Devices and methods for threat-based authentication for access to computing resources

US 9,787,723 B2
Filed: 07/16/2015
Issued: 10/10/2017
Est. Priority Date: 07/18/2014
Status: Active Grant

First Claim

Patent Images

1. An apparatus, comprising:

a memory storing instructions and a processor operably coupled via a computer network to both (1) a compute device including a set of resources and (2) a client device, the processor configured to execute the instructions to;

to define a resource confidence criterion for each resource from the set of resources based on (1) a threat confidence vector associated with a set of risk mitigation scores for each threat from a set of threats and (2) a set of resource vulnerability scores for each threat from the set of threats;

receive from the client device a signal indicative of an authentication request (1) for a resource from the set of resources and (2) including a credential associated with an authentication mode from a set of authentication modes;

define a resource confidence value for the resource requested by the client device based on a threat confidence vector associated with the authentication mode and the set of resource vulnerability scores;

compare the resource confidence value for the resource and the resource confidence criterion for the resource to determine whether the resource confidence criterion for the resource is satisfied; and

send a signal indicative of a positive authentication when the resource confidence criterion for the resource is satisfied such that the client device is granted access to the resource.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In some embodiments, a method includes receiving, at a host device, a signal indicative of an authentication request for a client device to access a resource from a set of resources. A resource confidence value associated with the authentication request is calculated based at least in part on (1) a threat confidence vector associated with at least one risk mitigation score for each threat from a set of threats and (2) a set of resource vulnerability scores associated with the resource and each threat from the set of threats. The resource confidence value is compared to a resource confidence criterion associated with the resource from the set of resources. A signal indicative of a positive authentication is sent from the host device to the client device when the resource confidence value satisfies the resource confidence criterion such that the client device is granted access to the resource.

7 Citations

View as Search Results

22 Claims

1. An apparatus, comprising:
- a memory storing instructions and a processor operably coupled via a computer network to both (1) a compute device including a set of resources and (2) a client device, the processor configured to execute the instructions to;
  
  to define a resource confidence criterion for each resource from the set of resources based on (1) a threat confidence vector associated with a set of risk mitigation scores for each threat from a set of threats and (2) a set of resource vulnerability scores for each threat from the set of threats;
  
  receive from the client device a signal indicative of an authentication request (1) for a resource from the set of resources and (2) including a credential associated with an authentication mode from a set of authentication modes;
  
  define a resource confidence value for the resource requested by the client device based on a threat confidence vector associated with the authentication mode and the set of resource vulnerability scores;
  
  compare the resource confidence value for the resource and the resource confidence criterion for the resource to determine whether the resource confidence criterion for the resource is satisfied; and
  
  send a signal indicative of a positive authentication when the resource confidence criterion for the resource is satisfied such that the client device is granted access to the resource.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The apparatus of claim 1, wherein the processor is further configured to execute the instructions to:
    - store data representing at least one of the set of risk mitigation scores, the set of resource vulnerability scores, the resource confidence criterion for each resource from the set of resources, or a user profile associated with a user of the client device;
      
      define the resource confidence criterion for the resource from the set of resources based at least in part on data stored and associated with the user profile; and
      
      send a signal indicative of an instruction to store data representing the resource confidence criterion for the resource from the set of resources.
  - 3. The apparatus of claim 1, wherein the client device is a resource from the set of resources.
  - 4. The apparatus of claim 1, wherein each resource from the set of resources is at least one of an electronic device, a group of electronic devices, a magnetic device, or a network device.
  - 5. The apparatus of claim 1, wherein the processor is further configured to execute the instructions to:
    - send a signal indicative of a failed authentication when the resource confidence criterion for the resource from the set of resources is not satisfied.
  - 6. The apparatus of claim 1, wherein the resource confidence value is from a plurality of resource confidence values collectively defining a resource confidence vector, the resource confidence vector being based at least in part on an authentication probability matrix, a resource probability matrix, and a threat probability vector.
  - 7. The apparatus of claim 1, wherein the resource confidence value decreases over a period of time after the positive authentication of the resource from the set of resources, the processor further configured to execute the instructions to:
    - send a signal indicative of a request for authentication verification when the resource confidence value decreases to a predetermined level; and
      
      update the resource confidence value based on authentication data received in response to the request for authentication verification.
  - 8. The apparatus of claim 1, wherein the resource confidence value for the resource represents a degree of confidence associated with an ability of the authentication mode to mitigate each threat from the set of threats from affecting the resource.
  - 9. The apparatus of claim 1, wherein the set of threats includes at least a remote threat, a local threat, and a stolen credential threat.

10. A method, comprising:
- receiving, at a host device operably coupled via a computer network to both (1) a set of resources and (2) a client device, a signal indicative of an authentication request for the client device to access a resource from the set of resources, the authentication request including a credential associated with an authentication mode from a set of authentication modes;
  
  calculating a resource confidence value associated with the authentication request based at least in part on (1) a threat confidence vector associated with at least one risk mitigation score for each threat from a set of threats and (2) a set of resource vulnerability scores associated with the resource and each threat from the set of threats, the resource confidence value representing a degree of confidence associated with an ability of the authentication mode to mitigate each threat from the set of threats from affecting the resource;
  
  defining a resource confidence criterion for the resource based at least in part on (1) at least one risk mitigation score associated with each threat from the set of threats and (2) the set of resource vulnerability scores associated with each threat from the set of threats;
  
  comparing the resource confidence value to the resource confidence criterion to determine whether the resource confidence criterion is satisfied; and
  
  sending, from the host device, a signal indicative of a positive authentication when the resource confidence value satisfies the resource confidence criterion, such that the client device is granted access to the resource.
- View Dependent Claims (11, 12, 13, 14, 15, 16)
- - 11. The method of claim 10, wherein the risk mitigation score represents a mitigation strength of the authentication mode as related to a threat.
  - 12. The method of claim 10, wherein the threat confidence vector includes a plurality of threat confidence values, each threat confidence value from the plurality of threat confidence values being uniquely associated with a threat from the set of threats.
  - 13. The method of claim 10, wherein the authentication mode is at least one of (1) an active authentication mode, in which a user performs an authentication action, or (2) a passive authentication mode, in which a user substantially does not perform an authentication action.
  - 14. The method of claim 10, further comprising:
    - sending, from the host device, a signal indicative of a failed authentication when the resource confidence value does not satisfy the resource confidence criterion.
  - 15. The method of claim 10, wherein the resource confidence value decreases over a period of time after the sending of the signal indicative of the positive authentication, the method further comprising:
    - sending, from the host device and at a predetermined time within the period of time, a signal indicative of a request for authentication verification;
      
      receiving, at the host device and in response to the request for authentication verification, a signal indicative of authentication data; and
      
      updating the resource confidence value based on the authentication data to define an updated resource confidence value.
  - 16. The method of claim 10, wherein the resource confidence value decreases over a period of time after the sending of the signal indicative of the positive authentication, the method further comprising:
    - sending, from the host device and at a predetermined time within the period of time, a signal indicative of a request for authentication verification;
      
      receiving, at the host device and in response to the request for authentication verification, a signal indicative of authentication data; and
      
      updating the resource confidence value based on the authentication data to define an updated resource confidence value different from the resource confidence value.

17. A method, comprising:
- receiving, at a host device operably coupled via a computer network to a client device, a signal indicative of an authentication request for a client device to access a resource, the signal including data associated with a first authentication mode and data associated with a second authentication mode different from the first authentication mode;
  
  calculating a threat confidence vector based on (1) a risk mitigation score associated with the first authentication mode and a set of threats, and (2) a risk mitigation score associated with the second authentication mode and the set of threats;
  
  calculating a resource confidence value for the resource based on (1) the threat confidence vector and (2) a set of resource vulnerability scores associated with the resource and each threat from the set of threats, the resource confidence value for the resource representing a degree of confidence associated with an ability of both the first authentication mode and the second authentication mode to mitigate each threat from the set of threats affecting the resource;
  
  defining a resource confidence criterion for the resource based at least in part on (1) at least one risk mitigation score associated with each threat from the set of threats and (2) the set of resource vulnerability scores associated with each threat from the set of threats;
  
  comparing the resource confidence value to the resource confidence criterion to determine whether the resource confidence criterion is satisfied; and
  
  sending, from the host device to the client device, a signal indicative of a positive authentication when the resource confidence value satisfies the resource confidence criterion such that the client device is granted access to the resource.
- View Dependent Claims (18, 19, 20, 21, 22)
- - 18. The method of claim 17, wherein the first authentication mode is an active authentication mode and the second authentication mode a passive authentication mode.
  - 19. The method of claim 17, wherein the first authentication mode uses at least one of a voice recognition, or a biometric scan.
  - 20. The method of claim 17, wherein the second authentication mode uses at least one of a geolocation identifier, an internet protocol (IP) address, a hard token, a session cookie, a software version, a proximity sensor, or a transaction.
  - 21. The method of claim 17, wherein the resource confidence value decreases over a period of time after the sending of the signal indicative of the positive authentication, the method further comprising:
    - sending, from the host device and during the period of time, a signal indicative of a request for authentication verification when the resource confidence value satisfies a criterion;
      
      receiving, at the host device, a signal indicative of authentication data; and
      
      updating the resource confidence value based on the authentication data to define an updated resource confidence value.
  - 22. The method of claim 17, wherein the first authentication mode uses at least one of a knowledge-based authentication mode, a possession-based authentication mode, a biometric-based authentication mode, and a location-based authentication mode, the second authentication mode being different from the first authentication mode and using at least one of a knowledge-based authentication mode, a possession-based authentication mode, a biometric-based authentication mode, and a location-based authentication mode.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Ping Identity Corporation
Original Assignee
Ping Identity Corporation
Inventors
Harmon, Mance, Baird, III, Leemon C., Chase, David, Waite, David
Primary Examiner(s)
Dolly, Kendall

Application Number

US14/801,203
Publication Number

US 20160021117A1
Time in Patent Office

817 Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/08   for authentication of entit...

H04L 63/105   Multiple levels of security

H04L 63/20   for managing network securi...

H04L 67/306   User profiles

Devices and methods for threat-based authentication for access to computing resources

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

7 Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Devices and methods for threat-based authentication for access to computing resources

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

7 Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links