Fraud detection network system and fraud detection method
US-2017048272-A1 · Feb 16, 2017 · US
US10049209B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-10049209-B2 |
| Application number | US-201615275504-A |
| Country | US |
| Kind code | B2 |
| Filing date | Sep 26, 2016 |
| Priority date | Nov 29, 2010 |
| Publication date | Aug 14, 2018 |
| Grant date | Aug 14, 2018 |
Official abstract text for this publication.
Devices, systems, and methods of detecting user identity, differentiating between users of a computerized service, and detecting a cyber-attacker. An end-user device (a desktop computer, a laptop computer, a smartphone, a tablet, or the like) interacts and communicates with a server of a computerized service (a banking website, an electronic commerce website, or the like). The interactions are monitored, tracked and logged. Communication interferences are intentionally introduced to the communication session; and the server tracks the response or the reaction of the end-user device to such communication interferences. The system determines whether the user is a legitimate human user; or a cyber-attacker posing as a legitimate human user but actually utilizing a Virtual Machine.
Opening claim text (preview).
What is claimed is:
1. A method comprising: determining whether a user, who utilizes a computing device to interact with a computerized service, (A) is a user interacting with a non-virtualized computing device, or (B) is a Virtual Machine (VM) running on top of a Virtual Machine Monitor (VMM); wherein the determining comprises: monitoring response of the computing device to an interference that was introduced to a communication session between the computerized service and the computing device; based on the monitored response, determining whether said user, who utilizes the computing device to interact with a computerized service, (A) is a user interacting with a non-virtualized computing device, or (B) is a Virtual Machine (VM) running on top of a Virtual Machine Monitor (VMM).
2. The method of claim 1, comprising: generating said interference by duplicating a packet in said communication session between the computerized service and the computing device; wherein the determining comprises: based on the response of the computing device to said interference of a duplicated packet, determining whether said user, who utilizes the computing device to interact with a computerized service, (A) is a user interacting with a non-virtualized computing device, or (B) is a Virtual Machine (VM) running on top of a Virtual Machine Monitor (VMM).
3. The method of claim 1, comprising: generating said interference by intentionally dropping a packet in said communication session between the computerized service and the computing device; wherein the determining comprises: based on the response of the computing device to said interference of a dropped packet, determining whether said user, who utilizes the computing device to interact with a computerized service, (A) is a user interacting with a non-virtualized computing device, or (B) is a Virtual Machine (VM) running on top of a Virtual Machine Monitor (VMM).
4. The method of claim 1, comprising: generating said interference by inserting an error code into said communication session between the computerized service and the computing device; wherein the determining comprises: based on the response of the computing device to said interference of error code insertion, determining whether said user, who utilizes the computing device to interact with a computerized service, (A) is a user interacting with a non-virtualized computing device, or (B) is a Virtual Machine (VM) running on top of a Virtual Machine Monitor (VMM).
5. The method of claim 1, comprising: generating said interference by generating network congestion in said communication session between the computerized service and the computing device; wherein the determining comprises: based on the response of the computing device to said interference of network congestion, determining whether said user, who utilizes the computing device to interact with a computerized service, (A) is a user interacting with a non-virtualized computing device, or (B) is a Virtual Machine (VM) running on top of a Virtual Machine Monitor (VMM).
6. The method of claim 1, comprising: generating said interference by slowing-down network transport in said communication session between the computerized service and the computing device; wherein the determining comprises: based on the response of the computing device to said interference of slowed-down network transport, determining whether said user, who utilizes the computing device to interact with a computerized service, (A) is a user interacting with a non-virtualized computing device, or (B) is a Virtual Machine (VM) running on top of a Virtual Machine Monitor (VMM).
7. The method of claim 1, comprising: generating said interference by generating latency in said communication session between the computerized service and the computing device; wherein the determining comprises: based on the response of the computing device to said interference of latency, determining whether said user, who utilizes the computing device to interact with a computerized service, (A) is a user interacting with a non-virtualized computing device, or (B) is a Virtual Machine (VM) running on top of a Virtual Machine Monitor (VMM).
8. The method of claim 1, comprising: generating said interference by generating a communication error that causes a Virtual Machine Monitor (VMM) to handle the communication error without passing the communication error for handling by an underlying Virtual Machine (VM); based on the handling of said communication error, determining that the computing device is a Virtual Machine (VM) running on a Virtual Machine Monitor (VMM).
9. The method of claim 1, comprising: generating a communication error that causes a packet to be handled by both (i) a virtualized network card of a Virtual Machine (VM), and (ii) a hardware network card of a computer on which said Virtual Machine (VM) is running; detecting dual-handling of said packet due to said communication error; based on said dual-handling, determining that said computing device is a Virtual Machine (VM).
10. The method of claim 1, comprising: generating a communication error that causes a packet to be handled by both (i) a virtualized driver of a Virtual Machine (VM), and (ii) a non-virtualized driver of a computer on which said Virtual Machine (VM) is running; detecting dual-handling of said packet due to said communication error; based on said dual-handling, determining that said computing device is a Virtual Machine (VM).
11. The method of claim 1, comprising: determining whether said computing device is defined by utilizing Network Address Translation (NAT) or by utilizing bridged networking; based on a determination that said computing device is defined by utilizing Network Address Translation (NAT), determining that said computing device is a Virtual Machine (VM).
12. The method of claim 1, comprising: generating a communication error that is typically handled by an end-user device at a communication layer that is higher than data link layer (L2); monitoring the handling of said communication error by said computing device; detecting that said communication error was handled at the data link layer (L2); based on said detecting, determining that said computing device is a Virtual Machine (VM).
13. The method of claim 1, comprising: measuring a time-to-live (TTL) value of packets transported from said computerized service to said computing device; based on said TTL value, determining whether said user, who utilizes the computing device to interact with a computerized service, (A) is a user interacting with a non-virtualized computing device, or (B) is a Virtual Machine (VM) running on top of a Virtual Machine Monitor (VMM).
14. The method of claim 1, comprising: measuring a Transmission Control Protocol (TCP) window size of said computing device; based on said TCP window size of said computing device, determining whether said user, who utilizes the computing device to interact with a computerized service, (A) is a user interacting with a non-virtualized computing device, or (B) is a Virtual Machine (VM) running on top of a Virtual Machine Monitor (VMM).
15. The method of claim 1, comprising: storing in a repository profiles of multiple computing stacks of Virtual Machines (VMs); during the communication session between said computerized service and said computing device, generating an ad-hoc computing stack profile of said computing device; if the ad-hoc computing stack profile of said computing device matches a previously-stored profile of computing stack of Virtual Ma
involving event detection and direct action · CPC title
by observing the pattern of computer usage, e.g. typical user behaviour · CPC title
by monitoring network traffic (monitoring network traffic per se H04L43/00) · CPC title
Digitisers, e.g. for touch screens or touch pads, characterised by the transducing means · CPC title
Monitoring or debugging support · CPC title