Providing malicious identity profiles from failed authentication attempts involving biometrics

US 9,509,688 B1
Filed: 03/13/2013
Issued: 11/29/2016
Est. Priority Date: 03/13/2013
Status: Active Grant

First Claim

Patent Images

1. A method of providing malicious identity profiles, the method comprising:

storing, by processing circuitry, unsuccessful authentication entries in a database, the unsuccessful authentication entries including (i) descriptions of failed attempts to authenticate users and (ii) biometric records captured from the users during the failed attempts to authenticate the users;

generating, by the processing circuitry, a set of malicious identity profiles based on the descriptions and the biometric records of the unsuccessful authentication entries stored in the database, each malicious identity profile including a profile biometric record for comparison with new biometric records during new authentication attempts; and

outputting, by the processing circuitry, the set of malicious identity profiles;

wherein generating the set of malicious identity profiles includes;

performing comparison operations on the descriptions and the biometric records of the unsuccessful authentication entries to group at least some of the unsuccessful authentication entries into sets of similar unsuccessful authentication entries, each set of similar unsuccessful authentication entries including multiple unsuccessful authentication entries which are alike based on a set of similarity scores resulting from the comparison operations, andforming the set of malicious identity profiles from at least some of the sets of similar unsuccessful authentication entries;

wherein forming the set of malicious identity profiles from at least some of the sets of similar unsuccessful authentication entries includes;

creating suspicion profiles from the sets of similar unsuccessful authentication entries, each suspicion profile including a particular profile biometric record created from a particular set of similar unsuccessful authentication entries, andcollecting historical data from the database for each created suspicion profile; and

wherein the method further comprises;

distributing, as the set of malicious identity profiles, the suspicion profiles and suspicion scores which are assigned to the suspicion profiles to a set of adaptive-authentication servers through a computerized network, each adaptive-authentication server being constructed and arranged to perform adaptive-authentication (i) which includes biometric authentication as an adaptive-authentication factor and (ii) which is based on the malicious identity profiles.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A technique provides malicious identity profiles. The technique involves storing unsuccessful authentication entries in a database, the unsuccessful authentication entries including (i) descriptions of failed attempts to authenticate users and (ii) biometric records captured from the users during the failed attempts to authenticate the users. The technique further involves generating a set of malicious identity profiles based on the descriptions and the biometric records of the unsuccessful authentication entries stored in the database. Each malicious identity profile includes a profile biometric record for comparison with new biometric records during new authentication attempts. The technique further involves outputting the set of malicious identity profiles. Such a set of malicious identity profiles is well suited for use in future authentication operations, i.e., well suited for predicting intruder attacks and fraud attempts, and for sharing risky identities among authentication systems (e.g., among different security products within a cybercrime detection network).

Citations

19 Claims

1. A method of providing malicious identity profiles, the method comprising:
- storing, by processing circuitry, unsuccessful authentication entries in a database, the unsuccessful authentication entries including (i) descriptions of failed attempts to authenticate users and (ii) biometric records captured from the users during the failed attempts to authenticate the users;
  
  generating, by the processing circuitry, a set of malicious identity profiles based on the descriptions and the biometric records of the unsuccessful authentication entries stored in the database, each malicious identity profile including a profile biometric record for comparison with new biometric records during new authentication attempts; and
  
  outputting, by the processing circuitry, the set of malicious identity profiles;
  
  wherein generating the set of malicious identity profiles includes;
  
  performing comparison operations on the descriptions and the biometric records of the unsuccessful authentication entries to group at least some of the unsuccessful authentication entries into sets of similar unsuccessful authentication entries, each set of similar unsuccessful authentication entries including multiple unsuccessful authentication entries which are alike based on a set of similarity scores resulting from the comparison operations, andforming the set of malicious identity profiles from at least some of the sets of similar unsuccessful authentication entries;
  
  wherein forming the set of malicious identity profiles from at least some of the sets of similar unsuccessful authentication entries includes;
  
  creating suspicion profiles from the sets of similar unsuccessful authentication entries, each suspicion profile including a particular profile biometric record created from a particular set of similar unsuccessful authentication entries, andcollecting historical data from the database for each created suspicion profile; and
  
  wherein the method further comprises;
  
  distributing, as the set of malicious identity profiles, the suspicion profiles and suspicion scores which are assigned to the suspicion profiles to a set of adaptive-authentication servers through a computerized network, each adaptive-authentication server being constructed and arranged to perform adaptive-authentication (i) which includes biometric authentication as an adaptive-authentication factor and (ii) which is based on the malicious identity profiles.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. A method as in claim 1 wherein collecting the historical data from the database for each created suspicion profile includes:
3. A method as in claim 1 wherein forming the set of malicious identity profiles further includes:
- performing risk-based analytics operations on the suspicion profiles based on the historical data to generate the suspicion scores for the suspicion profiles, andassigning the suspicion scores to the suspicion profiles, each suspicion profile being assigned a respective suspicion score, the set of malicious identity profiles being based on a ranking of the suspicion scores assigned to the suspicion profiles.
4. A method as in claim 3 wherein performing the risk-based analytics operations on the suspicion profiles includes:
- processing the historical data collected from the database through a machine learning circuit which is constructed and arranged to identify suspicion profiles based on correlation to successful authentication and unsuccessful authentication within a predefined time frame.
5. A method as in claim 3 wherein X is a number of malicious identity profiles in the set of malicious identity profiles;
- and wherein forming the set of malicious identity profiles further includes;
  
  selecting, as the set of malicious identity profiles, the suspicion profiles assigned a highest X suspicion scores.
6. A method as in claim 3, further comprising:
- distributing, as at least some of the set of malicious identity profiles, the suspicion profiles and suspicion scores assigned to the suspicion profiles to a set of other authentication servers through the computerized network, each of the other authentication servers being constructed and arranged to perform multi-factor authentication which includes biometric authentication as an authentication factor.
7. A method as in claim 1, further comprising:
- in response to a new authentication request, comparing a new biometric record captured from a user of the new authentication request to a biometric record of each suspicion profile,in response to a match detected between the new biometric record and the biometric record of a particular suspicion profile, including the suspicion score assigned to the particular suspicion profile in an adaptive authentication operation which generates an aggregate risk score indicating a level of riskiness for the new authentication request, andin response to no match detected between the new biometric record and the biometric record of a particular suspicion profile, not including the suspicion score assigned to any particular suspicion profile in the adaptive authentication operation which generates the aggregate risk score indicating the level of riskiness for the new authentication request.
8. A method as in claim 1 wherein storing the unsuccessful authentication entries in the database includes:
- using circuitry to capture distance and geometry measurements for a facial scan, and storing the distance and geometry measurements electronically as biometric record data in the database.
9. A method as in claim 1 wherein storing the unsuccessful authentication entries in the database includes:
- using circuitry to capture a typing speed measurement for a keystroke biometric, and storing the typing speed measurement electronically as biometric record data in the database.
10. A method as in claim 1 wherein storing the unsuccessful authentication entries in the database includes:
- using circuitry to make an electronic fingerprint copy for a fingerprint biometric, and storing the electronic fingerprint copy as biometric record data in the database.
11. A method as in claim 1, further comprising:
- performing a cybercrime detection operation using the set of malicious identity profiles to identify a cybercrime event.
12. A method as in claim 11 wherein the cybercrime event is an attempt to complete a fraudulent transaction.
13. A method as in claim 11 wherein the cybercrime event is an electronic intruder attack.

14. An electronic apparatus, comprising:
- a network interface;
  
  memory; and
  
  control circuitry coupled to the network interface and the memory, the memory storing instructions which, when carried out by the control circuitry, cause the control circuitry to;
  
  store unsuccessful authentication entries in a database residing in the memory, the unsuccessful authentication entries including (i) descriptions of failed attempts to authenticate users and (ii) biometric records captured from the users during the failed attempts to authenticate the users,generate a set of malicious identity profiles based on the descriptions and the biometric records of the unsuccessful authentication entries stored in the database, each malicious identity profile including a profile biometric record for comparison with new biometric records during new authentication attempts, andoutput the set of malicious identity profiles;
  
  wherein the control circuitry, when generating the set of malicious identity profiles, is constructed and arranged to;
  
  perform comparison operations on the descriptions and the biometric records of the unsuccessful authentication entries to group at least some of the unsuccessful authentication entries into sets of similar unsuccessful authentication entries, each set of similar unsuccessful authentication entries including multiple unsuccessful authentication entries which are alike based on a set of similarity scores resulting from the comparison operations, andform the set of malicious identity profiles from at least some of the sets of similar unsuccessful authentication entries;
  
  wherein the control circuitry, when forming the set of malicious identity profiles from at least some of the sets of similar unsuccessful authentication entries, is constructed and arranged to;
  
  create suspicion profiles from the sets of similar unsuccessful authentication entries, each suspicion profile including a particular profile biometric record created from a particular set of similar unsuccessful authentication entries, andcollect historical data from the database for each created suspicion profile; and
  
  wherein the control circuitry is further constructed and arranged to;
  
  distribute, as the set of malicious identity profiles, the suspicion profiles and suspicion scores which are assigned to the suspicion profiles to a set of adaptive-authentication servers through a computerized network, each adaptive-authentication server being constructed and arranged to perform adaptive-authentication (i) which includes biometric authentication as an adaptive-authentication factor and (ii) which is based on the malicious identity profiles.
- View Dependent Claims (15, 16)
- - 15. An electronic apparatus as in claim 14 wherein the control circuitry, when forming the set of malicious identity profiles, is further constructed and arranged to:
    - perform risk-based analytics operations on the suspicion profiles based on the historical data to generate the suspicion scores for the suspicion profiles, andassign the suspicion scores to the suspicion profiles, each suspicion profile being assigned a respective suspicion score, the set of malicious identity profiles being based on a ranking of the suspicion scores assigned to the suspicion profiles.
  - 16. An electronic apparatus as in claim 15 wherein the control circuitry, when performing the risk-based analytics operations on the suspicion profiles, is constructed and arranged to:
    - process the historical data collected from the database through a machine learning circuit which is constructed and arranged to identify suspicion profiles based on correlation to successful authentication and unsuccessful authentication within a predefined time frame.

17. A computer program product having a non-transitory computer readable medium which stores a set of instructions to provide malicious identity profiles, the set of instructions, when carried out by computerized circuitry, causing the computerized circuitry to perform a method of:
- storing, by the computerized circuitry, unsuccessful authentication entries in a database, the unsuccessful authentication entries including (i) descriptions of failed attempts to authenticate users and (ii) biometric records captured from the users during the failed attempts to authenticate the users;
  
  generating, by the computerized circuitry, a set of malicious identity profiles based on the descriptions and the biometric records of the unsuccessful authentication entries stored in the database, each malicious identity profile including a profile biometric record for comparison with new biometric records during new authentication attempts; and
  
  outputting, by the computerized circuitry, the set of malicious identity profiles;
  
  wherein generating the set of malicious identity profiles includes;
  
  performing comparison operations on the descriptions and the biometric records of the unsuccessful authentication entries to group at least some of the unsuccessful authentication entries into sets of similar unsuccessful authentication entries, each set of similar unsuccessful authentication entries including multiple unsuccessful authentication entries which are alike based on a set of similarity scores resulting from the comparison operations, andforming the set of malicious identity profiles from at least some of the sets of similar unsuccessful authentication entries;
  
  wherein forming the set of malicious identity profiles from at least some of the sets of similar unsuccessful authentication entries includes;
  
  creating suspicion profiles from the sets of similar unsuccessful authentication entries, each suspicion profile including a particular profile biometric record created from a particular set of similar unsuccessful authentication entries, andcollecting historical data from the database for each created suspicion profile; and
  
  wherein the method further comprises;
  
  distributing, as the set of malicious identity profiles, the suspicion profiles and suspicion scores which are assigned to the suspicion profiles to a set of adaptive-authentication servers through a computerized network, each adaptive-authentication server being constructed and arranged to perform adaptive-authentication (i) which includes biometric authentication as an adaptive-authentication factor and (ii) which is based on the malicious identity profiles.
- View Dependent Claims (18, 19)
- - 18. A computer program product as in claim 17 wherein forming the set of malicious identity profiles further includes:
    - performing risk-based analytics operations on the suspicion profiles based on the historical data to generate the suspicion scores for the suspicion profiles, andassigning the suspicion scores to the suspicion profiles, each suspicion profile being assigned a respective suspicion score, the set of malicious identity profiles being based on a ranking of the suspicion scores assigned to the suspicion profiles.
  - 19. A computer program product as in claim 18 wherein performing the risk-based analytics operations on the suspicion profiles includes:
    - processing the historical data collected from the database through a machine learning circuit which is constructed and arranged to identify suspicion profiles based on correlation to successful authentication and unsuccessful authentication within a predefined time frame.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Emc IP Holding Company LLC (Dell Technologies Inc.)
Original Assignee
Emc IP Holding Company LLC (Dell Technologies Inc.)
Inventors
Magi Shaashua, Triinu, Kaufman, Alon, Villa, Yael
Primary Examiner(s)
Rahman, Mahfuzur
Assistant Examiner(s)
AMORIN, CARLOS E

Application Number

US13/801,103
Time in Patent Office

1,357 Days
Field of Search
US Class Current

1/1
CPC Class Codes

H04L 63/0861   using biometrical features,...

H04L 63/101   Access control lists [ACL]

H04L 63/1408   by monitoring network traff...

Providing malicious identity profiles from failed authentication attempts involving biometrics

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Providing malicious identity profiles from failed authentication attempts involving biometrics

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links