality of attributes relating to the authentication event indicate a potential cybersecurity risk, a heightened security measure to be implemented.

24 Citations

View as Search Results

18 Claims

1. A method for assessing and responding to potential cybersecurity risks, comprising:
- obtaining, by a computing device, a plurality of attributes relating to an authentication event;
  
  determining, by the computing device, based on a cybersecurity risk assessment model, whether the plurality of attributes relating to the authentication event indicate a potential cybersecurity risk, wherein the cybersecurity risk assessment model is individualized on a per-user or per-device basis, and wherein determining whether the plurality of attributes relating to the authentication event indicate a potential cybersecurity risk further comprises;
  
  comparing the plurality of attributes to a cluster center and determining whether the plurality of attributes is within a radius R of the cluster center, wherein the radius R has multiple parts and the multiple parts have multiple formats, each part having a respective format corresponding to one or more of the plurality of attributes;
  
  causing, by the computing device, in response to determining that the determined plurality of attributes relating to the authentication event indicate a potential cybersecurity risk, a heightened security measure to be implemented; and
  
  in response to the heightened security measure being passed, updating, by the computing device, the cybersecurity risk model by adding a new cluster to the cybersecurity risk model based on the plurality of attributes relating to the authentication event.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method according to claim 1, wherein the cybersecurity risk assessment model is individualized based on initializing and updating of the cybersecurity risk assessment model for a particular user or device.
  - 3. The method according to claim 2, wherein initializing and updating the cybersecurity risk assessment model comprises:
    - initializing the cybersecurity risk assessment model based on one or more sets of attributes corresponding to one or more successful authentication events; and
      
      updating the cybersecurity risk assessment model based on one or more sets of attributes corresponding to one or more subsequent successful authentication events after the cybersecurity risk assessment model has been initialized.
  - 4. The method according to claim 3, wherein initializing the cybersecurity risk assessment model further comprises creating one or more clusters based on the one or more sets of attributes corresponding to one or more successful authentication events;
    - andwherein updating the cybersecurity risk assessment model further comprises creating or updating one or more clusters based on the one or more sets of attributes corresponding to one or more subsequent successful authentication events.
  - 5. The method according to claim 1, wherein the plurality of attributes comprise one or more attribute types of the following attribute types:
    - a malware detection attribute;
      
      a jailbreak/root detection attribute;
      
      a debugger detection attribute;
      
      a location attribute;
      
      an accelerometer attribute;
      
      a gyroscope attribute;
      
      a compass attribute;
      
      a user navigation pattern attribute;
      
      a user swipe pattern attribute;
      
      an application tamper detection attribute;
      
      a device identifier attribute;
      
      an International Mobile Equipment Identity (IMEI) attribute;
      
      a device hardware attribute;
      
      a device certificate attribute;
      
      a date and/or time attribute;
      
      a device software attribute;
      
      a personal identification number (PIN) and/or password and/or biometric protection attribute;
      
      a device token attribute;
      
      a network identification attribute;
      
      a network services attribute;
      
      a proximate devices attribute;
      
      an attribute corresponding to whether a device is plugged in;
      
      a network proxy detection attribute; and
      
      a virtual private network (VPN) detection attribute.
  - 6. The method according to claim 1, wherein the plurality of attributes relating to the authentication event comprises an identification of one or more devices paired or available to be paired to a user device being authenticated, and wherein comparing the plurality of attributes to the cluster center comprises comparing the identification of the one or more devices paired or available to be paired to the user device being authenticated to one or more previous identifications of one or more devices paired or available to be paired to the user device.
  - 7. The method according to claim 1, wherein the plurality of attributes relating to the authentication event comprises an identification of one or more network services available to a user device being authenticated, and wherein comparing the plurality of attributes to the cluster center comprises comparing the identification of the one or more network services available to the user device being authenticated to one or more previous identifications of one or more network services available to a user device.

8. A non-transitory, computer-readable medium having processor-executable instructions stored thereon for assessing and responding to potential cybersecurity risks, the processor-executable instructions, when executed, facilitating performance of the following:
- obtaining a plurality of attributes relating to an authentication event;
  
  determining, based on a cybersecurity risk assessment model, whether the plurality of attributes relating to the authentication event indicate a potential cybersecurity risk, wherein the cybersecurity risk assessment model is individualized on a per-user or per-device basis, and wherein determining whether the plurality of attributes relating to the authentication event indicate a potential cybersecurity risk further comprises;
  
  comparing the plurality of attributes to a cluster center and determining whether the plurality of attributes is within a radius R of the cluster center, wherein the radius R has multiple parts and the multiple parts have multiple formats, each part having a respective format corresponding to one or more of the plurality of attributes;
  
  causing, in response to determining that the determined plurality of attributes relating to the authentication event indicate a potential cybersecurity risk, a heightened security measure to be implemented; and
  
  in response to the heightened security measure being passed, updating the cybersecurity risk model by adding a new cluster to the cybersecurity risk model based on the plurality of attributes relating to the authentication event.
- View Dependent Claims (9, 10, 11, 12)
- - 9. The non-transitory, computer-readable medium according to claim 8, wherein the cybersecurity risk assessment model is individualized based on initializing and updating of the cybersecurity risk assessment model for a particular user or device.
  - 10. The non-transitory, computer-readable medium according to claim 9, wherein initializing and updating the cybersecurity risk assessment model comprises:
    - initializing the cybersecurity risk assessment model based on one or more sets of attributes corresponding to one or more successful authentication events; and
      
      updating the cybersecurity risk assessment model based on one or more sets of attributes corresponding to one or more subsequent successful authentication events after the cybersecurity risk assessment model has been initialized.
  - 11. The non-transitory, computer-readable medium according to claim 10, wherein initializing the cybersecurity risk assessment model further comprises creating one or more clusters based on the one or more sets of attributes corresponding to one or more successful authentication events;
    - andwherein updating the cybersecurity risk assessment model further comprises creating or updating one or more clusters based on the one or more sets of attributes corresponding to one or more subsequent successful authentication events.
  - 12. The non-transitory, computer-readable medium according to claim 8, wherein the plurality of attributes comprise one or more attribute types of the following attribute types:
    - a malware detection attribute;
      
      a jailbreak/root detection attribute;
      
      a debugger detection attribute;
      
      a location attribute;
      
      an accelerometer attribute;
      
      a gyroscope attribute;
      
      a compass attribute;
      
      a user navigation pattern attribute;
      
      a user swipe pattern attribute;
      
      an application tamper detection attribute;
      
      a device identifier attribute;
      
      an International Mobile Equipment Identity (IMEI) attribute;
      
      a device hardware attribute;
      
      a device certificate attribute;
      
      a date and/or time attribute;
      
      a device software attribute;
      
      a personal identification number (PIN) and/or password and/or biometric protection attribute;
      
      a device token attribute;
      
      a network identification attribute;
      
      a network services attribute;
      
      a proximate devices attribute;
      
      an attribute corresponding to whether a device is plugged in;
      
      a network proxy detection attribute; and
      
      a virtual private network (VPN) detection attribute.

13. A system for assessing and responding to potential cybersecurity risks, comprising:
- a user device, wherein the user device is configured to attempt an authentication event and detect a plurality of attributes relating to the authentication event; and
  
  a server, wherein the server is configured to;
  
  obtain the plurality of attributes relating to the authentication event attempted by the user device;
  
  determine, based on a cybersecurity risk assessment model, whether the plurality of attributes relating to the authentication event indicate a potential cybersecurity risk, wherein the cybersecurity risk assessment model is individualized on a per-user or per-device basis, and wherein determining whether the plurality of attributes relating to the authentication event indicate a potential cybersecurity risk further comprises;
  
  comparing the plurality of attributes to a cluster center and determining whether the plurality of attributes is within a radius R of the cluster center, wherein the radius R has multiple parts and the multiple parts have multiple formats, each part having a respective format corresponding to one or more of the plurality of attributes;
  
  cause, in response to determining that the determined plurality of attributes relating to the authentication event indicate a potential cybersecurity risk, a heightened security measure to be implemented; and
  
  in response to the heightened security measure being passed, update the cybersecurity risk model by adding a new cluster to the cybersecurity risk model based on the plurality of attributes relating to the authentication event.
- View Dependent Claims (14, 15, 16, 17, 18)
- - 14. The system according to claim 13, wherein the cybersecurity risk assessment model is individualized based on initializing and updating of the cybersecurity risk assessment model for a particular user or device.
  - 15. The system according to claim 14, wherein initializing and updating the cybersecurity risk assessment model comprises:
    - initializing the cybersecurity risk assessment model based on one or more sets of attributes corresponding to one or more successful authentication events; and
      
      updating the cybersecurity risk assessment model based on one or more sets of attributes corresponding to one or more subsequent successful authentication events after the cybersecurity risk assessment model has been initialized.
  - 16. The system according to claim 15, wherein initializing the cybersecurity risk assessment model further comprises creating one or more clusters based on the one or more sets of attributes corresponding to one or more successful authentication events;
    - andwherein updating the cybersecurity risk assessment model further comprises creating or updating one or more clusters based on the one or more sets of attributes corresponding to one or more subsequent successful authentication events.
  - 17. The system according to claim 13, wherein the plurality of attributes comprise one or more attribute types of the following attribute types:
    - a malware detection attribute;
      
      a jailbreak/root detection attribute;
      
      a debugger detection attribute;
      
      a location attribute;
      
      an accelerometer attribute;
      
      a gyroscope attribute;
      
      a compass attribute;
      
      a user navigation pattern attribute;
      
      a user swipe pattern attribute;
      
      an application tamper detection attribute;
      
      a device identifier attribute;
      
      an International Mobile Equipment Identity (IMEI) attribute;
      
      a device hardware attribute;
      
      a device certificate attribute;
      
      a date and/or time attribute;
      
      a device software attribute;
      
      a personal identification number (PIN) and/or password and/or biometric protection attribute;
      
      a device token attribute;
      
      a network identification attribute;
      
      a network services attribute;
      
      a proximate devices attribute;
      
      an attribute corresponding to whether a device is plugged in;
      
      a network proxy detection attribute; and
      
      a virtual private network (VPN) detection attribute.
  - 18. The system according to claim 13, wherein the user device is a mobile device or a personal computer.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Aetna Incorporated (CVS Health Corporation)
Original Assignee
Aetna Incorporated (CVS Health Corporation)
Inventors
Jain, Salil Kumar
Primary Examiner(s)
Pyzocha, Michael

Application Number

US15/423,089
Publication Number

US 20180219891A1
Time in Patent Office

943 Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/0272   Virtual private networks

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1433   Vulnerability analysis

Individualized cybersecurity risk detection using multiple attributes

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

24 Citations

18 Claims

Specification

Use Cases

Quick Links

Others

Individualized cybersecurity risk detection using multiple attributes

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

24 Citations

18 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others