(12) United States Patent
Jakobsson et al.

(10) Patent No.: US 8,312,157 B2
(45) Date of Patent: Nov. 13, 2012

(54) IMPLICIT AUTHENTICATION

(75) Inventors: Bjorn Markus Jakobsson, Mountain View, CA (US); Mark J. Grandcolas, Burlingame, CA (US); Philippe J. P. Golle, San Francisco, CA (US); Richard Chow, Sunnyvale, CA (US); Runting Shi, Sunnyvale, CA (US)

(73) Assignee: Palo Alto Research Center Incorporated, Palo Alto, CA (US)

(*) Notice: Subject to any disclaimer, the term of this patent is extended or adjusted under 35 U.S.C. 154(b) by 645 days.

(21) Appl. No.: 12/504,159

(22) Filed: Jul. 16, 2009

(65) Prior Publication Data
US 2011/0016534 A1, Jan. 20, 2011

(51) Int. Cl.
G06F 15/16 (2006.01)

(52) U.S. Cl.: 709/229; 709/217; 726/2; 726/3, 726/7; 726/30; 705/51

(58) Field of Classification Search: 705/64-67, 726/7, 26, 27
See application file for complete search history.

Primary Examiner — Mamon Obeid
(74) Attorney, Agent, or Firm — Shun Yao; Park, Vaughan, Fleming & Dowler LLP

(57) ABSTRACT
Embodiments of the present disclosure provide a method and system for implicitly authenticating a user to access controlled resources. The system receives a request to access the controlled resources. The system then determines a user behavior score based on a user behavior model, and recent contextual data about the user. The user behavior score facilitates identifying a level of consistency between one or more recent user events and a past user behavior pattern. The recent contextual data, which comprise a plurality of data streams, are collected from one or more user devices without prompting the user to perform an action explicitly associated with authentication. The plurality of data streams provide basis for determining the user behavior score, but a data stream alone provides insufficient basis for the determination of the user behavior score. The system also provides the user behavior score to an access controller of the controlled resource.

23 Claims, 11 Drawing Sheets

[Cover figure: CONTROLLED RESOURCES (FILE SERVER, APPLICATION SERVER, DATABASE SERVER); IMPLICIT AUTHENTICATION 150; DEVICES.]

UBER IA1006
Page 1 of 22

[Drawing sheets 1 to 11 of US 8,312,157 B2. Only the labels listed below are recoverable from the figures.]

[Sheet 1 of 11, FIG. 1A: axis label SECURITY 180.]

[Sheet 2 of 11, FIG. 1B: CONTROLLED RESOURCES (FILE SERVER, APPLICATION SERVER, DATABASE SERVER); IMPLICIT AUTHENTICATION 150; DATA COLLECTION 130; AUTHENTICATION; ACCESS REQUEST; DEVICES.]

[Sheet 3 of 11, FIG. 1C: USER DEVICE 122; DATA COLLECTION 130; IMPLICIT AUTHENTICATION; USER REQUEST; CONTROLLED RESOURCES (three LOCAL RESOURCE boxes); ACCESS; AUTHENTICATION MODULE.]

[Sheet 4 of 11, FIG. 2: SYSTEM FOR IMPLICIT AUTHENTICATION; USER ACCESS REQUEST 210; USER ACCESS REQUEST RECEIVER 220; CONTEXTUAL DATA COLLECTOR; CONTEXTUAL DATA; USER BEHAVIOR MODELER; IMPLICIT AUTHENTICATOR; AUTHENTICATION INFORMATION; AUTHENTICATION INFORMATION PRESENTER.]

[Sheet 5 of 11, FIG. 3 (flow chart): RECEIVE USER ACCESS REQUEST; OBTAIN USER BEHAVIOR MODEL; OBTAIN RECENT CONTEXTUAL DATA; DETERMINE USER BEHAVIORAL SCORE IN ACCORDANCE WITH USER BEHAVIOR MODEL AND RECENT CONTEXTUAL DATA; CALCULATE IMPLICIT AUTHENTICATION INFORMATION; PROVIDE AUTHENTICATION INFORMATION; RETURN.]

[Sheet 6 of 11, FIG. 4 (flow chart): TRIGGERED BY AN OBSERVED EVENT?; DECREASE SCORE BASED ON LAPSED TIME; CALCULATE QUALITY MEASURE ASSOCIATED WITH THE EVENT; CALCULATE WEIGHT ASSOCIATED WITH THE TYPE OF OBSERVATION; OBSERVED EVENT CONSISTENT WITH [illegible]?; INCREASE SCORE BASED ON QUALITY MEASURE AND WEIGHT; SCORE BELOW THRESHOLD?; REQUEST USER AUTHENTICATE.]

[Sheet 7 of 11, FIG. 5 (flow chart): RECEIVE USER BEHAVIORAL SCORE; IS THRESHOLD ASSOCIATED WITH REQUEST?; DETERMINE IMPLICIT AUTHENTICATION INFORMATION BASED ON CONFIDENCE LEVEL ASSOCIATED WITH USER BEHAVIORAL SCORE; DETERMINE IMPLICIT AUTHENTICATION INFORMATION BASED ON WHETHER USER BEHAVIORAL SCORE MEETS THRESHOLD.]

[Sheet 8 of 11, FIG. 6: CONTEXTUAL DATA. DEVICE DATA: GPS DATA, VOICE DATA, ACCELEROMETER, TYPING PATTERN 610, APPLICATION USAGE DATA 611, TEMPERATURE SENSOR DATA, SENSOR DATA 613, USER FINGERPRINTS, CALENDAR DATA, LOCAL AUTHENTICATION ATTEMPTS 617, LOCAL CONNECTION ATTEMPTS 618. CARRIER DATA: LOCATION DATA, VOICE DATA 623, NETWORK AUTHENTICATION ATTEMPTS 625, TRAFFIC PATTERN 627. THIRD-PARTY PROVIDER DATA: APPLICATION USAGE 631, TIME OF APPLICATION USE 633, DURATION OF APPLICATION USE, APPLICATION CONTENT DATA 637.]

[Sheet 9 of 11, FIG. 7A: USER BEHAVIOR MODEL with columns PHONE NUMBER, CALL TYPE, DURATION 720, LOCATION 730, MOVEMENT, ENTITY CONFIDENCE 750.]

[Sheet 10 of 11, FIG. 7B: USER MODEL LOOK UP TABLE 780 with a HISTORY (EVENTS, TIME INTERVAL) row followed by [EVENT 1] BROWSER-ACTIVITY and [EVENT 2] LOCATION rows, each with a PROBABILITY DISTR. and a SCORING DISTR.]

[Sheet 11 of 11, FIG. 8: NETWORK; PROCESSOR; IMPLICIT-AUTHENTICATING MECHANISM; REQUEST-RECEIVING MECHANISM; BEHAVIOR-SCORE MECHANISM; COLLECTING MECHANISM; BEHAVIOR-MODELING MECHANISM; POINTING DEVICE.]

IMPLICIT AUTHENTICATION

BACKGROUND

1. Field

This disclosure is generally related to user authentication. More specifically, this disclosure is related to a method and system for implicitly authenticating a user to access a controlled resource based on contextual data indicating the user’s behavior.

2. Related Art

A Mobile Internet Device (MID) is a multimedia-capable handheld computer providing wireless Internet access. MIDs are designed to provide entertainment, information and location-based services for personal use. As the market of MIDs expands, mobile commerce (also known as M-commerce) is experiencing rapid growth. There is a trend toward hosting applications and services on the Internet. This results in increased demand for Internet authentication—whether of devices, computers or users. Moreover, the use of digital rights management (DRM) policies will likely increase the need for frequent authentications. Some of such authentications may happen simultaneously due to the increased use of mashups.

On the other hand, the shift toward greater market penetration of MIDs complicates password entry due to the limitations of MID input interfaces. Typing passwords on mobile devices, such as an iPhone™ or a BlackBerry™, can become a tedious and error-prone process.

Single sign-on (SSO) is an authentication mechanism to control the access of multiple, related, but independent software applications and services. With SSO, a user logs in once and gains access to all applications and services without being prompted to log in again at each of them. SSO addresses the problem of frequent authentications. However, SSO does not defend against theft and compromise of devices because it only vouches for the identity of the device, not its user.

SUMMARY

One embodiment provides a system that implicitly authenticates a user of a Mobile Internet Device to access a controlled resource. The system first receives a request to access the controlled resource. Then, the system determines a user behavior score based on a user behavior model and recent contextual data, wherein the user behavior score facilitates identifying a level of consistency between one or more recent user events and a past user behavior pattern. The user behavior model is derived from historical contextual data of the user. The recent contextual data are recent data of the user collected from one or more user mobile devices indicating the user’s recent behavior or one or more recent user events. The recent contextual data can be collected without prompting the user to perform an action explicitly associated with authentication. Further, the recent contextual data include multiple data streams, which provide basis for the determination of the user behavior score. However, a data stream alone provides insufficient basis for the determination of the user behavior score. Next, the system provides the user behavior score to an access controller of the controlled resource, thereby making an authentication decision derived from the user behavior score for the user to access the controlled resource based at least on the user behavior score. In addition, the system can be used in combination with another form of authentication.

In some embodiments, the system also collects contextual data of the user periodically from one or more user devices, and updates the user behavior model based on the collected contextual data of the user.

In some embodiments, the system also determines an action based on the user behavior score. The action can be a demand for a further authentication.

In some embodiments, the system also determines whether the user behavior score is higher than a predetermined threshold value, and if so, authenticates the user to access the controlled resource using the authentication decision derived from the user behavior score.

In some embodiments, the system also uses the authentication decision derived from the user behavior score to increase or decrease an assurance associated with another form of authentication.

In some embodiments, the system also:
  observes the recent event associated with the recent contextual data of the user;
  calculates a quality measure associated with the recent event;
  calculates a weight associated with the type of observation;
  determines whether the observed event is consistent with the user behavior model; and
  increases (if consistent) or decreases (if inconsistent) the user behavior score based on the quality measure and the weight.

In some embodiments, the system also determines that the user behavior score is lower than a predetermined threshold value, and requests the user to provide a user credential, thereby explicitly authenticating the user to access the controlled resource.

In some embodiments, the system collects the contextual data with a number of measurements. The user behavior model describes the past user behavior pattern by a combination of one or more measurements.

In some embodiments, the recent contextual data of the user are data from at least one of the following sources:
  device data that are available on a user device;
  carrier data that are available to a network carrier; and
  third-party provider data that are available to a third-party provider providing an application to the user.

In some embodiments, the recent contextual data of the user comprise one or more of: GPS data, accelerometer data, voice data, sensor data, application usage data, web browser data, authentication attempts, connection attempts, network traffic pattern, DNS requests, typing pattern, biometric data, social group membership information, and user demographics data.

In some embodiments, the user behavior model is stored in a user model look-up table. The user model look-up table comprises historical information on whether a condition is satisfied, and information on a plurality of user events. Each event is associated with a probability distribution and a score distribution.

In some embodiments, the system collects historical contextual data via one or more of a survey of contextual information about the user entered by a representative of the user, an accumulation of periodically transmitted contextual data of the user from one or more mobile devices, or an inheritance of the contextual information about the user from another device associated with the user.

In some embodiments, the system derives the user behavior model from a second model of a group of users sharing similar characteristics.

In some embodiments, the recent event belongs to one of a plurality of categories. The plurality of categories comprise one or more of: (1) a very positive event; (2) a positive event; (3) a neutral event; (4) a negative event; and (5) a very negative event. The determination of increasing or decreasing the user behavior score and the amount of increment or decrement are associated with the category to which the recent event belongs.

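One way to implement the score update, event categories and threshold check described above, as an added Python example that is not code from the patent. The weights, threshold, one-hour half-life and numeric category steps are assumed values, and the per-stream cap is one assumed way to make sure a single data stream alone can never clear the threshold.

```python
from dataclasses import dataclass, field
from enum import Enum


class Category(Enum):
    # The five event categories named in the text; the numeric steps are assumed.
    VERY_POSITIVE = 2.0
    POSITIVE = 1.0
    NEUTRAL = 0.0
    NEGATIVE = -1.0
    VERY_NEGATIVE = -2.0


# Assumed values, chosen only for illustration.
WEIGHTS = {"gps": 1.0, "call": 1.5, "typing": 0.8}  # weight per observation type
THRESHOLD = 5.0       # score must be higher than this for implicit authentication
STREAM_CAP = 3.0      # below THRESHOLD, so one data stream alone is insufficient
HALF_LIFE_S = 3600.0  # positive evidence halves every hour without new events


@dataclass
class Event:
    t: float            # observation time in seconds
    stream: str         # data stream / type of observation
    category: Category  # how consistent the event is with the behavior model
    quality: float      # quality measure of this observation, 0.0 to 1.0


@dataclass
class BehaviorScorer:
    per_stream: dict = field(default_factory=dict)
    last_t: float = 0.0

    def _decay(self, now: float) -> None:
        """Decrease the score based on lapsed time (positive evidence only)."""
        dt = max(0.0, now - self.last_t)  # tolerate out-of-order timestamps
        factor = 0.5 ** (dt / HALF_LIFE_S)
        for stream, value in self.per_stream.items():
            if value > 0:  # idle time must not forgive negative evidence
                self.per_stream[stream] = value * factor
        self.last_t = max(self.last_t, now)

    def observe(self, ev: Event) -> None:
        """Raise or lower one stream's contribution by category * quality * weight."""
        if ev.stream not in WEIGHTS:
            raise ValueError(f"unknown data stream: {ev.stream!r}")
        if not 0.0 <= ev.quality <= 1.0:
            raise ValueError("quality must be within [0, 1]")
        self._decay(ev.t)
        delta = ev.category.value * ev.quality * WEIGHTS[ev.stream]
        current = self.per_stream.get(ev.stream, 0.0) + delta
        self.per_stream[ev.stream] = min(current, STREAM_CAP)

    def score(self, now: float) -> float:
        self._decay(now)
        return sum(self.per_stream.values())

    def decide(self, now: float) -> str:
        """'implicit' grants access; 'explicit' means ask for a user credential."""
        return "implicit" if self.score(now) > THRESHOLD else "explicit"


def replay(events, now):
    """Feed events in time order and return (decision, score) for a request at `now`."""
    scorer = BehaviorScorer()
    for ev in sorted(events, key=lambda e: e.t):
        scorer.observe(ev)
    return scorer.decide(now), scorer.score(now)


# Constructed sample events (not from the patent).
ONE_STREAM = [Event(0, "gps", Category.VERY_POSITIVE, 1.0) for _ in range(10)]
MIXED = [
    Event(0, "gps", Category.VERY_POSITIVE, 1.0),
    Event(0, "call", Category.VERY_POSITIVE, 1.0),
    Event(0, "typing", Category.POSITIVE, 1.0),
]

if __name__ == "__main__":
    print("one stream, t=0:   ", replay(ONE_STREAM, 0))
    print("three streams, t=0:", replay(MIXED, 0))
    print("three streams, +1h:", replay(MIXED, 3600))
```
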

BRIEF DESCRIPTION OF THE FIGURES

FIG. 1A shows a diagram of the usability and security of different authentication techniques.

FIG. 1B shows a schematic diagram of a system for implicitly authenticating a user to access a controlled network resource in accordance with an embodiment.

FIG. 1C shows a schematic diagram of a computing environment for implicitly authenticating a user to access a controlled local resource in accordance with an embodiment of the present invention.

FIG. 2 shows a block diagram of a computing environment for implicitly authenticating a user to access a controlled resource in accordance with an embodiment of the present invention.

FIG. 3 shows a flow chart illustrating a method for implicitly authenticating a user to access a controlled resource in accordance with an embodiment of the present invention.

FIG. 4 shows a flow chart illustrating the determination of a user behavior score based on the user behavior model and recent contextual user behavioral data in accordance with an embodiment of the present invention.

FIG. 5 shows a flow chart illustrating the calculation of implicit authenticating information in accordance with an embodiment of the present invention.

FIG. 6 shows a diagram of contextual data in accordance with an embodiment of the present invention.

FIG. 7A shows a diagram of a user behavior model describing the user’s historical behavior patterns in accordance with an embodiment of the present invention.

FIG. 7B shows a user model look-up table used to store a user behavior model in accordance with an embodiment of the present invention.

FIG. 8 shows a block diagram of an apparatus for implicitly authenticating a user to access a controlled resource in accordance with an embodiment of the present invention.

In the figures, like reference numerals refer to the same figure elements.

DETAILED DESCRIPTION

The following description is presented to enable any person skilled in the art to make and use the embodiments, and is provided in the context of a particular application and its requirements. Various modifications to the disclosed embodiments will be readily apparent to those skilled in the art, and the general principles defined herein may be applied to other embodiments and applications without departing from the spirit and scope of the present disclosure. Thus, the present invention is not limited to the embodiments shown, but is to be accorded the widest scope consistent with the principles and features disclosed herein.

Overview

Embodiments of the present invention provide a method for implicitly authenticating a user to access a controlled resource without the need for entering passwords or answering any authentication questions. In addition, the method can be used as a second-factor mechanism for authentication in combination with another authentication method.

In one embodiment, a mobile device automatically detects the environment that a user is in, and the activities that the user is engaged in. If the environment and the activities exhibit familiar patterns (for example, if the user is detected to be in her home, or if the user has just made a ten-minute phone call to her significant other), then it is deemed safe to authenticate the user without prompting for a password or security question. On the other hand, if the detected environment and activities associated with the user exhibit anomalies or deviations from the user’s normal behavior, it is deemed unsafe to grant access to the user, as the device may have been lost or stolen.

Furthermore, the system can periodically collect contextual data of the user from one or more user devices. The system can then update the user behavior model based on the periodically collected contextual data.

In some embodiments, the system calculates a user behavior score based on a user behavior model derived from historical contextual data of the user, recent contextual data of the user collected from one or more user devices, and optionally a request to access controlled resources from the user. If the user behavior score is higher than a predetermined threshold, the system authenticates the user to access the controlled resource. If the user behavior score is lower than the predetermined threshold, the system requires the user to be authenticated explicitly, for example, by requesting the user to provide a user credential to access the controlled resource.

FIG. 1A shows a diagram illustrating usability 170 and security 180 of different authentication techniques. In this diagram, the x-axis represents usability 170 and the y-axis represents security 180. Curve 190 represents an inverse relationship between usability and security associated with a conventional authentication technique. For example, point 182 on curve 190 has a coordinate of (X_182, Y_182). That means for a given level of usability X_182, the conventional technique can achieve a certain degree of security Y_182. With the conventional technique, in order to make the systems more user-friendly, the degree of security of the systems typically decreases accordingly. Likewise, in order to make a conventional system more secure, the level of usability of the system will typically decrease.

Curve 195 represents a relationship between usability and security associated with embodiments of the present invention, which uses implicit authentication. Implicit authentication may be used as a complement to or a replacement for traditional password authentication.

Point 184 on curve 195 represents the usability/security tradeoff when implicit authentication is used as a complement to the traditional password authentication. Point 184 shares the same x-coordinate as point 182 on curve 190, which means the level of usability does not change. However, point 184 has a larger y-coordinate compared to point 182, which means systems, which are used as complements to conventional forms of authentication, in accordance with the present invention increase the degree of security when the level of usability remains the same as conventional systems. The systems can use the implicit authentication decision to authenticate the user to access the controlled resource.

Point 186 on curve 195 represents the usability/security tradeoff when implicit authentication is used as a replacement for the traditional password authentication. Point 186 shares the same y-coordinate as point 182 on curve 190, which means the degree of security does not change. However, point 186 has a larger x-coordinate compared to point 182, which means systems, which are used as replacements of conventional forms of authentication, in accordance with the present invention increase the level of usability when the degree of security remains the same as conventional systems. The systems can use the implicit authentication decision to increase or decrease an assurance level associated with another form of authentication, e.g. password.

Computing Environment

FIG. 1B shows a schematic diagram of a computing environment for implicitly authenticating a user to access a controlled network resource in accordance with an embodiment of the present invention. In this example, the computing environment includes controlled resources 100, an authentication server 110, a plurality of user devices 120 and a user 160. Controlled resources 100 can include any resources on a network, and a mechanism for providing access to such resources upon receiving requests from a user. For example, controlled resources 100 may include, but are not limited to, a file server 102, an application server 104, a database server 106, a mail server (not shown), etc. Authentication server 110 can be any type of computational device capable of performing an authorization or authentication operation of a user or a transaction. User devices 120 can generally include any node on a network including computational capability, a mechanism for communicating across the network, and a human interaction interface. This includes, but is not limited to, a smart phone device 121, a personal digital assistant (PDA) 123, a tablet PC 125, a workstation 127, a laptop 129, etc. Note that although the present invention optimally is used with mobile Internet devices, it can be used with any type of computational devices.

During operation, a user 160 sends a request 140 to access a network resource 100. Authentication server 110 collects contextual data about the user 160 from user devices 120 (operation 130), and presents implicit authentication information 150 to the access controller of controlled resource 100 to facilitate authentication of the user 160. In one embodiment, authentication server 110 collects contextual data about the user 160 after controlled resource 100 receives the access request 140 from user devices 120. In one embodiment, authentication server 110 collects contextual data from user devices 120 and periodically updates a user behavior model about user 160.

FIG. 1C shows a schematic diagram of a system for implicitly authenticating a user to access a controlled local resource in accordance with an embodiment. In this embodiment, the computing environment includes a user 160, a specific user device 122 with controlled resources 100 and a plurality of other user devices 120. The specific user device 122 includes controlled resources 100 and authentication module 115. Controlled resources 100 can include any local resources located on the specific user device 122 and a mechanism for providing access to such resources upon receiving requests from user 160. Controlled resources 100 may include, but are not limited to, a local file 101, a local application 103, a local database 105, an email message (not shown), etc. Authentication module 115 can be any type of computational module capable of authenticating a user or a transaction. Other user devices 120 can generally include any node on a network that user 160 has access to. Such devices include, but are not limited to, a smart phone device, a PDA, a tablet PC, a workstation, a laptop, etc.

During operation, user 160 sends a request 140 to access local resource 100. Authentication module 115 collects contextual data about user 160 from other user devices 120 as well as controlled local resources 100 (operation 130), and presents implicit authentication information 150 to the access controller of controlled resource 100 to facilitate authentication of user 160.

Implicit Authentication

FIG. 2 shows a block diagram of a system 200 for implicitly authenticating a user to access a controlled resource in accordance with an embodiment. System 200 includes a user access request receiver 220, a behavioral score grader 250, an implicit authenticator 270, and an authentication information presenter 290. System 200 additionally includes a contextual data collector 230 and a user behavior modeler 240.

User access request receiver 220 receives user access request 210 from a user 160, and can be a network port, a wireless receiver, a radio receiver, a media receiver, etc., without any limitations. User access request 210 may be received from user 160, from a resource controller, or from another module that is capable of passing the request. User access request receiver 220 receives and analyzes the user access request 210 and forwards request 210 to the behavioral score grader 250. In some embodiments, user 160 may not be issuing any request, and the user’s device may be a passive responder. Also, the device may be non-operative and/or non-reachable at the time of the request, but have recently communicated its state.

Behavioral score grader 250 calculates a behavioral score of user 160, and can be any computing device with a processing logic and a communication mechanism. Behavioral score grader 250 receives forwarded user access request 210, recent data 245 from contextual data collector 230, and a user behavior model 255 from user behavior modeler 240. Behavioral score grader 250 then calculates a user behavioral score 260 based on the request 210, the recent contextual data 245, and user behavior model 255. User behavior score 260 indicates the likelihood that user 160 who sends user access request 210 from a user device is the owner of the user device. User behavior score 260 can be adjusted upwards or downwards based on a sequence of observed events associated with the user device. User behavior score 260 is then sent to implicit authenticator 270 to facilitate implicit authentication of the user.

Contextual data collector 230 collects contextual data about user 160, and can be any device with a storage and a communication mechanism. Contextual data 245 are data that serve to indicate a user’s behavior or environment. Examples of contextual data 245 include locations, movements, actions, biometrics, authentication outcomes, application usage, web browser data (e.g., recently visited sites), etc. Contextual data 245 can be collected from a device, a carrier, and/or a third-party provider. Contextual data collector 230 sends the collected recent contextual data 245 to behavioral score grader 250, as well as user behavior modeler 240.

The user behavior modeler 240 creates a user behavior model 255 based on the contextual data 245 about user 160. User behavior model 255 describes a user’s historical behavior patterns. User behavior model 255 can include a history string which corresponds to a sequence of observed events, a probability distribution which corresponds to the likelihood of the observed events happening as a function of time, and a score distribution which corresponds to the change in user behavior score 260 resulting from the observed events as a function of time. User behavior modeler 240 can be any type of computing device or component with a computational mechanism.

Implicit authenticator 270 calculates implicit authentication information 280 based on user behavioral score 260. Implicit authentication information 280 is information that facilitates the access controller of controlled resources to make an authentication decision. Implicit authentication information 280 can be a binary decision or a confidence level based on user behavior score 260. Implicit authentication information presenter 290 presents implicit authentication information 280 to the access controller of controlled resources.

FIG. 3 shows a flow chart illustrating a method for implicitly authenticating a user to access a controlled resource in accordance with an embodiment.

During operation, the system receives a user access request (operation 300). The user access request can contain login credentials for resource authentication. In other embodiments, the user access request can merely identify the resource to be accessed without providing any login credentials or authentication information.

The system then obtains a user behavior model (operation 310) associated with the user who sends the access request. The system also obtains recent contextual data (operation 320) associated with the user. Based on the request, the user behavior model, and the recent contextual data (which describes recent user behavior), the system determines a user behavioral score (operation 330). The user behavioral score indicates whether the user’s recent behavioral data fit the user’s behavioral pattern as described by the user behavior model, and a level of consistency between the user’s recent contextual behavioral data and the user behavior model. Note that for the same set of recent contextual data and user behavior model, the user behavioral score may vary depending on the nature of the request.

Next, the system calculates implicit authentication information (operation 340). The implicit authentication information can be a binary authentication decision, or a confidence level. Finally, the system presents the authentication information to the resource controller, the user, or another external client (operation 350).

User Behavior Score

FIG. 4 shows a flow chart illustrating the determination of a user behavior score based on the user behavior model, the request and recent contextual user behavioral data in accordance with an embodiment. The system starts by observing an event associated with a user device. When an event is observed, the system determines whether a rule is triggered by observed event (operation 400). When a rule is triggered, the user behavior score is adjusted either upwards or downwards. For example, the system may determine a user behavior score based on the user’s calling records. An observed event could be an incoming call, an outgoing