Classifications

• • G—PHYSICS
  • G06—COMPUTING OR CALCULATING; COUNTING
  • G06F—ELECTRIC DIGITAL DATA PROCESSING
  • G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
  • G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
  • G06F21/31—User authentication
  • G06F21/316—User authentication by observing the pattern of computer usage, e.g. typical user behaviour
• • G—PHYSICS
  • G06—COMPUTING OR CALCULATING; COUNTING
  • G06F—ELECTRIC DIGITAL DATA PROCESSING
  • G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
  • G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
  • G06F21/31—User authentication
  • G06F21/33—User authentication using certificates
• • G—PHYSICS
  • G06—COMPUTING OR CALCULATING; COUNTING
  • G06F—ELECTRIC DIGITAL DATA PROCESSING
  • G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
  • G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
  • G06F21/31—User authentication
  • G06F21/34—User authentication involving the use of external additional devices, e.g. dongles or smart cards
• • G—PHYSICS
  • G06—COMPUTING OR CALCULATING; COUNTING
  • G06F—ELECTRIC DIGITAL DATA PROCESSING
  • G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
  • G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
  • G06F21/55—Detecting local intrusion or implementing counter-measures
  • G06F21/552—Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting
• • H—ELECTRICITY
  • H04—ELECTRIC COMMUNICATION TECHNIQUE
  • H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
  • H04L63/00—Network architectures or network communication protocols for network security
  • H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
• • H—ELECTRICITY
  • H04—ELECTRIC COMMUNICATION TECHNIQUE
  • H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
  • H04L63/00—Network architectures or network communication protocols for network security
  • H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
  • H04L63/0823—Network architectures or network communication protocols for network security for authentication of entities using certificates
• • H—ELECTRICITY
  • H04—ELECTRIC COMMUNICATION TECHNIQUE
  • H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
  • H04L63/00—Network architectures or network communication protocols for network security
  • H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
• • H—ELECTRICITY
  • H04—ELECTRIC COMMUNICATION TECHNIQUE
  • H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
  • H04L63/00—Network architectures or network communication protocols for network security
  • H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
  • H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
  • H04L63/1416—Event detection, e.g. attack signature detection
• • H—ELECTRICITY
  • H04—ELECTRIC COMMUNICATION TECHNIQUE
  • H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
  • H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
  • H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
  • H04L9/3271—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using challenge-response
• • G—PHYSICS
  • G06—COMPUTING OR CALCULATING; COUNTING
  • G06F—ELECTRIC DIGITAL DATA PROCESSING
  • G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
  • G06F2221/21—Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
  • G06F2221/2103—Challenge-response
• • H—ELECTRICITY
  • H04—ELECTRIC COMMUNICATION TECHNIQUE
  • H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
  • H04L2209/00—Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
  • H04L2209/56—Financial cryptography, e.g. electronic payment or e-cash

Definitions

• FIG. 2 is a flow chart that depicts a process for providing authentication and fraud detection services in accordance with an embodiment of the present invention.
• FIG. 3 is a flow chart that depicts a two-phase fraud detection process in accordance with an embodiment of the present invention.
• FIG. 4 is a graph upon which a clustering algorithm may be applied in accordance with an embodiment of the present invention.
• FIG. 5 is a block diagram that depicts a bulk provisioning process in accordance with an embodiment of the present invention.
• FIG. 6 is a block diagram that depicts a computing device in accordance with an embodiment of the present invention. Detailed Description
• the present invention addresses the deficiencies of current solutions by providing to a network of enterprises both authentication and fraud detection services that are hosted by a third party service provider. These services minimize costs and maximize security by sharing intelligence and resources among the network of enterprises that utilize the hosted services.
• the service provider is able to share authentication credentials among the participating enterprises utilizing the hosted authentication services, and Is able to share fraud intelligence (e.g., fraud data and signatures) among the participating enterprises utilizing the hosted fraud detection services.
• fraud intelligence e.g., fraud data and signatures
• Information stored in a database (115) used by the authentication service (110) may be used by the fraud detection service (120).
• information stored in a database (125) used by the fraud detection service (120) may be used by the authentication service (110).
• the relying parties (160, 162, 164) that utilize the hosted authentication service (110) are considered part of a shared authentication network (140), and the relying parties (162, 164, 166) that utilize the hosted fraud detection service (120) are considered part of a fraud intelligence network (150).
• each party in the shared authentication network (140) accepts the same authentication credentials as other participating members of the network.
• This enables end users to utilize a single authentication credential, no matter the form (e.g., OATH- compliant), across any sites of the participating network members. This helps solve the "necklace" problem that occurs when an end user needs a separate credential to transact with different relying parties.
• a credential refers to any electronic device or document used for authentication purposes.
• the value provided by a credential for validation is referred to as a credential response (e.g., an OTP ("One-Time Password") value, a digital signature, or a response to a challenge-response query).
• a credential response e.g., an OTP ("One-Time Password") value, a digital signature, or a response to a challenge-response query.
• OTP token (sometimes just called a token) is a hardware device credential that generates a unique code on demand that is usually used, for example, as a second factor for authentication.
• Second factor authentication refers to authenticating something that the user has or something the user is (the second factor) rather than or in addition to something the user knows (the first factor).
• first and second factor authentication if an attacker steals only a first factor, the attacker would not be able to forge the second factor and would be unable to authenticate. If an attacker steals the second factor, the attacker would not know the first factor and would be unable to authenticate.
• an authentication service may require more than two factors. For example, a system might require a pass phrase, digital certificate, and thumbprint sensor, combining something the user knows, something the user has, and something the user is.
• the fraud detection service (120) is therefore able to better combat criminals on the internet who use many different mechanisms to capture personal information, such as phishing web sites, key loggers, false store fronts, and database theft. Often, criminals try to use the same information on multiple web sites, testing login information by trial and error, establishing multiple fraudulent accounts, or other malicious activities.
• the user (170) may provide the credential response to the relying party (164), who then checks the information with the authentication service (110) via a backend integration.
• the relying party (164) may redirect the user (170) to the
• the relying party (164) then monitors (step 230) transactions associated with the user (170), which may include a login, purchase, click-thru, or any other activity by the user (170) on the relying party's (164) site, and provides information associated with the transactions to the fraud detection service (120) to be evaluated (240) for suspicious activity.
• the fraud detection service (120) evaluates the transaction information for suspicious activity based at least in part on other transaction information provided to the fraud detection service (120) by the fraud intelligence network (150) sites.
• FIG. 3 is a flow chart that depicts a two-phase fraud detection process in accordance with an embodiment of the present invention.
• a user (170) provides (step 300) login credentials to a relying party (164) for validation (step 310). If the credentials are bad, the login is refused (step 320), and if the credentials are good, then the relying party (164) forwards (step 330) information associated with the user's login to a fraud detection service (120).
• the fraud detection service (120) checks (step 340) for suspicious activity, and if no suspicious activity is found, the transaction passes (step 350), the relying party (164) is informed of the decision, and the user (170) is allowed (step 360) to log in.
• the fraud detection service (120) proceeds (step 370) to use more sophisticated, complex, and invasive techniques to validate that the credential is legitimate. After this secondary check, the fraud detection service (120) decides if the transaction is fraudulent or legitimate.
• the primary fraud checks may be based on properties of the transaction, properties of the user account, and transaction history. No human intervention is required; these checks may be completely automated. More importantly, no extra steps are added to the process.
• the secondary fraud checks add additional steps to the process.
• the fraud detection service (120) may require a telephone, email, or SMS confirmation of the user's identity. Alternately, the system may ask additional challenge/response questions of the user (170). The purpose of these checks is to provide additional information to validate the user's identity. If the secondary checks succeed, the fraud check succeeds (step 350), and the user is allowed to log in (step 360).
• the scoring engine is designed to distinguish between good and bad authentication attempts. There are two types of login transactions: legitimate authentication attempts and fraudulent authentication attempts. In order to distinguish between the two, the engine attempts to learn whether a login does not fit a pattern of other legitimate attempts, and whether a login fits the pattern of other fraudulent attempts.
• the fraud detection service (120) also needs to capture deep enough information. This means producing a historical record of transactions, going back at least 90 days and preferably for a year, for example. Over time, summary information could be built (such as the average number of logins per month) that could be used to look for suspicious activity.
• the fraud detection service (120) analyze s a transaction b y a policy engine and, depending on the policy, is passed through an anomaly engine which answer with a status (anomaly or not) and a confidence factor (how much the engine is confident in its decision) that is processed back by the policy engine.
• the following provides an embodiment of the data flow process: • Data arrives into the system through a data adapter
• the policy engine receives back a result which is structured as a status (is anomaly?) and confidence factor
• the fraud detection service (120) may use its determinations for further increasing accuracy. For example, if a transaction is tagged as anomalous, even with a high anomaly score and confidence factor, the system can increase its accuracy by comparing the transaction against a cluster of known fraudulent transactions or known "not" fraudulent transactions.
• the fraud detection service (120) may utilize clustering algorithms in its anomaly engine to decide which of the user's actions correspond to natural behavior and which are exceptional, without any assistance.
• the clustering algorithm may be based on the ROCK hierarchical clustering algorithm (RObust Clustering using HnKs), which is an agglomerative hierarchical clustering algorithm based on the notion of neighbors and links as follows.
• ROCK hierarchical clustering algorithm RObust Clustering using HnKs
• Two data elements are considered as neighbors if our similarity upon a domain expert or similarity matrix exceeds a certain threshold. At first, all n data elements are mapped to n clusters respectively. Then, with each iteration, the engine merges between the two closest clusters such that both clusters fulfill the maximum value of Link(GC0, for any pair of clusters C 1 and C 1 .
• the metric represents the number of common neighbors between every element in the first cluster to every element in the second one.
• This measure is normalized by the number of potential neighbors in both clusters, so that a large cluster will not swallow every other cluster and end up with all the elements. Grouping the data elements using links injects global knowledge into the clustering process, forming an optimal division between the elements. Thus, the formed clusters aren't too large or too small, and the clusters contain elements that are relatively similar one to another.
• the engine utilizes enhancements to the ROCK algorithm that adapt it to the overall anomaly detection process. Namely, the enhancements significantly improve the clustering phase's execution time and transform the ROCK's ability of finding clusters to the ability of finding anomalies. Additional to these enhancements, the engine utilizes enhancements on the algorithmic level as follows.
• the ROCK also expects an argument that determines the number of clusters to generate.
• the enhanced algorithm produces the real amount of clusters, representing each of the user's behavioral patterns, as they actually appear within the data.
• the algorithm introduces the notion of clustering execution levels, which allow for different clustering configurations to be defined for various situations. If, for example, the anomaly detection process is started with a relatively sparse data set, then engine may want to activate the clustering phase with reduced similarity thresholds, since the number of common neighbors between pairs of data elements is bound to be small.
• the number of common neighbors is 2.
• the link matrix for this example is shown IN TABLE 3: TABLE 3
• k be the parameter that is used to specify to the system the number of clusters to reach "possibly” - remember that k is not an absolute limit, and the system can try to merge more clusters but it will not "insist” on merging once k is reached.
• a credential issuer such as the service provider (100) may provide bulk back-end generation of seeds and their secure transport (530) to a token manufacturer (510) upon request (520). Utilizing a bulk provisioning protocol enables the sending of pre-provisioned tokens — devices that are ready to be activated and used - to users.
• the bulk provisioning protocol may be described as follows:
• TMU generates a key pair and token ID for each token • the TMU generates a random key pair, which includes a public key, for each token ID
• TMU can enroll for a certificate for each token, with the required token IDs as parameters
• an administrative shared secret may be requested for each token ID as well
• TMU may use the Registration Authority key to negotiate the establishment of an authenticated SSL channel. This channel persists until the enrollment process for each token is completed.
• the bulk provisioning protocol flow may be described in an embodiment of the invention as follows:
• TMU connects to the issuer's provisioning service and enrolls an for OTP certificate and optionally an administrative certificate for each token ID presented
• the issuer (500) stores a copy of the shared secrets at its site; OTP shared secrets are used to calculate the OTP values that are used to authenticate users; an administrative shared secret is used when resetting a lost password
• Network links may include telephone lines, DSL, cable networks, Tl or T3 lines, wireless network connections, or any other arrangement that implements the transmission and reception of network signals.

Landscapes

• Engineering & Computer Science (AREA)
• Computer Security & Cryptography (AREA)
• Computer Hardware Design (AREA)
• General Engineering & Computer Science (AREA)
• Theoretical Computer Science (AREA)
• Software Systems (AREA)
• Signal Processing (AREA)
• Computer Networks & Wireless Communication (AREA)
• Computing Systems (AREA)
• General Physics & Mathematics (AREA)
• Physics & Mathematics (AREA)
• Health & Medical Sciences (AREA)
• General Health & Medical Sciences (AREA)
• Social Psychology (AREA)
• Storage Device Security (AREA)
• Management, Administration, Business Operations System, And Electronic Commerce (AREA)
• Financial Or Insurance-Related Operations Such As Payment And Settlement (AREA)

Priority Applications (4)

Applications Claiming Priority (2)

Publications (2)

Family

ID=38372092

Family Applications (1)

Country Status (6)

Cited By (7)

Families Citing this family (65)

Citations (3)

Family Cites Families (8)

• 2007
  • 2007-02-12 AU AU2007215180A patent/AU2007215180B2/en not_active Ceased
  • 2007-02-12 JP JP2008554432A patent/JP5231254B2/ja active Active
  • 2007-02-12 WO PCT/US2007/003822 patent/WO2007095242A2/en not_active Ceased
  • 2007-02-12 US US11/705,064 patent/US7861286B2/en active Active
  • 2007-02-12 EP EP07750645A patent/EP1987447A4/en not_active Withdrawn
  • 2007-02-12 CA CA2641995A patent/CA2641995C/en not_active Expired - Fee Related

Patent Citations (3)

Non-Patent Citations (1)

Also Published As

Similar Documents

Legal Events