Using packet interception to integrate risk-based user authentication into online services

US 8,683,568 B1
Filed: 09/22/2011
Issued: 03/25/2014
Est. Priority Date: 09/22/2011
Status: Active Grant

First Claim

Patent Images

1. A method, performed by a network analyzer device connected to a network, the method comprising:

sniffing packets traversing the network between a web-based application server and a user machine, the user machine being operated by a user;

analyzing the sniffed packets to extract event information relating to interaction events between the user machine and the web-based application server; and

sending the extracted event information to an authentication server for risk-based authentication of the user;

wherein;

analyzing the sniffed packets to extract event information relating to interaction events between the user machine and the web-based application server includes examining the sniffed packets to detect specific interaction events that occur between the user machine and the web-based application server at an application layer;

the specific interaction events include events drawn from a set of application-layer events;

the authentication server is configured to perform risk-based authentication of the user by analyzing the specific interaction events drawn from the set of application-layer events; and

the web-based application server provides a secure online banking service to the user as the web-based application.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques for using a network analyzer device connected to a network include (a) sniffing packets traversing the network between a web-based application server and a user machine, the user machine being operated by a user, (b) analyzing the sniffed packets to extract event information relating to interaction events between the user machine and the web-based application server, and (c) sending the extracted event information to an authentication server for risk-based authentication of the user.

Citations

22 Claims

1. A method, performed by a network analyzer device connected to a network, the method comprising:
- sniffing packets traversing the network between a web-based application server and a user machine, the user machine being operated by a user;
  
  analyzing the sniffed packets to extract event information relating to interaction events between the user machine and the web-based application server; and
  
  sending the extracted event information to an authentication server for risk-based authentication of the user;
  
  wherein;
  
  analyzing the sniffed packets to extract event information relating to interaction events between the user machine and the web-based application server includes examining the sniffed packets to detect specific interaction events that occur between the user machine and the web-based application server at an application layer;
  
  the specific interaction events include events drawn from a set of application-layer events;
  
  the authentication server is configured to perform risk-based authentication of the user by analyzing the specific interaction events drawn from the set of application-layer events; and
  
  the web-based application server provides a secure online banking service to the user as the web-based application.
- View Dependent Claims (2, 3, 4, 5, 6, 8)
- - 2. The method of claim 1 wherein sniffing packets traversing the network between the web-based application server and the user machine includes capturing packets traversing the network having either a source or destination network-layer address corresponding to a network-layer address of the web-based application server.
  - 3. The method of claim 1 wherein examining the sniffed packets to detect the specific interaction events that occur between the user machine and the web-based application server at the application-layer includes:
    - parsing web-based messages within the sniffed packets to generate a set of extracted application-layer fields; and
      
      correlating the set of extracted application-layer fields with the specific interaction events.
  - 4. The method of claim 1 wherein the set of application-layer events including:
    - the user logging in to the web-based application server;
      
      the user changing a login password; and
      
      the user changing a user e-mail address.
  - 5. The method of claim 4 wherein the set of application-layer events further includes:
    - the user directing the secure online banking service to make a monetary transfer;
      
      the user adding an approved destination account for transfers;
      
      the user modifying information associated with an approved destination account; and
      
      the user changing a customer mailing address.
  - 6. The method of claim 4 wherein the method further comprises:
    - analyzing the sniffed packets to extract ancillary information from a networking layer below the application-layer, the ancillary information relating to the detected specific interaction events between the user machine and the web-based application server; and
      
      sending the extracted ancillary information to the authentication server for risk-based authentication of the user in connection with the extracted event information.
  - 8. A method of adding a risk-based user authentication capability to a pre-existing web-based application service running on the web-based application server, the method comprising installing a network analyzer device configured to perform the method of claim 1, without making a non-trivial modification to the pre-existing web-based application service running on the web-based application server to support risk-based user authentication.

7. A method, performed by a network analyzer device connected to a network, the method comprising:
- sniffing packets traversing the network between a web-based application server and a user machine, the user machine being operated by a user;
  
  analyzing the sniffed packets to extract event information relating to interaction events between the user machine and the web-based application server; and
  
  sending the extracted event information to an authentication server for risk-based authentication of the user;
  
  wherein;
  
  analyzing the sniffed packets to extract event information relating to interaction events between the user machine and the web-based application server includes examining the sniffed packets to detect specific interaction events that occur between the user machine and the web-based application server at an application layer;
  
  the specific interaction events include events drawn from a set of application-layer events including;
  
  the user logging in to the web-based application server;
  
  the user changing a login password; and
  
  the user changing a user e-mail address; and
  
  the authentication server is configured to perform risk-based authentication of the user by analyzing the specific interaction events drawn from the set of application-layer events;
  
  the method further comprises;
  
  analyzing the sniffed packets to extract ancillary information from a networking layer below the application-layer, the ancillary information relating to the detected specific interaction events between the user machine and the web-based application server; and
  
  sending the extracted ancillary information to the authentication server for risk-based authentication of the user in connection with the extracted event information; and
  
  analyzing the sniffed packets to extract ancillary information from the networking layer below the application-layer includes detecting specific ancillary information from the networking layer below the application-layer drawn from a set of data including;
  
  packet size;
  
  clock skew between packets;
  
  number of simultaneous sessions operated by the user;
  
  browser type used by the user;
  
  operating system type used by the user; and
  
  time interval between service of a web-page by the web-based application server and response by the user machine.

9. A computer program product comprising a non-transitory tangible computer-readable storage medium, the tangible computer-readable storage medium storing instructions, which, when performed by a computing device, cause the computing device to perform the operations of:
- sniffing packets traversing a network between a web-based application server and a user machine, the user machine being operated by a user;
  
  analyzing the sniffed packets to extract event information relating to interaction events between the user machine and the web-based application server; and
  
  sending the extracted event information to an authentication server for risk-based authentication of the user;
  
  wherein;
  
  the instructions direct the computer to, when analyzing the sniffed packets to extract event information relating to interaction events between the user machine and the web-based application server, examine the sniffed packets to detect specific interaction events that occur between the user machine and the web-based application server at an application-layer, wherein the specific interaction events include events drawn from a set of application-layer events;
  
  the authentication server is configured to perform risk-based authentication of the user by analyzing the specific interaction events drawn from the set of application-layer events; and
  
  the web-based application server provides a secure online banking service to the user as the web-based application.
- View Dependent Claims (10, 11, 12, 13, 19, 20)
- - 10. The computer program product of claim 9 wherein, the instructions direct the computer to, when sniffing packets traversing the network between the web-based application server and the user machine, capture packets traversing the network having either a source or destination network-layer address corresponding to a network-layer address of the web-based application server.
  - 11. The computer program product of claim 9 wherein the instructions direct the computer to, when analyzing the sniffed packets to extract event information relating to interaction events between the user machine and the web-based application server:
    - examine the sniffed packets to detect specific interaction events that occur between the user machine and the web-based application server at an application-layer, wherein examining the sniffed packets to detect the specific interaction events that occur between the user machine and the web-based application server at the application-layer includes;
      
      parsing web-based messages within the sniffed packets to generate a set of extracted application-layer fields; and
      
      correlating the set of extracted application-layer fields with the specific interaction events.
  - 12. The computer program product of claim 9 wherein the set of application-layer events includes:
    - the user logging in to the web-based application server;
      
      the user changing a login password; and
      
      the user changing a user e-mail address.
  - 13. The computer program product of claim 12 wherein the instructions, when performed by the computer, further cause the computer to perform the operations of:
    - analyzing the sniffed packets to extract ancillary information from a networking layer below the application-layer, the ancillary information relating to the detected specific interaction events between the user machine and the web-based application server; and
      
      sending the extracted ancillary information to the authentication server for risk-based authentication of the user in connection with the extracted event information.
  - 19. The computer program product of claim 13 wherein analyzing the sniffed packets to extract ancillary information from the networking layer below the application-layer includes detecting specific ancillary information from the networking layer below the application-layer drawn from a set of data including:
    - packet size;
      
      clock skew between packets;
      
      number of simultaneous sessions operated by the user;
      
      browser type used by the user;
      
      operating system type used by the user; and
      
      time interval between service of a web-page by the web-based application server and response by the user machine.
  - 20. The computer program product of claim 12 wherein the set of application-layer events further includes:
    - the user directing the secure online banking service to make a monetary transfer;
      
      the user adding an approved destination account for transfers;
      
      the user modifying information associated with an approved destination account; and
      
      the user changing a customer mailing address.

14. A network analyzer device comprising:
- a processor;
  
  means for sniffing packets traversing a network; and
  
  memory, the memory storing instructions, which, when performed by the processor, cause the processor to perform the operations of;
  
  directing the packet sniffing means to sniff packets traversing the network between a web-based application server and a user machine, the user machine being operated by a user;
  
  analyzing the sniffed packets to extract event information relating to interaction events between the user machine and the web-based application server; and
  
  sending the extracted event information to an authentication server for risk-based authentication of the user;
  
  wherein;
  
  the instructions direct the processor to, when analyzing the sniffed packets to extract event information relating to interaction events between the user machine and the web-based application server, examine the sniffed packets to detect specific interaction events that occur between the user machine and the web-based application server at an application-layer, wherein the specific interaction events include events drawn from a set of application-layer events;
  
  the authentication server is configured to perform risk-based authentication of the user by analyzing the specific interaction events drawn from the set of application-layer events; and
  
  the web-based application server provides a secure online banking service to the user as the web-based application.
- View Dependent Claims (15, 16, 17, 21, 22)
- - 15. The network analyzer device of claim 14 wherein the instructions direct the processor to, when sniffing packets traversing the network between the web-based application server and the user machine, direct the packet sniffing means to capture packets traversing the network having either a source or destination network-layer address corresponding to a network-layer address of the web-based application server.
  - 16. The network analyzer device of claim 14 wherein the set of application-layer events includes:
    - the user logging in to the web-based application server;
      
      the user changing a login password; and
      
      the user changing a user e-mail address.
  - 17. The network analyzer device of claim 16 wherein the instructions, when performed by the processor, further cause the processor to perform the operations of:
    - analyzing the sniffed packets to extract ancillary information from a networking layer below the application-layer, the ancillary information relating to the detected specific interaction events between the user machine and the web-based application server; and
      
      sending the extracted ancillary information to the authentication server for risk-based authentication of the user in connection with the extracted event information.
  - 21. The network analyzer device of claim 17 wherein analyzing the sniffed packets to extract ancillary information from the networking layer below the application-layer includes detecting specific ancillary information from the networking layer below the application-layer drawn from a set of data including:
    - packet size;
      
      clock skew between packets;
      
      number of simultaneous sessions operated by the user;
      
      browser type used by the user;
      
      operating system type used by the user; and
      
      time interval between service of a web-page by the web-based application server and response by the user machine.
  - 22. The network analyzer device of claim 16 wherein the set of application-layer events further includes:
    - the user directing the secure online banking service to make a monetary transfer;
      
      the user adding an approved destination account for transfers;
      
      the user modifying information associated with an approved destination account; and
      
      the user changing a customer mailing address.

18. A system comprising:
- a network gateway device, configured to connect a remote user machine to a network;
  
  a web-based application server, connected to the network, the web-based application server being configured to provide, across the network gateway device, a web-based application service to a user operating the user machine; and
  
  a network analyzer device, connected to the network gateway device, the network analyzer device configured to;
  
  sniff packets traversing the network gateway device between the web-based application server and the user machine;
  
  analyze the sniffed packets to extract event information relating to interaction events between the user machine and the web-based application server; and
  
  send the extracted event information to an authentication server for risk-based authentication of the user;
  
  wherein;
  
  analyzing the sniffed packets to extract event information relating to interaction events between the user machine and the web-based application server includes examining the sniffed packets to detect specific interaction events that occur between the user machine and the web-based application server at an application layer;
  
  the specific interaction events include events drawn from a set of application-layer events;
  
  the authentication server is configured to perform risk-based authentication of the user by analyzing the specific interaction events drawn from the set of application-layer events; and
  
  the web-based application server provides a secure online banking service to the user as the web-based application.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Emc IP Holding Company LLC (Dell Technologies Inc.)
Original Assignee
EMC Corporation (Dell Technologies Inc.)
Inventors
Peer, Oded, Freylafert, Oleg, Khitrenovich, Anton
Primary Examiner(s)
Pham, Luu
Assistant Examiner(s)
Jackson, Jenise

Application Number

US13/239,863
Time in Patent Office

915 Days
Field of Search

726/7, 726/13, 726/26, 713151-152, 713/154
US Class Current

726/7
CPC Class Codes

H04L 63/08   for authentication of entit...

H04L 63/168   above the transport layer

H04L 67/1001   for accessing one among a p...

Using packet interception to integrate risk-based user authentication into online services

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Using packet interception to integrate risk-based user authentication into online services

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links