METHOD, DEVICE, AND SYSTEM OF DIFFERENTIATING BETWEEN A LEGITIMATE USER AND A CYBER-ATTACKER

US 20150205957A1
Filed: 04/01/2015
Published: 07/23/2015
Est. Priority Date: 11/29/2010
Status: Abandoned Application

First Claim

Patent Images

1. A method comprising:

determining whether a user, who utilizes a computing device to interact with a computerized service, is (A) an authorized user, or (B) an attacker posing as the authorized user and gaining unauthorized access to the computerized service;

wherein the determining comprises;

tracking user interactions with the computerized service via an input unit of the computing device;

analyzing the user interactions with the computerized service;

based on analysis of the user interactions with the computerized service, deducing at least one of;

(i) changes in data-entry rate of said user, and (ii) level of familiarity of said user with said computerized service;

based on said deducing, determining whether said user is (A) an authorized user, or (B) an attacker posing as the authorized user and gaining unauthorized access to the computerized service.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Devices, systems, and methods of detecting user identity, differentiating between users of a computerized service, and detecting a cyber-attacker. An end-user device (a desktop computer, a laptop computer, a smartphone, a tablet, or the like) interacts and communicates with a server of a computerized server (a banking website, an electronic commerce website, or the like). The interactions are monitored, tracked and logged. User Interface (UI) interferences are intentionally introduced to the communication session; and the server tracks the response or the reaction of the end-user to such communication interferences. The system determines whether the user is a legitimate human user, or a cyber-attacker posing as the legitimate human user.

96 Citations

View as Search Results

24 Claims

1. A method comprising:
- determining whether a user, who utilizes a computing device to interact with a computerized service, is (A) an authorized user, or (B) an attacker posing as the authorized user and gaining unauthorized access to the computerized service;
  
  wherein the determining comprises;
  
  tracking user interactions with the computerized service via an input unit of the computing device;
  
  analyzing the user interactions with the computerized service;
  
  based on analysis of the user interactions with the computerized service, deducing at least one of;
  
  (i) changes in data-entry rate of said user, and (ii) level of familiarity of said user with said computerized service;
  
  based on said deducing, determining whether said user is (A) an authorized user, or (B) an attacker posing as the authorized user and gaining unauthorized access to the computerized service.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24)
- - 2. The method of claim 1, comprising:
    - monitoring a rate of manual data entry by said user into a form of said computerized service;
      
      if said rate of manual data entry is generally constant for all fields in said form, then determining that said user is an attacker posing as the authorized user.
  - 3. The method of claim 1, comprising:
    - calculating a typing speed of data entry by said user, for each field in a form of said computerized service;
      
      if the typing speed of data entry by said user, is generally constant for all fields in said form of the computerized service, then determining that said user is an attacker posing as the authorized user.
  - 4. The method of claim 1, comprising:
    - monitoring a rate of manual data entry by said user into a form of said computerized service;
      
      if (a) the rate of manual data entry by said user is generally constant for a first group of fields in said form, and (b) the rate of manual data entry by said user is generally varying for a second group of fields in said form, then determining that said user is an authorized user of the computerized service.
  - 5. The method of claim 1, comprising:
    - monitoring a rate of manual data entry by said user into a form of said computerized service;
      
      monitoring deletion operations during manual data entry by said user into said form of said computerized service;
      
      based on a combination of (a) the rate of manual data entry, and (b) utilization or non-utilization of deletion operations during manual data entry, determining whether said user is (A) an authorized user, or (B) an attacker posing as the authorized user and gaining unauthorized access to the computerized service.
  - 6. The method of claim 1, comprising:
    - (a) monitoring a rate of manual data entry by said user into a form of said computerized service;
      
      (b) determining that the rate of manual data entry by said user into said form is generally constant across all fields of said form;
      
      (c) monitoring deletion operations during manual data entry by said user into said form of said computerized service;
      
      (d) determining that the number of deletion operations during manual data entry by said user into said form is smaller than a threshold value;
      
      (e) based on a combination of the determinations of step (b) and step (d), determining that said user is an attacker posing as the authorized user and gaining unauthorized access to the computerized service.
  - 7. The method of claim 1, comprising:
    - defining a first field, in a form of said computerized service, as a field that users are familiar with and type data therein rapidly;
      
      defining a second field, in said form of said computerized service, as a field that users are unfamiliar with and type data therein slowly;
      
      detecting that a rate of manual data entry by said user into the first field, is generally similar to the rate of manual data entry by said user into the second field;
      
      based on said detecting, determining that said user is an attacker posing as the authorized user and gaining unauthorized access to the computerized service.
  - 8. The method of claim 1, comprising:
    - defining a first field, in a form of said computerized service, as a field that users are familiar with and type data therein rapidly;
      
      defining a second field, in said form of said computerized service, as a field that users are unfamiliar with and type data therein slowly;
      
      detecting that said user enters data slowly into said first field that was defined as a field that users are familiar with and type data therein rapidly;
      
      based on said detecting, determining that said user is an attacker posing as the authorized user and gaining unauthorized access to the computerized service.
  - 9. The method of claim 1, comprising:
    - defining a first field, in a form of said computerized service, as a field that users are familiar with and type data therein rapidly;
      
      defining a second field, in said form of said computerized service, as a field that users are unfamiliar with and type data therein slowly;
      
      detecting that said user enters data rapidly into said second field that was defined as a field that users are unfamiliar with and type data therein slowly;
      
      based on said detecting, determining that said user is an attacker posing as the authorized user and gaining unauthorized access to the computerized service.
  - 10. The method of claim 1, comprising:
    - based on tracking of user interactions via the input unit of said computing device, estimating an actual level of familiarity of said user with a data-item that said user enters into a particular field of a form of said computerized service;
      
      based on a field-type of said particular field, determining an expected level of familiarity of authorized users with data-items that they enter into said particular field;
      
      comparing between (a) the actual level of familiarity of said user with said data-item entered into said particular field, and (b) the expected level of familiarity that characterizes authorized users who enter data into said particular field;
      
      if said comparing indicates a mismatch between the actual level of familiarity and the expected level of familiarity, then determining that said user is an attacker posing as the authorized user.
  - 11. The method of claim 1, comprising:
    - monitoring user interactions of said user with the computerized service, and detecting that said user deleted one or more characters when entering a data-item into a particular field in a form of said computerized service;
      
      determining that said particular field is a field that most authorized users are highly familiar with, and that said particular field is a field that most authorized users do not make mistakes when entering data therein;
      
      based on said, determining that said user is an attacker posing as the authorized user.
  - 12. The method of claim 1, comprising:
    - monitoring user interactions of said user with the computerized service, and detecting that said user exclusively performed copy-and-paste operations to enter data-items into all fields of a form of said computerized service;
      
      based on said detecting, determining that said user is an attacker posing as the authorized user.
  - 13. The method of claim 1, comprising:
    - defining a first field, in a form of said computerized service, as a field that authorized users typically enter data therein by manual character-by-character typing;
      
      defining a second field, in said form of said computerized service, as a field that authorized users typically enter data therein by performing copy-and-paste operations;
      
      detecting that said user enters data into said first field by performing a copy-and-paste operation instead of by manual character-by-character typing;
      
      based on said detecting, determining that said user is an attacker posing as the authorized user and gaining unauthorized access to the computerized service.
  - 14. The method of claim 1, comprising:
    - defining a first group of fields, in a form of said computerized service, as a group of fields that authorized users typically enter data therein by manual character-by-character typing;
      
      defining a second group of fields, in said form of said computerized service, as a group of fields that authorized users typically enter data therein by performing copy-and-paste operations;
      
      monitoring data entry methods that said user utilizes when said user populates data into fields of said form;
      
      detecting that said user performed copy-and-paste operations in at least a first particular field of said form;
      
      detecting that said user performed manual character-by-character typing of data in at least a second particular field of said form;
      
      if said first particular field belongs to said second group of fields, and if said second particular field belongs to said first group of fields, then determining that said user is an attacker.
  - 15. The method of claim 1, comprising:
    - defining a first group of fields, in a form of said computerized service, as a group of fields that authorized users typically enter data therein by manual character-by-character typing;
      
      defining a second group of fields, in said form of said computerized service, as a group of fields that authorized users typically enter data therein by performing copy-and-paste operations;
      
      monitoring data entry methods that said user utilizes when said user populates data into fields of said form;
      
      detecting that said user performed copy-and-paste operations in at least a first particular field of said form;
      
      detecting that said user performed manual character-by-character typing of data in at least a second particular field of said form;
      
      if said first particular field belongs to said first group of fields, and if said second particular field belongs to said second group of fields, then determining that said user is an authorized user.
  - 16. The method of claim 1, comprising:
    - monitoring user interactions of said user with a date field in a form of said computerized service;
      
      detecting that in a current usage session by said user, said user enters a date into said date field by selecting a date from a drop-down mini-calendar matrix;
      
      determining that in a set of previous usage sessions of said user, said user entered dates into date fields via manual character-by-character typing;
      
      based on said detecting and said determining, determining that said user is an attacker posing as the authorized user.
  - 17. The method of claim 1, comprising:
    - monitoring user interactions of said user with a form having multiple fields of said computerized service, and tracking whether said user moves a cursor among fields of said form by utilizing a keyboard or by utilizing a pointing device;
      
      detecting that in a current usage session by said user, said user moves the cursor among fields of said form by utilizing the keyboard and not the pointing device;
      
      determining that in a set of previous usage sessions of said user, said user moved the cursor among fields of said form by utilizing the pointing device and not the keyboard;
      
      based on said detecting and said determining, determining that said user is an attacker posing as the authorized user.
  - 18. The method of claim 1, comprising:
    - monitoring user interactions of said user with a form having multiple fields of said computerized service, and tracking whether said user moves a cursor among fields of said form by utilizing a keyboard or by utilizing a pointing device;
      
      detecting that in a current usage session by said user, said user moves the cursor among fields of said form by utilizing the pointing device and not the keyboard;
      
      determining that in a set of previous usage sessions of said user, said user moved the cursor among fields of said form by utilizing the keyboard and not the pointing device;
      
      based on said detecting and said determining, determining that said user is an attacker posing as the authorized user.
  - 19. The method of claim 1, comprising:
    - monitoring user interactions of said user with a form having multiple fields of said computerized service, and tracking whether said user submits the form by utilizing a pointing device to click on a Submit button or by pressing Enter on a keyboard;
      
      detecting that in a current usage session by said user, said user submits the form by pressing Enter on the keyboard;
      
      determining that in a set of previous usage sessions of said user, said user submitted forms by utilizing the pointing device to click on the Submit button;
      
      based on said detecting and said determining, determining that said user is an attacker posing as the authorized user.
  - 20. The method of claim 1, comprising:
    - monitoring user interactions of said user with a form having multiple fields of said computerized service, and tracking whether said user submits the form by utilizing a pointing device to click on a Submit button or by pressing Enter on a keyboard;
      
      detecting that in a current usage session by said user, said user submits the form by utilizing the pointing device to click on the Submit button;
      
      determining that in a set of previous usage sessions of said user, said user submitted forms by pressing Enter on the keyboard;
      
      based on said detecting and said determining, determining that said user is an attacker posing as the authorized user.
  - 21. The method of claim 1, comprising:
    - monitoring user interactions of said user with a form having multiple fields of said computerized service;
      
      with regard to a particular field in said form, said particular field associated with at least a first engagement manner and a second data-entry manner, tracking whether said user engages with said particular field by utilizing the first or the second data-entry manner;
      
      detecting that in a current usage session by said user, said user engaged with said particular field by utilizing said first data-entry manner;
      
      determining that in a set of previous usage sessions of said user, said user engaged with said particular field by utilizing said second data-entry manner;
      
      based on said detecting and said determining, determining that said user is an attacker posing as the authorized user.
  - 22. The method of claim 1, comprising:
    - (a) defining a multiple-screen account-creation process for creating a new account associated with the computerized service;
      
      (b) presenting a first, fixed, screen of said multiple-screen account creation process, and measuring characteristics of user interactions in said first screen;
      
      (c) shuffling the order of remaining screens of said multiple-screens account-creation process, by presenting at least one out-of-order screen earlier relative to a pre-defined sequence of said remaining screens;
      
      (d) measuring characteristics of user interaction in said at least one out-of-order screen of the account creation process;
      
      (e) determining a change between;
      
      (A) the characteristics of user interactions measured in step (b) during the first fixed screen, and (B) the characteristics of user interactions measured in step (d) during the at least one out-of-order screen;
      
      (f) based on the changed determined in step (e), determining that said user is an attacker.
  - 23. The method of claim 1, comprising:
    - (a) defining a multiple-screen account-creation process for creating a new account associated with the computerized service;
      
      (b) presenting a first, fixed, screen of said multiple-screen account creation process, and measuring characteristics of user interactions in said first screen;
      
      wherein said first, fixed, screen is presented with identical content to all users creating new accounts;
      
      (c) pseudo-randomly changing a content of a second screen of said multiple-screens account-creation process;
      
      (d) measuring characteristics of user interaction in said second screen of the account creation process;
      
      (e) comparing between;
      
      (A) the characteristics of user interactions measured in step (b) during the first fixed screen of the account-creation process, and (B) the characteristics of user interactions measured in step (d) during the second screen of the account-creation process; and
      
      determining that the user interactions in the second screen of the account-creation process exhibit user delays;
      
      (f) based on the determining of step (e), determining that said user is an attacker.
  - 24. The method of claim 1, comprising:
    - monitoring user interactions of said user with a form having multiple fields of said computerized service;
      
      tracking deletion operations performed by said user, in at least one of the following fields;
      
      username field, password field, first name field, last name field;
      
      detecting that said user performed at least one deletion operation during entry of data into at least one of the following fields;
      
      username field, password field, first name field, last name field;
      
      based on said detecting, determining that said user is an attacker.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Biocatch Ltd.
Original Assignee
Biocatch Ltd.
Inventors
Turgeman, Avi, Rivner, Uri, Kedem, Oren

Application Number

US14/675,764
Publication Number

US 20150205957A1
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/31   User authentication

G06F 21/316   by observing the pattern of...

G06F 21/32   using biometric data, e.g. ...

G06F 21/554   involving event detection a...

G06F 2221/034   Test or assess a computer o...

G06F 2221/2133   Verifying human interaction...

G06F 3/041   Digitisers, e.g. for touch ...

G06N 5/04   Inference or reasoning models

H04L 63/102   Entity profiles

H04L 63/1408   by monitoring network traff...

H04W 12/06   Authentication

METHOD, DEVICE, AND SYSTEM OF DIFFERENTIATING BETWEEN A LEGITIMATE USER AND A CYBER-ATTACKER

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

96 Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

METHOD, DEVICE, AND SYSTEM OF DIFFERENTIATING BETWEEN A LEGITIMATE USER AND A CYBER-ATTACKER

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

96 Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links