Abstract: A method of protecting a computer system from fraudulent use includes collecting and aggregating sets of risk predictor values for user-initiated events into user-specific aggregations and organization-wide aggregations, and in response to a current event initiated by a user, generating a risk indicator as a combination of a user-specific indicator and an organization-wide indicator based on current event parameters and the user-specific and organization-wide aggregations. Based on the risk indicator indicating that the current event may be a fraudulent use, a protective control action is taken (such as denying or modifying a requested access) to protect the computer system.

Abstract: An improved technique involves including implicit feedback inferred from a fraud analyst's actions into a fraud detection model tuning process. Along these lines, as part of a tuning process, an authentication server sends electronic transactions carrying a certain amount of risk to a case management center in which fraud analysts investigate the electronic transactions to verify whether the transactions are fraudulent or non-fraudulent. In addition to receiving this explicit feedback from the case management center, however, the authentication server also receives implicit feedback indicative of attributes of the fraud analysts themselves. The authentication server then inputs these implicit feedback parameter values into a fraud detection model tuning engine that tunes the fraud detection model.

Abstract: A method involves performing a mathematical estimation operation identifying a risk score threshold. The operation identifies the risk score threshold as a point on a curve rather than a value of a particular risk score. Such a curve approximates the distribution of risk score values output over a time interval and represents a function embodied by a plot of risk score percentile vs. risk score value. The risk engine, rather than selecting a particular risk score, selects a curve from a family of curves that is known to accurately represent such risk score distributions. For example, the risk engine may choose the curve that provides the best fit to the previous week's risk scores over the family of curves. The risk engine identifies the risk score threshold by finding a risk score value such that the function evaluated at that risk score value produces a specified risk score percentile.

Abstract: Methods and apparatus are provided for validating event scenarios using reference readings obtained from a plurality of sensors associated with one or more predefined event scenarios. If a reading from a first sensor satisfies a reference reading of the first sensor for at least one identified scenario in a scenario library, at least one additional sensor is identified from the identified scenario and a reading is obtained from the additional sensors. The identified scenario is validated when the readings of the additional sensors satisfy the reference reading for the additional sensors from the identified scenario. A confidence level is optionally determined based on the readings of the sensors in the identified scenario. The readings of the sensors are optionally monitored over time to update the confidence level of the identified scenario.

Abstract: Methods and apparatus are provided for risk-based authentication between two servers on behalf of a user. A method is provided for controlling access by a consumer to a service provider on behalf of a user. An authentication request is issued responsive to an initial access request from the consumer to access the service provider on behalf of the user. An access token is provided to the consumer upon approval from the user to grant access to the consumer. Upon receiving a subsequent access request from the consumer with the access token to access the service provider on behalf of the user; a risk analysis is performed to determine if the subsequent access request should be granted. The risk analysis can determine if the subsequent access complies with one or more rules of the user. The user is optionally prompted to specify whether to allow the subsequent access request and/or future similar transactions.

Abstract: Techniques of authenticating a new user involve classifying a new user as a member of a group based on the new user's current activity. Along these lines, when a new user enrolls in an authentication system, the authentication system places the new user in a group of new users that have not made any requests and are assumed to be high risks of making fraudulent requests. Once the new user makes a request to access a resource, the authentication system classifies the new user as a member of another group according to authentication factors describing activities surrounding the request.

Abstract: An improved technique involves including implicit feedback inferred from a fraud analyst's actions into a fraud detection model tuning process. Along these lines, as part of a tuning process, an authentication server sends electronic transactions carrying a certain amount of risk to a case management center in which fraud analysts investigate the electronic transactions to verify whether the transactions are fraudulent or non-fraudulent. In addition to receiving this explicit feedback from the case management center, however, the authentication server also receives implicit feedback indicative of attributes of the fraud analysts themselves. The authentication server then inputs these implicit feedback parameter values into a fraud detection model tuning engine that tunes the fraud detection model.

Abstract: An improved risk analysis method addresses problems in the prior art methods of risk value calculation accuracy, inability to tailor the risk calculation to specific clients, and the inability to adjust the calculation method to account for rapid changes in fraud methodology. The improved method allows individual clients to use their knowledge of which risk parameters are most important to their particular business and automatically translates a statement of a new parameter sent by the client to the risk analysis calculation engine into the same type of statistical relationships used to evaluate risk using standard parameters.

Abstract: Methods and apparatus are provided for evaluating the classification performance of different risk engine models. A classification performance of an authentication method is evaluated by obtaining performance data for an authentication method; generating a receiver operating characteristic (ROC) curve for the obtained performance data; determining a partial area under the curve (pAUC) for a region of interest of the ROC curve; and providing a performance score for the authentication method based on the pAUC. The region of interest comprises, for example, a region of false positives. The pAUC is optionally standardized using a McClish Transformation. The performance score for the authentication method can be compared to a second performance score for a second authentication method. A confidence level can optionally be provided for the comparison based on a natural test statistic.

Abstract: A method of protecting a computer system from fraudulent use includes collecting and aggregating sets of risk predictor values for user-initiated events into user-specific aggregations and organization-wide aggregations, and in response to a current event initiated by a user, generating a risk indicator as a combination of a user-specific indicator and an organization-wide indicator based on current event parameters and the user-specific and organization-wide aggregations. Based on the risk indicator indicating that the current event may be a fraudulent use, a protective control action is taken (such as denying or modifying a requested access) to protect the computer system.

Abstract: Methods and apparatus are provided for detecting suspicious network activity by new devices. An exemplary method comprises: obtaining network event data for a given entity that comprises a user or a user device; determining a number of distinct other entities associated with the given entity during a predefined short time window, wherein the distinct other entities comprise user devices used by the user if the given entity comprises a user and comprise users of the user device if the given entity comprises a user device; determining a number of distinct other entities associated with the given entity during a predefined longer time window; and assigning a risk score to the given entity based on (i) the number during the predefined short time window relative to the number during the predefined longer time window, and/or (ii) the number during the predefined short time window relative to a predefined number.

Abstract: Techniques of operating intrusion detection systems provide a recommendation of an intrusion detection rule to an administrator of an intrusion detection system based on the experience of another administrator that has used the rule in another intrusion detection system. For example, suppose that electronic circuitry receives a numerical rating from a first intrusion detection system that indicates whether an intrusion detection rule was effective in identifying malicious activity when used in the first intrusion detection system. Based on the received rating and attributes of the first intrusion detection system, the electronic circuitry generates a predicted numerical rating that indicates whether the intrusion detection rule is likely to be effective in identifying malicious communications when used in a second intrusion detection system.

Abstract: A system for optimized configuration of an adaptive authentication service is disclosed that automatically generates one or more risk score thresholds. The system generates a risk score threshold or thresholds for an upcoming time period such that the business damages estimated to occur during the upcoming time period are minimized. The business damages estimated to occur during the upcoming time period may include business damages resulting from false negative authentication determinations, which incorrectly indicate that a fraudulent authentication request is legitimate, and false positive authentication determinations, which incorrectly indicate that a legitimate authentication request is fraudulent, and may be offset by the beneficial value of the enhancement to an organization's reputation resulting from true positive authentication determinations, which correctly indicate that an authentication request is fraudulent.

Abstract: Methods and apparatus are provided for identifying suspicious domains using common user clustering. An exemplary method comprises obtaining network event data comprising a plurality of network connections; identifying users and domains associated with the network connections in the network event data; creating a connection between each user/domain pair that communicate with one another in the identified users and the identified domains to generate a graph; connecting domains in the graph using inter-domain edges that share common users to obtain a graph of interconnected domains; identifying bi-connected components in the graph of interconnected domains, wherein the bi-connected components comprise node pairs having at least two paths in the graph of interconnected domains between them; and processing the bi-connected components to identify a plurality of suspicious domains that are likely to participate in a computer security attack.

Abstract: Technology for establishing trustworthiness of devices in the Internet of Things (IoT), and for controlling communications between devices based on the trustworthiness scores of individual devices. A hub computer collects behavioral characteristics from multiple devices, and calculates trustworthiness scores for individual devices by comparing recently collected behavioral characteristics to expected behavioral characteristics. The expected behavioral characteristics may include i) historically collected behavioral characteristics for the device, and/or ii) expected behavioral characteristics for devices in a device group to which the device belongs. The trustworthiness scores are obtained from the hub by individual devices to control communication with other devices. A composite trustworthiness score for a device may also be calculated at the hub computer based on the trustworthiness scores of other devices with which the device has previously communicated.

Abstract: Techniques of information sharing involve processing queries from exchanges with multiple, non-colluding servers. Along these lines, each server stores a share of the query data such that readable query data may be reproduced only through combining the shares stored on a minimum number of the servers. In addition, a client wishing to submit a query encrypts any query input as well as a query function that provides an answer to the query. The client then sends a portion of the garbled query function to each of the servers. Each of the servers then evaluates their respective portion of the garbled query function using Yao's protocol in a serial manner so that one of the servers produces a garbled output. The client then determines the answer to the query by decoding the garbled output.

Abstract: Techniques of performing impersonation detection involve using encrypted access request data. Along these lines, an impersonation detection server stores historical access request data only in encrypted form and has no way to decrypt such data. When a new access request is received by a client, the client sends the username associated with the request to the server, which in turns sends the client the encrypted historical access request data. In addition, the server sends the client instructions to perform impersonation detection. The client then carries out the instructions based on the encrypted historical access request data and data contained in the new access request.

Abstract: An improved technique of processing an electronic transaction is disclosed. In the improved technique, a validation operation is performed on a set of standard user input and a set of peripheral device data received by a server connected to a client computer, the validation operation verifying a link between the set of standard user input and the set of peripheral device data. Based on results of the validation operation, an authorization code is assigned to the electronic transaction.

Abstract: Techniques of performing queries involve adapting a query to whether query data is encrypted. Along these lines, a data sensitivity policy defines which types of data is encrypted prior to storage in a data analytics database and which other types of data remain unencrypted. When a client formulates a query, the client encrypts a query input and then conceals the encrypted query input and query function to form concealed query logic. When the concealed query logic is received by a data analytics server, the data analytics server determines whether the query data to be input into the concealed query logic is encrypted or unencrypted. If the query data is unencrypted, then the concealed query logic is unconcealed and the query input unencrypted so that the data analytics server may evaluate the query function without concealment to produce a query result.

Abstract: A system that permits authentication based on a partial password, in which a risk score is assigned to an authentication request, and a minimum partial password size is generated based on the risk score. User-entered password characters are compared to one or more partial passwords having lengths equal to or greater than the minimum partial password size. If a match is found, the user is authenticated. A password similarity threshold for the request may also be generated based on the risk score, indicating a minimum level of similarity required between the user-entered password characters and the characters in a partial password, in order for there to be a match. When the user-entered password characters match a partial password, and the requesting user is authenticated, the system may stop inputting user-entered password characters, and/or transmitting the user-entered password characters to a server computer.