DEVICE, METHOD, AND SYSTEM OF DETECTING REMOTE ACCESS USERS AND DIFFERENTIATING AMONG USERS

US 20150310196A1
Filed: 06/11/2015
Published: 10/29/2015
Est. Priority Date: 11/29/2010
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

determining whether a user, who utilizes a computing device to interact with a computerized service, (i) is co-located physically near said computing device, or (ii) is located remotely from said computing device and controlling remotely said computer device via a remote access channel;

wherein the determining comprises;

(a) monitoring interactions of the user with an input unit;

(b) based on said monitoring, determining whether said user (i) is co-located physically at said computing device, or (ii) is located remotely from said computing device and controlling remotely said computing device via said remote access channel.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Devices, systems, and methods of detecting user identity, differentiating between users of a computerized service, detecting a possible cyber-attacker, detecting a remote access user, and detecting an automated script or malware. The methods include monitoring of user-side input-unit interactions, in general and in response to an interference introduced to user-interface elements. The monitored interactions are used for detecting an attacker that utilizes a remote access channel; for detecting a malicious automatic script, as well as malicious code injection; to identify a particular hardware assembly; to perform user segmentation or user characterization; to enable a visual login process with implicit two-factor authentication; to enable stochastic cryptography; and to detect that multiple users are utilizing the same subscription account.

122 Citations

32 Claims

1. A method comprising:
- determining whether a user, who utilizes a computing device to interact with a computerized service, (i) is co-located physically near said computing device, or (ii) is located remotely from said computing device and controlling remotely said computer device via a remote access channel;
  
  wherein the determining comprises;
  
  (a) monitoring interactions of the user with an input unit;
  
  (b) based on said monitoring, determining whether said user (i) is co-located physically at said computing device, or (ii) is located remotely from said computing device and controlling remotely said computing device via said remote access channel.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32)
- - 2. The method of claim 1, comprising:
    - sampling multiple interactions of said user with said input unit;
      
      based on a frequency of said sampling, determining whether said user is (i) co-located physically at said computing device, or (ii) is located remotely from said computing device and controlling remotely said computing device via said remote access channel.
  - 3. The method of claim 1, comprising:
    - sampling multiple interactions of said user with said input unit;
      
      based on a level-of-noise in said sampling, determining whether said user is (i) co-located physically at said computing device, or (ii) is located remotely from said computing device and controlling remotely said computing device via said remote access channel.
  - 4. The method of claim 1, comprising:
    - sampling multiple interactions of said user with said input unit;
      
      based on a Signal to Noise Ratio (SNR) value that characterizes the sample interactions with said input unit, determining whether said user is (i) co-located physically at said computing device, or (ii) is located remotely from said computing device and controlling remotely said computing device via said remote access channel.
  - 5. The method of claim 1, comprising:
    - sampling multiple interactions of said user with a computer mouse;
      
      if said sampling indicates generally-smooth movement of the computer mouse, then, determining that said user is co-located physically near said computing device.
  - 6. The method of claim 1, comprising:
    - sampling multiple interactions of said user with a computer mouse;
      
      if said sampling indicates generally-rough movement of the computer mouse, then, determining that said user is located remotely from said computing device and controlling remotely said computing device via said remote access channel.
  - 7. The method of claim 1, comprising:
    - sampling multiple interactions of said user with a computer mouse;
      
      if said sampling indicates generally-linear movement of the computer mouse, then, determining that said user is located remotely from said computing device and controlling remotely said computing device via said remote access channel.
  - 8. The method of claim 1, comprising:
    - sampling multiple interactions of said user with a computer mouse;
      
      if said sampling indicates disturbed interaction between mouse movement and mouse click events, then, determining that said user is located remotely from said computing device and controlling remotely said computing device via said remote access channel.
  - 9. The method of claim 1, comprising:
    - sampling multiple interactions of said user with a computer keyboard;
      
      if said sampling indicates disturbed typing fluency, then, determining that said user is located remotely from said computing device and controlling remotely said computing device via said remote access channel.
  - 10. The method of claim 1, comprising:
    - sampling multiple interactions of said user with said input unit;
      
      determining a temporal pattern of said multiple interactions of said user with said input unit;
      
      if the temporal pattern of said multiple interactions matches a particular pre-defined temporal pattern, then, determining that said user is located remotely from said computing device and controlling remotely said computing device via said remote access channel;
      
      if the temporal pattern of said multiple interactions does not match said particular pre-defined temporal pattern, then, determining that said user is co-located physically near said computing device.
  - 11. The method of claim 1, comprising:
    - sampling multiple interactions of said user with said input unit;
      
      determining a temporal pattern of said multiple interactions of said user with said input unit;
      
      if a temporal pattern of said multiple interactions matches a first pre-defined temporal pattern that characterizes remote access, then, determining that said user is located remotely from said computing device and controlling remotely said computing device via said remote access channel;
      
      if the temporal pattern of said multiple interactions matches a second pre-defined temporal pattern that characterizes non-remote access, then, determining that said user is co-located physically near said computing device;
      
      if the temporal pattern of said multiple interactions is does not match the first pre-defined temporal pattern and does not match the second pre-defined temporal pattern, then, determining that said sampling is inconclusive with regard to detecting whether the user is a remote user or a non-remote user.
  - 12. The method of claim 1, comprising:
    - sampling multiple interactions of said user with said input unit;
      
      if a frequency of said multiple interactions is smaller than a particular pre-defined threshold, then, determining that said user is located remotely from said computing device and controlling remotely said computing device via said remote access channel;
      
      if the frequency of said multiple interactions is equal to or greater than said particular pre-defined threshold, then, determining that said user is co-located physically near said computing device.
  - 13. The method of claim 1, comprising:
    - sampling multiple interactions of said user with said input unit;
      
      if a frequency of said multiple interactions is smaller than a first pre-defined threshold, then, determining that said user is located remotely from said computing device and controlling remotely said computing device via said remote access channel;
      
      if the frequency of said multiple interactions is equal to or greater than a second pre-defined threshold, which is greater than the first pre-defined threshold, then, determining that said user is co-located physically near said computing device;
      
      if the frequency of said multiple interactions is equal to or greater than the first pre-defined threshold, and if the frequency of said multiple interactions is equal to or smaller than the second pre-defined threshold, then, determining that said sampling is inconclusive with regard to detecting whether the user is a remote user or a non-remote user.
  - 14. The method of claim 1, comprising:
    - sampling user interactions with an input unit of said computing device;
      
      based on said sampling, determining that said user is utilizing a first set of hardware components which is capable of sampling the input unit at a first frequency;
      
      subsequently, (A) sampling additional, subsequent user interactions;
      
      (B) determining that a second, different, frequency characterizes said subsequent sampling;
      
      (C) determining that a second, different, set of hardware components is being used;
      
      (D) determining that a non-authorized person is accessing said computerized service.
  - 15. The method of claim 1, wherein said computing device comprises at least a touch-screen and a motion sensor;
    - wherein the method comprises;
      
      sampling user interactions with said input unit of said computing device;
      
      analyzing temporal relationship between touch events and motion sensor events, of sampled user interactions via said input unit of said computing device;
      
      based on analysis of temporal relationship between touch events and motion sensor events, of sampled user interactions via said input unit of said computing device, determining whether the said mobile computing device is controlled remotely via said remote access channel.
  - 16. The method of claim 1, wherein said computing device comprises at least a touch-screen and a motion sensor;
    - wherein the method comprises;
      
      sampling user interactions with said input unit of said computing device;
      
      analyzing temporal relationship between (i) touch-screen on-screen pointer-movement events and (ii) motion sensor events, of sampled user interactions via said input unit of said computing device;
      
      based on analysis of temporal relationship between (i) touch-screen on-screen pointer-movement events and (ii) motion sensor events, of sampled user interactions via said input unit of said computing device, determining whether the said computing device is controlled remotely via said remote access channel.
  - 17. The method of claim 1, comprising:
    - (A) sampling touch-based gestures of a touch-screen of said computing device;
      
      (B) sampling motion sensor data of said computing device, during a time period which at least partially overlaps said sampling of touch-based gestures of the touch-screen of said computing device;
      
      (C) based on a mismatch between (i) sampled touch-based gestures, and (ii) sampled motion sensor data, determining that said computing device was controlled remotely via said remote access channel.
  - 18. The method of claim 1, comprising:
    - (A) sampling touch-based gestures of a touch-screen of said computing device;
      
      (B) sampling motion sensor data of said computing device, during a time period which at least partially overlaps said sampling of touch-based gestures of the touch-screen of the mobile computing device;
      
      (C) determining that sampled touch-based gestures indicate that a user operated the computing device at a particular time-slot;
      
      (D) determining that the sampled motion sensor data indicate that the computing device was not moved during said particular time-slot;
      
      (E) based on the determining of step (C) and the determining of step (D), determining that the computing device was controlled remotely via said remote access channel during said particular time-slot.
  - 19. The method of claim 1, comprising:
    - (A) based on sampling of input-unit data, determining a typing fluency score that characterizes typing fluency of said user;
      
      (B) based on sampling of input-unit data, determining a pointing-device movement fluency score that characterizes pointing-device movement fluency of said user;
      
      (C) based on sampling of input-unit data, determining a pointing-device clicking fluency score that characterizes pointing-device clicking fluency of said user;
      
      (D) determining a weighted behavioral fluency score, based on;
      
      (i) said typing fluency score, and (ii) said pointing-device movement fluency score, and (iii) said pointing-device clicking fluency score;
      
      (E) based on said weighted behavioral fluency score, determining whether said computing device is controlled remotely via said remote access channel.
  - 20. The method of claim 1, comprising:
    - based on sampling of input-unit data, determining a typing fluency score that characterizes typing fluency of said user;
      
      if said typing fluency score is smaller than a pre-defined threshold, then, determining that said computing device is controlled remotely via said remote access channel.
  - 21. The method of claim 1, comprising:
    - based on sampling of input-unit data, determining a pointing-device movement fluency score that characterizes pointing-device movement fluency of said user;
      
      if said pointing-device movement fluency score is smaller than a pre-defined threshold, then, determining that said computing device is controlled remotely via said remote access channel.
  - 22. The method of claim 1, comprising:
    - based on sampling of input-unit data, determining a point-device clicking fluency score that characterizes point-device clicking fluency of said user;
      
      if said pointing-device clicking fluency score is smaller than a pre-defined threshold, then, determining that said computing device is controlled remotely via said remote access channel.
  - 23. The method of claim 1, comprising:
    - (A) based on sampling of input-unit data, determining a typing fluency score that characterizes typing fluency of said user;
      
      (B) based on sampling of input-unit data, determining a pointing-device movement fluency score that characterizes pointing-device movement fluency of said user;
      
      (C) based on sampling of input-unit data, determining a pointing-device clicking fluency score that characterizes pointing-device clicking fluency of said user;
      
      (D) determining a weighted behavioral fluency score, based on;
      
      (i) said typing fluency score, and (ii) said pointing-device movement fluency score, and (iii) said pointing-device clicking fluency score;
      
      (E) based on said weighted behavioral fluency score, determining whether said user is an authorized user or an attacker.
  - 24. The method of claim 1, wherein the sampling is performed in parallel to regular, non-interfered, usage of the computerized service;
    - wherein the sampling is performed on a generally-continuous basis during said regular non-interfered usage of the computerized service.
  - 25. The method of claim 1, wherein the sampling is performed during regular non-interfered usage of the computerized service, and without firstly introducing a computer-generated abnormality to the regular usage of said computerized service.
  - 26. The method of claim 1, wherein the sampling is performed during interfered usage of the computerized service and after firstly introducing a computer-generated abnormality to the regular usage of said computerized service;
    - wherein the sampling comprises sampling of input-unit interactions in response to introduction of said computer-generated abnormality.
  - 27. The method of claim 1, wherein the sampling is performed during interfered usage of the computerized service and after firstly introducing a computer-generated abnormality to the regular usage of said computerized service;
    - wherein the sampling comprises sampling of input-unit interactions in response to introduction of said computer-generated abnormality;
      
      wherein said step (b) of determining is based, at least, on a latency between (i) introduction of said computer-generated abnormality, and (ii) a corrective user-response that is reflected through said input unit as a user response to said computer-generated abnormality.
  - 28. The method of claim 1, wherein the sampling is performed during interfered usage of the computerized service and after firstly introducing a computer-generated abnormality to the regular usage of said computerized service;
    - wherein the sampling comprises sampling of input-unit interactions in response to introduction of said computer-generated abnormality;
      
      wherein said step (b) of determining is based, at least, on analysis of a corrective user-response that is reflected through said input unit as a user response to said computer-generated abnormality.
  - 29. The method of claim 1, wherein said computing device comprises at least an accelerometer and a touch-screen;
    - wherein the method comprises;
      
      sampling user interactions with said input unit of said computing device;
      
      analyzing temporal relationship between touch events and accelerometer events, of sampled user interactions via said input unit of said computing device;
      
      based on analysis of temporal relationship between touch events and accelerometer events, of sampled user interactions via said input unit of said computing device, determining whether the said mobile computing device is controlled remotely via said remote access channel.
  - 30. The method of claim 1, wherein said computing device comprises at least an accelerometer and a touch-screen;
    - wherein the method comprises;
      
      sampling user interactions with said input unit of said computing device;
      
      analyzing temporal relationship between (i) touch-screen on-screen pointer-movement events and (ii) accelerometer events, of sampled user interactions via said input unit of said computing device;
      
      based on analysis of temporal relationship between (i) touch-screen on-screen pointer-movement events and (ii) accelerometer events, of sampled user interactions via said input unit of said computing device, determining whether the said computing device is controlled remotely via said remote access channel.
  - 31. The method of claim 1, comprising:
    - (A) sampling touch-based gestures of a touch-screen of said computing device;
      
      (B) sampling accelerometer data of said computing device, during a time period which at least partially overlaps said sampling of touch-based gestures of the touch-screen of said computing device;
      
      (C) based on a mismatch between (i) sampled touch-based gestures, and (ii) sampled accelerometer data, determining that said computing device was controlled remotely via said remote access channel.
  - 32. The method of claim 1, comprising:
    - (A) sampling touch-based gestures of a touch-screen of said computing device;
      
      (B) sampling accelerometer data of said computing device, during a time period which at least partially overlaps said sampling of touch-based gestures of the touch-screen of the mobile computing device;
      
      (C) determining that sampled touch-based gestures indicate that a user operated the computing device at a particular time-slot;
      
      (D) determining that the sampled accelerometer data indicate that the computing device was not moved during said particular time-slot;
      
      (E) based on the determining of step (C) and the determining of step (D), determining that the computing device was controlled remotely via said remote access channel during said particular time-slot.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Biocatch Ltd.
Original Assignee
Biocatch Ltd.
Inventors
TURGEMAN, Avi, Novick, Itai

Granted Patent

US 9,690,915 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G01R 29/26   Measuring noise figure; Mea...

G06F 21/316   by observing the pattern of...

G06F 21/552   involving long-term monitor...

G06F 2221/2133   Verifying human interaction...

G06F 3/0482   Interaction with lists of s...

G06F 3/04842   Selection of displayed obje...

H04L 2463/082   applying multi-factor authe...

H04L 63/08   for authentication of entit...

H04L 63/126   the source of the received ...

H04W 12/06   Authentication

H04W 12/63   Location-dependent; Proximi...

DEVICE, METHOD, AND SYSTEM OF DETECTING REMOTE ACCESS USERS AND DIFFERENTIATING AMONG USERS

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

122 Citations

32 Claims

Specification

Solutions

Use Cases

Quick Links

DEVICE, METHOD, AND SYSTEM OF DETECTING REMOTE ACCESS USERS AND DIFFERENTIATING AMONG USERS

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

122 Citations

32 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links