Techniques for optimizing authentication challenges for detection of malicious attacks
US-2016119304-A1 · Apr 28, 2016 · US
US9906544B1 · US · B1
| Field | Value |
|---|---|
| Publication number | US-9906544-B1 |
| Application number | US-201514957485-A |
| Country | US |
| Kind code | B1 |
| Filing date | Dec 2, 2015 |
| Priority date | Dec 2, 2014 |
| Publication date | Feb 27, 2018 |
| Grant date | Feb 27, 2018 |
Official abstract text for this publication.
Methods and systems for malicious non-human user detection on computing devices are described. The method includes collecting, by a processing device, raw data corresponding to a user action, converting, by the processing device, the raw data to features, wherein the features represent characteristics of a human user or a malicious code acting as if it were the human user, and comparing, by the processing device, at least one of the features against a corresponding portion of a characteristic model to differentiate the human user from the malicious code acting as if it were the human user.
Opening claim text (preview).
What is claimed is:
1. A method of improving a processing device having a client component and a server component, comprising: collecting, by the client component of the processing device, raw data corresponding to a user action; converting, at least in part by the client component of the processing device, the raw data to features, wherein the features represent characteristics of a human user or a malicious code acting as if it were the human user; comparing, by the client component of the processing device, at least one of the features against a corresponding portion of a characteristic model to determine, in a replay check, whether the at least one feature is indicative of a replay by the malicious code; and upon a determination that the at least one feature is not indicative of a replay by the malicious code, further processing the features by the server component of the processing device against another portion of the characteristic model in a behavior check to determine whether the features represent a behavior of the human user; wherein performing the replay check at the client component while performing the behavior check at the server component provides for an improved operation of the processing device.
2. The method of claim 1, further comprising processing the raw data to reduce an effect of noise, perturbation, or randomization.
3. The method of claim 1, wherein the replay check comprises performing at least one of an exact match or a nearest neighbor match.
4. The method of claim 1, further comprising hashing the raw data to perform the replay check.
5. The method of claim 1, wherein collecting the raw data corresponding to the user action further comprises receiving the raw data from an input device comprising at least one of: a mouse, a keyboard, an accelerometer, a gyroscope, and a sensor.
6. The method of claim 1, further comprising rejecting the user action in response to a detection that the user action is from the malicious code acting as if it were the human user.
7. A non-transitory computer readable storage medium comprising instructions that, when executed by a processing device having a client component and a server component, cause the processing device to perform operations, comprising: collecting, by the client component of the processing device, raw data corresponding to a user action; converting, at least in part by the client component of the processing device, the raw data to features, wherein the features represent characteristics of a human user or a malicious code acting as if it were the human user; comparing, by the client component of the processing device, at least one of the features against a corresponding portion of a characteristic model to determine, in a replay check, whether the at least one feature is indicative of a replay by the malicious code; and upon a determination that the at least one feature is not indicative of a replay by the malicious code, further processing the features by the server component of the processing device against another portion of the characteristic model in a behavior check to determine whether the features represent a behavior of the human user; wherein performing the replay check at the client component while performing the behavior check at the server component provides for an improved operation of the processing device.
8. The non-transitory computer readable storage medium comprising instructions of claim 7, wherein the operations further comprise processing the raw data to reduce an effect of noise, perturbation, or randomization.
9. The non-transitory computer readable storage medium comprising instructions of claim 7, wherein the replay check comprises performing at least one of an exact match check or a nearest neighbor match.
10. The non-transitory computer readable storage medium comprising instructions of claim 7, wherein the operations further comprise hashing the raw data to perform the replay check.
11. The non-transitory computer readable storage medium comprising instructions of claim 7, wherein collecting the raw data corresponding to the user action further comprises receiving the raw data from an input device comprising at least one of: a mouse, a keyboard, an accelerometer, a gyroscope, and a sensor.
12. The non-transitory computer readable storage medium comprising instructions of claim 7, wherein the operations further comprise rejecting the user action in response to a detection that the user action is from the malicious code acting as if it were the human user, wherein rejecting the user action further comprises at least one of denying access, performing an additional check, logging the event, or generating an alert.
13. A computing system, comprising: a data storage device; and a processing device having a client component and a server component, coupled to the data storage device, to: collect, by the client component of the processing device, raw data corresponding to a user action; convert, at least in part by the client component of the processing device, the raw data to features, wherein the features represent characteristics of a human user or a malicious code acting as if it were the human user; compare, by the client component of the processing device, at least one of the features against a corresponding portion of a characteristic model to determine, in a replay check, whether the at least one feature is indicative of a replay by the malicious code; and upon a determination that the at least one feature is not indicative of a replay by the malicious code, further process the features by the server component of the processing device against another portion of the characteristic model in a behavior check to determine whether the features represent a behavior of the human user; wherein performing the replay check at the client component while performing the behavior check at the server component provides for an improved operation of the processing device.
14. The system of claim 13, wherein the processing device is further to process the raw data to reduce an effect of noise, perturbation, or randomization of the at least one of the features against the corresponding portion of the characteristic model.
15. The system of claim 13, wherein the replay check comprises performing at least one of an exact match check or a nearest neighbor match.
16. The system of claim 13, wherein the processing device is further to receive the raw data from an input device comprising at least one of: a mouse, a keyboard, an accelerometer, a gyroscope, and a sensor.
17. The system of claim 13, wherein the processing device is further operative to reject the user action in response to a detection that the user action is from the malicious code acting as if it were the human user.
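The replay check named in the claims (noise reduction, hashing for an exact match, a nearest neighbor match on features) can be sketched as follows; this is an added example, not code from the patent or its applicant. The grid sizes, the 5% threshold, the three features and all sample traces are assumptions made for illustration.

```python
import hashlib
import math

GRID_PX, GRID_MS = 4, 20   # assumed quantization steps (pixels, milliseconds)
NEAR_LIMIT = 0.05          # assumed: features within 5% count as a near-replay

def quantize(trace):
    """Noise reduction: make samples relative to the first one, snap to a grid."""
    x0, y0, t0 = trace[0]
    return [((x - x0) // GRID_PX, (y - y0) // GRID_PX, (t - t0) // GRID_MS)
            for x, y, t in trace]

def fingerprint(trace):
    """Hash of the quantized raw data, used for the exact-match check."""
    return hashlib.sha256(repr(quantize(trace)).encode()).hexdigest()

def features(trace):
    """Raw data -> features: path length, duration, longest single step."""
    steps = [math.dist(a[:2], b[:2]) for a, b in zip(trace, trace[1:])]
    return (sum(steps), trace[-1][2] - trace[0][2], max(steps))

def deviation(f, g):
    """Largest relative difference between two feature vectors."""
    return max(abs(a - b) / max(abs(a), abs(b), 1e-9) for a, b in zip(f, g))

class ReplayCheck:
    """Remembers earlier actions; classifies each new one as exact/near/new."""
    def __init__(self):
        self.hashes, self.vectors = set(), []

    def check(self, trace):
        h, f = fingerprint(trace), features(trace)
        if h in self.hashes:
            return "exact"
        if any(deviation(f, g) <= NEAR_LIMIT for g in self.vectors):
            return "near"
        self.hashes.add(h)
        self.vectors.append(f)
        return "new"   # not a replay: pass the features on to the behavior check

# Constructed (x, y, t_ms) mouse samples, not captured from any real system.
HUMAN = [(100, 200, 0), (104, 203, 16), (111, 209, 33),
         (121, 214, 49), (134, 218, 66), (150, 220, 83)]
SHIFTED = [(x + 50, y + 30, t + 1000) for x, y, t in HUMAN]   # verbatim replay, moved
JITTERED = [(100, 200, 0), (103, 203, 17), (111, 210, 33),
            (122, 214, 50), (134, 217, 66), (150, 220, 84)]   # replay with small noise
OTHER = [(300, 400, 0), (298, 409, 22), (293, 421, 41),
         (285, 436, 65), (280, 455, 90), (278, 470, 118)]     # unrelated gesture

def demo():
    store = ReplayCheck()
    return [store.check(t) for t in (HUMAN, SHIFTED, JITTERED, OTHER)]
```

The jittered trace changes one grid bucket, so its hash differs and only the nearest neighbor comparison catches it. NEAR_LIMIT trades missed jittered replays against flagging two genuinely similar human gestures and needs tuning on recorded traffic.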
Traffic logging, e.g. anomaly detection · CPC title
Event detection, e.g. attack signature detection · CPC title
Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities · CPC title
involving event detection and direct action · CPC title
involving long-term monitoring or reporting · CPC title