MONITORING USER AUTHENTICITY

US 20170230418A1
Filed: 02/04/2016
Published: 08/10/2017
Est. Priority Date: 02/04/2016
Status: Active Grant

First Claim

Patent Images

1. A server system for monitoring user authenticity during user activities in user sessions on at least one application server, the server system comprising:

one or more processors; and

at least one memory comprising program code that, when executed by the one or more processors, causes the one or more processors to;

perform a user-modeling process in which a user model is adapted session-by-session to user activities, wherein the user model includes a plurality of adaptive feature-specific user-behavior models that are associated with features indicative of user behavior; and

perform a user-verification process comprising;

determining a plurality of feature-specific risk-score values, wherein determining each feature-specific risk-score value comprises comparing the at least one adaptive feature-specific user-behavior model with each respective feature extracted from one or more of the user activities during one of the user sessions on the at least one application server,determining a total risk-score value indicative of user non-authenticity by;

a) weighting and combining the feature-specific risk-score values, orb) weighting and combining pre-combined risk-score values, wherein the pre-combined risk-score values is determined by combining a portion of the feature-specific risk-score values using multi-criteria decision analysis, andin response to the total risk-score value exceeding a given threshold, performing a corrective action selected from the group consisting of (i) signing out the user, (ii) requesting a two-factor authentication from the user, (iii) locking the user, and (iv) initiating an alert function.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods for monitoring user authenticity according to user activities on an application server. A user-modeling process and a user-verification process are performed. In the user-modeling process, a user model is adapted session-by-session to user activities in which the user model includes a plurality of adaptive feature-specific user-behavior models. The user-verification process includes determining a plurality of feature-specific risk-score values, comparing the at least one of the adaptive feature-specific user-behavior models with a respective feature extracted from user activity in the user session on the application server, and determining a total risk-score value indicative of user authenticity by weighting and combining the plurality of feature-specific risk-score values. If the total risk-score value is greater than a given threshold, a corrective action is performed.

108 Citations

21 Claims

1. A server system for monitoring user authenticity during user activities in user sessions on at least one application server, the server system comprising:
- one or more processors; and
  
  at least one memory comprising program code that, when executed by the one or more processors, causes the one or more processors to;
  
  perform a user-modeling process in which a user model is adapted session-by-session to user activities, wherein the user model includes a plurality of adaptive feature-specific user-behavior models that are associated with features indicative of user behavior; and
  
  perform a user-verification process comprising;
  
  determining a plurality of feature-specific risk-score values, wherein determining each feature-specific risk-score value comprises comparing the at least one adaptive feature-specific user-behavior model with each respective feature extracted from one or more of the user activities during one of the user sessions on the at least one application server,determining a total risk-score value indicative of user non-authenticity by;
  
  a) weighting and combining the feature-specific risk-score values, orb) weighting and combining pre-combined risk-score values, wherein the pre-combined risk-score values is determined by combining a portion of the feature-specific risk-score values using multi-criteria decision analysis, andin response to the total risk-score value exceeding a given threshold, performing a corrective action selected from the group consisting of (i) signing out the user, (ii) requesting a two-factor authentication from the user, (iii) locking the user, and (iv) initiating an alert function.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The server system of claim 1 wherein the user model is adapted on a user-model server based on the user activities associated with different applications on the at least one application server, and the adaptive feature-specific user-behavior models are specific for the different applications.
  - 3. The server system of claim 1 wherein the user model is adapted on a user-model server based on the user activities associated with different applications on the at least one application server, and the user model is replicated from the user-model server to the at least one application server, and the total risk-score value is determined on the at least one application server using the user model.
  - 4. The server system of claim 1 wherein the features are selected from the group consisting of origins of the user activities, time stamps of the user activities, and durations of the user sessions in which the user activities are performed, and the features are further selected from the group consisting client information, office information, and organization information.
  - 5. The server system of claim 1 wherein the features are time stamps of the user activities, a feature-specific behavior model is associated with the time stamps of the user activities and comprises a Gaussian-mixture model of the time stamps of the user activities, and the feature-specific risk-score value associated with the time stamps of the user activities is calculated based on a complement of probabilities from the Gaussian-mixture model.
  - 6. The server system of claim 1 wherein the features are the durations of the user sessions, a feature-specific behavior model is associated with the durations of the user sessions, and the feature-specific behavior-model maps the durations of the user sessions to (i) a moving average, (ii) a median, (iii) a standard-deviation, or (iv) a quantile.
  - 7. The server system of claim 1 wherein the features comprise a sequence of actions performed by the user, a feature-specific behavior model is associated with the actions and is a Markov chain model, and the feature-specific risk-score value associated with the sequence of actions performed by the user is calculated by determining a complement of the Markov-probability of the sequence extracted from the actions.
  - 8. The server system of claim 1 wherein the feature-specific risk-score values are combined by weighting the score values according to their relative fraud probability.
  - 9. The server system of claim 1 wherein the feature-specific risk-score values are combined to determine the total risk-score value using multi-criteria decision analysis, and the multi-criteria decision analysis is based on a weighted ordered-weighted-average, an ordered-weighted average, or a fuzzy integral of the feature-specific risk-score values.
  - 10. The server system of claim 1 wherein the corrective action is performed in response to a certain feature pattern being detected and regardless of the total risk-score value.

11. A method of monitoring user authenticity during user activities in user sessions on at least one application server, the method comprising:
- performing a user-modeling process in which a user model is adapted session-by-session to user activities, wherein the user model includes a plurality of adaptive feature-specific user-behavior models that are associated with features indicative of user behavior; and
  
  perform, by one or more processors the of at least one application server, a user-verification process comprising;
  
  determining a plurality of feature-specific risk-score values, wherein determining each feature-specific risk-score value comprises comparing the at least one adaptive feature-specific user-behavior model with a respective feature extracted from one or more of the user activities in one of the user sessions on the at least one application server,determining a total risk-score value indicative of user non-authenticity by;
  
  a) weighting and combining the feature-specific risk-score values, orb) weighting and combining pre-combined risk-score values, wherein the pre-combined risk-score values are determined by combining a portion of the feature-specific risk-score values using multi-criteria decision analysis, andin response to the total risk-score value exceeding a given threshold, performing a corrective action selected from the group consisting of (i) signing out the user, (ii) requesting a two-factor authentication from the user, (iii) locking the user, and (iv) initiating an alert function.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The method of claim 11 wherein the user model is adapted on a user-model server based on the user activities associated with different applications on the at least one application server, and the adaptive feature-specific user-behavior models are specific for the different applications.
  - 13. The method of claim 11 wherein the user model is adapted on a user-model server based on the user activities associated with different applications on the at least one application server, and the user model is replicated from the user-model server to the at least one application server, and the total risk-score value is determined on the at least one application server using the user model.
  - 14. The method of claim 11 wherein the features are selected from the group consisting of origins of the user activities, time stamps of the user activities, and durations of the user sessions in which the user activities are performed, and the features are further selected from the group consisting client information, office information, and organization information.
  - 15. The method of claim 11 wherein the features are time stamps of the user activities, a feature-specific behavior model is associated with the time stamps of the user activities and comprises a Gaussian-mixture model of the time stamps of the user activities, and the feature-specific risk-score value associated with the time stamps of the user activities is calculated based on a complement of probabilities from the Gaussian-mixture model.
  - 16. The method of claim 11 wherein the features are the durations of the user sessions, a feature-specific behavior model is associated with the durations of the user sessions, and the feature-specific behavior-model maps the durations of the user sessions to at least one of (i) a moving average, (ii) a median, (iii) a standard-deviation, or (iv) a quantile.
  - 17. The method of claim 11 wherein the features comprise a sequence of actions performed by the user, a feature-specific behavior model is associated with the actions and is a Markov chain model, and the feature-specific risk-score value associated with the sequence of actions performed by the user is calculated by determining a complement of the Markov-probability of the sequence extracted from the actions.
  - 18. The method of claim 11 wherein the feature-specific risk-score values are combined by weighting the score values according to their relative fraud probability.
  - 19. The method of claim 11 wherein the feature-specific risk-score values are combined to determine the total risk-score value using multi-criteria decision analysis, and the multi-criteria decision analysis is based on a weighted ordered-weighted-average, an ordered-weighted average, or a fuzzy integral of the feature-specific risk-score values.
  - 20. The method of claim 11 wherein the corrective action is performed in response to a certain feature pattern being detected and regardless of the total risk-score value.

21. A computer program product for monitoring user authenticity during user activities in user sessions on at least one application server, the computer program product comprising:
- a computer readable storage medium; and
  
  program code on the computer readable storage medium, the program code, when executed by one or more processors, causes the one or more processors to;
  
  perform a user-modeling process in which a user model is adapted session-by-session to user activities, wherein the user model includes a plurality of adaptive feature-specific user-behavior models that are associated with features indicative of user behavior; and
  
  perform a user-verification process comprising;
  
  determining a plurality of feature-specific risk-score values, wherein determining each feature-specific risk-score value comprises comparing the at least one adaptive feature-specific user-behavior model with a respective feature extracted from one or more of the user activities in one of the user sessions on the at least one application server,determining a total risk-score value indicative of user non-authenticity by;
  
  a) weighting and combining the feature-specific risk-score values, orb) weighting and combining pre-combined risk-score values, wherein the pre-combined risk-score values are determined by combining a portion of the feature-specific risk-score values using multi-criteria decision analysis, andin response to the total risk-score value exceeding a given threshold, performing a corrective action selected from the group consisting of (i) signing out the user, (ii) requesting a two-factor authentication from the user, (iii) locking the user, and (iv) initiating an alert function.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amadeus (Amadeus Global Travel Distribution S.A.)
Original Assignee
Amadeus (Amadeus Global Travel Distribution S.A.)
Inventors
Amar, Virginie, Barlet, Jeremie, Campora, Marc, El Hayek, Joseph, Peicle, Romain, Thonnard, Olivier, Zouaoui, Jihane

Granted Patent

US 9,876,825 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

H04L 2463/082   applying multi-factor authe...

H04L 63/08   for authentication of entit...

H04L 63/10   for controlling access to d...

H04L 63/1433   Vulnerability analysis

H04L 63/20   for managing network securi...

H04L 67/01   Protocols

H04L 67/535   Tracking the activity of th...

H04L 67/55   Push-based network services

MONITORING USER AUTHENTICITY

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

108 Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

MONITORING USER AUTHENTICITY

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

108 Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links