Method and System for Dynamically Controlling Access to a Network

US 20080189776A1
Filed: 02/01/2008
Published: 08/07/2008
Est. Priority Date: 02/01/2007
Status: Abandoned Application

First Claim

Patent Images

1. A computer-implemented method for dynamically evaluating access by a requester to a computer network, comprising the steps of:

receiving a request for access to the network from a requester at a device;

receiving authentication information for the requester;

accepting authorization information for the requester;

comparing the authentication information to authorization information to determine whether the requester is authentic;

generating an authentication score based on the comparison of the authentication information to the authorization information; and

determining network access based on the authentication score.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The dynamic access evaluation system receives a service request from a device seeking access to a network. The system receives information about the requester, the device from which the request is made and/or the location of the requester and the device. The system analyzes rule sets for the application being requested on the network to determine whether authentication is necessary. The system authenticates the requester based on a comparison of authorization information to information about the requester received in the request. The system authenticates the device by comparing device information in the request to historical device information. Furthermore, the system receives location information for the device and the requester and compares them to determine whether the locations are the same or similar. After granting access, the system continues to monitor information about the requester, device, or location and can terminate device access based on a change in the monitored information.

Citations

52 Claims

1. A computer-implemented method for dynamically evaluating access by a requester to a computer network, comprising the steps of:
- receiving a request for access to the network from a requester at a device;
  
  receiving authentication information for the requester;
  
  accepting authorization information for the requester;
  
  comparing the authentication information to authorization information to determine whether the requester is authentic;
  
  generating an authentication score based on the comparison of the authentication information to the authorization information; and
  
  determining network access based on the authentication score.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The computer-implemented method of claim 1, further comprising the steps of:
    - granting the requester access to the network at the device;
      
      providing the requester access to the network at the device;
      
      receiving additional authentication information for the requester;
      
      identifying a change in the authentication information for the requester, wherein at least a portion of the additional authentication information is different than the authentication information; and
      
      determining whether to terminate access to the network for the requester at the device based on said change.
  - 3. The computer-implemented method of claim 1, wherein the authentication information comprises two-factor authentication information.
  - 4. The computer-implemented method of claim 3, wherein the two-factor authentication information comprises a security identification and a personal identification number.
  - 5. The computer-implemented method of claim 1, wherein the authentication information comprises biometric data of the requester.
  - 6. The computer-implemented method of claim 1, wherein comparing the authentication information to the authorization information comprises:
    - determining whether the authentication information is substantially similar to the authorization information; and
      
      generating the authentication score based on the similarity of the authentication information to the authorization information.
  - 7. The computer-implemented method of claim 1, wherein comparing the authentication information to the authorization information comprises:
    - determining the identity of the requester based on the authentication information;
      
      determining a service requested by the requester in the network; and
      
      determining whether the requester is authorized to access the service on the network by comparing the identity of the requester to a listing of users permitted to access the service.
  - 8. The computer-implemented method of claim 7, wherein the service comprises an application on the network.

9. A computer-implemented method for dynamically evaluating access by a device to a computer network, comprising the steps of:
- receiving a request for access to the network from a device;
  
  receiving information about the device making the request;
  
  comparing the device information to historical device information;
  
  determining whether the device is authentic based on the comparison of the device information to the historical device information;
  
  generating an authentication score based on the comparison of the device information to historical device information; and
  
  determining whether to grant network access to the device based on the authentication score.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The computer-implemented method of claim 9, wherein determining whether to grant network access to the device based on the authentication score comprises:
    - evaluating the authentication score;
      
      evaluating at least a portion of the comparison of the device information to the historical device information; and
      
      determining whether to grant network access to the device based on the authentication score and the portion of the comparison of device information to the historical device information.
  - 11. The computer-implemented method of claim 9, further comprising the steps of:
    - granting the device access to the network;
      
      providing the device access to the network;
      
      receiving additional device information for the device while the device is accessing the network;
      
      identifying a change in the device information, wherein at least a portion of the additional device information is different than the device information; and
      
      determining whether to terminate access to the network for the device based on the change.
  - 12. The computer-implemented method of claim 9, wherein the information about the device comprises fingerprint data of the device.
  - 13. The computer-implemented method of claim 9, wherein determining whether the device is authentic comprises the steps ofdetermining whether the device information is substantially similar to the historical device information;
    - andgenerating the authentication score based on the amount of similarity between the device information and the historical device information.
  - 14. The computer-implemented method of claim 9, further comprising the steps of:
    - determining a service requested by the device in the network;
      
      evaluating a set of rules related to the requested service to determine whether authentication of the device is required for the requested service; and
      
      granting access to the service on the network without evaluating the authentication score if it is determined that authentication of the device is not required for the requested service.
  - 15. The computer-implemented method of claim 14, further comprising the step of:
    - evaluating the authentication score to determine whether to grant network access if it is determined that authentication is required for the requested service.
  - 16. the computer-implemented method of claim 14, wherein the service comprises an application on the network.

17. A computer-implemented method for dynamically evaluating access by a device to a computer network, comprising the steps of:
- receiving a request for access to the network from a requester at a device;
  
  receiving a device location;
  
  receiving a requester location;
  
  comparing the location of the device to the location of the requester to determine whether they are substantially similar; and
  
  granting access to the network at the device based on a positive determination that the device location and the requester location are substantially similar.
- View Dependent Claims (18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30)
- - 18. The computer-implemented method of claim 17, further comprising the steps of:
    - determining a service requested by the device in the network;
      
      evaluating a set of rules related to the requested service to determine whether determining the location of the device or the requester is required for access to the service; and
      
      granting access to the service on the network without regard to the comparison of the location of the device to the location of the requester based on a determination that determining the location of the device or the requester is not required for access to the service.
  - 19. The computer-implemented method of claim 17, further comprising the steps of:
    - determining a service requested by the device in the network;
      
      evaluating a set of rules related to the requested service to determine a location where the service can be accessed;
      
      determining whether the location of the device is within the location where the service is allowed to be accessed; and
      
      providing the device access to the service on the network based on a positive determination that the location of the device is within the location where the service is allowed to be accessed.
  - 20. The computer-implemented method of claim 19, further comprising the steps of:
    - receiving additional device location information while the device is accessing the service on the network;
      
      identifying a change in the location of the device based on a difference between the device location and the additional device location information;
      
      determining whether the location of the device is within the location where the service is allowed to be accessed based on the additional device location information; and
      
      determining whether to terminate access to the service based on the additional device location information.
  - 21. The computer-implemented method of claim 17, further comprising the steps of:
    - determining a service requested by the device in the network;
      
      evaluating a set of rules related to the requested service to determine a location where the service can be accessed;
      
      determining whether the location of the requester is within the location where the service is allowed to be accessed; and
      
      providing the device access to the service on the network based on a positive determination that the location of the requester is within the location where the service is allowed to be accessed.
  - 22. The computer-implemented method of claim 21, further comprising the steps of:
    - receiving additional requester location information while the device is accessing the service on the network;
      
      identifying a change in the location of the requester based on the additional device location information;
      
      determining whether the location of the requester is within the location where the service is allowed to be accessed based on the additional requester location information; and
      
      determining whether to terminate access to the service based on the additional requester location information.
  - 23. The computer-implemented method of claim 17, wherein the requester location is determined from presence feeds.
  - 24. The computer-implemented method of claim 17, wherein the device location is determined from a global positioning system signal.
  - 25. The computer-implemented method of claim 17, wherein receiving the device location comprises:
    - accepting an internet protocol address for the request;
      
      evaluating the internet protocol address to determine a location of the internet protocol address;
      
      assigning the location of the internet protocol address as the device location.
  - 26. The computer-implemented method of claim 17, further comprising the steps of:
    - determining the identity of the requester comprising the steps of;
      
      receiving authentication information for the requester;
      
      accepting authorization information for the requester;
      
      comparing the authentication information to the authorization information to determine whether the requester is authentic;
      
      identifying the requester based on a positive determination that the requester is authentic.
  - 27. The computer-implemented method of claim 17, wherein receiving the requester location comprises the steps of:
    - receiving the device location, wherein the device comprises a webcam;
      
      receiving a video feed of at least a portion of the requester from the webcam;
      
      determining the identity of the requester based on the video feed; and
      
      setting the location of the requester as equal to the device location.
  - 28. The computer-implemented method of claim 17, wherein receiving the requester location comprises the steps of:
    - receiving the device location;
      
      receiving a biometric data of the requester at the device;
      
      evaluating the biometric data to determine the identity of the requester; and
      
      setting the location of the requester as equal to the device location.
  - 29. The computer-implemented method of claim 17, further comprising the steps of:
    - generating a location score based on the similarity in location information for the device and the requester; and
      
      determining whether to grant network access to the device based on the location score.
  - 30. The computer-implemented method of claim 29, wherein the location score improves based on increase in the number of location source providers that identify that the requester and the device are in a substantially similar location.

31. A system for dynamically evaluating access by a device to a computer network comprisinga first logic component for receiving information about a requester using the device and determining the authenticity of the requester;
- a second logic component for receiving information about the device making a request to access the network and determine whether the device is authentic; and
  
  a third logic component for receiving information about a location of the device and a location of the requester and determining whether the locations of the device and the requester are substantially similar.
- View Dependent Claims (32, 33, 34, 35, 36, 37, 38, 39)
- - 32. The system of claim 31, further comprising a policy engine for receiving the determinations of the first, second, and third logic components and determining whether to grant the device access to the network based on those determinations.
  - 33. The system of claim 32, wherein the policy engine further receives at least a portion of the information about the location of the device and the location of the requester and determining whether to grant the device access to the network further comprises an evaluation of the received portion of the information about the location of the device and the location of the requester.
  - 34. The system of claim 32, wherein the policy engine receives updated information from at least one of the first, second, and third logic components while the device is accessing the network, wherein the updated information is analyzed by the policy engine to identify differences between the updated information and the information from the first, second, and third logic components.
  - 35. The system of claim 34, further comprising a plurality of applications, at least a portion of the applications comprising access rules, wherein the policy engine evaluates the access rules for an application requested by the device and terminates the connection between the device and the network if the difference between the updated information and the information from the first, second, and third logic components violates at least one of the access rules for the requested application.
  - 36. The system of claim 31, further comprising presence feeds communicably connected to the third logic component, wherein the presence feeds comprise information about the location of the requester.
  - 37. The system of claim 31, further comprising an authorization repository communicably connected to the first logic component, wherein the authorization database comprises user permission information for a plurality of services on the network.
  - 38. The system of claim 31, further comprising a repository of device assets communicably connected to the second logic component, wherein the repository comprises information about a plurality of devices having access to the network.
  - 39. The system of claim 31, wherein the first, second, and third logic components are comprised in a single logic component.

40. A computer-implemented method for dynamically evaluating access by a requester to a computer network, comprising the steps of:
- determining a first authentication information for the requester at a first period in time;
  
  determining a second authentication information for the requester at a second period in time while the requester is accessing the network;
  
  comparing the first authentication information to the second authentication information;
  
  identifying a change between the first and second authentication information for the requester; and
  
  determining whether to terminate the requester'"'"'s access to the network at the device based on the change.
- View Dependent Claims (41, 42)
- - 41. The computer-implemented method of claim 40, wherein determining whether to terminate the requester'"'"'s access to the network at the device is based on an evaluation of the second authentication information.
  - 42. The computer-implemented method of claim 40, further comprising the step of granting the requester access to the network at the device based on the first authentication information.

43. A computer-implemented method for dynamically evaluating access by a device to a computer network, comprising the steps of:
- receiving a first set of information about the device making the request at a first period of time;
  
  receiving a second set of information about the device at a second period of time, while the device is accessing the network;
  
  comparing the first set of information about the device to the second set of information about the device;
  
  identifying a change between the first and second set of information; and
  
  determining whether to terminate the device'"'"'s access to the network based on the change.
- View Dependent Claims (44, 45)
- - 44. The computer-implemented method of claim 43, wherein determining whether to terminate the device'"'"'s access to the network is based on an evaluation of the second set of information about the device.
  - 45. The computer-implemented method of claim 43, further comprising the step of granting the device access to the network based on the first set of information about the device.

46. A computer-implemented method for dynamically evaluating access by a device to a computer network, comprising the steps of:
- receiving a first location for the device at a first period of time;
  
  receiving a second location for the device at a second period of time, while the device is accessing the network;
  
  comparing the first location to the second location;
  
  identifying a change between the first and second location of the device; and
  
  determining whether to terminate the device'"'"'s access to the network based on the change.
- View Dependent Claims (47, 48)
- - 47. The computer-implemented method of claim 46, wherein determining whether to terminate the device'"'"'s access to the network is based on an evaluation of the second location for the device.
  - 48. The computer-implemented method of claim 46, further comprising the step of granting the device access to the network based on the first location for the device.

49. A computer-implemented method for dynamically evaluating access by a requester at a device to a computer network, comprising the steps of:
- receiving a first location for the requester at a first period of time;
  
  receiving a second location for the requester at a second period of time, while the device is accessing the network;
  
  comparing the first location to the second location of the requester;
  
  identifying a change between the first and second location of the requester; and
  
  determining whether to terminate access to the network based on the change.
- View Dependent Claims (50, 51)
- - 50. The computer-implemented method of claim 49, wherein determining whether to terminate access to the network is based on an evaluation of the second location for the requester.
  - 51. The computer-implemented method of claim 49, further comprising the step of granting the requester access to the network at the device based on the first location for the requester.

52. A system for dynamically evaluating access by a device to a computer network comprising:
- a first logic component for receiving information about a requester using the device and determining the authenticity of the requester;
  
  a second logic component for receiving information about the device making a request to access the network and determine whether the device is authentic;
  
  a third logic component for receiving information about a location of the device and a location of the requester and determining whether the locations of the device and the requester are substantially similar;
  
  a policy engine for receiving information from at least one of the first, second, and third logic components at a first period of time and updated information from at least one of the first, second, and third logic components at a second period of time, while the device is accessing the network, wherein the information and the updated information are compared to identify a change and a determination is made whether to terminate access by the device to the network based on the change.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Credit Suisse Securities USA LLC (Credit Suisse)
Original Assignee
Credit Suisse Securities USA LLC (Credit Suisse)
Inventors
Constable, Colin

Application Number

US12/024,905
Publication Number

US 20080189776A1
Time in Patent Office

Days
Field of Search
US Class Current

726/7
CPC Class Codes

G06F 21/32   using biometric data, e.g. ...

G06F 2221/2111   Location-sensitive, e.g. ge...

H04L 12/1822   Conducting the conference, ...

H04L 2463/082   applying multi-factor authe...

H04L 63/08   for authentication of entit...

H04L 63/0861   using biometrical features,...

H04L 63/10   for controlling access to d...

H04L 63/102   Entity profiles

H04L 63/107   wherein the security polici...

H04W 12/06   Authentication

H04W 12/065   Continuous authentication

H04W 12/08   Access security

H04W 12/40   Security arrangements using...

H04W 12/63   Location-dependent; Proximi...

Method and System for Dynamically Controlling Access to a Network

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

Citations

52 Claims

Specification

Solutions

Use Cases

Quick Links

Method and System for Dynamically Controlling Access to a Network

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

52 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links