Abstract: A method of protecting a computer system from fraudulent use includes collecting and aggregating sets of risk predictor values for user-initiated events into user-specific aggregations and organization-wide aggregations, and in response to a current event initiated by a user, generating a risk indicator as a combination of a user-specific indicator and an organization-wide indicator based on current event parameters and the user-specific and organization-wide aggregations. Based on the risk indicator indicating that the current event may be a fraudulent use, a protective control action is taken (such as denying or modifying a requested access) to protect the computer system.

Abstract: A device, system and method for debugging a homomorphically encrypted (HE) program. The HE program comprising real ciphertext data and encrypted operations in the HE space (production mode) may be mapped to an equivalent plaintext program comprising equivalent pseudo-ciphertext data and pseudo-encrypted operations in the unencrypted space (simulation mode). The plaintext program may be executed in a first full pass in simulation model and a sampling of the HE program may be executed in a second partial pass in production mode, the results of which are compared. The HE program and/or mapping may be validated if the results of simulation and production mode match and debugged if the results do not match. An integrated development environment (IDE) may switch among the HE space (production mode), the unencrypted space (simulation mode), and a combination of both HE and unencrypted spaces simultaneously (simultaneous production-simulation mode).

Abstract: An improved technique involves generating, from historical transaction data, a relational graph that represents connections between users who initiate transactions and transaction devices used to carry out the transactions. By supplementing traditional relational database models with a tool such as a graph database, a risk analysis server is able to express users and transaction devices as nodes in a graph and the connections between them as edges in the graph. The risk analysis server may then match the topology of the graph in a neighborhood of the user initiating the transaction to a known topology that is linked to an indication of risk. In some arrangements, this topology is an input into a risk model used to compute a risk score for adaptive authentication.

Abstract: Techniques are provided for determining anomaly scores for transactions based on adaptive clustering of the location of a given user over multiple transactions.

Abstract: A method of protecting a computer system from fraudulent use includes collecting and aggregating sets of risk predictor values for user-initiated events into user-specific aggregations and organization-wide aggregations, and in response to a current event initiated by a user, generating a risk indicator as a combination of a user-specific indicator and an organization-wide indicator based on current event parameters and the user-specific and organization-wide aggregations. Based on the risk indicator indicating that the current event may be a fraudulent use, a protective control action is taken (such as denying or modifying a requested access) to protect the computer system.

Abstract: There is disclosed a technique for use in managing policy. The technique comprises storing information relating to at least one previous authentication request. It should be understood that the information can be used in an authentication operation performed in connection with an authentication request. The technique also comprises receiving a policy request to alter a policy relating to an authentication operation that can be performed in connection with an authentication request. The technique further comprises generating an alteration to the policy based on the stored information and the received policy request.

Abstract: Techniques involve a user taking a picture of a current one-time use passcode (OTP) and using the picture to authenticate. Such techniques alleviate the burden and frustration of the user having to manually type in the current OTP. Additionally, the user will not trigger a lockout via accidental typing errors. Furthermore, the current OTP can be augmented to include more than a string of six or eight alphanumeric characters for stronger security (e.g., by using non-alphanumeric characters, by capturing multi-digit seven-segment LCD display patterns, by using a QR code, by using a randomly selected image, etc.). One technique involves taking a picture of an OTP provided by a user. The particular technique further involves extracting the OTP from the picture and performing an authentication operation based on the OTP extracted from the picture to determine whether the user is authentic.

Abstract: There is disclosed some techniques for processing an authentication request. In one example, a method comprises the step of determining the velocity between authentication requests of a user associated with the requests. Additionally, the method determines the likelihood that a location associated with one of the requests is associated with the user location. Furthermore, the method generates an authentication result based on the likelihood that a location associated with one of the requests is associated with the user location.

Abstract: An improved technique involves identifying other transactions for investigation from entries in a database that involve a particular actor involved in a known fraudulent transaction. From a transaction log listing transactions, a server generates a database of transaction entries which identify transactions from the transaction log, each transaction entry (i) describing an activity and (ii) identifying a set of actors involved in that activity. Based on a known fraudulent transaction involving a particular actor, the server finds a set of transaction entries from the database which involve the particular actor. From the found set of transaction entries, the server identifies other transactions for investigation.

Abstract: A virtual machine computing platform uses a security virtual machine (SVM) in operational communications with a risk engine which has access to a database including stored patterns corresponding to patterns of filtered operational data that are expected to be generated during operation of the monitored virtual machine when malware is executing. The stored patterns may have been generated during preceding design and training phases. The SVM is operated to (1) receive raw operational data from a virtual machine monitor, the raw operational data obtained from file system operations and network operations of the monitored virtual machine; (2) apply rule-based filtering to the raw operational data to generate filtered operational data; and (3) in conjunction with the risk engine, perform a mathematical (e.g., Bayesian) analysis based on the filtered operational data and the stored patterns in the database to calculate a likelihood that the malware is executing in the monitored virtual machine.