Abstract: In one approach, a method includes: receiving a reference login event input from a user, the reference login event input being associated with a first session of the user logging into an account; receiving a new login event input from the user, the new login event input being associated with a second session of the user logging into the account; accessing a machine learning model, wherein the machine learning model is trained using data selected based on a similarity of behavior between different users; and authenticating, with the machine learning model, the user for the account, based at least in part on the reference login event input and the new login event input. In examples, the reference and new login event inputs comprise one or more items of biometric data generated by interaction of the user in a web environment and/or a mobile environment for logging into the account.

Abstract: In one approach, a method includes: receiving a login event input from a user, the login event input being associated with a session of the user logging into an account; accessing a machine learning model; and authenticating, with the machine learning model, the user for the account, based at least in part on the login event input. In examples, the login event input comprises one or more items of biometric data associated with the user, an item of the one or more items of biometric data associated being generated by interaction of the user with an input device for logging into the account, and the interaction communicating a login credential of the user. In examples, an item of the one or more items of biometric data associated with the user is keyboard event-related biometric data, or mouse event-related biometric data.

Abstract: In one approach, a method includes: receiving a reference login event input from a user, the reference login event input being associated with a first session of the user logging into an account; receiving a new login event input from the user, the new login event input being associated with a second session of the user logging into the account; accessing a machine learning model, wherein the machine learning model is trained using data selected based on a similarity of behavior between different users; and authenticating, with the machine learning model, the user for the account, based at least in part on the reference login event input and the new login event input. In examples, the reference and new login event inputs comprise one or more items of biometric data generated by interaction of the user in a web environment and/or a mobile environment for logging into the account.

Abstract: Anti-impersonation techniques using device-context information and user behavior information from a session. The session can include a time period where a user of the client computer is performing an activity on the client computer (e.g., the session includes the user logging into an account online). The behavior information can include information on ways the user uses user input devices during the session. The device-context information can include HTTP session information. The techniques can include generating feature vector(s) for the received information, and comparing the feature vector(s) against model(s) of related historical information. The comparisons can provide level(s) of deviation of the feature vector(s) from the model(s). Also, the techniques can include determining whether the session is anomalous or normal according to the level(s) of deviation, and performing a security action in response to determining the session is anomalous.

Abstract: The disclosed techniques utilize round-trip times (RTTs) from back-and-forth communications with distant servers to detect impersonations in a computer network, such as impersonations using IP spoofing. Also, the techniques can use machine learning to enhance analysis in spoofing detection. The techniques can include sending a computer program to a client device. The client device can have an IP address, and the computer program can be executed by the client device after it is received by the client device. The computer program can measure RTTs for messages the computer program sends to multiple pre-selected location servers at different remote or distant locations and for corresponding reply messages that are returned to the computer program. The IP address of the client device and the measured RTTs can then be received and used to determine whether the measured RTTs are anomalous or not; and thus, determine a possible impersonator or a legitimate user.

Abstract: A method for verifying authenticity of a physical document includes receiving an image of a physical document to be authenticated including the physical document and a background. A pre-processed image is produced that includes the physical document separated from the background. The producing includes separating the physical document from the background by semantic segmentation utilizing an artificial neural network trained using an augmented dataset generated by applying geometric transformations over different backgrounds. Features of the pre-processed image are extracted to determine a document type. In response to determining the document type of the physical document, the method includes verifying, utilizing a machine learning classifier, whether the physical document is authentic based on the extracted features relative to expected features for the corresponding document type. An indication of whether the physical document is authentic based on the verifying is generated.

Abstract: In one approach, a method includes: receiving a login event input from a user, the login event input being associated with a session of the user logging into an account; accessing a machine learning model; and authenticating, with the machine learning model, the user for the account, based at least in part on the login event input. In examples, the login event input comprises one or more items of biometric data associated with the user, an item of the one or more items of biometric data associated being generated by interaction of the user with an input device for logging into the account, and the interaction communicating a login credential of the user. In examples, an item of the one or more items of biometric data associated with the user is keyboard event-related biometric data, or mouse event-related biometric data.

Abstract: The disclosed techniques include systems and methods for implementing liveliness detection in an authentication process using pupil or iris tracking. The disclosed techniques can utilize a combination of facial recognition and pupil or iris tracking for liveliness detection in an authentication process to provide an extra layer of security against impersonation attacks.

Abstract: The disclosed techniques utilize round-trip times (RTTs) from back-and-forth communications with distant servers to detect impersonations in a computer network, such as impersonations using IP spoofing. Also, the techniques can use machine learning to enhance analysis in spoofing detection. The techniques can include sending a computer program to a client device. The client device can have an IP address, and the computer program can be executed by the client device after it is received by the client device. The computer program can measure RTTs for messages the computer program sends to multiple pre-selected location servers at different remote or distant locations and for corresponding reply messages that are returned to the computer program. The IP address of the client device and the measured RTTs can then be received and used to determine whether the measured RTTs are anomalous or not; and thus, determine a possible impersonator or a legitimate user.

Abstract: The disclosed techniques include systems and methods for implementing liveliness detection in an authentication process using pupil or iris tracking. The disclosed techniques can utilize a combination of facial recognition and pupil or iris tracking for liveliness detection in an authentication process to provide an extra layer of security against impersonation attacks.

Abstract: Anti-impersonation techniques using device-context information and user behavior information from a session. The session can include a time period where a user of the client computer is performing an activity on the client computer (e.g., the session includes the user logging into an account online). The behavior information can include information on ways the user uses user input devices during the session. The device-context information can include HTTP session information. The techniques can include generating feature vector(s) for the received information, and comparing the feature vector(s) against model(s) of related historical information. The comparisons can provide level(s) of deviation of the feature vector(s) from the model(s). Also, the techniques can include determining whether the session is anomalous or normal according to the level(s) of deviation, and performing a security action in response to determining the session is anomalous.

Abstract: A method and apparatus for determining an identity of an unknown Internet-of-Things (IoT) device in a communication network is disclosed. The method includes the steps of receiving network traffic generated by the unknown IoT device, extracting device network behavior from the generated network traffic, and determining the identity of the unknown IoT device from a list of known IoT devices by applying a selected machine learning based classifier from a set of machine learning based classifiers to analyze the device network behavior. Each machine learning based classifier of the set is trained by a dataset including a plurality of features representing network behavior of a respective known IoT device from the list and the known IoT device's identity. The plurality of features is associated with the corresponding device network behavior of the generated network traffic.

Abstract: A communication method 100 for an industrial control system (ICS) is disclosed. The method 100 includes receiving network packets that are sent to an address in the ICS. The network packets carry critical payloads 1000 and non-critical payloads 1100. The method 100 further includes selectively capturing a critical network packet 1000. The critical network packet 1000 is identified based on a predefined list of critical payloads capable of controlling a physical state of the ICS. The method 100 further includes generating a signature Sigk {p} 1300 from the critical network packet 1000 using a signing algorithm and transmitting a combined network packet 1200 that includes the critical network packet 1000 and the signature to the address. The method 100 further includes receiving the combined network packet 1200 at the address, and verifying the integrity of the critical network packet 1000 by authenticating the signature 1300 using a verification algorithm.