Method and system for detection of clone authenticator

US 8,601,588 B1
Filed: 06/30/2011
Issued: 12/03/2013
Est. Priority Date: 06/30/2011
Status: Active Grant

First Claim

Patent Images

1. A method of operating a data processing system to respond to potential use of a clone authenticator capable of mimicking behavior of a legitimate authenticator known to an authentication system of the data processing system, comprising:

by the authentication system, engaging in a series of authentication operations, each authentication operation involving apparent use of the legitimate authenticator based on an authenticator identifier supplied to the authentication system therefor, each authentication operation including receiving and storing corresponding values of one or more authenticator variables that normally change in a known authenticator-specific way during the series of authentication operations; and

by the authentication system, for each of the authentication operations as a current authentication operation;

applying a risk analysis function to the stored values of the authenticator variables to generate a risk indicator signal indicating a level of risk that the clone authenticator is in use, the risk analysis function including detection of an abnormal change of the authenticator variables during the series of authentication operations; and

outputting the risk indicator signal to an access controller that operates, based on the level of risk indicated by the risk indicator signal, to selectively inhibit an otherwise successful current authentication operation involving apparent use of the legitimate authenticator,wherein each of the series of authentication operations is performed as part of a corresponding one of a series of separate accesses to a service provided by a service system of the data processing system, each authentication operation including a respective application of the risk analysis function and outputting of the risk indicator signal based on values of the authenticator variables received and stored over corresponding preceding authentication operations, and wherein the otherwise successful authentication operation selectively inhibited by the risk indicator signal is a most recent one of the series of authentication operations.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method includes engaging in authentication operations each involving apparent use of a legitimate authenticator. Values of one or more authenticator variables are received and stored, where the authenticator variable(s) normally change in a known authenticator-specific way during the authentication operations, such as being calculated from a monotonically increasing dynamic variable. A risk analysis function is applied to the stored values to generate a risk indicator signal indicating a level of risk that the clone authenticator is in use. The risk analysis function includes detection of an abnormal change of the authenticator variable(s), such as use of non-monotonic dynamic variable values. The risk indicator signal is output to an access controller that operates, based on the level of risk indicated by the risk indicator signal, to selectively inhibit an otherwise successful authentication operation involving apparent use of the legitimate authenticator.

9 Citations

View as Search Results

24 Claims

1. A method of operating a data processing system to respond to potential use of a clone authenticator capable of mimicking behavior of a legitimate authenticator known to an authentication system of the data processing system, comprising:
- by the authentication system, engaging in a series of authentication operations, each authentication operation involving apparent use of the legitimate authenticator based on an authenticator identifier supplied to the authentication system therefor, each authentication operation including receiving and storing corresponding values of one or more authenticator variables that normally change in a known authenticator-specific way during the series of authentication operations; and
  
  by the authentication system, for each of the authentication operations as a current authentication operation;
  
  applying a risk analysis function to the stored values of the authenticator variables to generate a risk indicator signal indicating a level of risk that the clone authenticator is in use, the risk analysis function including detection of an abnormal change of the authenticator variables during the series of authentication operations; and
  
  outputting the risk indicator signal to an access controller that operates, based on the level of risk indicated by the risk indicator signal, to selectively inhibit an otherwise successful current authentication operation involving apparent use of the legitimate authenticator,wherein each of the series of authentication operations is performed as part of a corresponding one of a series of separate accesses to a service provided by a service system of the data processing system, each authentication operation including a respective application of the risk analysis function and outputting of the risk indicator signal based on values of the authenticator variables received and stored over corresponding preceding authentication operations, and wherein the otherwise successful authentication operation selectively inhibited by the risk indicator signal is a most recent one of the series of authentication operations.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. A method according to claim 1, wherein the authenticator variables include an authentication code generated by the authenticator using a secret value and a dynamic input variable.
  - 3. A method according to claim 2, wherein the dynamic input variable as generated by the legitimate authenticator changes monotonically over an operating period spanning the series of authentication operations.
  - 4. A method according to claim 3, wherein the dynamic input variable is time or an event count.
  - 5. A method according to claim 4, wherein the risk analysis function includes calculating a velocity of change of a time and/or event window defining acceptable current authentication codes, and comparing the calculated velocity with a threshold velocity corresponding to a normal rate of change of the time and/or event window.
  - 6. A method according to claim 4, wherein the risk analysis function includes examining an extent of failed authentication operations over an enlarged time and/or event window covering a longer period than a normal time and/or event window defining acceptable authentication codes.
  - 7. A method according to claim 2, wherein the dynamic input variable as generated by the legitimate authenticator changes in a known sequential way over an operating period spanning the series of authentication operations.
  - 8. A method according to claim 7, wherein the dynamic input variable is a response calculated by the authenticator based on a challenge presented to the authenticator by the authentication system during authentication operations.
  - 9. A method according to claim 1, wherein the authenticator variables include an environmental variable not used in generating the authentication codes.
  - 10. A method according to claim 9, wherein the environmental variable is a location variable indicating a geographic location of the authenticator, and wherein the risk analysis function is operative to check for authentication operations that are closely spaced in time and widely spaced in geographic location as indicated by values of the location variable.
  - 11. A method according to claim 1, wherein the risk analysis function looks for a pattern of repeated failed authentication attempts indicative of guessing or brute-force behavior.
  - 12. A method according to claim 1, wherein each authentication operation is augmented by transaction signing by which information specific to a current transaction is included and used by the risk analysis function in calculating the risk signal.

13. An authentication system usable in a data processing system and operable to respond to potential use of a clone authenticator capable of mimicking behavior of a legitimate authenticator known to the authentication system, comprising:
- one or more server computers each including one or more processors, memory, input/output circuitry, and interconnect circuitry coupling the processors, memory and input/output circuitry together, the input/output circuitry to be used to couple the server computers to other components of the data processing system including a service system with which the authentication system is to engage in authentication operations; and
  
  program instructions stored in the memory of the server computers and executable by the processors of the server computers to constitute an authentication controller and a risk analyzer, the authentication controller and risk analyzer being co-operative to;
  
  engage in a series of authentication operations, each authentication operation involving apparent use of the legitimate authenticator based on an authenticator identifier supplied to the authentication system therefor, each authentication operation including receiving and storing corresponding values of one or more authenticator variables that normally change in a known authenticator-specific way during the series of authentication operations; and
  
  for each of the authentication operations as a current authentication operation;
  
  (1) apply a risk analysis function to the stored values of the authenticator variables to generate a risk indicator signal indicating a level of risk that the clone authenticator is in use, the risk analysis function including detection of an abnormal change of the authenticator variables during the series of authentication operations; and
  
  (2) output the risk indicator signal to an access controller that operates, based on the level of risk indicated by the risk indicator signal, to selectively inhibit an otherwise successful current authentication operation involving apparent use of the legitimate authenticator,wherein each of the series of authentication operations is performed as part of a corresponding one of a series of separate accesses to a service provided by a service system of the data processing system, each authentication operation including a respective application of the risk analysis function and outputting of the risk indicator signal based on values of the authenticator variables received and stored over corresponding preceding authentication operations, and wherein the otherwise successful authentication operation selectively inhibited by the risk indicator signal is a most recent one of the series of authentication operations.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24)
- - 14. An authentication system according to claim 13, wherein the authenticator variables include an authentication code generated by the authenticator using a secret value and a dynamic input variable.
  - 15. An authentication system according to claim 14, wherein the dynamic input variable as generated by the legitimate authenticator changes monotonically over an operating period spanning the series of authentication operations.
  - 16. An authentication system according to claim 15, wherein the dynamic input variable is time and/or an event count.
  - 17. An authentication system according to claim 16, wherein the risk analysis function includes calculating a velocity of change of a time and/or event window defining acceptable current authentication codes, and comparing the calculated velocity with a threshold velocity corresponding to a normal rate of change of the time and/or event window.
  - 18. An authentication system according to claim 16, wherein the risk analysis function includes examining an extent of failed authentication operations over an enlarged time and/or event window covering a longer period than a normal time and/or event window defining acceptable authentication codes.
  - 19. An authentication system according to claim 14, wherein the dynamic input variable as generated by the legitimate authenticator changes in a known sequential way over an operating period spanning the series of authentication operations.
  - 20. An authentication system according to claim 19, wherein the dynamic input variable is a response calculated by the authenticator based on a challenge presented to the authenticator by the authentication system during authentication operations.
  - 21. An authentication system according to claim 13, wherein the authenticator variables include an environmental variable not used in generating the authentication codes.
  - 22. An authentication system according to claim 21, wherein the environmental variable is a location variable indicating a geographic location of the authenticator, and wherein the risk analysis function is operative to check for authentication operations that are closely spaced in time and widely spaced in geographic location as indicated by values of the location variable.
  - 23. An authentication system according to claim 13, wherein the risk analysis function looks for a pattern of repeated failed authentication attempts indicative of guessing or brute-force behavior.
  - 24. An authentication system according to claim 13, wherein each authentication operation is augmented by transaction signing by which information specific to a current transaction is included and used by the risk analysis function in calculating the risk signal.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Emc IP Holding Company LLC (Dell Technologies Inc.)
Original Assignee
EMC Corporation (Dell Technologies Inc.)
Inventors
Black, Robert, Duane, William, Philpott, Robert S.
Primary Examiner(s)
LEMMA, SAMSON B

Application Number

US13/173,726
Time in Patent Office

887 Days
Field of Search

726/16, 726/21, 726/25, 713/168
US Class Current

726/25
CPC Class Codes

G06F 11/008   Reliability or availability...

G06F 21/34   involving the use of extern...

G06F 21/44   Program or device authentic...

G06F 21/55   Detecting local intrusion o...

G06F 21/577   Assessing vulnerabilities a...

G06Q 2220/00   Business processing using c...

G06Q 40/02   Banking, e.g. interest calc...

H04L 63/1433   Vulnerability analysis

H04L 63/1441   Countermeasures against mal...

Method and system for detection of clone authenticator

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

9 Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for detection of clone authenticator

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

9 Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links