JP2019192197A - System and method of identifying new devices during user's interaction with banking services - Google Patents

Abstract

To provide systems and methods of identifying a new device during a user's interaction with online services, such as banking services.SOLUTION: A method comprises: collecting a fingerprint for a device associated with a user; isolating, from the fingerprint, one or more key characteristics of the device which affect device security; clustering known devices used by the user on the basis of the one or more key characteristics; computing a difference between the one or more key characteristics of the device and the one or more key characteristics of one or more devices which the user previously used to access an online service, wherein the one or more devices are from among the clustering of previously known devices; and determining that the device is a new device used by the user when the difference exceeds a threshold value.SELECTED DRAWING: Figure 3

Description

  The present disclosure relates generally to solutions that ensure secure interaction between a user and a banking service, and more specifically to a system and method for identifying a new device during an interaction between a user and a banking service.

  In recent years, the area of banking services has expanded significantly. Bank customers (also referred to as “users”) are provided with new ways to interact with the bank and new ways to pay and transfer funds. There are many banking services such as payment systems, plastic cards, and remote banking that allow users to perform various transactions using computing devices. Online banking and mobile banking allow money operations to be performed without the need for plastic cards or bank account information.

  In addition, there are various mechanisms for protecting user funds from access by third parties. When a user uses online banking, a method such as double authentication is often used. When banking sites enter authentication data (such as login names and passwords that may have become accessible to third parties) into the browser, the bank must, for example, enter in special fields Send a message containing the additional authentication code to the user's mobile phone.

  However, it should be noted that there are many attacks by criminals that use the vulnerable aspects of user-banking service interaction to access user funds. Such an attack is well known as fraud. For example, a phishing site can be used to obtain a user login name and password for accessing an online bank account and service. Criminals can use malicious software for mobile devices to access the authorization code from the bank, verify without being noticed by the user, and execute a transaction using the compromised bank account.

  Current solutions use "user device print" to protect the user from fraud. In general, users consistently use the same device to access banking services. Each device contains a specific set of software and features known to the bank. If the software group is changed on the device, or if the device itself is changed, there is a high possibility that fraud is taking place. If fraud is done on a device, the bank considers the device dangerous.

  Thus, in some solutions, systems and methods are provided for authenticating user transactions. In authentication, a “print” of a device is used, along with a vector of various combinations of parameters (device characteristics, geographical location, information about the transaction itself).

  However, the user may access the online banking service using the exact same device with different programs, different firmware, and different browsers. Known systems and methods for comparing device prints identify whether a user has previously used a device. If the device has been used before and the device is reliable, the procedure for interaction with the bank is simplified. For example, the user does not have to wait for SMS by entering a login name and password each time the bank application is used. That is, the application PIN code set for a predetermined user may be used. However, if the program and firmware groups are changed as described above, the bank security system can identify the device as a new device that the user has never used before when interacting with the banking service. There is sex. In this case, it is necessary to identify and authenticate the same device again, which is inconvenient to use. The above-described determination that a certain device is a user's new device is also known as a false alarm of the security system.

  The present disclosure effectively solves the problem of identifying a new device during user interaction with a banking service.

  Disclosed are systems and methods for identifying new devices during user interaction with online services such as banking services.

  In one exemplary aspect, a method for identifying a new device during user interaction with an online service is provided. In this aspect, the method is used by a user to collect a fingerprint of a device associated with the user, to decouple one or more key characteristics of the device that affect device security from the fingerprint. Clustering known devices based on one or more key characteristics; one or more key characteristics of the device; and one or more of the clustered known devices. Calculating a difference of one or more key characteristics of one or more devices previously used by the user to access the online service, and if the difference exceeds a threshold, Determining that the device is a new device to be used.

  In another exemplary aspect, in the method, the one or more key characteristics are: device operating system version, device firmware, application and application version installed on the device, device identifier, device serial number , Device international mobile equipment identity (IMEI), and device hardware features.

  In another exemplary aspect, the step of calculating the difference includes calculating a distance between the vectors of the one or more main characteristics and calculating a rate of change of the distance for the one or more clusters. If the rate of change is greater than the threshold value, the device is determined to be a new device.

  In another exemplary aspect, the step of calculating the rate of change determines one or more risk factors that the device has based on the calculated difference and prevents fraud on the online service. Transmitting data relating to the one or more risk factors to a server providing an online service.

  In another exemplary aspect, a system for identifying a new device during user interaction with an online service is provided. The system includes an online server providing an online service, and a collection module connected to the online server and executed by a hardware processor, and collecting a fingerprint of a device related to a user accessing the online service And an analysis module connected to the online server and the collection module and executed on a hardware processor, the analysis module comprising: 1) one or more key devices from the fingerprint that affect device security Disconnect characteristics, 2) cluster known devices used by the user based on the one or more key characteristics, 3) one or more key characteristics of the new device, and clustered known devices One of Or a difference between one or more key characteristics of one or more devices previously used by the user to access the online service, and 4) the difference threshold If the value is exceeded, it is determined that the device is a new device used by the user to access the online service.

  In another exemplary aspect, a computer-readable medium is provided that stores instructions that, when executed, perform the methods described in this disclosure.

  The above summary of exemplary aspects serves to provide a basic understanding of the present disclosure. This summary is not an extensive overview of all possible aspects, and is intended to identify key or critical elements of all aspects, but does not depart from the scope of some or all aspects of this disclosure. It is not intended to be. Its sole purpose is to present one or more aspects in a simplified form as a prelude to the more detailed description that is presented in the following disclosure. To the accomplishment of the foregoing objects, one or more aspects of the present disclosure include the features described in the claims and pointed out by way of example.

  The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate one or more exemplary aspects of the present disclosure and, together with the detailed description, serve to explain its principles and embodiments. Fulfill.

FIG. 1 is a block diagram illustrating a system for identifying a user's new device in an exemplary aspect of the present disclosure. FIG. 2A to FIG. 2C are diagrams illustrating examples in which device characteristics change over time in an exemplary aspect of the present disclosure. FIG. 2A to FIG. 2C are diagrams illustrating examples in which device characteristics change over time in an exemplary aspect of the present disclosure. FIG. 2A to FIG. 2C are diagrams illustrating examples in which device characteristics change over time in an exemplary aspect of the present disclosure. FIG. 3 is a flowchart illustrating a method for identifying a user's new device in an exemplary aspect of the disclosure. FIG. 4 is a diagram illustrating an example of a general-purpose computer system that implements aspects of the system in the exemplary aspects of this disclosure.

  Described herein are exemplary aspects of systems, methods, and computer program products for identifying new devices during user interaction with online services such as banking services. Those skilled in the art will appreciate that the following description is illustrative only and is not intended to be in any way limiting. Other aspects will be readily appreciated by those skilled in the art having the benefit of this disclosure. Reference will now be made in detail to embodiments of the exemplary aspects illustrated in the accompanying drawings. Wherever possible, the same reference numbers will be used throughout the drawings and the following description to refer to the same or like elements.

  FIG. 1 is a block diagram illustrating a system 100 for identifying a user's new device in an exemplary aspect of the disclosure. The system 100 for identifying a new device 190 provides a remote service to a user as the user interacts with the remote service from the device 190 using an account. In one aspect, the system 100 comprises a collection module 110 and an analysis module 120 and is configured to identify a new device 190 during a user-remote service interaction. In an exemplary aspect, the remote service may be a network service or an online service where a user interacts using an account. Examples of these services include online services such as banking services, email, and social networks (hereinafter referred to as banking services 199 without limitation). In some aspects of the present disclosure, the network service or online service is executed and provided on one or more remote servers (distributed systems of servers) or provided as a cloud service.

  In one aspect of the present disclosure, device 190 is a computing device such as a computer or mobile device that provides an execution environment for software. In some aspects, the device 190 may execute a browser or bank application.

In one aspect, the collection module 110 is configured to collect or collect fingerprints (hereinafter, the term “print”) of the new device 190. In general, the print includes the characteristics of device 190. In one aspect of the present disclosure, device 190 includes the following characteristics.
-Operating system (OS) identifier of device 190-Location of device 190 (geographic location)
-Firmware version installed on device 190 and regional characteristics of firmware (continent / country / city etc.)
Account identifier used on device 190 (eg, Microsoft (MICROSOFT®), Google (GOOGLE®), or Apple (APPLE®) account identifier)
Data regarding whether the device 190 is operating in a virtual machine or emulator (whether the device can be emulated) Presence of root access in the device 190 Browser type and version installed on the device 190 Plug-ins installed on the browser • Vulnerable applications installed on the device 190 and known vulnerabilities of the applications • Device model • Device identifier • Device hardware characteristics (eg processor type, memory capacity, number of disks) Rare devices such as professional sound cards)
-Serial number of device 190-Device IMEI
Other recognized device characteristics

  In one aspect, the fingerprint collection described above is performed by a script (eg, JavaScript (registered trademark)) executed by the browser of the device 190. In some aspects, the script may be stored on a bank server and executed when the device 190 accesses the banking service 199. Thus, in this aspect, the collection module 110 is stored on the bank server and executed on the user device 190.

  In yet another aspect, a fingerprint is collected from the device 190 by a security application (such as an anti-virus application). In this case, the collection module 110 is a module of a security application installed in the computer system.

  In yet another aspect, a fingerprint is collected from the device 190 by an application running on the device 190. The application may be configured to access a banking service 199 (eg, Citibank® online application). In this embodiment, the application is created using a software development kit (SDK), and is provided by a manufacturer of an anti-virus application (for example, Kaspersky (registered trademark) Mobile Security SDK). The In this aspect, the collection module 110 is the application module described above.

  In one aspect, the collection module 110 collects a fingerprint of the device 190 when the device 190 is used to interact with a user and a banking service. In another aspect, the collection module 110 collects the prints of the device 190 at certain times (eg, once a day on holidays, twice a day on business days, etc., according to a schedule). In yet another aspect, the collection module 110 collects the prints of the device 190 at regular intervals (eg, every 6 hours).

  Data regarding the device 190 collected by the collection module 110 is transmitted to the analysis module 120. In one aspect, the fingerprint for the device 190 collected by the collection module 110 is stored in the database 111 by the collection module 110.

  The analysis module 120 is executed (functions) in a remote server (or a distributed system of servers) or as a cloud service. In general, the analysis module 120 calculates a vector of main characteristics from a print of the device 190 based on data obtained from the collection module 110 or the database 111.

  In general, the analysis module 120 determines the main characteristics. The main characteristic is a characteristic that affects the security of the device 190 used by the user to interact with the banking service 199. In general, the main characteristics are determined statistically during the operation of the system. For example, the “Calculator Application Version” characteristic cannot be a key characteristic. This is because the characteristics do not affect the security of the device 190 that the user is using to interact with the banking service 199. In some aspects, the primary characteristic is a characteristic that affects the security of the device. Key characteristics may include software on the device itself, or versions of applications that do not interact frequently with the Internet or the like. In one aspect, the analysis module 120 does not consider device characteristics that do not affect device security. In this aspect, the characteristics to consider are either pre-specified by the system administrator or determined dynamically based on the device 190. Furthermore, the main characteristics are those that change during the “life cycle” of the device, ie during device use. For example, the device serial number or IMEI does not change, but the phone's official firmware and unofficial firmware show the same IMEI. However, the system 100 recognizes this device as a different device even though this device is physically the same device.

  In one aspect, the analysis module 120 generates (clusters) a cluster of devices 190 based on at least one key characteristic of the device 190 determined from the device 190 print. In one aspect, clustering is the learning process of the system. In this aspect, clustering is performed based on some of the determined key characteristics of the device 190, and these key characteristics become a vector of key characteristics of the device 190. Thus, the vector of key characteristics includes at least some of the determined key characteristics of the device. As a result, the analysis module 120 forms a cluster group composed of known devices 190 for each user. This cluster group includes not only devices for specific users but also devices for devices having main characteristics. A cluster group including known devices is formed for each different user.

  Next, the distance calculation module 122 allows the user to interact with an online service, such as the banking service 199, and a vector of key characteristics of the device 190 that the user is using to interact with the banking service 199. The distance from the vector of the main characteristic of at least one device 190 that has been used is calculated. In this aspect, devices that the user has previously interacted with form part of a cluster previously generated by the analysis module 120. If the calculated distance exceeds the threshold, the device 190 is considered a new device. In this aspect, “new” means that the user has not previously interacted with an online service such as banking service 199 with the device.

  In general, basic security policies such as two-factor authentication may be used for the new device 190. The identification of new devices 190 is an important process, but not all devices 190 can be considered new. This is because it is necessary to continue to apply the same security policy, which is very inconvenient for the user. For example, for a device previously used by the user to interact with the banking service 199, no additional password request (two-factor authentication) or data entry check (eg CAPTCHA) is performed. When a user enters an online bank for the first time from a different browser or a new mobile phone, the device is new. However, if the browser version of the device 190 has been updated, or if the user has updated the phone firmware to a new version, the device 190 is not new.

  However, in some aspects, the distance function is insufficient. This is because the distance function does not fully reflect the nature of possible variations in the vector of key characteristics of device 190. For example, a user may update his device 190 many times over a fairly long period of time. In this process, the firmware version is changed (eg, Android is updated from version 6 to version 7), as well as the application group in the firmware, the user application group, and the installed application version group. As a result, the distance between the vector of the main characteristics of the same device at the start point and end point of the period (where the firmware of the device 190 and some installed applications are updated) is greater than the threshold. This means that the current system assumes that the user has obtained a new device 190 even though it is actually the same device 190. In this way, system misinformation occurs. In order to solve the problem of reducing false alarms, the distance may be calculated according to the time taken for collecting the characteristics of each device 190.

  Accordingly, in one aspect, the analysis module 120 calculates the rate of change of the distance between the vector of characteristics of the device 190. In general, the analysis module 120 calculates the change rate of the distance based on information on the change rate of the distance in all known devices 190 of other users corresponding to the generated cluster. A cluster is created for all devices (all users' devices) and a particular user's device is compared to the cluster assigned to that device. If there is a change between the cluster of all devices and the assigned cluster, the rate of change is calculated according to how much the two types of clusters correspond to the change compared to other users. For example, if the device (not necessarily a mobile phone) deviates significantly from the cluster (eg, if the user has a WINDOWS 10 device with an older version of Internet Explorer) Is new. An analysis is performed in the authentication process of a new device, and the normal behavior of the device cluster is a browser version upgrade, not a rollback to an “old” version.

  If the distance is calculated and the rate of change of the distance is calculated to be greater than the threshold, the device 190 is considered new to the user. In one aspect, the threshold is set taking into account the time elapsed since the last print collection of the device 190.

  The change rate of the distance may be calculated, for example, by normalizing the change over time in the distance between the main characteristic vectors of the device 190. For example, an acceptable standard value of the main characteristic is calculated for the devices 190 of all users corresponding to the cluster to which the device 190 belongs. In one aspect, an acceptable standard value is calculated as an arithmetic average. In another aspect, the acceptable standard value is statistically calculated based on a normal distribution (Gaussian distribution).

  2A to 2C show an example of the rate of change with time. FIG. 2A is a graph showing a change in firmware version over time. In one example, Android 6 is first installed as an operating system on the device. At t1, the user interacts with the banking service 199. Thereafter, the user interacted with the banking service 199 at t2 and t3, but the version of the device's operating system was already updated to Android 7.0 at t2 and Android 7.1.1 at t3. Therefore, at time t4, if the device 190 has already been updated to the Android 8 version, there is a possibility that the user is updating the phone with a third party firmware (CyanogenMod (registered trademark) or the like). Thus, the device may be considered a new device 190 because the firmware and its defects and vulnerabilities are unknown. Specifically, because a manufacturer has not officially released its firmware, a given key characteristic value may not correspond to a previously generated cluster, so a device may be considered new. A portion indicated by shading represents an allowable deviation of the change rate of the distance. For example, if the user has a Samsung Galaxy S6 phone, there is no official firmware from Android 5 and Android 8. If these firmwares are detected on the device (and the device has the same IMEI and SN), the user is probably installing custom firmware. Therefore, the security of such devices has changed and the user needs to authenticate the device. The system 100 considers the device as new.

  FIG. 2B is a diagram illustrating a change in browser version with time. At t1, the user is accessing the online bank using a version 25.6 browser. Later, at t2, the user is using version 28.3, but there are other clusters of devices 190 with similar key characteristics at this time. However, if the browser version becomes 16.3 at t3, the device 190 may have been compromised or changed. Thus, the analysis module determines to substantially consider device 190 as a new device. FIG. 2C is a diagram showing a change with time of the serial number of the device 190. In general, the serial number does not change.

  In an exemplary aspect of the present disclosure, the calculated rate of change of the distance between vectors of key characteristics of all other user's known devices 190 may be stored by the analysis module 120 in the database 111.

  In one aspect of the present disclosure, the sequence of key characteristic vectors of device 190 is provided by analysis module 120 in the form of an event chain, where the nodes of the chain become the vector of key characteristics of device 190 and the chain link itself is the time. Depends directly on.

  In one aspect, the analysis module 120 determines (eg, statistically) the probability that a vector of key characteristics of the device 190 will change over time based on the cluster of devices 190 of the user or user group. Even if the probability is small, if the vector of the main characteristic changes, the analysis module 120 determines that the change event is a risk factor.

  In general, the change probability of the main characteristic according to the change rate of the distance is selected by the analysis module 120 from the database 111. Probability of change of key characteristics may be automatically added to database 111 based on statistical data (eg, by analysis module 120) or by computer security professionals.

  In one aspect, the analysis module 120 analyzes the variability of the rate of change for each segment along the entire chain. The rapid change or rapid increase in the rate of change is determined by the analysis module 120 as a risk factor.

  In yet another aspect, the analysis module 120 determines a time course pattern and tolerance deviations of the device 190 characteristics. Thus, for example, as a result of an update, certain characteristics of the device 190 will always change in the same direction (eg, the version number will usually always increase). However, if the change in key characteristics in this directional event chain is pointing in the opposite direction to that expected for one of the nodes, the analysis module 120 considers this a risk factor. judge.

  In yet another aspect, the analysis module 120 determines the reliability of changes that have occurred in the characteristics of the device 190. This may require knowledge from an external source (eg, data from Kaspersky Security Network (KSN)) regarding the nature of the expected change. For example, if it is known that a new version of device 190 has not been released over a period of time, the corresponding change will not appear in the observed event chain. Upon detecting such a change, the analysis module 120 determines that there is a risk factor for fraud.

  In general, the appearance of a risk factor proves that there is a high probability that fraudulent activity has been performed from the device 190 where the risk factor has appeared. In one aspect, if a risk factor appears, the analysis module 120 may pass data regarding the risk factor to the banking service 199 security system to determine to prevent fraud (eg, to block the transaction). Send.

  FIG. 3 is a diagram illustrating a method 300 for identifying a user's new device.

  Method 300 is an example of a portion of system 100, such as collection module 110 and analysis module 120, executed in a computer system, such as computer system 20 shown in FIG.

  In step 310, the collection module 110 may collect or collect a fingerprint of the user's device. In an exemplary aspect, the fingerprint includes at least one characteristic of the device 190 when the user interacts with the banking service 199.

  In step 320, the analysis module 120 may determine the main characteristics that affect the security of the device 190 from the collected characteristics.

  In step 330, the analysis module 120 may form a cluster group composed of the user's known devices 190. In one aspect of the present disclosure, clustering is performed based on a vector of key characteristics of device 190. The vector includes at least some of the determined key characteristics of device 190.

  In step 340, analysis module 120 provides a vector of device key characteristics and a key for at least one device 190 that previously provided banking service 199 to the user and forms part of the cluster generated in step 330. The distance from the characteristic vector may be calculated.

  In step 350, the analysis module 120 may calculate the rate of change of the distance calculated in step 340 for the formed cluster group. In one aspect, a rate of change is calculated for a cluster group based on information about the rate of change of distance in all known devices 190 of other users.

  In step 360, if the calculated distance change rate is greater than the threshold, the analysis module 120 may determine that the device 190 is the user's new device 190.

  In general, any rule may be used to compare the deviation with a threshold value. Some characteristics have been described above, but many other characteristics are possible. For example, the OS version has three values (Android 6, 7, and 7.1), while the browser version may have more values. For example, there are 300 versions of Chrome (62.0.3282 to 64.1.3132). The number of versions is determined according to the implementation content of the system 100. If the device OS deviates to Android 5.1, this is excessive. If the chrome version deviates to 61.0.1000, this is a “relative” new browser and the deviation may not exceed the threshold. However, if the chrome version becomes “25.000.0001”, the version is suspicious for the current system and the deviation exceeds the threshold.

  In one aspect, at step 370, the analysis module 120 may further determine a risk factor for the device 190 based on the calculated distance change rate and the probability of change of the primary characteristic.

  In one aspect, if a risk factor appears at step 380, the analysis module 120 data regarding the determined risk factor is sent to the security system of the banking service 199 to take action to prevent fraud.

  FIG. 4 is a diagram illustrating a general-purpose computer system. In the computer system, aspects of a system and method for identifying a new device during user interaction with an online service are implemented in accordance with exemplary aspects of the present disclosure.

  As shown, the computer system 20 (which may be a personal computer or a server) includes various system components including a central processing unit 21, a system memory 22, and a memory corresponding to the central processing unit 21. Including a system bus 23. As will be appreciated by those skilled in the art, the system bus 23 includes a bus memory or bus memory controller, a peripheral bus, and a local bus that can interact with other bus architectures. The system memory includes a permanent memory (Read-Only Memory: ROM) 24 and a random access memory (Random Access Memory: RAM) 25. A basic input / output system (BIOS) 26 stores a basic procedure for transmitting information between the components of the computer system 20 such as when an operating system is loaded using the ROM 24.

  The computer system 20 also has removable hard disks 27 for reading and writing data, magnetic disk drives 28 for reading and writing on removable magnetic disks 29, and removable CD-ROMs, DVD-ROMs, and other optical media. And an optical drive 30 for reading and writing the optical disc 31. The hard disk 27, magnetic disk drive 28, and optical drive 30 are connected to the system bus 23 via a hard disk interface 32, a magnetic disk interface 33, and an optical drive interface 34, respectively. The drive and the corresponding computer information media are stand-alone power modules for storing computer instructions, data structures, program modules, and other data of the computer system 20.

  The computer system 20 includes a hard disk 27, a removable magnetic disk 29, and a removable optical disk 31, which are connected to the system bus 23 via a controller 55. Those skilled in the art will recognize that any type of medium 56 (Solid State Drive (SSD), flash memory card, digital disk, random access memory (RAM)) capable of storing data in a computer readable format. You will understand that you can use

  The computer system 20 also includes a file system 36 in which an operating system 35 can be stored, as well as additional program applications 37, other program modules 38 and program data 39. A user of computer system 20 may enter commands and information using keyboard 40, mouse 42, or any other input device known to those skilled in the art. Examples of input devices include, but are not limited to, a microphone, joystick, game controller, scanner, and the like. Such input devices are typically connected to the computer system 20 via a serial port 46, which is connected to the system bus. Here, those skilled in the art will appreciate that, although not limited, it can be connected in other ways via a parallel port, a game port, or a universal serial bus (USB). A monitor 47 or other type of display device may also be connected to the system bus 23 via an interface, such as a video adapter 48. In addition to the monitor 47, the personal computer may include other peripheral output devices (not shown) such as a loudspeaker and a printer.

  The computer system 20 may be operated in a network environment using a network connection with one or more remote computers 49. The single (or multiple) remote computers 49 may be local computer workstations or servers that include most or all of the components described above as the nature of the computer system 20. Other devices such as, but not limited to, routers, network stations, peer devices, or other network nodes may also be present in the computer network.

  The network connection can form a local area computer network (LAN) 50 and a wide area computer network (WAN). These networks are utilized in corporate computer networks and corporate networks and generally have access to the Internet. In the LAN or WAN, the personal computer 20 is connected to the local area network 50 via a network adapter or network interface 51. When a network is utilized, the computer system 20 uses a modem 54 or other module known to those skilled in the art to implement communication with a wide area computer network such as the Internet. A modem 54 that is an internal or external device may be connected to the system bus 23 via the serial port 46. One skilled in the art will appreciate that a network connection is a non-limiting example of many well-known methods of connecting one computer to another using a communication module.

  In various aspects, the systems and methods described herein may be implemented in hardware, software, firmware, or any combination thereof. When implemented in software, the method may be stored on a non-transitory computer readable medium as one or more instructions or code. The computer readable medium includes data storage. By way of example only and not limitation, such computer readable media may be RAM, ROM, EEPROM, CD-ROM, flash memory, or other electrical, magnetic, optical storage media, or other media. There may be. Other media can be used to transmit or store the desired program code in the form of instructions or data structures and can be accessed by a processor in a general purpose computer.

  In various aspects, the systems and methods described by this disclosure can be processed by modules. As used herein, the term “module” refers to, for example, hardware such as an application specific integrated circuit (ASIC) or a field-programmable gate array (FPGA), or a module. Refers to a real device, component, or set of components that are executed by a combination of hardware and software such as a microprocessor system and a set of instructions to implement the functions of Convert the microprocessor system into a dedicated device. A module may be implemented as two combinations of certain functions facilitated by a single piece of hardware and other functions facilitated by a combination of hardware and software. In certain implementations, at least some, and in some cases, all of the modules can be executed on a general purpose computer processor (such as those described in more detail in FIG. 4 above). Thus, each module can be implemented in a variety of suitable configurations and is not limited to the specific implementations illustrated herein.

  For the sake of clarity, not all of the usual features of the embodiments are disclosed herein. In developing any actual implementation of this disclosure, many implementation-specific decisions must be made to achieve the developer's specific goals, which are specific to the implementation and the developer. It should be understood that it is different. While such development efforts are complex and time consuming, it will be understood that those skilled in the art who are able to enjoy the benefits of this disclosure are routine tasks of the engineer's job.

  Moreover, the terminology or terminology used herein is for the purpose of description and not limitation. It is to be understood that the terminology or expression herein should be construed by those skilled in the art in light of the teachings and guidance presented herein in combination with the knowledge of persons skilled in the relevant art. Moreover, unless expressly stated otherwise, any term in the specification or claims is not intended to have an uncommon or special meaning.

  Various aspects disclosed herein include present and future known equivalents of known modules referred to herein by way of example. Further, while embodiments and application examples have been shown and described, it will be appreciated by those skilled in the art having the benefit of this disclosure that many more modifications may be made without departing from the inventive concepts disclosed herein. It will be clear.

Claims (22)

A method for identifying a new device during user interaction with an online service, comprising:
Collecting device fingerprints associated with the user;
Separating one or more key characteristics of the device that affect device security from the fingerprint;
Clustering known devices used by the user based on the one or more key characteristics;
The one or more key characteristics of the device and one or more of the clustered known devices, the one previously used by the user to access an online service; Or calculating a difference of one or more key characteristics of a plurality of devices;
Determining that the device is a new device for use by the user if the difference exceeds a threshold;
Including a method.   The one or more key characteristics include: the operating system version of the device, the firmware of the device, the application installed on the device and the version of the application, a device identifier, a device serial number, a device international mobile device identification number The method of claim 1, comprising one or more of (International Mobile Equipment Identity: IMEI) and device hardware features.   The method of claim 1, wherein the online service is a banking service. The step of calculating the difference includes
Calculating a distance between the vectors of the one or more main characteristics;
Calculating the rate of change of the distance for one or more clusters generated by the clustering of known devices;
Including
If the rate of change is greater than a threshold, determine that the device is a new device;
The method of claim 1.   The method of claim 4, wherein the threshold is set taking into account the time that has elapsed since the fingerprint was last collected.   The method according to claim 4, wherein the rate of change is calculated based on the rate of change of the distance for all of a plurality of devices corresponding to the clustering used by other users.   The method according to claim 6, wherein the rate of change of the distance is calculated by normalizing a change in the distance of the vector over time. Calculating the rate of change is
Determining one or more risk factors of the device based on the calculated difference;
Sending data relating to the one or more risk factors to a server providing the online service in order to prevent fraud on the online service;
The method of claim 4, further comprising: The fingerprint is
The operating system identifier of the device, the device firmware, the user account identifier, the device emulation data, the device access information, the browser version information installed on the device, and the plug-in installed on the browser And one or more of vulnerable applications installed on the new device.   The method of claim 1, further comprising collecting the fingerprint according to a schedule or after a period of time. A system for identifying new devices during user interaction with an online service,
An online server providing online services;
A collection module connected to the online server and executed on a hardware processor for collecting a fingerprint of a device associated with the user accessing the online service;
An analysis module connected to the online server and the collection module and executed by the hardware processor,
Separating from the fingerprint one or more key characteristics of the device that affect device security;
Cluster known devices used by the user based on the one or more key characteristics;
The one or more key characteristics of the new device and one or more of the clustered known devices that the user previously used to access the online service Calculate the difference of one or more devices from one or more key characteristics;
An analysis module that determines that the device is a new device used by the user to access the online service if the difference exceeds a threshold;
Including system. The analysis module includes:
Calculating a distance between the vectors of the one or more main characteristics;
Calculating the difference by calculating the rate of change of the distance for the one or more clusters generated by the clustering of known devices;
The system of claim 11, wherein if the rate of change is greater than a threshold, the device is determined to be a new device.   The system of claim 12, wherein the threshold is set taking into account the time that has elapsed since the fingerprint was last collected.   The system of claim 12, wherein the analysis module calculates a rate of change based on the rate of change of the distance for all of a plurality of devices corresponding to the clustering used by other users.   The system according to claim 14, wherein the rate of change of the distance is calculated by normalizing a change with time of the distance of the vector.   The one or more key characteristics are: operating system version of the device, firmware of the device, application installed on the device and version of the application, device identifier, device serial number, device IMEI, and device hardware The system of claim 11, comprising one or more of the features. The fingerprint is
The operating system identifier of the device, the device firmware, the user account identifier, the device emulation data, the device access information, the browser version information installed on the device, and the plug-in installed on the browser And one or more of the vulnerable applications installed on the new device,
The system of claim 11. A method for identifying a new device during user interaction with an online service when executed by a hardware processor, comprising:
Collecting device fingerprints associated with the user;
Separating one or more key characteristics of the device that affect device security from the fingerprint;
Clustering known devices used by the user based on the one or more key characteristics;
The one or more key characteristics of the new device and one or more of the clustered known devices, the one previously used by the user to access online services Or calculating a difference of one or more key characteristics of a plurality of devices;
Determining that the device is a new device for use by the user if the difference exceeds a threshold;
A non-transitory computer readable medium storing instructions for performing a method comprising: The step of calculating the difference includes
Calculating a distance between the vectors of the one or more main characteristics;
Calculating a rate of change of the distance for the one or more clusters generated by the clustering of known devices;
Including
The medium of claim 18, wherein if the rate of change is greater than a threshold, the device is determined to be a new device.   The medium according to claim 19, wherein the threshold is set in consideration of a time elapsed since the fingerprint was collected last time.   20. The medium of claim 19, wherein the rate of change is calculated based on the rate of change of the distance for all of the plurality of devices corresponding to the clustering used by other users.   The medium according to claim 21, wherein the change rate of the distance is calculated by normalizing a change with time of the distance of the vector.

Images