Using link analysis in adversarial knowledge-based authentication model
Abstract
An improved technique involves adjusting the operation of a KBA system based on facts that may contain information known to an adversary. Along these lines, the KBA system may receive an alert concerning an adversary who may know the answers to some of the KBA questions used by the KBA system in authenticating users. In response to the alert, the KBA system may alter its operation in order to account for the adversary. Subsequently, when a user requests authentication, the KBA system selects KBA questions based on the adjustments made to the KBA system, in order to avoid presenting the adversary with KBA questions derived from facts (s)he knows.
16 Claims

1. A method of performing knowledge-based authentication (KBA), the method comprising:
receiving an adversary alert which identifies an adversary having knowledge of certain facts utilized by a KBA system to construct KBA questions;
in response to the adversary alert, altering operation of the KBA system to account for the adversary having knowledge of the certain facts; and
after the operation of the KBA system has been altered to account for the adversary having knowledge of the certain facts, selecting KBA questions from the KBA system to authenticate users, the KBA questions being selected based on adjustments made within the KBA system in response to the adversary alert;
wherein the method further comprises generating a link table that includes a set of entries, each entry of the set of entries including (i) a fact identifier identifying a fact of a set of facts and (ii) a user identifier identifying a user to whom the fact has a reference; and
wherein altering the operation of the KBA system includes:
finding a particular entry of the set of entries of the link table, the particular entry including a user identifier identifying the adversary, and
filtering, from the set of facts, the fact identified by the fact identifier of the particular entry to form a set of secure facts, a secure fact of the set of secure facts being utilized by the KBA system to construct a secure KBA question that the adversary is unlikely to answer correctly.
(Dependent claims 2 to 9 depend on claim 1 and are not reproduced on this page.)

10. A KBA system constructed and arranged to perform a KBA operation, the KBA system comprising:
a network interface;
memory; and
a controller including controlling circuitry, the controlling circuitry being constructed and arranged to:
receive an adversary alert which identifies an adversary who (i) is not authorized to access a resource and (ii) has knowledge of certain facts utilized by a KBA system to construct KBA questions;
in response to the adversary alert, perform an adjustment operation on the KBA system to produce an adjustment to the KBA system, the adjustment to the KBA system accounting for the adversary having knowledge of the certain facts; and
after performing the adjustment operation on the KBA system, select KBA questions from the KBA system to authenticate users, the KBA questions being selected based on the adjustment to the KBA system so that the adversary may be prevented from accessing the resource;
wherein the controlling circuitry is further constructed and arranged to generate a link table that includes a set of entries, each entry of the set of entries including (i) a fact identifier identifying a fact of a set of facts and (ii) a user identifier identifying a user to whom the fact has a reference; and
wherein the controlling circuitry constructed and arranged to alter the operation of the KBA system is further constructed and arranged to:
find a particular entry of the set of entries of the link table, the particular entry including a user identifier identifying the adversary, and
filter, from the set of facts, the fact identified by the fact identifier of the particular entry to form a set of secure facts, a secure fact of the set of secure facts being utilized by the KBA system to construct a secure KBA question that the adversary is unlikely to answer correctly.
(Dependent claims 11 to 14 depend on claim 10 and are not reproduced on this page.)

15. A computer program product having a non-transitory, computer-readable storage medium which stores code to perform KBA, the code including instructions to:
receive an adversary alert which identifies an adversary having knowledge of certain facts utilized by a KBA system to construct KBA questions;
in response to the adversary alert, alter operation of the KBA system to account for the adversary having knowledge of the certain facts; and
after the operation of the KBA system has been altered to account for the adversary having knowledge of the certain facts, select KBA questions from the KBA system to authenticate users, the KBA questions being selected based on adjustments made within the KBA system in response to the adversary alert;
wherein the code further includes instructions to generate a link table that includes a set of entries, each entry of the set of entries including (i) a fact identifier identifying a fact of a set of facts and (ii) a user identifier identifying a user to whom the fact has a reference; and
wherein altering the operation of the KBA system includes:
finding a particular entry of the set of entries of the link table, the particular entry including a user identifier identifying the adversary, and
filtering, from the set of facts, the fact identified by the fact identifier of the particular entry to form a set of secure facts, a secure fact of the set of secure facts being utilized by the KBA system to construct a secure KBA question that the adversary is unlikely to answer correctly.

16. A method of performing knowledge-based authentication (KBA), the method comprising:
receiving an adversary alert which identifies an adversary having knowledge of certain facts utilized by a KBA system to construct KBA questions;
in response to the adversary alert, altering operation of the KBA system to account for the adversary having knowledge of the certain facts; and
after the operation of the KBA system has been altered to account for the adversary having knowledge of the certain facts, selecting KBA questions from the KBA system to authenticate users, the KBA questions being selected based on adjustments made within the KBA system in response to the adversary alert;
wherein the KBA system utilizes a plurality of facts to construct the KBA questions;
wherein altering the operation of the KBA system includes filtering the certain facts from the plurality of facts to form a set of secure facts;
wherein selecting the KBA questions from the KBA system to authenticate the users includes transmitting data representing an unsecure KBA question and a secure KBA question to a user requesting access to a resource, the unsecure KBA question having been constructed by the KBA system utilizing a certain fact, the secure KBA question having been constructed by the KBA system utilizing a secure fact of the set of secure facts; and
wherein the method further comprises:
after data representing an incorrect answer to the unsecure KBA question is received from the user, generating a first risk score; and
after data representing an incorrect answer to the secure KBA question is received from the user, generating a second risk score, the second risk score being greater than the first risk score, the first risk score and the second risk score each indicating a likelihood that the user is not authorized to access the resource, a larger risk score indicating a larger likelihood that the user is not authorized to access the resource.

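The link-table filtering of claims 1, 10 and 15 and the two-tier risk scoring of claim 16, as an added Python example that is not part of the patent text or of any assignee's code. The users, fact records, questions and answers are constructed for illustration, and the two risk-score weights are assumptions: the claims fix only that a wrong answer to a secure question must score higher than a wrong answer to an unsecure one. The example also handles the failure mode the claims do not spell out: when an alert leaves a user with too few secure facts, the selector refuses rather than falling back to facts the adversary may know.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Fact:
    fact_id: str
    owner: str                   # user this fact is used to authenticate
    references: Tuple[str, ...]  # every user the fact has a reference to (owner included)
    question: str
    answer: str


# Constructed sample facts (hypothetical users and answers). f1 is a shared
# address, so it references both alice and bob; bob could answer it for alice.
FACTS = [
    Fact("f1", "alice", ("alice", "bob"), "Which street did you live on in 2010?", "Elm Street"),
    Fact("f2", "alice", ("alice",), "Name of your first employer?", "Acme"),
    Fact("f3", "alice", ("alice",), "Make of your first car?", "Saab"),
    Fact("f4", "bob", ("bob",), "Which street did you live on in 2010?", "Elm Street"),
]

# Assumed weights: claim 16 only requires the secure-question penalty to be larger.
UNSECURE_WRONG_WEIGHT = 1
SECURE_WRONG_WEIGHT = 3


class KBASystem:
    def __init__(self, facts: List[Fact]) -> None:
        self.facts: Dict[str, Fact] = {f.fact_id: f for f in facts}
        self.adversaries: Set[str] = set()
        self.tainted: Set[str] = set()  # fact ids a reported adversary may know
        self.link_table = self.generate_link_table()

    def generate_link_table(self) -> List[Tuple[str, str]]:
        """One (fact_id, user_id) entry per user a fact has a reference to."""
        return [(f.fact_id, user) for f in self.facts.values() for user in f.references]

    def receive_adversary_alert(self, adversary: str) -> None:
        """Alter operation: every fact linked to the adversary leaves the secure set."""
        self.adversaries.add(adversary)
        for fact_id, user_id in self.link_table:
            if user_id == adversary:
                self.tainted.add(fact_id)

    def partition_facts(self, user: str) -> Tuple[List[Fact], List[Fact]]:
        """Split a user's facts into (secure, unsecure) given the alerts so far."""
        owned = [f for f in self.facts.values() if f.owner == user]
        secure = [f for f in owned if f.fact_id not in self.tainted]
        unsecure = [f for f in owned if f.fact_id in self.tainted]
        return secure, unsecure

    def select_questions(self, user: str, n_secure: int = 2) -> List[Fact]:
        """Pick n_secure secure questions plus, as in claim 16, one unsecure one."""
        secure, unsecure = self.partition_facts(user)
        if len(secure) < n_secure:
            # Too few facts the adversary is unlikely to know: do not pad with
            # tainted facts; the caller should step up to another factor.
            raise ValueError(f"only {len(secure)} secure facts for {user}")
        chosen = secure[:n_secure]
        if unsecure:
            chosen.append(unsecure[0])
        return chosen

    def score_answers(self, user: str, answers: Dict[str, str]) -> int:
        """Risk score: a miss on a secure question weighs more than on an unsecure one."""
        risk = 0
        for fact_id, given in answers.items():
            fact = self.facts[fact_id]
            if fact.owner != user:
                raise ValueError(f"{fact_id} does not belong to {user}")
            if given.strip().casefold() == fact.answer.casefold():
                continue
            risk += UNSECURE_WRONG_WEIGHT if fact_id in self.tainted else SECURE_WRONG_WEIGHT
        return risk


def demo() -> Tuple[List[str], int, int]:
    kba = KBASystem(FACTS)
    kba.receive_adversary_alert("bob")
    asked = [f.fact_id for f in kba.select_questions("alice")]
    # A wrong answer to the shared-address question scores low...
    low = kba.score_answers("alice", {"f1": "Oak Street", "f2": "Acme", "f3": "Saab"})
    # ...while a wrong answer to a fact only alice should know scores high.
    high = kba.score_answers("alice", {"f1": "Elm Street", "f2": "Globex", "f3": "Saab"})
    return asked, low, high


if __name__ == "__main__":
    print(demo())
```

Before the alert all three of alice's facts are secure; after the alert naming bob, the link table entry (f1, bob) marks f1 as unsecure, so alice is asked f2 and f3 as secure questions and f1 as the lower-weighted unsecure one. Because bob's own fact f4 is linked to him, an attempt to authenticate as bob finds no secure facts and is refused, which is the outcome the claims want for an adversary who is not authorized to access the resource.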