Patents by Inventor Winfred Wong
Winfred Wong has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
- Patent number: 11902327
  Abstract: Techniques are described herein that are capable of evaluating a result of enforcement of access control policies instead of enforcing the access control policies. For instance, a result of enforcement of an access control policy with regard to sign-in processes is evaluated instead of enforcing the access control policy with regard to the sign-in processes. The evaluation includes monitoring access requests that are received during the sign-in processes. Each access request requests access to a resource. The evaluation further includes comparing attributes of each access request against the access control policy that specifies criteria that are to be satisfied as a prerequisite to granting access to the resource to which access is requested by the respective access request. Metadata associated with the sign-in processes is generated instead of enforcing the access control policy with regard to the sign-in processes.
  Type: Grant
  Filed: January 6, 2020
  Date of Patent: February 13, 2024
  Assignee: Microsoft Technology Licensing, LLC
  Inventors: Daniel Edward Lee Wood, Caleb Geoffrey Baker, Sarat Subramaniam, Etan Micah Basseri, Carlos Adrian Lopez Castro, Sandra Jiang, Dilesh Dhokia, Jessica Tian-Hueih Lin, Pui Yin Winfred Wong, Robyn Nicole Hicock
- Patent number: 11575692
  Abstract: To detect identity spray attacks, a machine learning model classifies account access attempts as authorized or unauthorized, based on dozens of different pieces of information (machine learning model features). Boosted tree, neural net, and other machine learning model technologies may be employed. Model training data may include user agent reputation data, IP address reputation data, device or agent or location familiarity indications, protocol identifications, aggregate values, and other data. Account credential hash sets or hash lists may serve as model inputs. Hashes may be truncated to further protect user privacy. Classifying an access attempt as unauthorized may trigger application of multifactor authentication, password change requirements, account suspension, or other security enhancements. Statistical or heuristic detections may supplement the model.
  Type: Grant
  Filed: December 4, 2020
  Date of Patent: February 7, 2023
  Assignee: Microsoft Technology Licensing, LLC
  Inventors: Sergio Romero Zambrano, Andrew Numainville, Maria Puertas Calvo, Abbinayaa Subramanian, Pui Yin Winfred Wong, Dana S. Kaufman, Eliza Kuzmenko
- Patent number: 11405425
  Abstract: Authenticating computing entities. A method includes at an identity provider, providing a first access token to an entity for use by the entity in obtaining resources from a resource provider. The method further includes, at the identity provider, receiving response information from the entity. The response information from the entity is provided to the entity from the resource provider as a result of the resource provider enforcing policy at the resource provider. At the identity provider, a second access token is provided to the entity. The second access token is provided based on the response information, such that the second access token can be used by the entity to obtain the resources from the resource provider.
  Type: Grant
  Filed: October 31, 2019
  Date of Patent: August 2, 2022
  Assignee: Microsoft Technology Licensing, LLC
  Inventors: Violet Anna Barhudarian, Jiangfeng Lu, Caleb Geoffrey Baker, Oren Jordan Melzer, Anirban Basu, Yordan Ivanov Rouskov, William Bruce Barr, III, Radhika Kashyap, Carlos Adrian Lopez Castro, Pui-Yin Winfred Wong
- Publication number: 20220182397
  Abstract: To detect identity spray attacks, a machine learning model classifies account access attempts as authorized or unauthorized, based on dozens of different pieces of information (machine learning model features). Boosted tree, neural net, and other machine learning model technologies may be employed. Model training data may include user agent reputation data, IP address reputation data, device or agent or location familiarity indications, protocol identifications, aggregate values, and other data. Account credential hash sets or hash lists may serve as model inputs. Hashes may be truncated to further protect user privacy. Classifying an access attempt as unauthorized may trigger application of multifactor authentication, password change requirements, account suspension, or other security enhancements. Statistical or heuristic detections may supplement the model.
  Type: Application
  Filed: December 4, 2020
  Publication date: June 9, 2022
  Inventors: Sergio Romero Zambrano, Andrew Numainville, Maria Puertas Calvo, Abbinayaa Subramanian, Pui Yin Winfred Wong, Dana S. Kaufman, Eliza Kuzmenko
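The "credential hash sets ... truncated to further protect user privacy" input described in 11575692 and 20220182397 is easiest to see in a small heuristic detector. The following is an added example in Python, not code from the patents or from any Microsoft product: each failed sign-in's submitted password is hashed with a server-side key and truncated, and the detector counts how many distinct accounts the same truncated hash was tried against inside a sliding window, which is the signature of a password spray. The key, prefix length, window, threshold and sample attempts are constructed assumptions; the abstract says such statistical or heuristic detections may supplement the model, and this is one of that kind.

```python
"""Truncated, keyed credential hashes as a privacy-preserving spray feature.

Added example, not code from the patent or from any product. A password spray
tries one password against many accounts, so the same credential hash recurs
across distinct accounts in a short window. The hash is keyed with a
server-side secret and truncated so that a leaked feature store does not
reveal passwords. The key, prefix length, window, threshold and sample
attempts are constructed assumptions.
"""
import hashlib
import hmac
from collections import defaultdict

FEATURE_KEY = b"constructed-server-side-secret"  # assumption: kept out of logs, rotated
PREFIX_BYTES = 4  # keep 32 bits: enough to link repeats, too little to invert


def truncated_credential_hash(password: str, key: bytes = FEATURE_KEY) -> str:
    """HMAC-SHA256 of the submitted password, truncated to PREFIX_BYTES."""
    digest = hmac.new(key, password.encode("utf-8"), hashlib.sha256).digest()
    return digest[:PREFIX_BYTES].hex()


class SprayDetector:
    """Counts distinct accounts per truncated hash inside a sliding window."""

    def __init__(self, window_seconds: int = 600, distinct_account_threshold: int = 5):
        self.window = window_seconds
        self.threshold = distinct_account_threshold
        self._events = defaultdict(list)  # hash prefix -> [(timestamp, account)]

    def observe_failed_attempt(self, ts: float, account: str, password: str) -> dict:
        prefix = truncated_credential_hash(password)
        # Age out events that fell outside the window, then add this attempt.
        kept = [(t, a) for t, a in self._events[prefix] if t >= ts - self.window]
        kept.append((ts, account))
        self._events[prefix] = kept
        targeted = {a for _, a in kept}
        return {
            "hash_prefix": prefix,
            "distinct_accounts": len(targeted),
            "spray_suspected": len(targeted) >= self.threshold,
        }


# Constructed failed sign-in attempts: (timestamp, account, submitted password).
SAMPLE_FAILED_ATTEMPTS = [
    (0, "alice", "Spring2024!"),
    (5, "erin", "erins-own-typo"),
    (10, "bob", "Spring2024!"),
    (12, "bob", "Spring2024!"),       # same account retried: not a new target
    (20, "carol", "Spring2024!"),
    (30, "dave", "Spring2024!"),
    (2000, "frank", "Spring2024!"),   # outside the window: earlier targets aged out
]


def run_sample(threshold: int = 3) -> list:
    """Return (timestamp, account) pairs at which a spray was suspected."""
    detector = SprayDetector(window_seconds=600, distinct_account_threshold=threshold)
    flagged = []
    for ts, account, password in SAMPLE_FAILED_ATTEMPTS:
        result = detector.observe_failed_attempt(ts, account, password)
        if result["spray_suspected"]:
            flagged.append((ts, account))
    return flagged


if __name__ == "__main__":
    print(run_sample())
```

Two practitioner notes. Only failed attempts feed the detector: a successful sign-in's password must never reach it. Truncation trades a small false-positive rate for privacy, since unrelated passwords occasionally share a 32-bit prefix; keep the untruncated digest out of storage entirely, and treat the output as a feature for the model or a trigger for step-up authentication rather than as grounds for suspension on its own.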
- Patent number: 11283796
  Abstract: Methods, systems, and computer program products are provided for real-time compromise detection based on behavioral analytics. The detection runs in real-time, during user authentication, for example, with respect to a resource. The probability that the authentication is coming from a compromised account is assessed. The features of the current authentication are compared with the features from past authentications of the user. After comparison, a match score is generated. The match score is indicative of the similarity of the authentication to the user's history of authentication. This score is then discretized into risk levels based on the empirical probability of compromise based on known past compromised user authentications. The risk levels may be used to detect whether user authentication is occurring via compromised credentials.
  Type: Grant
  Filed: September 24, 2019
  Date of Patent: March 22, 2022
  Assignee: Microsoft Technology Licensing, LLC
  Inventors: Maria Puertas Calvo, Lakshmi Priya Gopal, Laurentiu B. Cristofor, Pui-Yin Winfred Wong, Dana S. Kaufman
- Patent number: 11252146
  Abstract: Managing user sessions in a networked computing environment. A method includes, at an identity provider computer system, providing a first id token to a resource provider for an entity. The first id token has therein a first policy check interval having a value defining a period when the first id token should be revalidated. Due to expiration of the first policy check interval, a first refresh token is received from a resource provider computer system that received the first id token. As a result of receiving the first refresh token from the resource provider computer system, the identity provider computer system evaluates conditional access policy for the entity. If the identity provider computer system determines that the conditional access policy for the entity has been met, the identity provider computer system provides a new id token and a new refresh token to the resource provider computer system.
  Type: Grant
  Filed: November 19, 2019
  Date of Patent: February 15, 2022
  Assignee: Microsoft Technology Licensing, LLC
  Inventors: Violet Anna Barhudarian, Yordan Ivanov Rouskov, Radhika Kashyap, Pui-Yin Winfred Wong, George Adrian Drumea
- Patent number: 11171948
  Abstract: Session lifetime can be adapted based on session reputation. Session reputation can be computed based on sign-in risk and device risk, among other things. Session lifetime corresponds to a length of time a session is valid and can be determined automatically based on the session reputation. Subsequently, a token can be generated and returned in response to successful authentication that identifies a session and is valid for the determined lifetime.
  Type: Grant
  Filed: June 27, 2018
  Date of Patent: November 9, 2021
  Assignee: Microsoft Technology Licensing, LLC
  Inventors: Violet Anna Barhudarian, George Adrian Drumea, Pui-Yin Winfred Wong, Radhika Kashyap, Titus Constantin Miron, Caleb Baker
- Publication number: 20210211470
  Abstract: Techniques are described herein that are capable of evaluating a result of enforcement of access control policies instead of enforcing the access control policies. For instance, a result of enforcement of an access control policy with regard to sign-in processes is evaluated instead of enforcing the access control policy with regard to the sign-in processes. The evaluation includes monitoring access requests that are received during the sign-in processes. Each access request requests access to a resource. The evaluation further includes comparing attributes of each access request against the access control policy that specifies criteria that are to be satisfied as a prerequisite to granting access to the resource to which access is requested by the respective access request. Metadata associated with the sign-in processes is generated instead of enforcing the access control policy with regard to the sign-in processes.
  Type: Application
  Filed: January 6, 2020
  Publication date: July 8, 2021
  Inventors: Daniel Edward Lee Wood, Caleb Geoffrey Baker, Sarat Subramaniam, Etan Micah Basseri, Carlos Adrian Lopez Castro, Sandra Jiang, Dilesh Dhokia, Jessica Tian-Hueih Lin, Pui Yin Winfred Wong, Robyn Nicole Hicock
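The report-only evaluation described in 11902327 and 20210211470 (compare each sign-in's attributes against a policy's criteria, emit metadata about what enforcement would have done, and never actually block) is shown below as an added example in Python. It is not code from the patents or from any Microsoft product; the policy fields (MFA, device compliance, blocked countries), the request attributes and the sample sign-ins are constructed assumptions chosen to exercise the allow, deny and not-applicable outcomes.

```python
"""Report-only evaluation of an access control policy over sign-in requests.

Added example, not code from the patent or from any product. For each access
request it compares the request's attributes against the policy's criteria and
records what enforcement would have produced, without ever denying access.
The policy fields, request attributes and sample sign-ins are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessRequest:
    user: str
    resource: str
    mfa_satisfied: bool
    device_compliant: bool
    country: str


@dataclass(frozen=True)
class Policy:
    """Criteria that must all hold before access to `resources` is granted."""
    name: str
    resources: frozenset
    require_mfa: bool = False
    require_compliant_device: bool = False
    blocked_countries: frozenset = frozenset()

    def applies_to(self, req: AccessRequest) -> bool:
        return req.resource in self.resources

    def unmet_criteria(self, req: AccessRequest) -> list:
        unmet = []
        if self.require_mfa and not req.mfa_satisfied:
            unmet.append("mfa")
        if self.require_compliant_device and not req.device_compliant:
            unmet.append("compliant_device")
        if req.country in self.blocked_countries:
            unmet.append("blocked_country:" + req.country)
        return unmet


def evaluate_report_only(policy: Policy, req: AccessRequest) -> dict:
    """Return metadata describing the result enforcement *would* have had.
    Never blocks: the caller grants or denies on its own existing rules."""
    if not policy.applies_to(req):
        return {"policy": policy.name, "result": "not_applicable", "unmet": []}
    unmet = policy.unmet_criteria(req)
    return {
        "policy": policy.name,
        "result": "would_deny" if unmet else "would_allow",
        "unmet": unmet,
    }


def report_only_summary(policy: Policy, requests) -> dict:
    """Aggregate the per-sign-in metadata: how many sign-ins the policy would
    have denied and which criteria failed most often. This is the evidence an
    operator wants before switching the policy from report-only to enforced."""
    summary = {"evaluated": 0, "would_allow": 0, "would_deny": 0,
               "not_applicable": 0, "unmet_counts": {}}
    for req in requests:
        md = evaluate_report_only(policy, req)
        summary["evaluated"] += 1
        summary[md["result"]] += 1
        for criterion in md["unmet"]:
            summary["unmet_counts"][criterion] = summary["unmet_counts"].get(criterion, 0) + 1
    return summary


# Constructed sample sign-ins; not real telemetry.
SAMPLE_REQUESTS = [
    AccessRequest("alice", "mail", mfa_satisfied=True, device_compliant=True, country="US"),
    AccessRequest("bob", "mail", mfa_satisfied=False, device_compliant=True, country="US"),
    AccessRequest("carol", "mail", mfa_satisfied=False, device_compliant=False, country="XX"),
    AccessRequest("dave", "wiki", mfa_satisfied=False, device_compliant=False, country="US"),
]

# Constructed policy: protects "mail" only.
MAIL_POLICY = Policy(
    name="mail-requires-mfa-and-compliant-device",
    resources=frozenset({"mail"}),
    require_mfa=True,
    require_compliant_device=True,
    blocked_countries=frozenset({"XX"}),
)

if __name__ == "__main__":
    for request in SAMPLE_REQUESTS:
        print(evaluate_report_only(MAIL_POLICY, request))
    print(report_only_summary(MAIL_POLICY, SAMPLE_REQUESTS))
```

The value of the metadata is the summary, not the individual verdicts: a policy that "would deny" a large share of legitimate sign-ins because of one criterion (here `mfa`) is the one to fix before turning enforcement on.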
- Publication number: 20210152547
  Abstract: Managing user sessions in a networked computing environment. A method includes, at an identity provider computer system, providing a first id token to a resource provider for an entity. The first id token has therein a first policy check interval having a value defining a period when the first id token should be revalidated. Due to expiration of the first policy check interval, a first refresh token is received from a resource provider computer system that received the first id token. As a result of receiving the first refresh token from the resource provider computer system, the identity provider computer system evaluates conditional access policy for the entity. If the identity provider computer system determines that the conditional access policy for the entity has been met, the identity provider computer system provides a new id token and a new refresh token to the resource provider computer system.
  Type: Application
  Filed: November 19, 2019
  Publication date: May 20, 2021
  Inventors: Violet Anna Barhudarian, Yordan Ivanov Rouskov, Radhika Kashyap, Pui-Yin Winfred Wong, George Adrian Drumea
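The session flow described in 11252146 and 20210152547 (an id token carrying a policy check interval, the resource provider presenting a refresh token when that interval expires, and the identity provider re-evaluating conditional access before issuing a new id token and refresh token) is walked through below as an added example in Python. It is not code from the patents or from any identity provider. The token format (HMAC-signed JSON with a shared key, purely for illustration; a real provider signs asymmetrically and the resource provider verifies with the public key), the in-memory refresh-token store, and the sample policy (account enabled and device compliant) are constructed assumptions.

```python
"""Id token with a policy check interval; refresh drives policy re-evaluation.

Added example, not code from the patent or from any identity provider. The
token format, refresh-token store and sample policy are constructed.
"""
import base64
import hashlib
import hmac
import json
import secrets

SIGNING_KEY = b"constructed-shared-key"  # assumption for the example only


def _encode(payload: dict) -> str:
    body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).decode()
    mac = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    return body + "." + mac


def _decode(token: str) -> dict:
    body, mac = token.split(".", 1)
    expected = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        raise ValueError("bad signature")
    return json.loads(base64.urlsafe_b64decode(body.encode()))


class IdentityProvider:
    def __init__(self, policy_check_interval: int = 300):
        self.interval = policy_check_interval
        self.refresh_tokens = {}                       # refresh token -> (subject, device)
        self.accounts = {"alice": {"enabled": True}}   # constructed directory state
        self.compliant_devices = {"laptop-1"}

    def conditional_access_met(self, subject: str, device: str) -> bool:
        return (self.accounts.get(subject, {}).get("enabled", False)
                and device in self.compliant_devices)

    def issue(self, subject: str, device: str, now: int):
        """Return (id_token, refresh_token), or None when policy is not met."""
        if not self.conditional_access_met(subject, device):
            return None
        id_token = _encode({"sub": subject, "dev": device, "iat": now,
                            "policy_check_interval": self.interval})
        refresh_token = secrets.token_hex(16)
        self.refresh_tokens[refresh_token] = (subject, device)
        return id_token, refresh_token

    def refresh(self, refresh_token: str, now: int):
        """Called by the resource provider once the interval has expired. The
        refresh token is single-use; policy is re-evaluated before re-issue."""
        entry = self.refresh_tokens.pop(refresh_token, None)
        if entry is None:
            return None
        subject, device = entry
        return self.issue(subject, device, now)


class ResourceProvider:
    def __init__(self, idp: IdentityProvider):
        self.idp, self.session, self.refresh_token = idp, None, None

    def accept(self, id_token: str, refresh_token: str) -> None:
        self.session = _decode(id_token)   # raises on a tampered token
        self.refresh_token = refresh_token

    def check_session(self, now: int) -> str:
        """'valid' inside the interval; otherwise revalidate through the
        identity provider and report 'revalidated' or 'terminated'."""
        if self.session is None:
            return "terminated"
        if now - self.session["iat"] < self.session["policy_check_interval"]:
            return "valid"
        result = self.idp.refresh(self.refresh_token, now)
        if result is None:
            self.session, self.refresh_token = None, None
            return "terminated"
        self.accept(*result)
        return "revalidated"


def run_sample() -> list:
    """One session through the interval, a refresh, and a policy change."""
    idp = IdentityProvider(policy_check_interval=300)
    rp = ResourceProvider(idp)
    rp.accept(*idp.issue("alice", "laptop-1", now=0))
    outcomes = [rp.check_session(100), rp.check_session(400)]
    idp.accounts["alice"]["enabled"] = False   # e.g. account disabled by an admin
    outcomes.append(rp.check_session(500))      # still inside the new interval
    outcomes.append(rp.check_session(800))      # interval expired: re-evaluation fails
    outcomes.append(rp.check_session(900))
    return outcomes


if __name__ == "__main__":
    print(run_sample())
```

The interval bounds how long a session outlives a policy change: the disabled account above keeps its session until the next check, which is the trade-off an operator tunes when choosing the interval. Popping the refresh token on use means a stolen refresh token that has already been redeemed is worthless, and a legitimate client whose token was used by someone else finds out at its next check.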
- Publication number: 20210136113
  Abstract: Authenticating computing entities. A method includes at an identity provider, providing a first access token to an entity for use by the entity in obtaining resources from a resource provider. The method further includes, at the identity provider, receiving response information from the entity. The response information from the entity is provided to the entity from the resource provider as a result of the resource provider enforcing policy at the resource provider. At the identity provider, a second access token is provided to the entity. The second access token is provided based on the response information, such that the second access token can be used by the entity to obtain the resources from the resource provider.
  Type: Application
  Filed: October 31, 2019
  Publication date: May 6, 2021
  Inventors: Violet Anna Barhudarian, Jiangfeng Lu, Caleb Geoffrey Baker, Oren Jordan Melzer, Anirban Basu, Yordan Ivanov Rouskov, William Bruce Barr, III, Radhika Kashyap, Carlos Adrian Lopez Castro, Pui-Yin Winfred Wong
- Patent number: 10965667
  Abstract: In one embodiment, a user authentication server may use geo-location tracking to determine whether to present an enhanced identity challenge. A communication interface 180 may receive a user login attempt by a user and a current location of the user login attempt. A data storage 150 may store a user location profile of the user. A processor 120 may execute a comparison of the current location to the user location profile. The communication interface 180 may present the user with an enhanced identity challenge before allowing user access based on the comparison.
  Type: Grant
  Filed: December 9, 2019
  Date of Patent: March 30, 2021
  Assignee: Microsoft Technology Licensing, LLC
  Inventors: David Steeves, Luke Abrams, Hersh Dangayach, Eric Fleischman, Prabu Raju, Krishna Vitaldevara, Niyantha Shekar, Payoj Baral, Meenakshi Ramaswamy, Winfred Wong, Yordan Rouskov, Ramesh Manne
- Publication number: 20200412717
  Abstract: Methods, systems, and computer program products are provided for real-time compromise detection based on behavioral analytics. The detection runs in real-time, during user authentication, for example, with respect to a resource. The probability that the authentication is coming from a compromised account is assessed. The features of the current authentication are compared with the features from past authentications of the user. After comparison, a match score is generated. The match score is indicative of the similarity of the authentication to the user's history of authentication. This score is then discretized into risk levels based on the empirical probability of compromise based on known past compromised user authentications. The risk levels may be used to detect whether user authentication is occurring via compromised credentials.
  Type: Application
  Filed: September 24, 2019
  Publication date: December 31, 2020
  Inventors: Maria Puertas Calvo, Lakshmi Priya Gopal, Laurentiu B. Cristofor, Pui-Yin Winfred Wong, Dana S. Kaufman
- Patent number: 10873583
  Abstract: Methods, systems, and apparatuses in a computing device enable user access to a resource. The method includes receiving, from a user, a request for access to a resource; accessing an authentication flow for granting access to the resource; obtaining first claims for a user from a first claims provider in the authentication flow; determining a second claims provider in the authentication flow, the second claims provider having a trust relationship with the claims facilitator; directing the user to the second claims provider; receiving second claims for the user from the second claims provider; and enabling the user to access the resource in response to at least the received first and second claims.
  Type: Grant
  Filed: January 9, 2018
  Date of Patent: December 22, 2020
  Assignee: Microsoft Technology Licensing, LLC
  Inventors: Alexander T. Weinert, Caleb G. Baker, Pui-Yin Winfred Wong, Carlos Adrian Lopez Castro, Yordan I. Rouskov, Laurentiu B. Cristofor, Michael V. McLaughlin
- Publication number: 20200112556
  Abstract: In one embodiment, a user authentication server may use geo-location tracking to determine whether to present an enhanced identity challenge. A communication interface 180 may receive a user login attempt by a user and a current location of the user login attempt. A data storage 150 may store a user location profile of the user. A processor 120 may execute a comparison of the current location to the user location profile. The communication interface 180 may present the user with an enhanced identity challenge before allowing user access based on the comparison.
  Type: Application
  Filed: December 9, 2019
  Publication date: April 9, 2020
  Applicant: Microsoft Technology Licensing, LLC
  Inventors: David Steeves, Luke Abrams, Hersh Dangayach, Eric Fleischman, Prabu Raju, Krishna Vitaldevara, Niyantha Shekar, Payoj Baral, Meenakshi Ramaswamy, Winfred Wong, Yordan Rouskov, Ramesh Manne
- Publication number: 20200007535
  Abstract: Session lifetime can be adapted based on session reputation. Session reputation can be computed based on sign-in risk and device risk, among other things. Session lifetime corresponds to a length of time a session is valid and can be determined automatically based on the session reputation. Subsequently, a token can be generated and returned in response to successful authentication that identifies a session and is valid for the determined lifetime.
  Type: Application
  Filed: June 27, 2018
  Publication date: January 2, 2020
  Inventors: Violet Anna Barhudarian, George Adrian Drumea, Pui-Yin Winfred Wong, Radhika Kashyap, Titus Constantin Miron, Caleb Baker
- Patent number: 10505926
  Abstract: In one embodiment, a user authentication server may use geo-location tracking to determine whether to present an enhanced identity challenge. A communication interface 180 may receive a user login attempt by a user and a current location of the user login attempt. A data storage 150 may store a user location profile of the user. A processor 120 may execute a comparison of the current location to the user location profile. The communication interface 180 may present the user with an enhanced identity challenge before allowing user access based on the comparison.
  Type: Grant
  Filed: July 20, 2018
  Date of Patent: December 10, 2019
  Assignee: Microsoft Technology Licensing, LLC
  Inventors: David Steeves, Luke Abrams, Hersh Dangayach, Eric Fleischman, Prabu Raju, Krishna Vitaldevara, Niyantha Shekar, Payoj Baral, Meenakshi Ramaswamy, Winfred Wong, Yordan Rouskov, Ramesh Manne
- Patent number: 10498694
  Abstract: Knowledge associated with an address of a first IP type may be mapped to an address of a second IP type. In response to receiving, at a first IP endpoint type, a request from a client associated with a first and second IP address type, a first address of the first IP type associated with the client is recorded. A unique identification of the request is generated. The unique identifier and instructions to make a second request to a second IP endpoint type are sent to the client. The second request, that includes the unique identifier and corresponds to the second IP address type associated with the client, is received at the second endpoint. Both the first address and the second address are determined as corresponding to the client by determining that the unique identifier was used in both requests. The first address is mapped to the second address.
  Type: Grant
  Filed: June 30, 2017
  Date of Patent: December 3, 2019
  Assignee: Microsoft Technology Licensing, LLC
  Inventors: Lee Reed Burton, Daniel E. Castro, William Jacob Goldenberg, Mark A. Nikiel, Pui-Yin Winfred Wong, Hardy Wijaya, Hongyu Sun, Jingjing Zhang
- Patent number: 10320848
  Abstract: Embodiments are directed to having multiple lockout counters that apply to login requests from different origins. More specifically, one counter is associated with a user's familiar locations, another counter is associated with unfamiliar locations. In another embodiment, hashes of incorrect passwords are recorded so that lockout counters are not incremented multiple times when the same incorrect password is entered repeatedly.
  Type: Grant
  Filed: July 29, 2016
  Date of Patent: June 11, 2019
  Assignee: Microsoft Technology Licensing, LLC
  Inventors: Alexandre Kerametlian, Amit Dhariwal, Dana Kaufman, Winfred Wong
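Both embodiments of 10320848 are shown together below as an added example in Python, not code from the patent or from any product: a separate lockout counter for sign-ins from the user's familiar locations and from everywhere else, so that a guessing attack from an unfamiliar network trips a low threshold without locking the real user out at home, plus a keyed hash of each wrong password so that a repeat of the same wrong guess advances no counter. The familiarity model (a per-user set of networks), the thresholds, the pepper, the rule that a successful sign-in clears only its own origin's counter, and the sample attempts are constructed assumptions.

```python
"""Per-origin lockout counters with incorrect-password hashes deduplicated.

Added example, not code from the patent. The familiarity model, thresholds,
pepper, reset rule and sample attempts are constructed assumptions.
"""
import hashlib
import hmac
import ipaddress

PEPPER = b"constructed-pepper"  # assumption: server-side secret, not stored with hashes


def password_verifier(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class LockoutState:
    def __init__(self, familiar_networks, familiar_threshold=10, unfamiliar_threshold=3):
        self.familiar_networks = [ipaddress.ip_network(n) for n in familiar_networks]
        self.thresholds = {"familiar": familiar_threshold, "unfamiliar": unfamiliar_threshold}
        self.counters = {"familiar": 0, "unfamiliar": 0}
        self.seen_wrong_hashes = set()

    def origin(self, ip: str) -> str:
        addr = ipaddress.ip_address(ip)
        return "familiar" if any(addr in net for net in self.familiar_networks) else "unfamiliar"

    def is_locked(self, origin: str) -> bool:
        return self.counters[origin] >= self.thresholds[origin]

    def record_failure(self, origin: str, attempted_password: str) -> dict:
        # Keyed hash of the wrong guess; a repeat of the same guess is not counted again.
        h = hmac.new(PEPPER, attempted_password.encode(), hashlib.sha256).hexdigest()
        counted = h not in self.seen_wrong_hashes
        if counted:
            self.seen_wrong_hashes.add(h)
            self.counters[origin] += 1
        return {"origin": origin, "counted": counted,
                "count": self.counters[origin], "locked": self.is_locked(origin)}

    def record_success(self, origin: str) -> None:
        # Assumption: success clears only the counter for the origin it came from.
        self.counters[origin] = 0


class Account:
    def __init__(self, password: str, familiar_networks):
        self.salt = b"constructed-salt"
        self.verifier = password_verifier(password, self.salt)
        self.lockout = LockoutState(familiar_networks)

    def login(self, ip: str, password: str) -> str:
        origin = self.lockout.origin(ip)
        if self.lockout.is_locked(origin):
            return "locked"
        if hmac.compare_digest(password_verifier(password, self.salt), self.verifier):
            self.lockout.record_success(origin)
            return "ok"
        self.lockout.record_failure(origin, password)
        return "bad_password"


def run_sample() -> list:
    acct = Account("correct horse battery staple", familiar_networks=["203.0.113.0/24"])
    attempts = [  # constructed: (source ip, submitted password)
        ("198.51.100.7", "wrong1"),
        ("198.51.100.7", "wrong1"),   # repeat: hash already seen, not counted
        ("198.51.100.7", "wrong2"),
        ("198.51.100.7", "wrong3"),   # third distinct guess: unfamiliar counter reaches 3
        ("198.51.100.7", "correct horse battery staple"),  # locked from this origin
        ("203.0.113.5", "correct horse battery staple"),   # familiar origin unaffected
    ]
    return [acct.login(ip, pw) for ip, pw in attempts]


if __name__ == "__main__":
    print(run_sample())
```

The lock is checked before the verifier is computed, so a locked origin cannot be used to burn PBKDF2 work. The wrong-guess hashes are peppered for the same reason the credential hashes elsewhere on this page are keyed: a dump of lockout state must not double as a list of near-miss passwords.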
- Publication number: 20190089710
  Abstract: Methods, systems, and apparatuses in a computing device enable user access to a resource. The method includes receiving, from a user, a request for access to a resource; accessing an authentication flow for granting access to the resource; obtaining first claims for a user from a first claims provider in the authentication flow; determining a second claims provider in the authentication flow, the second claims provider having a trust relationship with the claims facilitator; directing the user to the second claims provider; receiving second claims for the user from the second claims provider; and enabling the user to access the resource in response to at least the received first and second claims.
  Type: Application
  Filed: January 9, 2018
  Publication date: March 21, 2019
  Inventors: Alexander T. Weinert, Caleb G. Baker, Pui-Yin Winfred Wong, Carlos Adrian Lopez Castro, Yordan I. Rouskov, Laurentiu B. Cristofor, Michael V. McLaughlin
- Publication number: 20190007371
  Abstract: Knowledge associated with an address of a first IP type may be mapped to an address of a second IP type. In response to receiving, at a first IP endpoint type, a request from a client associated with a first and second IP address type, a first address of the first IP type associated with the client is recorded. A unique identification of the request is generated. The unique identifier and instructions to make a second request to a second IP endpoint type are sent to the client. The second request, that includes the unique identifier and corresponds to the second IP address type associated with the client, is received at the second endpoint. Both the first address and the second address are determined as corresponding to the client by determining that the unique identifier was used in both requests. The first address is mapped to the second address.
  Type: Application
  Filed: June 30, 2017
  Publication date: January 3, 2019
  Inventors: Lee Reed Burton, Daniel E. Castro, William Jacob Goldenberg, Mark A. Nikiel, Pui-Yin Winfred Wong, Hardy Wijaya, Hongyu Sun, Jingjing Zhang
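The two-request exchange described in 10498694 and 20190007371 (record the address seen at the first endpoint, hand the client an identifier and an instruction to contact an endpoint of the other IP type, then tie the two addresses together when the identifier comes back) is simulated below as an added example in Python, not code from the patents or from any service. The endpoints run in-process, and the addresses, the identifier lifetime and the reputation records are constructed assumptions. The checks that the identifier is single-use, unexpired and redeemed from the other address family are this example's additions; the abstract does not specify them, but without them an unrelated client could replay an identifier and inherit the first address's reputation.

```python
"""Linking a client's IPv4 and IPv6 addresses through a one-time identifier.

Added example, not code from the patent or from any service. Endpoints are
simulated in-process; addresses, identifier lifetime and reputation records
are constructed assumptions.
"""
import ipaddress
import secrets


class AddressMapper:
    def __init__(self, identifier_ttl_seconds: int = 60):
        self.ttl = identifier_ttl_seconds
        self.pending = {}   # identifier -> (address seen at first endpoint, issued_at)
        self.mapping = {}   # address -> counterpart address, both directions

    @staticmethod
    def family(addr: str) -> int:
        return ipaddress.ip_address(addr).version

    def first_endpoint(self, client_addr: str, now: float) -> dict:
        """Record the first address; return an unguessable identifier and the
        instruction to repeat the request against the other endpoint type."""
        identifier = secrets.token_urlsafe(16)
        self.pending[identifier] = (client_addr, now)
        return {"id": identifier,
                "next_endpoint_family": 6 if self.family(client_addr) == 4 else 4}

    def second_endpoint(self, client_addr: str, identifier: str, now: float) -> dict:
        """Redeem the identifier (single use) and map the two addresses."""
        entry = self.pending.pop(identifier, None)
        if entry is None:
            return {"error": "unknown_or_already_used_identifier"}
        first_addr, issued_at = entry
        if now - issued_at > self.ttl:
            return {"error": "identifier_expired"}
        if self.family(client_addr) == self.family(first_addr):
            return {"error": "same_address_family"}
        self.mapping[first_addr] = client_addr
        self.mapping[client_addr] = first_addr
        return {"mapped": (first_addr, client_addr)}

    def knowledge(self, addr: str, reputation: dict):
        """Knowledge held about one address applies to its counterpart too."""
        if addr in reputation:
            return reputation[addr]
        return reputation.get(self.mapping.get(addr))


# Constructed reputation knowledge, keyed by IPv4 only.
REPUTATION = {"203.0.113.10": "known_bad"}


def run_sample() -> dict:
    mapper = AddressMapper(identifier_ttl_seconds=60)
    v4, v6 = "203.0.113.10", "2001:db8::10"
    step1 = mapper.first_endpoint(v4, now=0)                  # client arrives over IPv4
    step2 = mapper.second_endpoint(v6, step1["id"], now=5)    # follows instruction over IPv6
    replay = mapper.second_endpoint(v6, step1["id"], now=6)   # identifier cannot be reused
    late = mapper.first_endpoint(v4, now=100)
    expired = mapper.second_endpoint(v6, late["id"], now=200)
    again = mapper.first_endpoint(v4, now=300)
    wrong_family = mapper.second_endpoint("198.51.100.1", again["id"], now=301)
    return {
        "next_family": step1["next_endpoint_family"],
        "mapped": step2.get("mapped"),
        "replay": replay.get("error"),
        "expired": expired.get("error"),
        "wrong_family": wrong_family.get("error"),
        "v6_reputation": mapper.knowledge(v6, REPUTATION),
    }


if __name__ == "__main__":
    print(run_sample())
```

The identifier is the only thing binding the two requests, so it must be unguessable (here 128 bits from `secrets`) and short-lived; a predictable or long-lived identifier lets an attacker attach their own address to someone else's reputation, in either direction.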