Authentication and authorization without the use of supplicants

US 10,419,439 B1
Filed: 07/25/2018
Issued: 09/17/2019
Est. Priority Date: 03/16/2015
Status: Active Grant

First Claim

Patent Images

1. A system, comprising:

a hardware processor that executes the following computer executable components stored in a memory;

an identification manager component that generates profile data for a device based on the device denying authorization to access a hostile source and in response to a first authentication request, andwherein the profile data includes at least data specific to a verifying user identity associated with the denial of the first authentication request; and

wherein a supplicant is not deployed on the device,an evaluation component that predicts an expected characteristic of a second authentication request by the device to access the hostile source prior to receipt of the second authentication request,wherein the evaluation component predicts a port connection for the second authentication request by combining the profile data with other profile data; and

a validation component that requests a second authentication of the device based on a detected state change between the device and the hostile source, andthat, in response to the receipt of the second authentication request compares the characteristic of the second authentication request to the predicted expected characteristic and, based on the comparison, controls access to a secure network,wherein the validation component automatically denies authentication of the device with the hostile source based on a determination that the characteristic of the second authentication request matches the expected characteristic,wherein the validation component requests additional information that comprises a reauthentication to a port from the device based on a determination that the characteristic of the second authentication request does match the expected characteristic.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Provided is authentication and authorization without the use of supplicants. Authentication and authorization includes generating a profile for a device based on at least one characteristic observed during a successful attempt by the device to access an 802.1X network infrastructure. Expected characteristics for a next attempt to access the infrastructure by the device are determined. A characteristic of the next access attempt is matched to the expected characteristic and access to the network is selectively controlled as a result of the matching. This is achieved without a supplicant being installed on the device.

Citations

20 Claims

1. A system, comprising:
- a hardware processor that executes the following computer executable components stored in a memory;
  
  an identification manager component that generates profile data for a device based on the device denying authorization to access a hostile source and in response to a first authentication request, andwherein the profile data includes at least data specific to a verifying user identity associated with the denial of the first authentication request; and
  
  wherein a supplicant is not deployed on the device,an evaluation component that predicts an expected characteristic of a second authentication request by the device to access the hostile source prior to receipt of the second authentication request,wherein the evaluation component predicts a port connection for the second authentication request by combining the profile data with other profile data; and
  
  a validation component that requests a second authentication of the device based on a detected state change between the device and the hostile source, andthat, in response to the receipt of the second authentication request compares the characteristic of the second authentication request to the predicted expected characteristic and, based on the comparison, controls access to a secure network,wherein the validation component automatically denies authentication of the device with the hostile source based on a determination that the characteristic of the second authentication request matches the expected characteristic,wherein the validation component requests additional information that comprises a reauthentication to a port from the device based on a determination that the characteristic of the second authentication request does match the expected characteristic.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The system of claim 1, further wherein the validation component controlling access controls multiple endpoints attempting access to a plurality of networks.
  - 3. The system of claim 1, wherein the computer executable components stored in a memory further comprise:
    - an enhancement component that in combination with the evaluation component determines the manner of authenticating the endpoint.
  - 4. The system of claim 1, wherein the identification manager component generates the profile data based on usage characteristics of the device, and wherein the usage characteristics comprise a listening technology installed on the device.
  - 5. The system of claim 1, wherein the identification manager component generates the profile data based on usage characteristics of the device, and wherein the usage characteristics comprise a location.
  - 6. The system of claim 1, wherein the identification manager component generates the profile data based on usage characteristics of the device, and wherein the usage characteristics comprise an Internet protocol address.
  - 7. The system of claim 1, wherein the identification manager component generates the profile data based on usage characteristics of the device, and wherein the usage characteristics comprise a device type.
  - 8. The system of claim 1, wherein the identification manager component generates the profile data based on usage characteristics of the device, and wherein the usage characteristics comprise an access history for the device.

9. A method, comprising:
- generating, by a system comprising a processor, a profile for an endpoint based on a characteristic observed during a non-successful attempt by the endpoint to access a hostile source,wherein the non-successful attempt is in response to a first authentication request, and,wherein the profile includes at least data specific to a verifying user identity associated with a denial of the first authentication request, and wherein a supplicant is not deployed on the endpoint;
  
  predicting, by the system, an expected characteristic for another attempt by the endpoint to access the hostile source, the other attempt is a future attempt,wherein the evaluation component predicts a port connection for the second authentication request by combining the profile data with other profile data;
  
  comparing, by the system, a characteristic of the other attempt by the endpoint to access the hostile source with the expected characteristic; and
  
  selectively controlling, by the system, access to the hostile source by the endpoint as a result of the comparing,wherein a validation component requests an authentication of a device based on a detected state change between the device and a secure network, wherein the request is the other authentication request, andwherein the selectively controlling access comprises automatically denying based on a determination that the characteristic of the other attempt matches the expected characteristic;
  
  wherein the validation component requests additional information that comprises a reauthentication to a port from the device based on a determination that the characteristic of the second authentication request does match the expected characteristic.
- View Dependent Claims (10, 11, 12)
- - 10. The method of claim 9, wherein the observed characteristic and the expected characteristic are a same characteristic.
  - 11. The method of claim 9, wherein the observed characteristic and the expected characteristic are different characteristics.
  - 12. The method of claim 9, further comprising generating layer-2 802.1 X extensible authentication protocol responses and requests in place of the supplicant.

13. A computer-readable storage device storing executable instructions that, in response to execution, cause a system comprising a processor to perform operations, comprising:
- generating profile data for a device based on the device being denied access to a hostile source in response to a first authentication request, andwherein the profile data includes at least data specific to a verifying user identity associated with the denial of the first authentication request;
  
  predicting an expected characteristic of a second authentication request by the device to access the hostile source, the predicted expected characteristic is a prediction of a characteristic of the second authentication request, wherein the predicting includes predicting a port connection for the second authentication request by combining the profile data with other profile data; and
  
  after receipt of the second authentication request, comparing the characteristic of the second authentication request to the expected characteristic; and
  
  controlling access to a secure network based on the comparison, wherein a supplicant is not deployed on the device, wherein controlling access includes;
  
  wherein the second authentication request is made based on a detected state change between the device and the secure network,request additional information from the device, wherein the additional information comprises a reauthentication to a port;
  
  upon a determination that the characteristic of the second authentication request matches the predicted expected characteristic, automatically denying the device with the hostile source.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20)
- - 14. The computer-readable storage device of claim 13, wherein the controlling access further comprises control of multiple endpoints attempting access to a plurality of networks.
  - 15. The computer-readable storage device of claim 13, wherein the operations further comprise determining alternative manners of authenticating the endpoint based at least in part on the generated profile data.
  - 16. The computer-readable storage device of claim 13, wherein the profile data is generated based on usage characteristics of the device, and wherein the usage characteristics comprise a listening technology installed on the device.
  - 17. The computer-readable storage device of claim 13, wherein the profile data is generated based on usage characteristics of the device, and wherein the usage characteristics comprise a location.
  - 18. The computer-readable storage device of claim 13, wherein the profile data is generated based on usage characteristics of the device, and wherein the usage characteristics comprise an Internet protocol address.
  - 19. The computer-readable storage device of claim 13, wherein the profile data is generated based on usage characteristics of the device, and wherein the usage characteristics comprise a device type.
  - 20. The computer-readable storage device of claim 13, wherein the profile data is generated based on usage characteristics of the device, and wherein the usage characteristics comprise an access history for the device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Wells Fargo Bank NA (Wells Fargo & Company)
Original Assignee
Wells Fargo Bank NA (Wells Fargo & Company)
Inventors
Benskin, Ryan B., Belton, Jr., Lawrence T., Houser, Christopher, Makohon, Peter A., Morris, Timothy, Bracey, Omar
Primary Examiner(s)
Brown, Christopher J
Assistant Examiner(s)
Jackson, Jenise E

Application Number

US16/045,286
Time in Patent Office

419 Days
Field of Search

726 4
US Class Current
CPC Class Codes

H04L 63/0823   using certificates cryptogr...

H04L 63/102   Entity profiles

H04W 12/065   Continuous authentication

H04W 12/08   Access security

Authentication and authorization without the use of supplicants

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Authentication and authorization without the use of supplicants

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links