Abstract: Disclosed herein are techniques for use in user authentication. In one embodiment, the technique comprises collecting information in connection with a plurality of authentication methods. The technique also comprises determining a score for each authentication method based on the collected information. The technique further comprises selecting an authentication method from the plurality of authentication methods based on the determined score.

Abstract: A computer-implemented technique provides security to an enterprise. The technique involves receiving, by processing circuitry, personal information belonging to users of the enterprise. The technique further involves providing, by the processing circuitry, lists of user identifiers based on user relationships defined by the personal information. The lists of user identifiers respectively identify clusters of users of the enterprise. The technique further involves electronically imposing, by the processing circuitry, security classes on the clusters of users of the enterprise based on the lists of user identifiers. Along these lines, such classification can be used for risk assessment (e.g., authentication), alert filtering (e.g., filtering false alarms), and permission/privilege monitoring and/or assignment, among others.

Abstract: Techniques of detecting telecom fraud involve applying a combination of real-time data analysis and risk models typically used in authentication applications to phone call metadata that is streamed to a database server on a continual basis to derive phone usage patterns as the database server receives the phone usage data. The database server then compares the derived phone usage patterns to patterns of fraudulent phone usage in order to detect SIM box or SIM cloning fraud in the streamed data. A comparison result that indicates the likelihood of such fraud in a vast set of phone calls may take the form of a risk score derived using risk models typically found in authentication applications.

Abstract: A computer-implemented technique provides rules for use in a malicious activity detection system. The technique involves performing evaluation operations on a plurality of malicious activity detection rules. The technique further involves ranking the plurality of malicious activity detection rules in an order based on results of the evaluation operations (e.g., sorting the rules systematically in an order based on measures such as precision, recall, correlation to other rules already in use, etc.). The technique further involves, based on the order of the plurality of malicious activity detection rules, providing a malicious activity detection rule report which recommends a set of malicious activity detection rules of the plurality of malicious activity detection rules for use in the malicious activity detection system.

Abstract: Disclosed herein are techniques for use in fraud detection. In one embodiment, the techniques comprise a method. The method comprises receiving an encrypted current location associated with a user. The method also comprises obtaining an encrypted historical location associated with the user and an encrypted location sensitivity metric that relates to a distance within which locations are considered to be the same. The method further comprises performing an authentication operation based on the encrypted current location, the encrypted historical location and the encrypted location sensitivity metric.

Abstract: A technique provides alert prioritization. The technique involves selecting attributes to use as alert scoring factors. The technique further involves updating, for an incoming alert having particular attribute values for the selected attributes, count data to represent encounter of the incoming alert from perspectives of the selected attributes. The technique further involves generating an overall significance score for the incoming alert based on the updated count data. The overall significance score is a measure of alert significance relative to other alerts. Scored alerts then can be sorted so that investigators focus on the alerts with the highest significance scores. Such a technique is well suited for adaptive authentication (AA) and Security Information and Event Management (SIEM) systems among other alert-based systems such as churn analysis systems, malfunction detection systems, and the like.

Abstract: There is disclosed some techniques for processing an authentication request. In one example, a method comprises the step of determining the velocity between authentication requests of a user associated with the requests. Additionally, the method determines the likelihood that a location associated with one of the requests is associated with the user location. Furthermore, the method generates an authentication result based on the likelihood that a location associated with one of the requests is associated with the user location.

Abstract: An information processing system implements a security system. The security system comprises a classifier configured to process information characterizing events in order to generate respective risk scores, and a data store coupled to the classifier and configured to store feedback relating to one or more attributes associated with an assessment of the risk scores by one or more users. The classifier is configured to utilize the feedback regarding the risk scores to learn riskiness of particular events and to adjust its operation based on the learned riskiness, such that the risk score generated by the classifier for a given one of the events is based at least in part on the feedback received regarding risk scores generated for one or more previous ones of the events.

Abstract: A technique provides malicious identity profiles. The technique involves storing unsuccessful authentication entries in a database, the unsuccessful authentication entries including (i) descriptions of failed attempts to authenticate users and (ii) biometric records captured from the users during the failed attempts to authenticate the users. The technique further involves generating a set of malicious identity profiles based on the descriptions and the biometric records of the unsuccessful authentication entries stored in the database. Each malicious identity profile includes a profile biometric record for comparison with new biometric records during new authentication attempts. The technique further involves outputting the set of malicious identity profiles. Such a set of malicious identity profiles is well suited for use in future authentication operations, i.e., well suited for predicting intruder attacks and fraud attempts, and for sharing risky identities among authentication systems (e.g.

Abstract: A method is used in analyzing device similarity. Data describing a device is received and a similarity analysis is applied to the data. Based on the similarity analysis, a measure of similarity between the device and a previously known device is determined.

Abstract: There is disclosed a technique for detecting risky domains. The technique comprises collecting information in connection with a domain. The technique also comprises generating a profile comprising at least one metric associated with the domain based on the collected information. The technique further comprises determining the riskiness in connection with the domain based on the generated profile.

Abstract: A processing device comprises a processor coupled to a memory and is configured to determine a first set of features from domain name system (DNS) information, the first set of features being defined over a domain, and to determine a second set of features from the DNS information, the second set of features being defined over internet protocol (IP) addresses returned for the domain. The processing device is further configured to compute a fast-flux score based on the first and second sets of features, and to utilize the fast-flux score to characterize fast-flux activity relating to the domain. For example, the processing device can be configured to compare the fast-flux score to a threshold, and to generate an indicator of the presence or absence of fast-flux activity based on a result of the comparison. The processing device may be implemented in a computer network or network security system.

Abstract: An authentication technique involves obtaining, by processing circuitry, a set of suitability factors from a user device of a user. The authentication technique further involves performing, based on the set of suitability factors and by the processing circuitry, a selection operation which selects a set of suitable biometric methods to apply during authentication from available biometric methods which are available to the processing circuitry for use in authentication. The authentication technique further involves applying, after the set of suitable biometric methods is selected and by the processing circuitry, the set of suitable biometric methods during an authentication operation to determine whether the user is authentic. Accordingly, poorly suited biometric methods can be ruled out (i.e., made unavailable for use by authentication).

Abstract: A processing device comprises a processor coupled to a memory and is configured to obtain at least one rule set utilized to detect malicious activity in a computer network, to determine one or more trigger conditions for each of a plurality of rules of the at least one rule set, to identify alerts generated responsive to the determined trigger conditions, to compute correlations between respective pairs of the plurality of rules based on the identified alerts, and to aggregate groups of two or more of the plurality of rules into respective aggregated rules based at least in part on the computed correlations. The aggregated rules are illustratively applied in conjunction with remaining unaggregated ones of the plurality of rules of the one or more rule sets to detect malicious activity in the computer network. The processing device may be implemented in a computer network or network security system.

Abstract: A method is used in analyzing device similarity. Data describing a device is received and a model is applied to the data. Based on the modeling, a measure of similarity between the device and a previously known device is determined.

Abstract: Authentication systems are provided that select an authentication method to be applied to a given transaction from among a plurality of available authentication methods based on risk reasoning. An authentication request from an authentication requestor for a given transaction is processed by receiving the authentication request from the authentication requester and selecting an authentication method to be applied to the given transaction from among a plurality of available authentication methods based on an evaluation of one or more predefined risk reasons with respect to the available authentication methods. The predefined risk reasons associated with a given transaction comprise, for example, a set of risk reasons that contribute to a risk score that has been assigned to the given transaction. The evaluation may employ one or more of rule-based, heuristic and Bayesian techniques.

Abstract: Data driven device detection is provided, whereby a device is detected by obtaining a plurality of feature values for a given device; obtaining a set of device attributes for a plurality of potential devices; calculating a probability value that the given device is each potential device within the plurality of potential devices; identifying a candidate device associated with a maximum probability value among the calculated probability values; and labeling the given device as the candidate device if the associated maximum probability value satisfies a predefined threshold. The predefined threshold can be a function, for example, of whether the given user has previously used this device. The obtained feature values can be obtained for a selected set of features satisfying one or more predefined characteristic criteria. The device attributes can be obtained, for example, from a profile for each of the plurality of potential devices.

Abstract: There is disclosed some techniques for selecting a user authentication challenge. In one example, the method comprises the steps of receiving an authentication request to authenticate a user and selecting a user authentication challenge to issue to the user in response to receiving the authentication request. The selection of the user authentication challenge comprises selecting a user authentication challenge among a plurality of user authentication challenges based on the cost effectiveness of the respective user authentication challenges and characteristics of the authentication request.

Abstract: Techniques are provided for evaluating compromised credential information. A method for evaluating compromised credentials comprises the steps of: collecting data regarding previously compromised credentials that were used to commit an unauthorized activity; applying one or more statistical learning methods to the collected data to identify one or more patterns; and evaluating a risk of credentials that have been compromised by one or more attackers using the identified patterns. According to a further aspect of the invention, a risk score is generated for one or more users and devices. The risk scores are optionally ordered based on an order of risk. The data can be collected, for example, from one or more of anti-fraud servers and information sources.

Abstract: There is disclosed some techniques for processing an authentication request which includes a user identifier and current user data. In one example, the technique comprises receiving the authentication request at an adaptive authentication system which includes a database having a set of entries with each entry of the set of entries including an identifier and previous user data in connection with previous authentication requests. The adaptive authentication system constructed and arranged to perform an adaptive authentication operation on the authentication request as well as an unsupervised machine learning operation on the authentication request.