System and method for identity consolidation

US 8,327,421 B2
Filed: 01/30/2007
Issued: 12/04/2012
Est. Priority Date: 01/30/2007
Status: Active Grant

First Claim

Patent Images

1. A method for attributing a plurality of user-authentication credentials to an individual, the method comprising:

receiving, at an identity server machine, a plurality of user-authentication credentials, each being different from the others and associated with a different computer application;

inferring association, at the identity server machine, between different ones of the plurality of user-authentication credentials and a single individual, based on consistencies among the associated authentication credentials and observed application usage patterns attributed to each user-authentication credential, the observed application usage comprising one or more of logging into an operating system, logging into an application, using one or more functions within an application and navigating to one or more screens within an application;

creating, at the identity server machine, an identity signature for the single individual based on the different user-authentication credentials associated with the single individual; and

identifying, at the identity server machine, the individual based on the identity signature.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Application-specific and single-sign-on user-authentication credentials are analyzed and consolidated based on commonalities among the credentials and usage of the applications to which they are attributed according to a process whereby a plurality of user-authentication credentials each associated with a different computer application are received; at least a subset of the plurality of user-authentication credentials are associated with each other based on consistencies among the associated authentication credentials and observed application usage patterns attributed to each respective user-authentication credential; an identity signature is created for the individual based on the subset of associated user-authentication credentials; and the identity signature is attributed to the individual.

32 Citations

View as Search Results

29 Claims

1. A method for attributing a plurality of user-authentication credentials to an individual, the method comprising:
- receiving, at an identity server machine, a plurality of user-authentication credentials, each being different from the others and associated with a different computer application;
  
  inferring association, at the identity server machine, between different ones of the plurality of user-authentication credentials and a single individual, based on consistencies among the associated authentication credentials and observed application usage patterns attributed to each user-authentication credential, the observed application usage comprising one or more of logging into an operating system, logging into an application, using one or more functions within an application and navigating to one or more screens within an application;
  
  creating, at the identity server machine, an identity signature for the single individual based on the different user-authentication credentials associated with the single individual; and
  
  identifying, at the identity server machine, the individual based on the identity signature.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 15)
- - 2. The method of claim 1 wherein the user-authentication credentials comprise one or more of an identification code, a secure access code, a screen name, and/or a password for granting a user'"'"'s access to one or more applications.
  - 3. The method of claim 1 wherein the plurality of user-authentication credentials are encrypted.
  - 4. The method of claim 3 wherein the plurality of user-authentication credentials are encrypted prior to receipt.
  - 5. The method of claim 3 wherein the encryption comprises application of a hash to the plurality of user-authentication credentials, and the associating step using the hashed user-authentication credentials.
  - 6. The method of claim 1 wherein the user-authentication credentials comprise biometric data.
  - 7. The method of claim 1 wherein the observed application usage comprises one or more of static observations and dynamic observations.
  - 8. The method of claim 1 wherein the consistencies comprise similarities of application usage attributed to the authentication credentials.
  - 9. The method of claim 1 further comprising calculating a match probability for at least one of the associations.
  - 10. The method of claim 9 wherein the authentication credentials included in the identity signature are determined at least in part by the calculated probabilities.
  - 11. The method of claim 10 further comprising weighting each of the authentication credentials prior to calculating the match probability.
  - 12. The method of claim 1 further comprising determining whether a match probability exceeds a threshold, the identity signature being created for the individual only if the match probability exceeds the threshold.
  - 13. The method of claim 1 further comprising receiving physical access data and including the physical access data in the identity signature.
  - 15. The system of claim 12 further comprising a single-sign-on agent for:
    - receiving the user-authentication credentials from the identification server;
      
      transmitting at least a part of the user-authentication credentials to one or more computer applications;
      
      receiving, from the one or more computer applications, user-authentication credentials attributed to each of the plurality of computer applications; and
      
      transmitting the user-authentication credentials attributed to each of the plurality of computer applications to the mapping module.

14. A system for attributing computer system user-authentication credentials to an individual, the system comprising:
- an identity server machine comprising;
  
  an identity signature data store for storing user-authentication credentials in connection with a plurality of different computer applications, the user-authentication credentials being different from each other; and
  
  a mapping module for (i) inferring association between different ones of the user-authentication credentials and a single individual, the association being inferred based on consistencies among the user-authentication credentials and observed application usage patterns attributed to each respective user-authentication credential, wherein the observed application usage comprises one or more of logging into an operating system, logging into an application, using one or more functions within an application and navigating to one or more screens within an application; and
  
  (ii) creating a single user signature for the individual based on the association.
- View Dependent Claims (16, 17)
- - 16. The system of claim 14 wherein the identity mapping module infers relationships among the user-authentication credentials.
  - 17. The system of claim 14 further comprising a physical access system interface configured to receive data from a physical access system.

18. An article of manufacture having non-transitory computer-readable program portions embodied thereon for attributing user-authentication credentials to an individual, the article comprising computer-readable instructions for:
- receiving, at an identity server machine, a plurality of user-authentication credentials, each being different from the others and associated with a different computer application;
  
  inferring association, at the identity server machine, between different ones of the plurality of user-authentication credentials and a single individual, based on consistencies among the associated authentication credentials and observed application usage patterns attributed to each user-authentication credential, the observed application usage comprising one or more of logging into an operating system, logging into an application, using one or more functions within an application and navigating to one or more screens within an application;
  
  creating, at the identity server machine, an identity signature for the single individual based on the different user-authentication credentials associated with the single individual; and
  
  identifying, at the identity server machine, the individual based on the identity signature.

19. A method for attributing user-authentication credentials to an individual, the method comprising:
- receiving at an identity server machine a plurality of user-authentication credentials each being different from the others and associated with a different computer application;
  
  monitoring activities attributed to each respective user-authentication credential;
  
  inferring association between different ones of the plurality of user-authentication credentials and a single individual, based on consistencies among the associated authentication credentials and observed application usage patterns attributed to each user-authentication credential, the observed application usage comprising one or more of logging into an operating system, logging into an application, using one or more functions within an application and navigating to one or more screens within an application; and
  
  based on the monitored activities and the inferred association, and notwithstanding the differences among the user-authentication credentials, determining at the identity server machine whether a likelihood that a new activity is associated with a single user exceeds a predetermined threshold.
- View Dependent Claims (20, 21, 22)
- - 20. The method of claim 19 wherein the monitored activities comprise logging on to one or more secure computer systems.
  - 21. The method of claim 19 wherein the monitored activities comprise physically entering a secure environment.
  - 22. The method of claim 19 wherein the monitored activities comprise computer application usage activities.

23. A method of detecting shared usage of user-authentication credentials, the method comprising:
- receiving, at an identity server machine, a plurality of requests for access to a secure resource, each request comprising one or more user-authentication credentials attributed to a different user;
  
  constructing, at the identity server machine, a request profile for each request based at least in part on the provided user-authentication credentials;
  
  inferring association, at the identity server machine, between different ones of the plurality of request profiles and a single set of user-authentication credentials, based on consistencies among the associated authentication credentials and observed application usage patterns attributed to each user-authentication credential, the observed application usage comprising one or more of logging into an operating system, logging into an application, using one or more functions within an application and navigating to one or more screens within an application; and
  
  identifying, at the identity server machine and based on the inferred association, identical user-authentication credentials received in two or more of the requests having different request profiles, thereby detecting shared usage of the identical user-authentication credentials.
- View Dependent Claims (24, 25, 26, 27, 28, 29)
- - 24. The method of claim 23 wherein the identical user-authentication credentials are exact matches.
  - 25. The method of claim 23 wherein the user-authentication credentials comprise one or more of an identification code, a secure access code, a screen name, and/or a password for granting a user'"'"'s access to one or more applications.
  - 26. The method of claim 23 wherein the plurality of user-authentication credentials are encrypted.
  - 27. The method of claim 26 wherein the plurality of user-authentication credentials are encrypted prior to receipt.
  - 28. The method of claim 26 wherein the encryption comprises application of a hash to the plurality of user-authentication credentials, and the associating step using the hashed user-authentication credentials.
  - 29. The method of claim 23 wherein the user-authentication credentials comprise biometric data.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Imprivata Incorporated
Original Assignee
Imprivata Incorporated
Inventors
Ting, David M. T.
Primary Examiner(s)
Hoffman, Brandon
Assistant Examiner(s)
Anderson, Michael D

Application Number

US11/699,756
Publication Number

US 20080184349A1
Time in Patent Office

2,135 Days
Field of Search

726/7, 726/8, 713/186, 713/201
US Class Current

726/5
CPC Class Codes

H04L 2209/56   Financial cryptography, e.g...

H04L 2209/80   Wireless network architectu...

H04L 9/3231   Biological data, e.g. finge...

H04L 9/3247   involving digital signatures

System and method for identity consolidation

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

32 Citations

29 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for identity consolidation

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

32 Citations

29 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links