MONITORING USER AUTHENTICITY
First Claim
1. A server system for monitoring user authenticity during user activities in user sessions on at least one application server, the server system comprising:
- one or more processors; and
at least one memory comprising program code that, when executed by the one or more processors, causes the one or more processors to;
perform a user-modeling process in which a user model is adapted session-by-session to user activities, wherein the user model includes a plurality of adaptive feature-specific user-behavior models that are associated with features indicative of user behavior; and
perform a user-verification process comprising;
determining a plurality of feature-specific risk-score values, wherein determining each feature-specific risk-score value comprises comparing the at least one adaptive feature-specific user-behavior model with each respective feature extracted from one or more of the user activities during one of the user sessions on the at least one application server,determining a total risk-score value indicative of user non-authenticity by;
a) weighting and combining the feature-specific risk-score values, orb) weighting and combining pre-combined risk-score values, wherein the pre-combined risk-score values is determined by combining a portion of the feature-specific risk-score values using multi-criteria decision analysis, andin response to the total risk-score value exceeding a given threshold, performing a corrective action selected from the group consisting of (i) signing out the user, (ii) requesting a two-factor authentication from the user, (iii) locking the user, and (iv) initiating an alert function.
1 Assignment
0 Petitions
Accused Products
Abstract
Systems and methods for monitoring user authenticity according to user activities on an application server. A user-modeling process and a user-verification process are performed. In the user-modeling process, a user model is adapted session-by-session to user activities in which the user model includes a plurality of adaptive feature-specific user-behavior models. The user-verification process includes determining a plurality of feature-specific risk-score values, comparing the at least one of the adaptive feature-specific user-behavior models with a respective feature extracted from user activity in the user session on the application server, and determining a total risk-score value indicative of user authenticity by weighting and combining the plurality of feature-specific risk-score values. If the total risk-score value is greater than a given threshold, a corrective action is performed.
108 Citations
21 Claims
-
1. A server system for monitoring user authenticity during user activities in user sessions on at least one application server, the server system comprising:
-
one or more processors; and at least one memory comprising program code that, when executed by the one or more processors, causes the one or more processors to; perform a user-modeling process in which a user model is adapted session-by-session to user activities, wherein the user model includes a plurality of adaptive feature-specific user-behavior models that are associated with features indicative of user behavior; and perform a user-verification process comprising; determining a plurality of feature-specific risk-score values, wherein determining each feature-specific risk-score value comprises comparing the at least one adaptive feature-specific user-behavior model with each respective feature extracted from one or more of the user activities during one of the user sessions on the at least one application server, determining a total risk-score value indicative of user non-authenticity by; a) weighting and combining the feature-specific risk-score values, or b) weighting and combining pre-combined risk-score values, wherein the pre-combined risk-score values is determined by combining a portion of the feature-specific risk-score values using multi-criteria decision analysis, and in response to the total risk-score value exceeding a given threshold, performing a corrective action selected from the group consisting of (i) signing out the user, (ii) requesting a two-factor authentication from the user, (iii) locking the user, and (iv) initiating an alert function. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
-
-
11. A method of monitoring user authenticity during user activities in user sessions on at least one application server, the method comprising:
-
performing a user-modeling process in which a user model is adapted session-by-session to user activities, wherein the user model includes a plurality of adaptive feature-specific user-behavior models that are associated with features indicative of user behavior; and perform, by one or more processors the of at least one application server, a user-verification process comprising; determining a plurality of feature-specific risk-score values, wherein determining each feature-specific risk-score value comprises comparing the at least one adaptive feature-specific user-behavior model with a respective feature extracted from one or more of the user activities in one of the user sessions on the at least one application server, determining a total risk-score value indicative of user non-authenticity by; a) weighting and combining the feature-specific risk-score values, or b) weighting and combining pre-combined risk-score values, wherein the pre-combined risk-score values are determined by combining a portion of the feature-specific risk-score values using multi-criteria decision analysis, and in response to the total risk-score value exceeding a given threshold, performing a corrective action selected from the group consisting of (i) signing out the user, (ii) requesting a two-factor authentication from the user, (iii) locking the user, and (iv) initiating an alert function. - View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
-
-
21. A computer program product for monitoring user authenticity during user activities in user sessions on at least one application server, the computer program product comprising:
-
a computer readable storage medium; and program code on the computer readable storage medium, the program code, when executed by one or more processors, causes the one or more processors to; perform a user-modeling process in which a user model is adapted session-by-session to user activities, wherein the user model includes a plurality of adaptive feature-specific user-behavior models that are associated with features indicative of user behavior; and perform a user-verification process comprising; determining a plurality of feature-specific risk-score values, wherein determining each feature-specific risk-score value comprises comparing the at least one adaptive feature-specific user-behavior model with a respective feature extracted from one or more of the user activities in one of the user sessions on the at least one application server, determining a total risk-score value indicative of user non-authenticity by; a) weighting and combining the feature-specific risk-score values, or b) weighting and combining pre-combined risk-score values, wherein the pre-combined risk-score values are determined by combining a portion of the feature-specific risk-score values using multi-criteria decision analysis, and in response to the total risk-score value exceeding a given threshold, performing a corrective action selected from the group consisting of (i) signing out the user, (ii) requesting a two-factor authentication from the user, (iii) locking the user, and (iv) initiating an alert function.
-
Specification