Patents by Inventor Oleg Freylafert

Oleg Freylafert has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 10616196
    Abstract: User authentication techniques are provided for multiple authentication sources and for non-binary authentication decisions. An authentication request is received from an application server to authenticate a user for access to a protected resource. Pre-flow rules and the authentication request are evaluated to dynamically determine a plurality of authentication servers to invoke for the authentication request and an order for the invocation. A first authentication server is contacted to obtain a first authentication result for the user. In-flow rules and the first authentication result are evaluated to determine if additional authentication of the user should be performed. A second authentication server is contacted based on the determined invocation order and/or a result of the in-flow rules to obtain a second authentication result for the user. Decision rules and the first and second authentication results are evaluated to determine an authentication decision.
    Type: Grant
    Filed: September 24, 2015
    Date of Patent: April 7, 2020
    Assignee: EMC IP Holding Company LLC
    Inventors: Anton Khitrenovich, Oleg Freylafert
  • Patent number: 10148673
    Abstract: Techniques of operating intrusion detection systems provide a recommendation of an intrusion detection rule to an administrator of an intrusion detection system based on the experience of another administrator that has used the rule in another intrusion detection system. For example, suppose that electronic circuitry receives a numerical rating from a first intrusion detection system that indicates whether an intrusion detection rule was effective in identifying malicious activity when used in the first intrusion detection system. Based on the received rating and attributes of the first intrusion detection system, the electronic circuitry generates a predicted numerical rating that indicates whether the intrusion detection rule is likely to be effective in identifying malicious communications when used in a second intrusion detection system.
    Type: Grant
    Filed: September 30, 2015
    Date of Patent: December 4, 2018
    Assignee: EMC IP Holding Company LLC
    Inventors: Zohar Duchin, Alon Kaufman, Oleg Freylafert, Lior Asher, Alex Zaslavsky
  • Patent number: 9967265
    Abstract: Techniques of detecting malicious events involve generating a relational graph of event data describing events that occur within a specified, limited time window. Along these lines, a malicious event detection computer receives event data describing interactions between entities such as users, devices, and network domains from various servers that occur within a specified time window. In response, the malicious event detection computer generates a relational graph that has graph structures (e.g., nodes and edges) representing these interactions. Analysis of patterns within the resulting relational graph indicates whether there is a malicious event occurring.
    Type: Grant
    Filed: September 29, 2015
    Date of Patent: May 8, 2018
    Assignee: EMC IP Holding Company LLC
    Inventors: Oded Peer, Oleg Freylafert, Anton Khitrenovich, Yana Vaisman
  • Patent number: 9838355
    Abstract: A method includes receiving a first analytics set performed on a first network security appliance operated internal to a first organization, receiving a second analytics set performed on a second network security appliance operated internal to a second organization, processing the first analytics set and the second analytics set, and responsive to the processing, disseminating to the second network security appliance information indicating that the second analytics set has also been performed on at least the first network security appliance, without revealing an identity of the first organization. In one embodiment at least part of the first analytics set or the second analytics set is hashed.
    Type: Grant
    Filed: September 26, 2016
    Date of Patent: December 5, 2017
    Assignee: EMC IP Holding Company LLC
    Inventors: Yedidya Dotan, Brian P. Girardi, Marcelo Blatt, Oleg Freylafert, Kevin D. Bowers, Michael S. Shreve
  • Patent number: 9779220
    Abstract: A method includes (a) selecting a first token column or a second token column of a token table as an active token column based upon the value of a current token flag, (b) selecting a row of the token table uniquely associated with a sensitive piece of data, the selected row having a first token field storing a first token value and a second token field storing a second token value, (c) selectively extracting an active token value from the first token field when the first token column is the active token column and from the second token field when the second token column is the active token column, (d) selecting a row of a data table having the extracted active token value within a token field, and (e) causing contents of the selected row of the data table to be displayed to a user over a user interface.
    Type: Grant
    Filed: September 28, 2012
    Date of Patent: October 3, 2017
    Assignee: EMC IP Holding Company LLC
    Inventors: Boris Kronrod, Shadi Ibrahim, Oleg Freylafert
  • Patent number: 9594911
    Abstract: Methods and apparatus are provided for multi-factor authentication of a user using beacon images. Access is provided to a protected resource by receiving a browser request for a beacon image, wherein the beacon image is embedded in an access request page (e.g., a login page) for the protected resource; collecting data in response to the browser request from a device associated with the browser; and providing the data for a risk assessment of the request. The beacon image comprises, for example, a substantially invisible image and can be loaded when the access request page is loaded in the browser or when a user submits credentials in the access request page.
    Type: Grant
    Filed: September 14, 2012
    Date of Patent: March 14, 2017
    Assignee: EMC IP Holding Company LLC
    Inventors: Anton Khitrenovich, Oleg Freylafert, Yedidya Dotan, Maor Franco
  • Patent number: 9535955
    Abstract: Methods, apparatus and articles of manufacture for modifying queries and rules for profile fetching and risk calculation are provided herein. A method includes comparing at least one aspect of a query submitted to access a data store to rule sets associated with the data store to determine a potential access path within the data store for responding to the query, comparing information pertaining to an entity identified via the query to risk information pertaining to entities to determine a level of risk associated with the entity identified via the query, generating a modified version of the query based on information derived from the potential access path within the data store for responding to the query, and calculating a risk score associated with the modified version of the query based on the aspect of the query and the level of risk associated with the entity identified via the query.
    Type: Grant
    Filed: March 12, 2013
    Date of Patent: January 3, 2017
    Assignee: EMC IP Holding Company LLC
    Inventors: Yedidya Dotan, Oded Peer, Oleg Freylafert, Asaf Shoval, Eyal Lewinsohn
  • Patent number: 9467343
    Abstract: A method includes receiving a first analytics set performed on a first network security appliance operated internal to a first organization, receiving a second analytics set performed on a second network security appliance operated internal to a second organization, processing the first analytics set and the second analytics set, and responsive to the processing, disseminating to the second network security appliance information indicating that the second analytics set has also been performed on at least the first network security appliance, without revealing an identity of the first organization. In one embodiment at least part of the first analytics set or the second analytics set is hashed.
    Type: Grant
    Filed: September 30, 2014
    Date of Patent: October 11, 2016
    Assignee: EMC Corporation
    Inventors: Yedidya Dotan, Brian P. Girardi, Marcelo Blatt, Oleg Freylafert, Kevin D. Bowers, Michael S. Shreve
  • Patent number: 9202035
    Abstract: A technique authenticates a user. The technique involves receiving, by processing circuitry, a handwritten code. The technique further involves performing, by the processing circuitry, a set of assessment operations which includes (i) a handwriting evaluation to analyze a set of biometric handwriting aspects of the handwritten code and (ii) a code evaluation to analyze code accuracy of the handwritten code. The technique further involves providing, by the processing circuitry, an authentication result based on the set of assessment operations. Such a technique strengthens security by including a “who you are” factor (i.e., handwriting biometrics uniquely identify the genuine user).
    Type: Grant
    Filed: December 18, 2013
    Date of Patent: December 1, 2015
    Assignee: EMC Corporation
    Inventors: Yuri Manusov, Yedidya Dotan, Oleg Freylafert, Anton Khitrenovich
  • Patent number: 9032490
    Abstract: A method performed by a computing device is described. The method includes (a) receiving an authentication request from an application server seeking to authenticate a user for access to a service provided by the application server, (b) communicating with a first authentication server to obtain a first authentication of the user, (c) communicating with a second authentication server to obtain a second authentication of the user, the second authentication server being distinct from the first authentication server and the second authentication being of a type distinct from the first authentication, (d) rejecting the authentication request if and only if one or both of the first authentication and the second authentication is negative, and (e) upon rejecting the authentication request, sending a rejection message to the application server without informing the application server whether the first authentication or the second authentication was negative.
    Type: Grant
    Filed: September 12, 2012
    Date of Patent: May 12, 2015
    Assignee: EMC Corporation
    Inventors: Anton Khitrenovich, Oleg Freylafert, Yedidya Dotan
  • Patent number: 8949953
    Abstract: A method includes (a) receiving, from an application server, a login message for a user, the login message including a user credential for a credential-based authentication (CBA), (b) forwarding the user credential to a CBA server for the CBA, (c) in response, receiving an authentication decision message from the CBA server, (d) sending decision information from the authentication decision message received from the CBA server to a risk-based authentication (RBA) server, the RBA server being distinct from the CBA server, the decision information to be used by the RBA server in performing RBA authentication decisions, (e) if the authentication decision message is positive, then sending a challenge message to the application server to initiate RBA to be performed by the RBA server supplementary to the CBA, and (f) if the authentication decision message is negative, then sending a rejection message to the application server.
    Type: Grant
    Filed: September 12, 2012
    Date of Patent: February 3, 2015
    Assignee: EMC Corporation
    Inventors: Anton Khitrenovich, Oleg Freylafert, Yedidya Dotan, Lawrence N. Friedman, Karl Ackerman
  • Patent number: 8875244
    Abstract: Access of a client device to a protected resource is controlled by issuing an authentication information request for a dynamic sub-set of client-side storage values previously stored on the client device by one or more servers. Authentication information is received from the client device based on the dynamic sub-set of client-side storage values. The client device is authenticated based upon verification of the received authentication information. The received authentication information from the client device is optionally encrypted. The client-side storage values comprise any value stored by one or more servers on the client device. The client-side storage values are substantially specific to the client device. The client-side storage values are optionally stored as a matrix. The requested dynamic sub-set of the client-side storage values may comprise one or more cells from a plurality of records in the matrix.
    Type: Grant
    Filed: March 31, 2011
    Date of Patent: October 28, 2014
    Assignee: EMC Corporation
    Inventors: Alex Vaystikh, Oleg Freylafert
  • Patent number: 8683568
    Abstract: Techniques for using a network analyzer device connected to a network include (a) sniffing packets traversing the network between a web-based application server and a user machine, the user machine being operated by a user, (b) analyzing the sniffed packets to extract event information relating to interaction events between the user machine and the web-based application server, and (c) sending the extracted event information to an authentication server for risk-based authentication of the user.
    Type: Grant
    Filed: September 22, 2011
    Date of Patent: March 25, 2014
    Assignee: EMC Corporation
    Inventors: Anton Khitrenovich, Oded Peer, Oleg Freylafert
  • Patent number: 8650405
    Abstract: An improved PIN-based authentication technique for authenticating the user of a client machine to a server automatically generates a personal identification number (PIN) for the user based on user-specific authentication information, such as encrypted cookie information. The server provides user-specific authentication information to a client machine. When the user submits an authentication request, user-specific authentication information is collected and uploaded to the server. The user-specific authentication information is processed to form a PIN, and authentication of the user proceeds based on the PIN and any other authentication factors provided. Since the disclosed techniques compute PINs automatically based on information exchanged between a client machine and a server, the user is relieved of any burden associated with registering and remembering a PIN.
    Type: Grant
    Filed: June 30, 2011
    Date of Patent: February 11, 2014
    Assignee: EMC Corporation
    Inventors: Yedidya Dotan, Lawrence N. Friedman, Oleg Freylafert, Robert S. Philpott, Daniel Schiappa