Method, device, and system of differentiating between a cyber-attacker and a legitimate user
First Claim
1. A process comprising:
- (a) monitoring input-unit interactions of a user, who utilizes during a usage session one or more input units of an electronic device to fill-out data in a fillable form of a computerized service;
(b1) if said input-unit interactions indicate that said user utilized keyboard shortcuts for data entry and for in-page navigation, then increasing an attack-relatedness score of said usage session;
(b2) detecting a particular typing rhythm of said user in said usage session; and
if said particular typing rhythm matches one or more typing rhythms that are pre-defined as typing rhythms of attackers, then increasing said attack-relatedness score of said usage session;
wherein steps (b1) and (b2) analyze a batch of input-unit interactions which includes interactions that were performed across multiple fillable forms that were filled by said user;
wherein steps (b1) and (b2) analyze a batch of input-unit interactions which includes interactions across multiple web-pages that belong to a single usage session of said user;
(c) if said attack-relatedness score is greater than a particular threshold value, then;
determining that said input-unit interactions are part of an attack, and initiating one or more mitigation operations.
4 Assignments
0 Petitions
Accused Products
Abstract
Devices, systems, and methods of detecting user identity, differentiating between users of a computerized service, and detecting a cyber-attacker. A user utilizes a desktop computer, a laptop computer, a smartphone, a tablet, or other electronic device, to interact with a banking website or application, a retailer website or application, or other computerized service. Input-unit interactions are monitored, logged, and analyzed. Based on several types of analysis of the input-unit interactions, a score is generated to reflect fraud-relatedness or attack-relatedness of the input-unit interactions. Based on the score, the system estimates or determines whether the user is an attacker, and initiates attach-mitigation operations or fraud-mitigation operations.
589 Citations
7 Claims
-
1. A process comprising:
-
(a) monitoring input-unit interactions of a user, who utilizes during a usage session one or more input units of an electronic device to fill-out data in a fillable form of a computerized service; (b1) if said input-unit interactions indicate that said user utilized keyboard shortcuts for data entry and for in-page navigation, then increasing an attack-relatedness score of said usage session; (b2) detecting a particular typing rhythm of said user in said usage session; and
if said particular typing rhythm matches one or more typing rhythms that are pre-defined as typing rhythms of attackers, then increasing said attack-relatedness score of said usage session;wherein steps (b1) and (b2) analyze a batch of input-unit interactions which includes interactions that were performed across multiple fillable forms that were filled by said user; wherein steps (b1) and (b2) analyze a batch of input-unit interactions which includes interactions across multiple web-pages that belong to a single usage session of said user; (c) if said attack-relatedness score is greater than a particular threshold value, then;
determining that said input-unit interactions are part of an attack, and initiating one or more mitigation operations. - View Dependent Claims (2, 3, 4, 5)
-
-
6. A non-transitory storage medium having stored thereon instructions that, when executed by one or more hardware processors, cause the one or more hardware processors to perform a method comprising:
-
(a) monitoring input-unit interactions of a user, who utilizes during a usage session one or more input units of an electronic device to fill-out data in a fillable form of a computerized service; (b1) if said input-unit interactions indicate that said user utilized keyboard shortcuts for data entry and for in-page navigation, then increasing an attack-relatedness score of said usage session; (b2) detecting a particular typing rhythm of said user in said usage session; and
if said particular typing rhythm matches one or more typing rhythms that are pre-defined as typing rhythms of attackers, then increasing said attack-relatedness score of said usage session;wherein steps (b1) and (b2) analyze a batch of input-unit interactions which includes interactions that were performed across multiple fillable forms that were filled by said user; wherein steps (b1) and (b2) analyze a batch of input-unit interactions which includes interactions across multiple web-pages that belong to a single usage session of said user; (c) if said attack-relatedness score is greater than a particular threshold value, then;
determining that said input-unit interactions are part of an attack, and initiating one or more mitigation operations.
-
-
7. A system comprising:
-
one or more hardware processors, that are configured to perform; (a) monitoring input-unit interactions of a user, who utilizes during a usage session one or more input units of an electronic device to fill-out data in a fillable form of a computerized service; (b1) if said input-unit interactions indicate that said user utilized keyboard shortcuts for data entry and for in-page navigation, then increasing an attack-relatedness score of said usage session; (b2) detecting a particular typing rhythm of said user in said usage session; and
if said particular typing rhythm matches one or more typing rhythms that are pre-defined as typing rhythms of attackers, then increasing said attack-relatedness score of said usage session;wherein steps (b1) and (b2) analyze a batch of input-unit interactions which includes interactions that were performed across multiple fillable forms that were filled by said user; wherein steps (b1) and (b2) analyze a batch of input-unit interactions which includes interactions across multiple web-pages that belong to a single usage session of said user; (c) if said attack-relatedness score is greater than a particular threshold value, then;
determining that said input-unit interactions are part of an attack, and initiating one or more mitigation operations.
-
Specification