ATTORNEY DOCKET NO. PARC-20090232-US-NP

PATENT APPLICATION

IMPLICIT AUTHENTICATION

Inventor(s): Bjorn Markus Jakobsson, Mark J. Grandcolas, Philippe J.P. Golle, Richard Chow, and Runting Shi

BACKGROUND

Field

[0001] This disclosure is generally related to user authentication. More specifically, this disclosure is related to a method and system for implicitly authenticating a user to access a controlled resource based on contextual data indicating the user’s behavior.

Related Art

[0002] A Mobile Internet Device (MID) is a multimedia-capable handheld computer providing wireless Internet access. MIDs are designed to provide entertainment, information and location-based services for personal use. As the market of MIDs expands, mobile commerce (also known as M-commerce) is experiencing rapid growth. There is a trend toward hosting applications and services on the Internet. This results in increased demand for Internet authentication — whether of devices, computers or users. Moreover, the use of digital rights management (DRM) policies will likely increase the need for frequent authentications. Some of such authentications may happen simultaneously due to the increased use of mashups.

[0003] On the other hand, the shift toward greater market penetration of MIDs complicates password entry due to the limitations of MID input interfaces. Typing passwords on mobile devices, such as an iPhone™ or a BlackBerry™, can become a tedious and error-prone process.

[0004] Single sign-on (SSO) is an authentication mechanism to control the access of multiple, related, but independent software applications and services. With SSO, a user logs in once and gains access to all applications and services without being prompted to log in again at each of them. SSO addresses the problem of frequent authentications. However, SSO does not defend against theft and compromise of devices because it only vouches for the identity of the device, not its user.

SUMMARY

[0005] One embodiment provides a system that implicitly authenticates a user of a Mobile Internet Device to access a controlled resource. The system first receives a request to access the controlled resource. Then, the system determines a user behavior score based on a user behavior model and recent contextual data, wherein the user behavior score facilitates identifying a level of consistency between one or more recent user events and a past user behavior pattern. The user behavior model is derived from historical contextual data of the user. The recent contextual data are recent data of the user collected from one or more user mobile devices indicating the user’s recent behavior or one or more recent user events. The recent contextual data can be collected without prompting the user to perform an action explicitly associated with authentication. Further, the recent contextual data include multiple data streams, which provide basis for the determination of the user behavior score. However, a data stream alone provides insufficient basis for the determination of the user behavior score. Next, the system provides the user behavior score to an access controller of the controlled resource, thereby making an authentication decision derived from the user behavior score for the user to access the controlled resource based at least on the user behavior score. In addition, the system can be used in combination with another form of authentication.

[0006] In some embodiments, the system also collects contextual data of the user periodically from one or more user devices, and updates the user behavior model based on the collected contextual data of the user.

[0007] In some embodiments, the system also determines an action based on the user behavior score. The action can be a demand for a further authentication.

[0008] In some embodiments, the system also determines whether the user behavior score is higher than a predetermined threshold value, and if so, authenticates the user to access the controlled resource using the authentication decision derived from the user behavior score.

[0009] In some embodiments, the system also uses the authentication decision derived from the user behavior score to increase or decrease an assurance associated with another form of authentication.

[0010] In some embodiments, the system also:

• observes the recent event associated with the recent contextual data of the user;
• calculates a quality measure associated with the recent event;
• calculates a weight associated with the type of observation;
• determines whether the observed event is consistent with the user behavior model; and
• increases (if consistent) or decreases (if inconsistent) the user behavior score based on the quality measure and the weight.

[0011] In some embodiments, the system also determines that the user behavior score is lower than a predetermined threshold value, and requests the user to provide a user credential, thereby explicitly authenticating the user to access the controlled resource.

[0012] In some embodiments, the system collects the contextual data with a number of measurements. The user behavior model describes the past user behavior pattern by a combination of one or more measurements.

[0013] In some embodiments, the recent contextual data of the user are data from at least one of the following sources:

• device data that are available on a user device;
• carrier data that are available to a network carrier; and
• third-party provider data that are available to a third-party provider providing an application to the user.

[0014] In some embodiments, the recent contextual data of the user comprise one or more of: GPS data, accelerometer data, voice data, sensor data, application usage data, web browser data, authentication attempts, connection attempts, network traffic pattern, DNS requests, typing pattern, biometric data, social group membership information, and user demographics data.

[0015] In some embodiments, the user behavior model is stored in a user model look-up table. The user model look-up table comprises historical information on whether a condition is satisfied, and information on a plurality of user events. Each event is associated with a probability distribution and a score distribution.

[0016] In some embodiments, the system collects historical contextual data via one or more of a survey of contextual information about the user entered by a representative of the user, an accumulation of periodically transmitted contextual data of the user from one or more mobile devices, or an inheritance of the contextual information about the user from another device associated with the user.

[0017] In some embodiments, the system derives the user behavior model from a second model of a group of users sharing similar characteristics.

[0018] In some embodiments, the recent event belongs to one of a plurality of categories. The plurality of categories comprise one or more of: (1) a very positive event; (2) a positive event; (3) a neutral event; (4) a negative event; and (5) a very negative event. The determination of increasing or decreasing the user behavior score and the amount of increment or decrement are associated with the category to which the recent event belongs.

BRIEF DESCRIPTION OF THE FIGURES

[0019] FIG. 1A shows a diagram of the usability and security of different authentication techniques.

[0020] FIG. 1B shows a schematic diagram of a system for implicitly authenticating a user to access a controlled network resource in accordance with an embodiment.

[0021] FIG. 1C shows a schematic diagram of a computing environment for implicitly authenticating a user to access a controlled local resource in accordance with an embodiment of the present invention.

[0022] FIG. 2 shows a block diagram of a computing environment for implicitly authenticating a user to access a controlled resource in accordance with an embodiment of the present invention.

[0023] FIG. 3 shows a flow chart illustrating a method for implicitly authenticating a user to access a controlled resource in accordance with an embodiment of the present invention.

[0024] FIG. 4 shows a flow chart illustrating the determination of a user behavior score based on the user behavior model and recent contextual user behavioral data in accordance with an embodiment of the present invention.

[0025] FIG. 5 shows a flow chart illustrating the calculation of implicit authenticating information in accordance with an embodiment of the present invention.

[0026] FIG. 6 shows a diagram of contextual data in accordance with an embodiment of the present invention.

[0027] FIG. 7A shows a diagram of a user behavior model describing the user’s historical behavior patterns in accordance with an embodiment of the present invention.

[0028] FIG. 7B shows a user model look-up table used to store a user behavior model in accordance with an embodiment of the present invention.

[0029] FIG. 8 shows a block diagram of an apparatus for implicitly authenticating a user to access a controlled resource in accordance with an embodiment of the present invention.

[0030] In the figures, like reference numerals refer to the same figure elements.

DETAILED DESCRIPTION

[0031] The following description is presented to enable any person skilled in the art to make and use the embodiments, and is provided in the context of a particular application and its requirements. Various modifications to the disclosed embodiments will be readily apparent to those skilled in the art, and the general principles defined herein may be applied to other embodiments and applications without departing from the spirit and scope of the present disclosure. Thus, the present invention is not limited to the embodiments shown, but is to be accorded the widest scope consistent with the principles and features disclosed herein.

Overview

[0032] Embodiments of the present invention provide a method for implicitly authenticating a user to access a controlled resource without the need for entering passwords or answering any authentication questions. In addition, the method can be used as a second-factor mechanism for authentication in combination with another authentication method.

[0033] In one embodiment, a mobile device automatically detects the environment that a user is in, and the activities that the user is engaged in. If the environment and the activities exhibit familiar patterns (for example, if the user is detected to be in her home, or if the user has just made a ten-minute phone call to her significant other), then it is deemed safe to authenticate the user without prompting for a password or security question. On the other hand, if the detected environment and activities associated with the user exhibit anomalies or deviations from the user’s normal behavior, it is deemed unsafe to grant access to the user, as the device may have been lost or stolen.

[0034] Furthermore, the system can periodically collect contextual data of the user from one or more user devices. The system can then update the user behavior model based on the periodically collected contextual data.

[0035] In some embodiments, the system calculates a user behavior score based on a user behavior model derived from historical contextual data of the user, recent contextual data of the user collected from one or more user devices, and optionally a request to access controlled resources from the user. If the user behavior score is higher than a predetermined threshold, the system authenticates the user to access the controlled resource. If the user behavior score is lower than the predetermined threshold, the system requires the user to be authenticated explicitly, for example, by requesting the user to provide a user credential to access the controlled resource.

[0036] FIG. 1A shows a diagram illustrating usability 170 and security 180 of different authentication techniques. In this diagram, the x-axis represents usability 170 and the y-axis represents security 180. Curve 190 represents an inverse relationship between usability and security associated with a conventional authentication technique. For example, point 182 on curve 190 has a coordinate of (X182, Y182). That means for a given level of usability X182, the conventional technique can achieve a certain degree of security Y182. With the conventional technique, in order to make the systems more user-friendly, the degree of security of the systems typically decreases accordingly. Likewise, in order to make a conventional system more secure, the level of usability of the system will typically decrease.

[0037] Curve 195 represents a relationship between usability and security associated with embodiments of the present invention, which uses implicit authentication. Implicit authentication may be used as a complement to or a replacement for traditional password authentication.

[0038] Point 184 on curve 195 represents the usability/security tradeoff when implicit authentication is used as a complement to the traditional password authentication. Point 184 shares the same x-coordinate as point 182 on curve 190, which means the level of usability does not change. However, point 184 has a larger y-coordinate compared to point 182, which means systems, which are used as complements to conventional forms of authentication, in accordance with the present invention increase the degree of security when the level of usability remains the same as conventional systems. The systems can use the implicit authentication decision to authenticate the user to access the controlled resource.

[0039] Point 186 on curve 195 represents the usability/security tradeoff when implicit authentication is used as a replacement for the traditional password authentication. Point 186 shares the same y-coordinate as point 182 on curve 190, which means the degree of security does not change. However, point 186 has a larger x-coordinate compared to point 182, which means systems, which are used as replacements of conventional forms of authentication, in accordance with the present invention increase the level of usability when the degree of security remains the same as conventional systems. The systems can use the implicit authentication decision to increase or decrease an assurance level associated with another form of authentication, e.g. password.

Computing Environment

[0040] FIG. 1B shows a schematic diagram of a computing environment for implicitly authenticating a user to access a controlled network resource in accordance with an embodiment of the present invention. In this example, the computing environment includes controlled resources 100, an authentication server 110, a plurality of user devices 120 and a user 160. Controlled resources 100 can include any resources on a network, and a mechanism for providing access to such resources upon receiving requests from a user. For example, controlled resources 100 may include, but are not limited to, a file server 102, an application server 104, a database server 106, a mail server (not shown), etc. Authentication server 110 can be any type of computational device capable of performing an authorization or authentication operation of a user or a transaction. User devices 120 can generally include any node on a network including computational capability, a mechanism for communicating across the network, and a human interaction interface. This includes, but is not limited to, a smart phone device 121, a personal digital assistant (PDA) 123, a tablet PC 125, a workstation 127, a laptop 129, etc. Note that although the present invention optimally is used with mobile Internet devices, it can be used with any type of computational devices.

[0041] During operation, a user 160 sends a request 140 to access a network resource 100. Authentication server 110 collects contextual data about the user 160 from user devices 120 (operation 130), and presents implicit authentication information 150 to the access controller of controlled resource 100 to facilitate authentication of the user 160. In one embodiment, authentication server 110 collects contextual data about the user 160 after controlled resource 100 receives the access request 140 from user devices 120. In one embodiment, authentication server 110 collects contextual data from user devices 120 and periodically updates a user behavior model about user 160.

[0042] FIG. 1C shows a schematic diagram of a system for implicitly authenticating a user to access a controlled local resource in accordance with an embodiment. In this embodiment, the computing environment includes a user 160, a specific user device 122 with controlled resources 100 and a plurality of other user devices 120. The specific user device 122 includes controlled resources 100 and authentication module 115. Controlled resources 100 can include any local resources located on the specific user device 122 and a mechanism for providing access to such resources upon receiving requests from user 160. Controlled resources 100 may include, but are not limited to, a local file 101, a local application 103, a local database 105, an email message (not shown), etc. Authentication module 115 can be any type of computational module capable of authenticating a user or a transaction. Other user devices 120 can generally include any node on a network that user 160 has access to. Such devices include, but are not limited to, a smart phone device, a PDA, a tablet PC, a workstation, a laptop, etc.

[0043] During operation, user 160 sends a request 140 to access local resource 100. Authentication module 115 collects contextual data about user 160 from other user devices 120 as well as controlled local resources 100 (operation 130), and presents implicit authentication information 150 to the access controller of controlled resource 100 to facilitate authentication of user 160.

Implicit Authentication

[0044] FIG. 2 shows a block diagram of a system 200 for implicitly authenticating a user to access a controlled resource in accordance with an embodiment. System 200 includes a user access request receiver 220, a behavioral score grader 250, an implicit authenticator 270, and an authentication information presenter 290. System 200 additionally includes a contextual data collector 230 and a user behavior modeler 240.

[0045] User access request receiver 220 receives user access request 210 from a user 160, and can be a network port, a wireless receiver, a radio receiver, a media receiver, etc., without any limitations. User access request 210 may be received from user 160, from a resource controller, or from another module that is capable of passing the request. User access request receiver 220 receives and analyzes the user access request 210 and forwards request 210 to the behavioral score grader 250. In some embodiments, user 160 may not be issuing any request, and the user’s device may be a passive responder. Also, the device may be non-operative and/or non-reachable at the time of the request, but have recently communicated its state.

[0046] Behavioral score grader 250 calculates a behavioral score of user 160, and can be any computing device with a processing logic and a communication mechanism. Behavioral score grader 250 receives forwarded user access request 210, recent data 245 from contextual data collector 230, and a user behavior model 255 from user behavior modeler 240. Behavioral score grader 250 then calculates a user behavioral score 260 based on the request 210, the recent contextual data 245, and user behavior model 255. User behavior score 260 indicates the likelihood that user 160 who sends user access request 210 from a user device is the owner of the user device. User behavior score 260 can be adjusted upwards or downwards based on a sequence of observed events associated with the user device. User behavior score 260 is then sent to implicit authenticator 270 to facilitate implicit authentication of the user.

[0047] Contextual data collector 230 collects contextual data about user 160, and can be any device with a storage and a communication mechanism. Contextual data 245 are data that serve to indicate a user’s behavior or environment. Examples of contextual data 245 include locations, movements, actions, biometrics, authentication outcomes, application usage, web browser data (e.g., recently visited sites), etc. Contextual data 245 can be collected from a device, a carrier, and/or a third-party provider. Contextual data collector 230 sends the collected recent contextual data 245 to behavioral score grader 250, as well as user behavior modeler 240.

[0048] The user behavior modeler 240 creates a user behavior model 255 based on the contextual data 245 about user 160. User behavior model 255 describes a user’s historical behavior patterns. User behavior model 255 can include a history string which corresponds to a sequence of observed events, a probability distribution which corresponds to the likelihood of the observed events happening as a function of time, and a score distribution which corresponds to the change in user behavior score 260 resulting from the observed events as a function of time. User behavior modeler 240 can be any type of computing device or component with a computational mechanism.

[0049] Implicit authenticator 270 calculates implicit authentication information 280 based on user behavioral score 260. Implicit authentication information 280 is information that facilitates the access controller of controlled resources to make an authentication decision. Implicit authentication information 280 can be a binary decision or a confidence level based on user behavior score 260. Implicit authentication information presenter 290 presents implicit authentication information 280 to the access controller of controlled resources.

[0050] FIG. 3 shows a flow chart illustrating a method for implicitly authenticating a user to access a controlled resource in accordance with an embodiment.

[0051] During operation, the system receives a user access request (operation 300). The user access request can contain login credentials for resource authentication. In other embodiments, the user access request can merely identify the resource to be accessed without providing any login credentials or authentication information.

[0052] The system then obtains a user behavior model (operation 310) associated with the user who sends the access request. The system also obtains recent contextual data (operation 320) associated with the user. Based on the request, the user behavior model, and the recent contextual data (which describes recent user behavior), the system determines a user behavioral score (operation 330). The user behavioral score indicates whether the user’s recent behavioral data fit the user’s behavioral pattern as described by the user behavior model, and a level of consistency between the user’s recent contextual behavioral data and the user behavior model. Note that for the same set of recent contextual data and user behavior model, the user behavioral score may vary depending on the nature of the request.

[0053] Next, the system calculates implicit authentication information (operation 340). The implicit authentication information can be a binary authentication decision, or a confidence level. Finally, the system presents the authentication information to the resource controller, the user, or another external client (operation 350).

User Behavior Score

[0054] FIG. 4 shows a flow chart illustrating the determination of a user behavior score based on the user behavior model, the request and recent contextual user behavioral data in accordance with an embodiment. The system starts by observing an event associated with a user device. When an event is observed, the system determines whether a rule is triggered by observed event (operation 400). When a rule is triggered, the user behavior score is adjusted either upwards or downwards. For example, the system may determine a user behavior score based on the user’s calling records. An observed event could be an incoming call, an outgoing call, or initiation of a mobile application from the mobile phone, etc.

[0055] In one embodiment, the system monitors the user’s calling records, including but not limited to, identity of incoming callers, identity of recipients for outgoing calls, call durations, voice analysis of sound input from the microphone, etc. If no rule is associated with the observed event, the system decreases the user’s behavioral score based on the lapsed time (operation 410). Otherwise, the system calculates a quality measure associated with the event (operation 420). The quality measure is a scale indicating how likely an observed event is to happen for the user in the given context. For example, a quality measure can be based on the location of the device, and can be described by clusters of previous observed locations of the device. If a cluster of locations has more previous observations, it has a higher quality than a cluster of locations with fewer previous observations. Likewise, a cluster of locations with a small diameter has a higher quality than a cluster of locations with large diameter.

[0056] In addition to quality measures, the system also calculates a weight associated with the type of observation (operation 430). A weight is a scale that describes the relative importance of the particular type of observation for the purposes of asserting identity. As described above, there are many types of observations, e.g., location, identity of an incoming caller, call duration, etc. Each type of observation is associated with a weight. For example, for a user who works at regular hours in an office, the location of the device has great weight because it is very indicative of whether the device is being used by the user. By contrast, for a second user who often travels around without any fixed schedule, the location of the device has less weight than for the previous user. However, if the second user always reports to his or her boss on the road, the call recipient’s identity has a great weight because it is indicative of the likelihood of the device being used by the user.

[0057] Next, the system determines whether the observed event is consistent with the user’s ownership of the device (operation 440). If so, the user’s behavior score is increased based on the quality measure and the weight (operation 480). On the other hand, if the observed user event is inconsistent with the user’s ownership of the device, the user behavior score is decreased based on the quality measure and the weight (operation 450). In one embodiment, the system determines whether the user behavior score is below a predetermined threshold value (operation 460). If so, the system requests the user to authenticate himself explicitly to the application or service (operation 470). This may be achieved using a variety of authentication methods. The choice of which authentication method to use may depend on the user behavior score. For example, the user may be asked to enter a password and to present a security token if the user behavior score is too low. Alternatively, the user may be asked to enter a password if the user behavior score is below the threshold value but not low enough for presenting the security token.

`[0058] In embodiments of the present invention, the user behavior score is
`
`adjusted periodically. In the mobile phone example illustrated above, positive
`
`data means that the calling records show that the user is likely to make or receive
`
`a phone call at the time of calling for the duration of the call to/from the other
`
`person. Some events regarded as positive data increase the user behavior score
`
`slowly, for example, “good” call activities (e.g., calling home or a family
`
`member), “good” location, “good” trace of device movement (e.g., moving from
`
`home location to office location), an accelerometer movement (which indicates
`
`that the user device is not forgotten), etc. On the other hand, some events
`
`regarded as positive data increase the user behavior score quickly. These events
`
`include: successful password authentications; combinations of attributes
`
`performed by a legitimate user (e.g., calls to the same number from the same
`
`location); successful pairings with devices that are unlikely to be stolen at the
`
`same time (e.g., car, work computer); WiFi authentications (which require a
`
`password); etc.
`
`[0059] Negative data means that the calling records show that the user is
`
`unlikely to make/receive the phone call at the time of calling for the duration of
`
`the call to/from the other person. Some events regarded as negative data ruin the
`
`score slowly, for example, the passing of time. Other events regarded as negative
`
`data ruin the score quickly. These events include: “bad” call activities (e.g.,
`
`calling 1-900 numbers or making international calls); activities at unusual times
`
`(e.g., out late at night or making phone calls late at night); failed logins; etc. Also,
`
`attempts to access high-value information will decrease a user’s user behavior
`
`score significantly. High-value information includes calling records and other
`
`data that could allow the user to generate fake good activity and could be used to
`
`boost the score.
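
An added sketch of the score update and step-up decision described in [0057] to [0059]; it is not code from the application. The additive update, the thresholds, the per-event step sizes and the decay rate are all assumptions, since the text says only that the score moves "based on the quality measure and the weight".

```python
from dataclasses import dataclass

# Assumed numbers: the application gives no values or formula on this page.
PASSWORD_THRESHOLD = 50.0  # below this, ask for a password (operation 470)
TOKEN_THRESHOLD = 25.0     # below this, ask for password plus security token
DECAY_PER_HOUR = 0.5       # "passing of time" erodes the score slowly
STEP = {  # constructed base step per event kind: slow vs. fast movers
    "good_call": 2.0, "good_location": 2.0, "accelerometer": 1.0,
    "password_ok": 30.0, "trusted_pairing": 20.0, "wifi_auth": 20.0,
    "bad_call": 25.0, "unusual_time": 15.0, "failed_login": 20.0,
    "high_value_access": 35.0,
}

@dataclass
class Event:
    kind: str
    consistent: bool   # result of the consistency check (operation 440)
    quality: float     # quality measure, assumed to lie in [0, 1]
    weight: float      # per-user weight, assumed to lie in [0, 1]
    hours_since_last: float = 0.0

def update(score: float, ev: Event) -> float:
    """Apply time decay, then operation 480 (raise) or 450 (lower)."""
    score -= DECAY_PER_HOUR * ev.hours_since_last
    delta = STEP[ev.kind] * ev.quality * ev.weight
    score += delta if ev.consistent else -delta
    return max(0.0, min(100.0, score))

def required_auth(score: float) -> str:  # operations 460/470
    if score < TOKEN_THRESHOLD:
        return "password+token"
    if score < PASSWORD_THRESHOLD:
        return "password"
    return "none"

SAMPLE_EVENTS = [  # constructed trace, not data from the application
    Event("good_call", True, 1.0, 0.5),
    Event("unusual_time", False, 1.0, 1.0, hours_since_last=8.0),
    Event("high_value_access", False, 1.0, 1.0),
    Event("password_ok", True, 1.0, 1.0),
    Event("trusted_pairing", True, 1.0, 1.0),
]

def replay(score: float, events) -> list:
    trace = []
    for ev in events:
        score = update(score, ev)
        trace.append((ev.kind, score, required_auth(score)))
    return trace
```

Replaying the sample from a starting score of 60 shows the asymmetry the text describes: one low-weight good call barely moves the score, while a late-night event followed by a high-value access drops it through both thresholds, and it takes a successful password entry plus a trusted pairing to clear them again.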
`
`[0060] In accordance with one embodiment, posi
