Device, method, and system of generating fraud-alerts for cyber-attacks

US 10,404,729 B2
Filed: 12/05/2016
Issued: 09/03/2019
Est. Priority Date: 11/29/2010
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

(a) monitoring user interactions of a user, who utilizes a computing device to interact with a computerized service during a usage session;

(b) for each particular type of data entry method that the user utilizes during said usage session;

(b1) determining a current number of occurrences of utilization of said particular type of data entry method during said usage session, and generating output corresponding to said current number of occurrences during said usage session;

(b2) determining a ratio between (A) said current number of occurrences of utilization of said particular type of data entry method during said usage session, and (B) an average number of occurrences of utilization of said particular type of data entry method during previous usage sessions of said user; and

generating output corresponding to said ratio;

(b3) based on (i) said current number of occurrences, and (ii) said average number of occurrences during previous usage sessions of said user, determining whether said user is an authorized user or a cyber-attacker;

wherein the determining of step (b3) is performed by;

(A) determining that in the current usage session of said user, K percent of interactions with a particular user-interface element are performed via a computer mouse;

(B) determining that in previous usage sessions of said user, M percent of interactions with said particular user-interface element were performed via the computer mouse;

(C) determining that K is different than M by at least N percent, wherein N is a pre-defined threshold number of percent-points;

(D) based on the determining of step (C), determining that the current usage session is attributed to a cyber-attacker and not to the authorized user.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Devices, systems, and methods of detecting user identity, differentiating between users of a computerized service, and detecting a cyber-attacker. An end-user device (a desktop computer, a laptop computer, a smartphone, a tablet, or the like) interacts and communicates with a server of a computerized server (a banking website, an electronic commerce website, or the like). The interactions are monitored, tracked and logged. User Interface (UI) interferences are intentionally introduced to the communication session; and the server tracks the response or the reaction of the end-user to such communication interferences. The system determines whether the user is a legitimate human user; or a cyber-attacker posing as the legitimate human user. The system displays gauges indicating cyber fraud scores or cyber-attack threat-levels. The system extrapolates from observed fraud incidents and utilizes a rules engine to automatically search for similar fraud events and to automatically detect fraud events or cyber-attackers.

460 Citations

11 Claims

1. A method comprising:
- (a) monitoring user interactions of a user, who utilizes a computing device to interact with a computerized service during a usage session;
  
  (b) for each particular type of data entry method that the user utilizes during said usage session;
  
  (b1) determining a current number of occurrences of utilization of said particular type of data entry method during said usage session, and generating output corresponding to said current number of occurrences during said usage session;
  
  (b2) determining a ratio between (A) said current number of occurrences of utilization of said particular type of data entry method during said usage session, and (B) an average number of occurrences of utilization of said particular type of data entry method during previous usage sessions of said user; and
  
  generating output corresponding to said ratio;
  
  (b3) based on (i) said current number of occurrences, and (ii) said average number of occurrences during previous usage sessions of said user, determining whether said user is an authorized user or a cyber-attacker;
  
  wherein the determining of step (b3) is performed by;
  
  (A) determining that in the current usage session of said user, K percent of interactions with a particular user-interface element are performed via a computer mouse;
  
  (B) determining that in previous usage sessions of said user, M percent of interactions with said particular user-interface element were performed via the computer mouse;
  
  (C) determining that K is different than M by at least N percent, wherein N is a pre-defined threshold number of percent-points;
  
  (D) based on the determining of step (C), determining that the current usage session is attributed to a cyber-attacker and not to the authorized user.

2. A method comprising:
- (a) monitoring user interactions of a user, who utilizes a computing device to interact with a computerized service during a usage session;
  
  (b) for each particular type of data entry method that the user utilizes during said usage session;
  
  (b1) determining a current number of occurrences of utilization of said particular type of data entry method during said usage session, and generating output corresponding to said current number of occurrences during said usage session;
  
  (b2) determining a ratio between (A) said current number of occurrences of utilization of said particular type of data entry method during said usage session, and (B) an average number of occurrences of utilization of said particular type of data entry method during previous usage sessions of said user; and
  
  generating output corresponding to said ratio;
  
  (b3) based on (i) said current number of occurrences, and (ii) said average number of occurrences during previous usage sessions of said user, determining whether said user is an authorized user or a cyber-attacker;
  
  wherein the determining of step (b3) is performed by;
  
  (A) determining that in the current usage session of said user, K percent of interactions with a particular user-interface element are performed by a touch-pad;
  
  (B) determining that in previous usage sessions of said user, M percent of interactions with said particular user-interface element were performed via the touch-pad;
  
  (C) determining that K is different than M by at least N percent, wherein N is a pre-defined threshold number of percent-points;
  
  (D) based on the determining of step (C), determining that the current usage session is attributed to a cyber-attacker and not to the authorized user.

3. A method comprising:
- (a) monitoring user interactions of a user, who utilizes a computing device to interact with a computerized service during a usage session;
  
  (b) for each particular type of data entry method that the user utilizes during said usage session;
  
  (b1) determining a current number of occurrences of utilization of said particular type of data entry method during said usage session, and generating output corresponding to said current number of occurrences during said usage session;
  
  (b2) determining a ratio between (A) said current number of occurrences of utilization of said particular type of data entry method during said usage session, and (B) an average number of occurrences of utilization of said particular type of data entry method during previous usage sessions of said user; and
  
  generating output corresponding to said ratio;
  
  (b3) based on (i) said current number of occurrences, and (ii) said average number of occurrences during previous usage sessions of said user, determining whether said user is an authorized user or a cyber-attacker;
  
  wherein the determining of step (b3) is performed by;
  
  (A) determining that in the current usage session of said user, K percent of interactions with a particular user-interface element are performed by a keyboard;
  
  (B) determining that in previous usage sessions of said user, M percent of interactions with said particular user-interface element were performed via the keyboard;
  
  (C) determining that K is different than M by at least N percent, wherein N is a pre-defined threshold number of percent-points;
  
  (D) based on the determining of step (C), determining that the current usage session is attributed to a cyber-attacker and not to the authorized user.

4. A method comprising:
- (a) monitoring user interactions of a user, who utilizes a computing device to interact with a computerized service during a usage session;
  
  (b) for each particular type of data entry method that the user utilizes during said usage session;
  
  (b1) determining a current number of occurrences of utilization of said particular type of data entry method during said usage session, and generating output corresponding to said current number of occurrences during said usage session;
  
  (b2) determining a ratio between (A) said current number of occurrences of utilization of said particular type of data entry method during said usage session, and (B) an average number of occurrences of utilization of said particular type of data entry method during previous usage sessions of said user; and
  
  generating output corresponding to said ratio;
  
  (b3) based on (i) said current number of occurrences, and (ii) said average number of occurrences during previous usage sessions of said user, determining whether said user is an authorized user or a cyber-attacker;
  
  wherein the determining of step (b3) is performed by;
  
  (A) determining that in the current usage session of said user, K percent of interactions with a particular user-interface element are performed by a touch-screen;
  
  (B) determining that in previous usage sessions of said user, M percent of interactions with said particular user-interface element were performed via the touch-screen;
  
  (C) determining that K is different than M by at least N percent-points, wherein N is a pre-defined threshold number of percent-points;
  
  (D) based on the determining of step (C), determining that the current usage session is attributed to a cyber-attacker and not to the authorized user.

5. A method comprising:
- (a) monitoring user interactions of a user, who utilizes a computing device to interact with a computerized service during a usage session;
  
  (b) for each particular type of data entry method that the user utilizes during said usage session;
  
  (b1) determining a current number of occurrences of utilization of said particular type of data entry method during said usage session, and generating output corresponding to said current number of occurrences during said usage session;
  
  (b2) determining a ratio between (A) said current number of occurrences of utilization of said particular type of data entry method during said usage session, and (B) an average number of occurrences of utilization of said particular type of data entry method during previous usage sessions of said user; and
  
  generating output corresponding to said ratio;
  
  (b3) based on (i) said current number of occurrences, and (ii) said average number of occurrences during previous usage sessions of said user, determining whether said user is an authorized user or a cyber-attacker;
  
  wherein the determining of step (b3) is performed by;
  
  (A) determining that in the current usage session of said user, a majority of interactions with a particular user-interface element are performed via a keyboard;
  
  (B) determining that in previous usage sessions of said user, a majority of interactions with said particular user-interface element were performed via an input-unit other than the keyboard;
  
  (C) based on the cumulative determining operations of steps (A) and (B), determining that the current usage session is attributed to a cyber-attacker and not to the authorized user.

6. A method comprising:
- (a) monitoring user interactions of a user, who utilizes a computing device to interact with a computerized service during a usage session;
  
  (b) for each particular type of data entry method that the user utilizes during said usage session;
  
  (b1) determining a current number of occurrences of utilization of said particular type of data entry method during said usage session, and generating output corresponding to said current number of occurrences during said usage session;
  
  (b2) determining a ratio between (A) said current number of occurrences of utilization of said particular type of data entry method during said usage session, and (B) an average number of occurrences of utilization of said particular type of data entry method during previous usage sessions of said user; and
  
  generating output corresponding to said ratio;
  
  (b3) based on (i) said current number of occurrences, and (ii) said average number of occurrences during previous usage sessions of said user, determining whether said user is an authorized user or a cyber-attacker;
  
  wherein the determining of step (b3) is performed by;
  
  (A) determining that in the current usage session of said user, a majority of interactions with a particular user-interface element are performed via a touch-screen;
  
  (B) determining that in previous usage sessions of said user, a majority of interactions with said particular user-interface element were performed via an input-unit other than the touch-screen;
  
  (C) based on the cumulative determining operations of steps (A) and (B), determining that the current usage session is attributed to a cyber-attacker and not to the authorized user.

7. A method comprising:
- (a) monitoring user interactions of a user, who utilizes a computing device to interact with a computerized service during a usage session;
  
  (b) for each particular type of data entry method that the user utilizes during said usage session;
  
  (b1) determining a current number of occurrences of utilization of said particular type of data entry method during said usage session, and generating output corresponding to said current number of occurrences during said usage session;
  
  (b2) determining a ratio between (A) said current number of occurrences of utilization of said particular type of data entry method during said usage session, and (B) an average number of occurrences of utilization of said particular type of data entry method during previous usage sessions of said user; and
  
  generating output corresponding to said ratio;
  
  (b3) based on (i) said current number of occurrences, and (ii) said average number of occurrences during previous usage sessions of said user, determining whether said user is an authorized user or a cyber-attacker;
  
  wherein the determining of step (b3) is performed by;
  
  (A) determining that in the current usage session of said user, a majority of interactions with a particular user-interface element are performed via a computer mouse;
  
  (B) determining that in previous usage sessions of said user, a majority of interactions with said particular user-interface element were performed via an input-unit other than the computer mouse;
  
  (C) based on the cumulative determining operations of steps (A) and (B), determining that the current usage session is attributed to a cyber-attacker and not to the authorized user.

8. A method comprising:
- (a) monitoring user interactions of a user, who utilizes a computing device to interact with a computerized service during a usage session;
  
  (b) for each particular type of data entry method that the user utilizes during said usage session;
  
  (b1) determining a current number of occurrences of utilization of said particular type of data entry method during said usage session, and generating output corresponding to said current number of occurrences during said usage session;
  
  (b2) determining a ratio between (A) said current number of occurrences of utilization of said particular type of data entry method during said usage session, and (B) an average number of occurrences of utilization of said particular type of data entry method during previous usage sessions of said user; and
  
  generating output corresponding to said ratio;
  
  (b3) based on (i) said current number of occurrences, and (ii) said average number of occurrences during previous usage sessions of said user, determining whether said user is an authorized user or a cyber-attacker;
  
  wherein the determining of step (b3) is performed by;
  
  (A) determining that in the current usage session of said user, a majority of interactions with a particular user-interface element are performed via a touch-pad;
  
  (B) determining that in previous usage sessions of said user, a majority of interactions with said particular user-interface element were performed via an input-unit other than the touch-pad;
  
  (C) based on the cumulative determining operations of steps (A) and (B), determining that the current usage session is attributed to a cyber-attacker and not to the authorized user.

9. A method comprising:
- (a) monitoring user interactions of a user, who utilizes a computing device to interact with a computerized service during a usage session;
  
  (b) for each particular type of data entry method that the user utilizes during said usage session;
  
  (b1) determining a current number of occurrences of utilization of said particular type of data entry method during said usage session, and generating output corresponding to said current number of occurrences during said usage session;
  
  (b2) determining a ratio between (A) said current number of occurrences of utilization of said particular type of data entry method during said usage session, and (B) an average number of occurrences of utilization of said particular type of data entry method during previous usage sessions of said user; and
  
  generating output corresponding to said ratio;
  
  (b3) based on (i) said current number of occurrences, and (ii) said average number of occurrences during previous usage sessions of said user, determining whether said user is an authorized user or a cyber-attacker;
  
  wherein the determining of step (b3) is performed by;
  
  (A) defining a first data-entry method that users can utilize to engage with a particular user-interface element;
  
  (B) defining a second, different, data-entry method that users can utilize to engage with said particular user-interface element;
  
  (C) for a particular usage session of said user, which is being reviewed for possible fraud, comparing between;
  
  (I) a number of times that said user utilized the first data-entry method to engage with said particular user-interface element during said particular usage session being reviewed, and (II) a number of times that said user utilized the second data-entry method to engage with said particular user-interface element during said particular usage session being reviewed.
- View Dependent Claims (10)
- - 10. The method of claim 9,wherein step (b2) further comprises:
    - determining also a user-to-population ratio between (A) said current number of occurrences of utilization of said particular type of data entry method during said usage session by said user, and (B) an average number of occurrences of utilization of said particular type of data entry method during previous usage sessions of a group of users; and
      
      generating output corresponding to said user-to-population ratio.

11. A method comprising:
- (a) monitoring user interactions of a user, who utilizes a computing device to interact with a computerized service during a usage session;
  
  (b) for each particular type of data entry method that the user utilizes during said usage session;
  
  (b1) determining a current number of occurrences of utilization of said particular type of data entry method during said usage session, and generating output corresponding to said current number of occurrences during said usage session;
  
  (b2) determining a ratio between (A) said current number of occurrences of utilization of said particular type of data entry method during said usage session, and (B) an average number of occurrences of utilization of said particular type of data entry method during previous usage sessions of said user; and
  
  generating output corresponding to said ratio;
  
  (b3) based on (i) said current number of occurrences, and (ii) said average number of occurrences during previous usage sessions of said user, determining whether said user is an authorized user or a cyber-attacker;
  
  wherein the determining of step (b3) is performed by;
  
  (A) defining a first data-entry method that users can utilize to engage with a particular user-interface element;
  
  (B) defining a second, different, data-entry method that users can utilize to engage with said particular user-interface element;
  
  (C) for all previous usage session of said user with said computerized service, comparing between;
  
  (I) an aggregate number of times that said user utilized the first data-entry method to engage with said particular user-interface element during all previous usage sessions, and (II) an aggregate number of times that said user utilized the second data-entry method to engage with said particular user-interface element during all previous usage sessions.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Biocatch Ltd.
Original Assignee
Biocatch Ltd.
Inventors
Turgeman, Avi
Primary Examiner(s)
Gee, Jason K

Application Number

US15/369,106
Publication Number

US 20170085587A1
Time in Patent Office

1,002 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/31   User authentication

G06F 21/316   by observing the pattern of...

G06F 21/32   using biometric data, e.g. ...

G06F 21/554   involving event detection a...

G06F 21/577   Assessing vulnerabilities a...

G06F 2221/2133   Verifying human interaction...

G06F 3/03543   Mice or pucks G06F3/03541 t...

G06F 3/03547   Touch pads, in which finger...

G06F 3/041   Digitisers, e.g. for touch ...

G06F 3/0488   using a touch-screen or dig...

G06F 3/0489   using dedicated keyboard ke...

H04L 63/08   for authentication of entit...

H04L 63/1408   by monitoring network traff...

H04L 63/1425   Traffic logging, e.g. anoma...

Device, method, and system of generating fraud-alerts for cyber-attacks

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

460 Citations

11 Claims

Specification

Solutions

Use Cases

Quick Links

Device, method, and system of generating fraud-alerts for cyber-attacks

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

460 Citations

11 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links