Adaptive client-aware session security

US 9,270,662 B1
Filed: 01/13/2014
Issued: 02/23/2016
Est. Priority Date: 01/13/2014
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method, comprising:

under the control of one or more computer systems configured with executable instructions,receiving requests to access one or more computing resources, the requests including a request from an application executing on a remote computing device associated by the request with a first source Internet Protocol address, the request including a cookie encoding information about a session including information usable to authenticate the request using a weak authentication process;

determining, based at least in part on the information about the session, whether the first source Internet Protocol address is different from a second source Internet Protocol address previously associated with the session;

as a result of determining that the first source Internet Protocol address is different from the second source Internet Protocol address, determining, based at least in part on a classification of the second source Internet Protocol address from a set of classifications that includes a fixed Internet Protocol address classification and a variable Internet Protocol Address classification, whether to require a strong authentication process for fulfillment of the request;

as a result of determining to require the strong authentication process, performing the strong authentication process; and

as a result of successful authentication by performance of the strong authentication process, performing one or more operations to fulfill the request and updating a database that maintains information about the classification of the second source Internet protocol address.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Source information for requests submitted to a system are classified to enable differential handling of requests over a session whose source information changes over the session. For source information (e.g., an IP address) classified as fixed, stronger authentication may be required to fulfill requests when the source information changes during the session. Similarly, for source information classified as dynamic, source information may be allowed to change without requiring the stronger authentication.

Citations

24 Claims

1. A computer-implemented method, comprising:
- under the control of one or more computer systems configured with executable instructions,receiving requests to access one or more computing resources, the requests including a request from an application executing on a remote computing device associated by the request with a first source Internet Protocol address, the request including a cookie encoding information about a session including information usable to authenticate the request using a weak authentication process;
  
  determining, based at least in part on the information about the session, whether the first source Internet Protocol address is different from a second source Internet Protocol address previously associated with the session;
  
  as a result of determining that the first source Internet Protocol address is different from the second source Internet Protocol address, determining, based at least in part on a classification of the second source Internet Protocol address from a set of classifications that includes a fixed Internet Protocol address classification and a variable Internet Protocol Address classification, whether to require a strong authentication process for fulfillment of the request;
  
  as a result of determining to require the strong authentication process, performing the strong authentication process; and
  
  as a result of successful authentication by performance of the strong authentication process, performing one or more operations to fulfill the request and updating a database that maintains information about the classification of the second source Internet protocol address.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The computer-implemented method of claim 1, wherein:
    - the requests include a second request, after the request, from the application that associates the remote computing device with the first source Internet Protocol address and includes the cookie or a second cookie encoding second information about the session, the second information about the session usable to authenticate the request by the weak authentication process;
      
      as a result of the second request being associated with the first source Internet Protocol address, performing the weak authentication process without performing the strong authentication process; and
      
      as a result of successful authentication by performance of the weak authentication process, fulfilling the second request.
  - 3. The computer-implemented method of claim 1, wherein determining whether to require the strong authentication process comprises accessing, from the database, a database record corresponding to the second source Internet Protocol address.
  - 4. The computer-implemented method of claim 3, wherein updating the database comprises:
    - calculating a score for the second source Internet Protocol address;
      
      using the calculated score to make a determination whether to reclassify the second source Internet Protocol address as fixed or dynamic; and
      
      updating the database record as a result of determining to reclassify the second source Internet Protocol address.
  - 5. The computer-implemented method of claim 4, wherein:
    - the database record associates a categorization of fixed or dynamic with a plurality of Internet Protocol addresses that includes the first source Internet Protocol address; and
      
      reclassifying the second source Internet Protocol address comprises;
      
      dividing the plurality of Internet Protocol addresses into at least two subsets comprising a first subset and a second subset having an empty intersection with the first subset, the first subset having the second source Internet Protocol address; and
      
      reclassifying the first subset.
  - 6. The computer-implemented method of claim 1, wherein successful authentication by a set of strong authentication processes that include the strong authentication process is required by the one or more computer systems before the weak authentication process is usable to authenticate requests.

7. A system, comprising:
- one or more processors; and
  
  memory including instructions that, when executed by the one or more processors, cause the system to;
  
  receive a first request associated with an identifier and a first source;
  
  receive a second request associated with the identifier and a second source, the second source different from the first source;
  
  determine, based at least in part on a classification of the first source, whether a change from the first source to another source is unexpected;
  
  determine, based at least in part on whether the change is determined to be unexpected, whether to require performance of an authentication process as a result of the detected change; and
  
  cause performance of at least one operation to be contingent at least in part on successful fulfillment of the authentication process.
- View Dependent Claims (8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 8. The system of claim 7, wherein the instructions that cause the system to determine whether to require performance of the authentication process as a result of the detected change cause the system to determine whether to require performance of the authentication process as a result of the detected change further based at least in part on the second source.
  - 9. The system of claim 7, wherein the at least one operation is part of fulfillment of a third request received after the second request.
  - 10. The system of claim 7, wherein the instructions, when executed by the one or more processors, further cause the system to calculate a confidence score for the classification and determine the classification of the first source based at least in part on the calculated confidence score.
  - 11. The system of claim 10, wherein calculating the confidence score is based at least in part on at least one of a network topology, public registration information about sources including the first source and second source, or geographic information associated with the first source and second source.
  - 12. The system of claim 10, wherein calculating the confidence score is based at least in part on at least one of a number of requests made during a session or a number of observations recorded involving the first source.
  - 13. The system of claim 7, wherein the instructions that cause the system to determine the classification cause the system to, in response to receipt of the request, calculate a classification score and determine the classification based at least in part on the calculated classification score.
  - 14. The system of claim 7, wherein determining the classification of the first source is based at least in part on a classification of a plurality of sources that includes the first source.
  - 15. The system of claim 7, wherein:
    - determining the classification of the first source is based at least in part on a confidence score for the classification; and
      
      the instructions, when executed by the one or more processors, further cause the system to, as a result of a lack of successful fulfillment of the authentication process, update the confidence score.
  - 16. The system of claim 7, wherein determining the classification of the first source is based at least in part on an account setting for an account associated with the identifier.

17. A non-transitory computer-readable storage medium having stored thereon instructions that, when executed by one or more processors of a computer system, cause the computer system to:
- detect a first change in first source network address information for requests submitted as part of a first session;
  
  detect a second change in second source network address information for requests submitted as part of a second session; and
  
  after detecting the first change, as a result of the first source network address information before the first change being classified differently than the second source network address information before the second change, cause an authentication requirement for the first session to be different than an authentication requirement for the second session after detecting the change in the second source network address information.
- View Dependent Claims (18, 19, 20, 21, 22, 23, 24)
- - 18. The non-transitory computer-readable storage medium of claim 17, wherein the instructions that cause the authentication requirement for the first session to be different than the authentication requirement for the second session, when executed by the one or more processors, cause the system to require receipt of login credentials for fulfillment of at least one request submitted during the first session.
  - 19. The non-transitory computer-readable storage medium of claim 17, wherein the change in the first source network address information and the change in the second source network address information each include a change of source Internet Protocol address.
  - 20. The non-transitory computer-readable storage medium of claim 17, further comprising instructions that, when executed by the one or more processors, cause the system to, as a result in detecting the first change, access a database to determine whether to require additional authentication for a pending request of the first session.
  - 21. The non-transitory computer-readable storage medium of claim 17, wherein:
    - the first change is a change from a first network address to a second network address; and
      
      the instructions further comprise instructions that, when executed by the one or more processors, cause the system to calculate a confidence score for a classification of the first network address as a fixed network address; and
      
      determine the classification based at least in part on the calculated confidence score.
  - 22. The non-transitory computer-readable storage medium of claim 17, wherein:
    - the first change is a change from a first network address to a second network address; and
      
      the instructions that cause the computer system to cause the authentication requirement for the first session to be different than the authentication requirement for the second session comprise instructions that, when executed by the one or more processors, cause the computer system to determine a classification for the first network address based at least in part on a security preference of an entity associated with the first session.
  - 23. The non-transitory computer-readable storage medium of claim 17, wherein:
    - the first change is a change from a first network address to a second network address; and
      
      the instructions further comprise instructions that, when executed by the one or more processors, further cause the computer system to reclassify the first network address from fixed to dynamic as a result of successful reauthentication in accordance with the authentication requirement for the first session.
  - 24. The non-transitory computer-readable storage medium of claim 17, wherein the authentication requirement for the first session includes successful fulfillment of a strong authentication requirement and the authentication requirement for the second session includes successful fulfillment of a weak authentication requirement.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Roth, Gregory Branchek, Allen, Nicholas Alexander
Primary Examiner(s)
Zand, Kambiz
Assistant Examiner(s)
Kaplan, Benjamin

Application Number

US14/153,847
Time in Patent Office

771 Days
Field of Search

726/3, 726/28
US Class Current

1/1
CPC Class Codes

G06F 21/45   Structures or tools for the...

G06F 21/62   Protecting access to data v...

G06F 2221/2101   Auditing as a secondary aspect

G06F 2221/2111   Location-sensitive, e.g. ge...

H04L 61/5007   Internet protocol [IP] addr...

H04L 63/08   for authentication of entit...

H04L 63/105   Multiple levels of security

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1441   Countermeasures against mal...

Adaptive client-aware session security

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

Adaptive client-aware session security

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links