Providing malicious identity profiles from failed authentication attempts involving biometrics
Abstract
A technique provides malicious identity profiles. The technique involves storing unsuccessful authentication entries in a database, the unsuccessful authentication entries including (i) descriptions of failed attempts to authenticate users and (ii) biometric records captured from the users during the failed attempts to authenticate the users. The technique further involves generating a set of malicious identity profiles based on the descriptions and the biometric records of the unsuccessful authentication entries stored in the database. Each malicious identity profile includes a profile biometric record for comparison with new biometric records during new authentication attempts. The technique further involves outputting the set of malicious identity profiles. Such a set of malicious identity profiles is well suited for use in future authentication operations, i.e., well suited for predicting intruder attacks and fraud attempts, and for sharing risky identities among authentication systems (e.g., among different security products within a cybercrime detection network).
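The pipeline summarized above, as an added sketch that is not code from the patent: failed attempts are grouped by biometric similarity, each group becomes a suspicion profile with tabulated history, the top X profiles by score are kept, and a new attempt that matches a profile has that score added to its risk. The feature vectors, Euclidean distance, threshold, and score formula are assumptions; the page does not specify them.

```python
from dataclasses import dataclass, field
from math import dist

@dataclass
class FailedAttempt:                      # one unsuccessful authentication entry
    account: str
    timestamp: int
    biometric: tuple                      # constructed feature vector

@dataclass
class SuspicionProfile:
    members: list = field(default_factory=list)

    @property
    def biometric(self):                  # profile record: centroid of the group
        vecs = [m.biometric for m in self.members]
        return tuple(sum(c) / len(vecs) for c in zip(*vecs))

    def history(self):                    # tabulated per-profile historical data
        ts = [m.timestamp for m in self.members]
        return {"failures": len(ts), "accounts": len({m.account for m in self.members}),
                "first_seen": min(ts), "last_seen": max(ts)}

    @property
    def score(self):                      # assumed heuristic, not from the patent
        return len(self.members) * self.history()["accounts"]

def build_profiles(entries, threshold=0.1, min_size=2):
    """Greedy grouping: join the nearest profile within threshold, else start one."""
    profiles = []
    for e in entries:
        near = [p for p in profiles if dist(p.biometric, e.biometric) <= threshold]
        if near:
            min(near, key=lambda p: dist(p.biometric, e.biometric)).members.append(e)
        else:
            profiles.append(SuspicionProfile([e]))
    return [p for p in profiles if len(p.members) >= min_size]

def top_x(profiles, x):
    return sorted(profiles, key=lambda p: p.score, reverse=True)[:x]

def aggregate_risk(base_risk, new_biometric, profiles, threshold=0.1):
    """Add the matched profile's suspicion score; on no match, add nothing."""
    hits = [p.score for p in profiles if dist(p.biometric, new_biometric) <= threshold]
    return base_risk + max(hits, default=0)

SAMPLE = [FailedAttempt(a, t, b) for a, t, b in [   # constructed data
    ("alice", 100, (0.10, 0.20, 0.30)), ("bob", 160, (0.12, 0.19, 0.31)),
    ("carol", 220, (0.11, 0.21, 0.29)), ("dave", 300, (0.90, 0.80, 0.70)),
    ("dave", 305, (0.91, 0.79, 0.71)), ("erin", 400, (0.50, 0.10, 0.95))]]
```

On the constructed sample, the vector tried against three accounts scores 9 and ranks above the two failures on a single account (score 2); the lone outlier forms no profile.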
19 Claims
1. A method of providing malicious identity profiles, the method comprising:
storing, by processing circuitry, unsuccessful authentication entries in a database, the unsuccessful authentication entries including (i) descriptions of failed attempts to authenticate users and (ii) biometric records captured from the users during the failed attempts to authenticate the users;
generating, by the processing circuitry, a set of malicious identity profiles based on the descriptions and the biometric records of the unsuccessful authentication entries stored in the database, each malicious identity profile including a profile biometric record for comparison with new biometric records during new authentication attempts; and
outputting, by the processing circuitry, the set of malicious identity profiles;
wherein generating the set of malicious identity profiles includes:
performing comparison operations on the descriptions and the biometric records of the unsuccessful authentication entries to group at least some of the unsuccessful authentication entries into sets of similar unsuccessful authentication entries, each set of similar unsuccessful authentication entries including multiple unsuccessful authentication entries which are alike based on a set of similarity scores resulting from the comparison operations, and
forming the set of malicious identity profiles from at least some of the sets of similar unsuccessful authentication entries;
wherein forming the set of malicious identity profiles from at least some of the sets of similar unsuccessful authentication entries includes:
creating suspicion profiles from the sets of similar unsuccessful authentication entries, each suspicion profile including a particular profile biometric record created from a particular set of similar unsuccessful authentication entries, and
collecting historical data from the database for each created suspicion profile; and
wherein the method further comprises:
distributing, as the set of malicious identity profiles, the suspicion profiles and suspicion scores which are assigned to the suspicion profiles to a set of adaptive-authentication servers through a computerized network, each adaptive-authentication server being constructed and arranged to perform adaptive-authentication (i) which includes biometric authentication as an adaptive-authentication factor and (ii) which is based on the malicious identity profiles.
for each suspicion profile created, tabulating: (i) a total of the number of times a biometric record matching, within a set of predefined thresholds, the particular profile biometric record of that suspicion profile appears in the database, (ii) a total of the number of user accounts contributing the particular set of similar unsuccessful authentication entries of that suspicion profile, (iii) a total number of failed authentication attempts, (iv) a total number of successful authentication attempts, and (v) timestamp information for the particular set of similar unsuccessful authentication entries.
3. A method as in claim 1 wherein forming the set of malicious identity profiles further includes:
performing risk-based analytics operations on the suspicion profiles based on the historical data to generate the suspicion scores for the suspicion profiles, and assigning the suspicion scores to the suspicion profiles, each suspicion profile being assigned a respective suspicion score, the set of malicious identity profiles being based on a ranking of the suspicion scores assigned to the suspicion profiles.
4. A method as in claim 3 wherein performing the risk-based analytics operations on the suspicion profiles includes:
processing the historical data collected from the database through a machine learning circuit which is constructed and arranged to identify suspicion profiles based on correlation to successful authentication and unsuccessful authentication within a predefined time frame.
5. A method as in claim 3 wherein X is a number of malicious identity profiles in the set of malicious identity profiles; and wherein forming the set of malicious identity profiles further includes:
selecting, as the set of malicious identity profiles, the suspicion profiles assigned a highest X suspicion scores.
6. A method as in claim 3, further comprising:
distributing, as at least some of the set of malicious identity profiles, the suspicion profiles and suspicion scores assigned to the suspicion profiles to a set of other authentication servers through the computerized network, each of the other authentication servers being constructed and arranged to perform multi-factor authentication which includes biometric authentication as an authentication factor.
7. A method as in claim 1, further comprising:
in response to a new authentication request, comparing a new biometric record captured from a user of the new authentication request to a biometric record of each suspicion profile,
in response to a match detected between the new biometric record and the biometric record of a particular suspicion profile, including the suspicion score assigned to the particular suspicion profile in an adaptive authentication operation which generates an aggregate risk score indicating a level of riskiness for the new authentication request, and
in response to no match detected between the new biometric record and the biometric record of a particular suspicion profile, not including the suspicion score assigned to any particular suspicion profile in the adaptive authentication operation which generates the aggregate risk score indicating the level of riskiness for the new authentication request.
8. A method as in claim 1 wherein storing the unsuccessful authentication entries in the database includes:
using circuitry to capture distance and geometry measurements for a facial scan, and storing the distance and geometry measurements electronically as biometric record data in the database.
9. A method as in claim 1 wherein storing the unsuccessful authentication entries in the database includes:
using circuitry to capture a typing speed measurement for a keystroke biometric, and storing the typing speed measurement electronically as biometric record data in the database.
10. A method as in claim 1 wherein storing the unsuccessful authentication entries in the database includes:
using circuitry to make an electronic fingerprint copy for a fingerprint biometric, and storing the electronic fingerprint copy as biometric record data in the database.
11. A method as in claim 1, further comprising:
performing a cybercrime detection operation using the set of malicious identity profiles to identify a cybercrime event.
12. A method as in claim 11 wherein the cybercrime event is an attempt to complete a fraudulent transaction.
13. A method as in claim 11 wherein the cybercrime event is an electronic intruder attack.
14. An electronic apparatus, comprising:
a network interface;
memory; and
control circuitry coupled to the network interface and the memory, the memory storing instructions which, when carried out by the control circuitry, cause the control circuitry to:
store unsuccessful authentication entries in a database residing in the memory, the unsuccessful authentication entries including (i) descriptions of failed attempts to authenticate users and (ii) biometric records captured from the users during the failed attempts to authenticate the users,
generate a set of malicious identity profiles based on the descriptions and the biometric records of the unsuccessful authentication entries stored in the database, each malicious identity profile including a profile biometric record for comparison with new biometric records during new authentication attempts, and
output the set of malicious identity profiles;
wherein the control circuitry, when generating the set of malicious identity profiles, is constructed and arranged to:
perform comparison operations on the descriptions and the biometric records of the unsuccessful authentication entries to group at least some of the unsuccessful authentication entries into sets of similar unsuccessful authentication entries, each set of similar unsuccessful authentication entries including multiple unsuccessful authentication entries which are alike based on a set of similarity scores resulting from the comparison operations, and
form the set of malicious identity profiles from at least some of the sets of similar unsuccessful authentication entries;
wherein the control circuitry, when forming the set of malicious identity profiles from at least some of the sets of similar unsuccessful authentication entries, is constructed and arranged to:
create suspicion profiles from the sets of similar unsuccessful authentication entries, each suspicion profile including a particular profile biometric record created from a particular set of similar unsuccessful authentication entries, and
collect historical data from the database for each created suspicion profile; and
wherein the control circuitry is further constructed and arranged to:
distribute, as the set of malicious identity profiles, the suspicion profiles and suspicion scores which are assigned to the suspicion profiles to a set of adaptive-authentication servers through a computerized network, each adaptive-authentication server being constructed and arranged to perform adaptive-authentication (i) which includes biometric authentication as an adaptive-authentication factor and (ii) which is based on the malicious identity profiles.
17. A computer program product having a non-transitory computer readable medium which stores a set of instructions to provide malicious identity profiles, the set of instructions, when carried out by computerized circuitry, causing the computerized circuitry to perform a method of:
storing, by the computerized circuitry, unsuccessful authentication entries in a database, the unsuccessful authentication entries including (i) descriptions of failed attempts to authenticate users and (ii) biometric records captured from the users during the failed attempts to authenticate the users;
generating, by the computerized circuitry, a set of malicious identity profiles based on the descriptions and the biometric records of the unsuccessful authentication entries stored in the database, each malicious identity profile including a profile biometric record for comparison with new biometric records during new authentication attempts; and
outputting, by the computerized circuitry, the set of malicious identity profiles;
wherein generating the set of malicious identity profiles includes:
performing comparison operations on the descriptions and the biometric records of the unsuccessful authentication entries to group at least some of the unsuccessful authentication entries into sets of similar unsuccessful authentication entries, each set of similar unsuccessful authentication entries including multiple unsuccessful authentication entries which are alike based on a set of similarity scores resulting from the comparison operations, and
forming the set of malicious identity profiles from at least some of the sets of similar unsuccessful authentication entries;
wherein forming the set of malicious identity profiles from at least some of the sets of similar unsuccessful authentication entries includes:
creating suspicion profiles from the sets of similar unsuccessful authentication entries, each suspicion profile including a particular profile biometric record created from a particular set of similar unsuccessful authentication entries, and
collecting historical data from the database for each created suspicion profile; and
wherein the method further comprises:
distributing, as the set of malicious identity profiles, the suspicion profiles and suspicion scores which are assigned to the suspicion profiles to a set of adaptive-authentication servers through a computerized network, each adaptive-authentication server being constructed and arranged to perform adaptive-authentication (i) which includes biometric authentication as an adaptive-authentication factor and (ii) which is based on the malicious identity profiles.