Method, device, and system of protecting a log-in process of a computerized service

US 9,558,339 B2
Filed: 04/01/2015
Issued: 01/31/2017
Est. Priority Date: 11/29/2010
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

determining whether a user, who utilizes a computing device to interact with a computerized service, is either an authorized user or an attacker;

wherein the determining comprises;

modifying a log-in screen of the computerized service to cause said log-in screen to exhibit a temporary input/output interference that causes an anomaly between (A) input gestures that the user performs via an input unit of said computing device, and (B) output that is displayed on a display unit of said computing device;

tracking user interactions via said input unit in response to said temporary input/output interference at the log-in screen;

if said tracking of user interactions indicates that said user performed a manual correction operation to correct said anomaly, then determining that said user is an authorized user;

if said tracking of user interactions indicates that said user did not perform manual correction operations that adequately correct said anomaly, then determining that said user is an attacker.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Devices, systems, and methods of detecting user identity, differentiating between users of a computerized service, and detecting a cyber-attacker. An end-user device (a desktop computer, a laptop computer, a smartphone, a tablet, or the like) interacts and communicates with a server of a computerized server (a banking website, an electronic commerce website, or the like). The interactions are monitored, tracked and logged. User Interface (UI) interferences or irregularities are intentionally introduced to the communication session; and the server tracks the response or the reaction of the end-user to such communication interferences. The system determines whether the user is a legitimate human user, or a cyber-attacker or automated script posing as the legitimate human user. The system further detects click-fraud, and prevents or mitigates Application Distributed Denial-of-Service attacks.

35 Citations

View as Search Results

15 Claims

1. A method comprising:
- determining whether a user, who utilizes a computing device to interact with a computerized service, is either an authorized user or an attacker;
  
  wherein the determining comprises;
  
  modifying a log-in screen of the computerized service to cause said log-in screen to exhibit a temporary input/output interference that causes an anomaly between (A) input gestures that the user performs via an input unit of said computing device, and (B) output that is displayed on a display unit of said computing device;
  
  tracking user interactions via said input unit in response to said temporary input/output interference at the log-in screen;
  
  if said tracking of user interactions indicates that said user performed a manual correction operation to correct said anomaly, then determining that said user is an authorized user;
  
  if said tracking of user interactions indicates that said user did not perform manual correction operations that adequately correct said anomaly, then determining that said user is an attacker.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The method of claim 1, wherein the tracking of step (ii) comprises:
    - determining whether or not said user performed any manual correction operations;
      
      if it is determined that said user did not perform any manual correction operations, then determining that said user is an attacker.
  - 3. The method of claim 1, wherein the tracking of step (ii) comprises:
    - determining whether or not said user performed any manual correction operations;
      
      if it is determined that said user performed manual correction operations, then further determining whether the manual correction operations that the user performed adequately correct said anomaly; and
      
      if it is determined that the manual correction operations did not adequately correct said anomaly, then determining that said user is an attacker.
  - 4. The method of claim 1, wherein the tracking of step (ii) comprises:
    - determining whether or not said user performed any manual correction operations;
      
      if it is determined that said user performed manual correction operations, then further determining whether the manual correction operations that the user performed adequately correct said anomaly;
      
      if it is determined that the manual correction operations did not adequately correct said anomaly, then determining that said user is possibly an authorized user and performing an additional authentication challenge for said user.
  - 5. The method of claim 1, wherein modifying the log-in screen of the computerized service comprises:
    - causing a deviation of an on-screen pointer that is being moved by said user, relative to a regular on-screen route of said on-screen pointer.
  - 6. The method of claim 1, wherein modifying the log-in screen of the computerized service comprises:
    - temporarily hiding an on-screen pointer that is being moved by said user.
  - 7. The method of claim 1, wherein modifying the log-in screen of the computerized service comprises:
    - causing an on-screen pointer that is being moved by said user, to appear in a different on-screen location relative to an intended movement route of said on-screen pointer.
  - 8. The method of claim 1, wherein modifying the log-in screen of the computerized service comprises:
    - defining an account creation process that comprises at least three screens in which said user enters information to create a new account for the computerized service;
      
      pseudo-randomly shuffling an order in which said at least three screens are presented to said user during said account creation process of said computerized service.
  - 9. The method of claim 1, wherein modifying the log-in screen of the computerized service comprises:
    - defining an account creation process that comprises at least a first screen, a second screen and a third screen;
      
      wherein the first screen of said account creation process is fixed and is always the first screen to be displayed to all users during creation of new accounts;
      
      presenting to said user the first, fixed, screen of the account creation process;
      
      pseudo-randomly selecting whether to present to said user, during the account creation process and immediately after the first fixed screen, either;
      
      (A) the second screen of the account creation process, and then the third screen of the account creation process;
      
      or (B) the third screen of the account creation process, and then the second screen of the account creation process.
  - 10. The method of claim 1, wherein modifying the log-in screen of the computerized service comprises:
    - defining an account creation process that comprises at least a first screen, a second screen and a third screen;
      
      wherein the first screen of said account creation process is fixed and is always the first screen to be displayed to all users during creation of new accounts;
      
      presenting to said user the first, fixed, screen of the account creation process;
      
      pseudo-randomly selecting whether to present to said user, after the first fixed screen of the account creation process, either;
      
      (A) the second screen of the account creation process, and then the third screen of the account creation process;
      
      or (B) the third screen of the account creation process, and then the second screen of the account creation process;
      
      if step (B) is pseudo-randomly selected, then;
      
      (a) presenting to the user the third screen of the log-in process prior to the second screen of the account creation process;
      
      (b) tracking user interactions during with said third screen that is presented instead of said second screen;
      
      (c) determining whether or not the user interactions at the third screen reflect a user surprise from a change in an expected order of screens of the account creation process;
      
      (d) if the determining of step (c) is positive, then determining that said user is an attacker.
  - 11. The method of claim 1, wherein modifying the log-in screen of the computerized service comprises:
    - defining an account creation process that comprises at least a first screen, a second screen and a third screen;
      
      wherein the first screen of said account creation process is fixed and is always the first screen to be displayed to all users during creation of new accounts;
      
      presenting to said user the first, fixed, screen of the account creation process;
      
      when said user interacts with the first fixed screen of the account creation process, generating said temporary input/output interference that causes anomaly between (A) input gestures that the user performs via the input unit of said computing device, and (B) output that is displayed on the display unit of said computing device;
      
      tracking user interactions in response to said temporary input/output interference that is introduced into the first fixed screen;
      
      if the user interactions in response to said temporary input/output interference that is introduced into the first fixed screen, indicate that the user did not perform manual correction operations that adequately fix said anomaly, then determining that said user is a possible attacker;
      
      if it is determined that said user is a possible attacker, then;
      
      pseudo-randomly selecting whether to present to said user, after the first fixed screen of the account creation process, either;
      
      (A) the second screen of the account creation process, and then the third screen of the account creation process;
      
      or (B) the third screen of the account creation process, and then the second screen of the account creation process.
  - 12. The method of claim 1, wherein modifying the log-in screen of the computerized service comprises:
    - defining an account creation process that comprises at least a first screen, a second screen and a third screen;
      
      wherein the first screen of said account creation process is fixed and is always the first screen to be displayed to all users during creation of new accounts;
      
      presenting to said user the first, fixed, screen of the account creation process;
      
      when said user interacts with the first fixed screen of the account creation process, generating said temporary input/output interference that causes anomaly between (A) input gestures that the user performs via the input unit of said computing device, and (B) output that is displayed on the display unit of said computing device;
      
      tracking user interactions in response to said temporary input/output interference that is introduced into the first fixed screen;
      
      if the user interactions in response to said temporary input/output interference that is introduced into the first fixed screen, indicate that the user did not perform manual correction operations that adequately fix said anomaly, then determining that said user is a possible attacker;
      
      if it is determined in step (e) that said user is a possible attacker, then;
      
      pseudo-randomly selecting whether to present to said user, after the first fixed screen of the account creation process, either;
      
      (A) the second screen of the account creation process, and then the third screen of the account creation process;
      
      or (B) the third screen of the account creation process, and then the second screen of the account creation process;
      
      if step (B) is pseudo-randomly selected, then;
      
      (a1) presenting to the user the third screen of the log-in process prior to the second screen of the account creation process;
      
      (b1) tracking user interactions during with said third screen that is presented instead of said second screen;
      
      (c1) determining whether or not the user interactions at the third screen reflect a user surprise from a change in an expected order of screens of the account creation process;
      
      (d1) if the determining of step (c1) is positive, then determining that said user is an attacker.
  - 13. The method of claim 1, comprising:
    - detecting that a rate of incorrect log-in attempts to said computerized service, within a pre-defined time period, is greater than a threshold rate;
      
      determining that the computerized service is possibly undergoing an Application Distributed Denial-of-Service (Application DDoS) attack;
      
      based on said determining, modifying a log-in process to the computerized service by generating said temporary input/output interference, and tracking user interactions in response to said temporary input/output interference.
  - 14. The method of claim 1, comprising:
    - detecting that a rate of incorrect log-in attempts to said computerized service, within a pre-defined time period, is greater than a threshold rate;
      
      determining that the computerized service is possibly undergoing an Application Distributed Denial-of-Service (Application DDoS) attack;
      
      based on the determination of step (b), modifying a log-in process to the computerized service by generating said temporary input/output interference, and tracking user interactions in response to said temporary input/output interference;
      
      determining which Internet packets incoming to the computerized service from a source that does not perform manual correction operations in response to said temporary input/output interference;
      
      selectively steering said Internet packets to a fraud mitigation module of said computerized service, while steering other incoming Internet packets to a primary server of said computerized service.
  - 15. The method of claim 1, comprising:
    - detecting that a rate of incorrect log-in attempts to said computerized service, within a pre-defined time period, is greater than a threshold rate;
      
      determining that the computerized service is possibly undergoing an Application Distributed Denial-of-Service (Application DDoS) attack;
      
      based on the determination of step (b), modifying a log-in process to the computerized service by generating said temporary input/output interference, and tracking user interactions in response to said temporary input/output interference;
      
      determining which Internet packets incoming to the computerized service from a source that does not perform manual correction operations in response to said temporary input/output interference;
      
      selectively steering said Internet packets to a secondary server of said computerized service, while steering other incoming Internet packets to a primary server of said computerized service.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Biocatch Ltd.
Original Assignee
Biocatch Ltd.
Inventors
Turgeman, Avi
Primary Examiner(s)
To, Baotran N

Application Number

US14/675,769
Publication Number

US 20150213251A1
Time in Patent Office

671 Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/31   User authentication

G06F 21/316   by observing the pattern of...

G06F 21/32   using biometric data, e.g. ...

G06F 21/36   by graphic or iconic repres...

G06F 21/554   involving event detection a...

G06F 2221/2133   Verifying human interaction...

G06F 3/041   Digitisers, e.g. for touch ...

G06F 3/04812   Interaction techniques base...

G06F 3/04883   for inputting data by handw...

H04L 63/08   for authentication of entit...

H04L 63/1408   by monitoring network traff...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1458   Denial of Service

H04W 12/06   Authentication

H04W 12/12   Detection or prevention of ...

Method, device, and system of protecting a log-in process of a computerized service

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

35 Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

Method, device, and system of protecting a log-in process of a computerized service

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

35 Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links