Abstract: A method of protecting a computer system from fraudulent use includes collecting and aggregating sets of risk predictor values for user-initiated events into user-specific aggregations and organization-wide aggregations, and in response to a current event initiated by a user, generating a risk indicator as a combination of a user-specific indicator and an organization-wide indicator based on current event parameters and the user-specific and organization-wide aggregations. Based on the risk indicator indicating that the current event may be a fraudulent use, a protective control action is taken (such as denying or modifying a requested access) to protect the computer system.

Abstract: An improved technique involves including implicit feedback inferred from a fraud analyst's actions into a fraud detection model tuning process. Along these lines, as part of a tuning process, an authentication server sends electronic transactions carrying a certain amount of risk to a case management center in which fraud analysts investigate the electronic transactions to verify whether the transactions are fraudulent or non-fraudulent. In addition to receiving this explicit feedback from the case management center, however, the authentication server also receives implicit feedback indicative of attributes of the fraud analysts themselves. The authentication server then inputs these implicit feedback parameter values into a fraud detection model tuning engine that tunes the fraud detection model.

Abstract: Methods and apparatus are provided for risk-based authentication between two servers on behalf of a user. A method is provided for controlling access by a consumer to a service provider on behalf of a user. An authentication request is issued responsive to an initial access request from the consumer to access the service provider on behalf of the user. An access token is provided to the consumer upon approval from the user to grant access to the consumer. Upon receiving a subsequent access request from the consumer with the access token to access the service provider on behalf of the user; a risk analysis is performed to determine if the subsequent access request should be granted. The risk analysis can determine if the subsequent access complies with one or more rules of the user. The user is optionally prompted to specify whether to allow the subsequent access request and/or future similar transactions.

Abstract: An improved technique involves including implicit feedback inferred from a fraud analyst's actions into a fraud detection model tuning process. Along these lines, as part of a tuning process, an authentication server sends electronic transactions carrying a certain amount of risk to a case management center in which fraud analysts investigate the electronic transactions to verify whether the transactions are fraudulent or non-fraudulent. In addition to receiving this explicit feedback from the case management center, however, the authentication server also receives implicit feedback indicative of attributes of the fraud analysts themselves. The authentication server then inputs these implicit feedback parameter values into a fraud detection model tuning engine that tunes the fraud detection model.

Abstract: An improved risk analysis method addresses problems in the prior art methods of risk value calculation accuracy, inability to tailor the risk calculation to specific clients, and the inability to adjust the calculation method to account for rapid changes in fraud methodology. The improved method allows individual clients to use their knowledge of which risk parameters are most important to their particular business and automatically translates a statement of a new parameter sent by the client to the risk analysis calculation engine into the same type of statistical relationships used to evaluate risk using standard parameters.

Abstract: Methods and apparatus are provided for evaluating the classification performance of different risk engine models. A classification performance of an authentication method is evaluated by obtaining performance data for an authentication method; generating a receiver operating characteristic (ROC) curve for the obtained performance data; determining a partial area under the curve (pAUC) for a region of interest of the ROC curve; and providing a performance score for the authentication method based on the pAUC. The region of interest comprises, for example, a region of false positives. The pAUC is optionally standardized using a McClish Transformation. The performance score for the authentication method can be compared to a second performance score for a second authentication method. A confidence level can optionally be provided for the comparison based on a natural test statistic.

Abstract: A method of protecting a computer system from fraudulent use includes collecting and aggregating sets of risk predictor values for user-initiated events into user-specific aggregations and organization-wide aggregations, and in response to a current event initiated by a user, generating a risk indicator as a combination of a user-specific indicator and an organization-wide indicator based on current event parameters and the user-specific and organization-wide aggregations. Based on the risk indicator indicating that the current event may be a fraudulent use, a protective control action is taken (such as denying or modifying a requested access) to protect the computer system.

Abstract: A technique provides alert prioritization. The technique involves selecting attributes to use as alert scoring factors. The technique further involves updating, for an incoming alert having particular attribute values for the selected attributes, count data to represent encounter of the incoming alert from perspectives of the selected attributes. The technique further involves generating an overall significance score for the incoming alert based on the updated count data. The overall significance score is a measure of alert significance relative to other alerts. Scored alerts then can be sorted so that investigators focus on the alerts with the highest significance scores. Such a technique is well suited for adaptive authentication (AA) and Security Information and Event Management (SIEM) systems among other alert-based systems such as churn analysis systems, malfunction detection systems, and the like.

Abstract: There is disclosed some techniques for processing an authentication request. In one example, a method comprises the step of determining the velocity between authentication requests of a user associated with the requests. Additionally, the method determines the likelihood that a location associated with one of the requests is associated with the user location. Furthermore, the method generates an authentication result based on the likelihood that a location associated with one of the requests is associated with the user location.

Abstract: An information processing system implements a security system. The security system comprises a classifier configured to process information characterizing events in order to generate respective risk scores, and a data store coupled to the classifier and configured to store feedback relating to one or more attributes associated with an assessment of the risk scores by one or more users. The classifier is configured to utilize the feedback regarding the risk scores to learn riskiness of particular events and to adjust its operation based on the learned riskiness, such that the risk score generated by the classifier for a given one of the events is based at least in part on the feedback received regarding risk scores generated for one or more previous ones of the events.

Abstract: A technique provides malicious identity profiles. The technique involves storing unsuccessful authentication entries in a database, the unsuccessful authentication entries including (i) descriptions of failed attempts to authenticate users and (ii) biometric records captured from the users during the failed attempts to authenticate the users. The technique further involves generating a set of malicious identity profiles based on the descriptions and the biometric records of the unsuccessful authentication entries stored in the database. Each malicious identity profile includes a profile biometric record for comparison with new biometric records during new authentication attempts. The technique further involves outputting the set of malicious identity profiles. Such a set of malicious identity profiles is well suited for use in future authentication operations, i.e., well suited for predicting intruder attacks and fraud attempts, and for sharing risky identities among authentication systems (e.g.

Abstract: A method is used in analyzing device similarity. Data describing a device is received and a similarity analysis is applied to the data. Based on the similarity analysis, a measure of similarity between the device and a previously known device is determined.

Abstract: An authentication technique involves obtaining, by processing circuitry, a set of suitability factors from a user device of a user. The authentication technique further involves performing, based on the set of suitability factors and by the processing circuitry, a selection operation which selects a set of suitable biometric methods to apply during authentication from available biometric methods which are available to the processing circuitry for use in authentication. The authentication technique further involves applying, after the set of suitable biometric methods is selected and by the processing circuitry, the set of suitable biometric methods during an authentication operation to determine whether the user is authentic. Accordingly, poorly suited biometric methods can be ruled out (i.e., made unavailable for use by authentication).

Abstract: A method is used in analyzing device similarity. Data describing a device is received and a model is applied to the data. Based on the modeling, a measure of similarity between the device and a previously known device is determined.

Abstract: Authentication systems are provided that select an authentication method to be applied to a given transaction from among a plurality of available authentication methods based on risk reasoning. An authentication request from an authentication requestor for a given transaction is processed by receiving the authentication request from the authentication requester and selecting an authentication method to be applied to the given transaction from among a plurality of available authentication methods based on an evaluation of one or more predefined risk reasons with respect to the available authentication methods. The predefined risk reasons associated with a given transaction comprise, for example, a set of risk reasons that contribute to a risk score that has been assigned to the given transaction. The evaluation may employ one or more of rule-based, heuristic and Bayesian techniques.

Abstract: Data driven device detection is provided, whereby a device is detected by obtaining a plurality of feature values for a given device; obtaining a set of device attributes for a plurality of potential devices; calculating a probability value that the given device is each potential device within the plurality of potential devices; identifying a candidate device associated with a maximum probability value among the calculated probability values; and labeling the given device as the candidate device if the associated maximum probability value satisfies a predefined threshold. The predefined threshold can be a function, for example, of whether the given user has previously used this device. The obtained feature values can be obtained for a selected set of features satisfying one or more predefined characteristic criteria. The device attributes can be obtained, for example, from a profile for each of the plurality of potential devices.

Abstract: There is disclosed some techniques for selecting a user authentication challenge. In one example, the method comprises the steps of receiving an authentication request to authenticate a user and selecting a user authentication challenge to issue to the user in response to receiving the authentication request. The selection of the user authentication challenge comprises selecting a user authentication challenge among a plurality of user authentication challenges based on the cost effectiveness of the respective user authentication challenges and characteristics of the authentication request.

Abstract: Techniques are provided for evaluating compromised credential information. A method for evaluating compromised credentials comprises the steps of: collecting data regarding previously compromised credentials that were used to commit an unauthorized activity; applying one or more statistical learning methods to the collected data to identify one or more patterns; and evaluating a risk of credentials that have been compromised by one or more attackers using the identified patterns. According to a further aspect of the invention, a risk score is generated for one or more users and devices. The risk scores are optionally ordered based on an order of risk. The data can be collected, for example, from one or more of anti-fraud servers and information sources.

Abstract: There is disclosed some techniques for processing an authentication request which includes a user identifier and current user data. In one example, the technique comprises receiving the authentication request at an adaptive authentication system which includes a database having a set of entries with each entry of the set of entries including an identifier and previous user data in connection with previous authentication requests. The adaptive authentication system constructed and arranged to perform an adaptive authentication operation on the authentication request as well as an unsupervised machine learning operation on the authentication request.

Abstract: An improved technique trains a fraud detection system to use mouse movement data as part of a user profile. Along these lines, a training apparatus receives sets of mouse movement datasets generated by a legitimate user and/or a fraudulent user. The training apparatus assigns each mouse movement dataset to a cluster according to one of several combinations of representations, distance metrics, and cluster metrics. By correlating the clusters with the origins of the mouse movement datasets (legitimate or fraudulent user), the training apparatus constructs a robust framework for detecting fraud at least partially based on mouse movement data.