Transparent adaptive authentication and transaction monitoring

US 9,282,094 B1
Filed: 06/27/2014
Issued: 03/08/2016
Est. Priority Date: 06/27/2014
Status: Active Grant

First Claim

Patent Images

1. A method of adding increased security to communications exchanged between a server and a client device, comprising:

receiving an intercepted and re-routed communication between the server and the client device, the communication having an intended recipient;

storing the re-routed communication in a memory, and communicating with the client device requesting additional security information;

performing a security operation including the additional security information and generating a security decision;

sending the stored communication to the intended recipient when the security decision indicates that it is safe to continue; and

preventing the stored communication from being sent when the security decision indicates that it is not safe to continue,wherein receiving the intercepted and re-routed communication further comprises (1) determining whether the re-routed communication requires increased security, (2) transmitting a call to a security analysis device including information related to the intercepted communication, for generating a step-up security decision when the re-routed communication requires increased security, and (3) transmitting a challenge to the client when the step-up security decision indicates that a step-up security procedure is indicated,and wherein performing the security operation including the additional security information and generating a security decision further includes receiving a response to the challenge from the client and comparing the response to information in the memory to determine confirmation,and wherein determining whether the re-routed communication requires increased security includes determining whether the communication from the server is a communication allowing access to a resource to the client.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Enhanced security processes are integrated into online service provider workflow activities in a transparent fashion with little or no impact on the servers. Enhanced security processes may include adaptive authentication and transaction monitoring. The enhanced security processes are partially implemented in a network device, such as a network communication device, a firewall, or a load balancing system, or a separate security device, rather than being implemented in the server systems hosting on-line websites. With such an arrangement, server software is minimally modified or rewritten, and third party software, such as security applications, remains in operation.

Citations

20 Claims

1. A method of adding increased security to communications exchanged between a server and a client device, comprising:
- receiving an intercepted and re-routed communication between the server and the client device, the communication having an intended recipient;
  
  storing the re-routed communication in a memory, and communicating with the client device requesting additional security information;
  
  performing a security operation including the additional security information and generating a security decision;
  
  sending the stored communication to the intended recipient when the security decision indicates that it is safe to continue; and
  
  preventing the stored communication from being sent when the security decision indicates that it is not safe to continue,wherein receiving the intercepted and re-routed communication further comprises (1) determining whether the re-routed communication requires increased security, (2) transmitting a call to a security analysis device including information related to the intercepted communication, for generating a step-up security decision when the re-routed communication requires increased security, and (3) transmitting a challenge to the client when the step-up security decision indicates that a step-up security procedure is indicated,and wherein performing the security operation including the additional security information and generating a security decision further includes receiving a response to the challenge from the client and comparing the response to information in the memory to determine confirmation,and wherein determining whether the re-routed communication requires increased security includes determining whether the communication from the server is a communication allowing access to a resource to the client.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein the receiving, storing and performing are performed by a challenger, and further including intercepting the communication at a network gateway positioned between the server and the client and re-routing the communication from the network gateway to the challenger.
  - 3. The method of claim 1, wherein generating a step-up security decision includes performing adaptive authentication for an intercepted login communication message being sent from the server to the client.
  - 4. The method of claim 1, wherein generating a step-up security decision includes performing transaction monitoring for an intercepted transaction request message being sent from the client to the server.
  - 5. The method of claim 1, wherein the transmitting of a challenge to the client includes requesting the client to provide more security information and transmitting to the client via a communications channel separate from the network gateway.
  - 6. The method of claim 5, wherein transmitting the call to the security analysis device further includes transmitting the call via a communications channel separate from the network gateway.
  - 7. The method of claim 1, wherein preventing the stored communication from being sent when the security decision indicates that it is not safe to continue includes transmitting a redirect communication to a logout page to the client.
  - 8. The method of claim 7, wherein transmitting the redirect communication includes transmitting a modified version of the stored communication.

9. A system for integrating security operations into a server workflow transparently to the server, comprising:
- a controller;
  
  a memory device;
  
  a local area network communicatively coupled to an external client by at least one network gateway device;
  
  at least one server hosting a resource communicatively coupled to the local network; and
  
  a challenger communicatively coupled to the at least one network gateway device and communicatively coupled to a security analysis device;
  
  the network gateway device constructed and arranged to intercept and redirect communications between the server and the external client to the challenger;
  
  the challenger constructed and arranged to i) store information from the redirected communication in the memory and determine whether the redirected communication requires increased security, ii) transmit a call containing security information from the redirected communication to the security analysis device, for generating a step-up security decision when the redirected communication requires increased security, iii) receive a security analysis from the security analysis device, iv) transmit a challenge to the client when the step-up security decision indicates that a step-up security procedure is indicated, v) receive a response to the challenge from the client, vi) compare the response from the client to information in the memory, and vii) generate a decision on continuing the communication when the comparison to the information in the memory indicates a valid response, wherein determining whether the redirected communication requires increased security includes determining whether the communication from the server is a communication allowing access to a resource to the client.
- View Dependent Claims (10, 11, 12, 13, 14, 15)
- - 10. The system of claim 9, further including:
    - the network gateway device constructed and arranged to receive a login request from the client to access a resource, and transmit the login request to the server;
      
      the server constructed and arranged to compare information received with the login request with information stored in a database, and determine whether the information received with the login request matches the information in the database; and
      
      the server constructed and arranged to i) transmit a communication permitting the client to access the resource to the network gateway device when the information matches the information in the database, and ii) transmit a communication not permitting the client to access the resource to the network gateway device when the information does not match the information in the database.
  - 11. The system of claim 9, further including wherein transmitting a call to a security analysis device further includes:
    - the security analysis device constructed and arranged to determine, via a risk analysis process, whether the step-up security procedure is indicated; and
      
      the security analysis device constructed and arranged to i) transmit an approval to the challenger for the stored communication to be transmitted when the risk analysis process determines that a low risk exists, ii) transmit a challenge to the challenger requesting the client to provide more security information when the risk analysis process determines that a moderate risk exists, and iii) transmit a denial of approval to the challenger for the stored communication to be transmitted analysis device when the risk analysis process determines that a high risk exists.
  - 12. The system of claim 9, wherein the security analysis device includes an adaptive authentication system for authenticating an intercepted login communication message being sent from the server to the client.
  - 13. The system of claim 9, wherein the security analysis device includes a transaction monitoring system for authenticating an intercepted transaction request message being sent from the client to the server.
  - 14. The system of claim 9, wherein the security analysis device and the challenger are part of the same physical system.
  - 15. The system of claim 9, wherein the challenger includes a direct communication link to an external network.

16. A computer program product having a non-transitory, computer-readable storage medium which stores code including instructions for adding increased security to communications exchanged between a server and a client device, which, when executed cause a controller to:
- receive an intercepted and re-routed communication between the server and the client device, the communication having an intended recipient;
  
  store the re-routed communication in a memory, and communicate with the client device to request additional security information;
  
  perform a security operation including the additional security information and generate a security decision;
  
  send the stored communication to the intended recipient when the security decision indicates that it is safe to continue; and
  
  prevent the stored communication from being sent when the security decision indicates that it is not safe to continue,wherein receiving the intercepted and re-routed communication further comprises (1) determining whether the re-routed communication requires increased security, (2) transmitting a call to a security analysis device including information related to the intercepted communication, for generating a step-up security decision when the re-routed communication requires increased security, and (3) transmitting a challenge to the client when the step-up security decision indicates that a step-up security procedure is indicated,and wherein performing the security operation including the additional security information and generating a security decision further includes receiving a response to the challenge from the client and comparing the response to information in the memory to determine confirmation,and wherein determining whether the re-routed communication requires increased security includes determining whether the communication from the server is a communication allowing access to a resource to the client.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The computer program product of claim 16, wherein the receiving, storing and performing are performed by a challenger, and further including intercepting the communication at a network gateway positioned between the server and the client and re-routing the communication from the network gateway to the challenger.
  - 18. The computer program product of claim 16, wherein generating a step-up security decision includes performing adaptive authentication for an intercepted login communication message being sent from the server to the client.
  - 19. The computer program product of claim 16, wherein generating a step-up security decision includes performing transaction monitoring for an intercepted transaction request message being sent from the client to the server.
  - 20. The computer program product of claim 16, wherein the transmitting of a challenge to the client includes requesting the client to provide more security information and transmitting to the client via a communications channel separate from the network gateway.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Emc IP Holding Company LLC (Dell Technologies Inc.)
Original Assignee
EMC Corporation (Dell Technologies Inc.)
Inventors
Hunold, Philipp, Chapman, Daniel
Primary Examiner(s)
Armouche, Hadi
Assistant Examiner(s)
Shayanfar, Ali

Application Number

US14/318,068
Time in Patent Office

620 Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/31   User authentication

G06F 21/554   involving event detection a...

G06F 2221/2103   Challenge-response

H04L 63/083   using passwords cryptograph...

H04L 63/14   for detecting or protecting...

Transparent adaptive authentication and transaction monitoring

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Transparent adaptive authentication and transaction monitoring

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links