Adaptive client-aware session security
Abstract
Source information for requests submitted to a system is classified to enable differential handling of requests over a session whose source information changes during the session. For source information (e.g., an IP address) classified as fixed, stronger authentication may be required to fulfill requests when the source information changes during the session. Conversely, for source information classified as dynamic, the source information may be allowed to change without requiring the stronger authentication.
24 Claims
1. A computer-implemented method, comprising:
under the control of one or more computer systems configured with executable instructions, receiving requests to access one or more computing resources, the requests including a request from an application executing on a remote computing device associated by the request with a first source Internet Protocol address, the request including a cookie encoding information about a session including information usable to authenticate the request using a weak authentication process;
determining, based at least in part on the information about the session, whether the first source Internet Protocol address is different from a second source Internet Protocol address previously associated with the session;
as a result of determining that the first source Internet Protocol address is different from the second source Internet Protocol address, determining, based at least in part on a classification of the second source Internet Protocol address from a set of classifications that includes a fixed Internet Protocol address classification and a variable Internet Protocol address classification, whether to require a strong authentication process for fulfillment of the request;
as a result of determining to require the strong authentication process, performing the strong authentication process; and
as a result of successful authentication by performance of the strong authentication process, performing one or more operations to fulfill the request and updating a database that maintains information about the classification of the second source Internet Protocol address.
7. A system, comprising:
one or more processors; and
memory including instructions that, when executed by the one or more processors, cause the system to:
receive a first request associated with an identifier and a first source;
receive a second request associated with the identifier and a second source, the second source different from the first source;
determine, based at least in part on a classification of the first source, whether a change from the first source to another source is unexpected;
determine, based at least in part on whether the change is determined to be unexpected, whether to require performance of an authentication process as a result of the detected change; and
cause performance of at least one operation to be contingent at least in part on successful fulfillment of the authentication process.
17. A non-transitory computer-readable storage medium having stored thereon instructions that, when executed by one or more processors of a computer system, cause the computer system to:
detect a first change in first source network address information for requests submitted as part of a first session;
detect a second change in second source network address information for requests submitted as part of a second session; and
after detecting the first change, as a result of the first source network address information before the first change being classified differently than the second source network address information before the second change, cause an authentication requirement for the first session to be different than an authentication requirement for the second session after detecting the change in the second source network address information.
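The mechanism the abstract and independent claims 1, 7 and 17 describe, as an added worked example. This is Python written for this page, not the patent's implementation or any assignee's code. Everything in it is an assumption of the example: the HMAC-tagged cookie as the "weak" factor, the names SessionGuard, IpClass and Decision, treating a never-seen previous address as fixed, and the rule that three strong-authentication-confirmed moves away from an address reclassify it as variable (the claims say only that the classification database is updated after strong authentication succeeds, not how). The two sessions and addresses in demo() are constructed test data.

```python
"""Step-up authentication on source-IP change, keyed on the classification
of the address the session came FROM. Illustrative code for this page; not
the patent's implementation. All names and thresholds are assumptions."""
import base64
import binascii
import hashlib
import hmac
import json
from enum import Enum

# Assumption: server-side key that MACs the session cookie. The cookie is the
# weak factor: whoever presents an intact cookie is treated as the session owner.
COOKIE_KEY = b"constructed-demo-key-not-for-production"


class IpClass(Enum):
    FIXED = "fixed"        # e.g. an office egress; a change is unexpected
    VARIABLE = "variable"  # e.g. a carrier NAT pool; churn is expected
    UNKNOWN = "unknown"    # no record in the classification database


class Decision(Enum):
    ALLOW = "allow"      # fulfil with cookie-only (weak) authentication
    STEP_UP = "step_up"  # run the strong authentication process first
    DENY = "deny"        # cookie invalid, or strong authentication failed


def mint_cookie(session_id: str) -> str:
    """Cookie layout (assumed): urlsafe_b64(payload) '.' hex(HMAC-SHA256(payload))."""
    payload = json.dumps({"sid": session_id}).encode()
    tag = hmac.new(COOKIE_KEY, payload, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(payload).decode() + "." + tag


def verify_cookie(cookie: str):
    """Weak authentication: an intact MAC proves possession of the cookie and
    nothing about who presents it. Returns the session id, or None."""
    try:
        b64, tag = cookie.rsplit(".", 1)
        payload = base64.urlsafe_b64decode(b64.encode())
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(COOKIE_KEY, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    return json.loads(payload)["sid"]


class SessionGuard:
    """Per-request policy: does this source-IP change need strong authentication?"""

    def __init__(self, ip_classes, reclassify_after=3):
        self.ip_classes = dict(ip_classes)        # the classification database
        self.last_ip = {}                         # sid -> address last bound to it
        self.legit_moves = {}                     # ip -> confirmed moves away from it
        self.reclassify_after = reclassify_after  # assumption: demo heuristic only

    def classify(self, ip: str) -> IpClass:
        return self.ip_classes.get(ip, IpClass.UNKNOWN)

    def evaluate(self, cookie: str, source_ip: str) -> Decision:
        sid = verify_cookie(cookie)
        if sid is None:
            return Decision.DENY
        prev_ip = self.last_ip.setdefault(sid, source_ip)  # first request binds
        if prev_ip == source_ip:
            return Decision.ALLOW
        # Key the decision on the PREVIOUS address: a session that lived on a
        # fixed address is not expected to move; on a variable one it is.
        if self.classify(prev_ip) is IpClass.VARIABLE:
            self.last_ip[sid] = source_ip
            return Decision.ALLOW
        return Decision.STEP_UP  # FIXED, and conservatively UNKNOWN

    def complete_step_up(self, cookie: str, source_ip: str, strong_auth_ok: bool) -> Decision:
        """Record the outcome of the strong authentication process for a STEP_UP request."""
        sid = verify_cookie(cookie)
        if sid is None or not strong_auth_ok:
            return Decision.DENY  # a failed step-up must not touch the database
        prev_ip = self.last_ip[sid]
        self.last_ip[sid] = source_ip
        # Database update: a verified user legitimately left prev_ip. Enough such
        # moves suggest the address was not fixed after all (assumed heuristic).
        n = self.legit_moves.get(prev_ip, 0) + 1
        self.legit_moves[prev_ip] = n
        if n >= self.reclassify_after:
            self.ip_classes[prev_ip] = IpClass.VARIABLE
        return Decision.ALLOW


def demo():
    """Constructed walk-through: the same IP change, two differently classified sessions."""
    guard = SessionGuard({"198.51.100.10": IpClass.FIXED,   # office egress
                          "203.0.113.7": IpClass.VARIABLE})  # mobile carrier pool
    office, mobile = mint_cookie("s-office"), mint_cookie("s-mobile")
    guard.evaluate(office, "198.51.100.10")  # bind each session to its first address
    guard.evaluate(mobile, "203.0.113.7")
    tampered = office[:-1] + ("0" if office[-1] != "0" else "1")  # flip one MAC nibble
    return {
        "office_moves": guard.evaluate(office, "192.0.2.55"),
        "mobile_moves": guard.evaluate(mobile, "192.0.2.55"),
        "stolen_cookie_fails_step_up": guard.complete_step_up(office, "192.0.2.55", False),
        "owner_passes_step_up": guard.complete_step_up(office, "192.0.2.55", True),
        "tampered_cookie": guard.evaluate(tampered, "198.51.100.10"),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:30s} {decision.value}")
```

Two points worth checking in such a design: the decision keys on the classification of the address the session came from, so a cookie lifted from a fixed-address session and replayed elsewhere hits step-up, while the identical replay against a session that started on a variable address passes on the cookie alone, which is exactly where this control is weakest; and the classification database is written only after a successful strong authentication, so an attacker who fails the step-up cannot nudge an address toward the variable class.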
Specification