Banks and other secure transaction providers are wary to provide online banking applications to customer without ensuring that these applications are secure and that a mechanism is in place to properly authenticate users. In some systems, encrypted sessions are used between the user and bank, and the user is required to enter a secret password in order to gain access.
In one conventional approach, as an online banking application interacts with the user, the online banking application sends usage data to an external authentication server which is able to perform an analysis of usage patterns to authenticate the identity of the user as the proper customer.
However, the above-described conventional approach suffers from deficiencies. In particular, in the conventional authentication approach, the online banking application must be modified to gather and send the usage pattern data to the authentication server. However, if the online banking application is already deployed prior to the addition of the authentication feature, adding in the usage detection and reporting features can be cumbersome and slow, particularly since all changes must be extensively tested to ensure that the security of the system remains intact. Furthermore, since the usage detection and reporting features are run by the online banking application itself, certain details (such as network-specific details) are not accessible to be reported to the authentication server.
In contrast to the above-described approaches, the present disclosure describes techniques for adding risk-based authentication to a pre-existing web-based application without the need to modify the application. Furthermore, these techniques also allow the authentication server to consider additional details in performing the authentication. In particular, the risk-based authentication system may be expeditiously integrated into the system without significant modifications to the system by configuring a device to sniff packets on the local network of the banking application website, analyze those packets to generate event information, and send the event information to the authentication server.
A method is described, using a network analyzer device connected to a network. The method includes sniffing packets traversing the network between a web-based application server and a user machine, the user machine being operated by a user, analyzing the sniffed packets to extract event information relating to interaction events between the user machine and the web-based application server, and sending the extracted event information to an authentication server for risk-based authentication of the user. Corresponding system, apparatus, and computer program products are also described.
The foregoing and other objects, features and advantages will be apparent from the following description of particular embodiments of the invention, as illustrated in the accompanying drawings in which like reference characters refer to the same parts throughout the different views. The drawings are not necessarily to scale, emphasis instead being placed upon illustrating the principles of various embodiments of the invention.
Techniques are described herein for using a network analyzer device connected to a local network to sniff packets traversing the network, analyze those packets to generate event information, and send the event information to an authentication server.
A gateway/switch 36 is also communicatively coupled to the Internet 34. Gateway/switch 36 may be a gateway between Internet 34 and a local network 38 to allow devices on the local network 38 to communicate with devices on the Internet 34. Gateway/switch 36 may connect to local network 38 via network ports 37. Gateway/switch 36 may also contain a special network port 39, as will be described in further detail below. Web-based application servers 40 connect to local network 38. Gateway/switch 36 may also function to balance loads between the web-based application servers 40. Web-based application server 40 runs a web-based application 41, which is accessible by user machine 32 across the Internet. In typical operation, a user runs a web browser on user machine 32 to remotely access the web-based application 41. In one embodiment, web-based application 41 is a secure application for conducting secure transactions across potentially remote distances, such as, for example, an on-line banking application, such as is well-known in the art.
Also connected to gateway/switch 36, either directly, or via local network 38, is a network analyzer device (NAD) 44. It should be understood that, although NAD 44 is depicted as separate from gateway/switch 36, in some embodiments, the functions of NAD 44 may be integrated within gateway/switch 36. In some embodiments, NAD 44 connects to gateway/switch 36 via a network port 37. In other embodiments, NAD 44 connects to gateway/switch 36 via special network port 39 configured to mirror all traffic 46 passing through gateway/switch 36. NAD 44 is configured to at least receive incoming network traffic 48(a) from user machine 32 (aimed at web-based application server 40) as well as outgoing network traffic 48(b) from web-based application server 40 (aimed at user machine 32). As will be explained below in further detail, NAD 44 sniffs packets traversing the gateway/switch between the user machine and web-based application server 40, analyzes them to extract various information, and sends messages 50 containing the extracted information to a risk-based authentication server 42, which is configured to analyze the extracted information in order to authenticate the identity of a user accessing the web-based application 41 by performing risk-based authentication, such as, for example, by monitoring for risky transactions or other behavior indicative of session hijacking, fraud, or system misuse. Authentication server 42 may utilize any form of risk-based authentication, such as, for example, risk-based adaptive authentication, as is well-known in the art.
In one embodiment, web-based application 41 may be a pre-existing application in which risk-based authentication functionality is not already present. NAD 44 can then be inserted into the local network 38 and programmed to execute methods described herein to add the risk-based authentication feature without any need to significantly modify the web-based application 41 to support the risk-based authentication. In some instances, NAD 44 may already be present within local network 38 but not yet configured to perform as described herein (e.g., NAD 44 may have previously been present and configured to perform network security monitoring functions).
NAD 44 also includes a processor 66 and memory 68. Processor 66 may be, for example, a central processing unit, a microprocessor, a digital signal processor, a field-programmable gate array, a collection of circuits configured to perform various operations, or another similar device or set of devices configured to perform operations. Memory 68 may include, for example, system memory, cache memory, volatile memory, non-volatile memory, random access memory, read-only memory, non-volatile storage, magnetic storage, optical storage, some combination thereof, or another similar device or set of devices configured to store application programs and or application data.
Memory 68 includes a computer program product. The computer program product stores a computer program (CP) 70 within a tangible non-transitory computer-readable storage medium. CP 70, when executed by processor 66, is configured to cause the processor 66 to perform a method (see
Memory 68 also stores a set of sniffed packets 72, a set of extracted application-layer fields 73, a set of identified interaction events 74, a set of extracted lower-layer fields 75, and a set of ancillary data 76. Further detail with respect to memory contents 72-76 will be provided below, in connection with
Decoder module 102 is configured to parse sniffed packets 72 received via logical connection 112 and to search for patterns and/or extract certain kinds of data. In some embodiments, custom parser 103 may be implemented as part of decoder module 102. In some arrangements, multiple machines may be configured to perform packet sniffing of various local networks 38, each machine running a separate instance of decoder module 102.
Concentrator module 104 aggregates and organizes the data extracted by decoder module 102 and periodically sends it to the authentication interface module 106. In arrangements having multiple decoder modules 102, concentrator module 104 arranges the data extracted by each decoder module 102 into an aggregated and organized collection.
Authentication interface module 106 periodically receives data from the concentrator module 104, analyzes it, and sends communications 50 to authentication server 42 via connection 114. The period of receipt may be, for example, one minute. In some embodiments, authentication interface module 106 pulls the data from the concentrator module 104 by periodically polling for new data. In other embodiments concentrator module 104 pushes newly-received data (either periodically or as it is received) to authentication interface module 106. Transformation component 110 examines the data and identifies interaction events of certain pre-selected types between the user and the web-based application 41, storing the identified events as the set of identified interaction events 74. This may be done in consultation with a user/session state map 108. In some embodiments, transformation component 110 also identifies certain ancillary data 76 that relates to the identified events. Further detail of these identifications will be provided below, in connection with
In step 220, NAD 44 analyzes the sniffed packets 72 to extract event information relating to interaction events between the user machine 32 and the web-based application server 40, particularly the web-based application 41. Step 225 provides further detail of an example implementation of step 220.
In step 225, NAD 44 examines the sniffed packets 72 in order to detect specific interaction events that occur between the user machine 32 and the web-based application server 40 at the application layer. These specific interaction events at the application layer reflect specific actions performed by the user at the web-based application 41 from the perspective of the web-based application 41. For example, if the web-based application 41 is a secure application for conducting secure transactions across potentially remote distances, then the specific interactions might include (a) the user logging in to the web-based application 41; (b) the user changing a login password; and (c) the user changing his user e-mail address. As a more specific example, if the web-based application 41 is an on-line banking application, then the specific interactions might additionally include (d) the user directing the on-line banking application to make a monetary transfer between the user's account and another specified account; (e) the user adding an approved destination account for transfers; (f) the user modifying information associated with an approved destination account; and (g) the user changing his customer mailing address.
Step 225 may be broken down into sub-steps which may be performed by different modules.
Returning to the sub-steps within step 225 of
Once several sniffed packets 72 have been thus parsed, the set of extracted application-layer fields 73 may contain several different fields returned by the parser 103. In some embodiments, the fields coming from identical TCP sessions may be grouped together, so that related fields are listed in proximity.
In sub-step 229, authentication interface module 106 correlates the set of extracted application-layer fields 73 with specific interaction events. A transformation component 110 may be implemented within authentication module 106 for this purpose, designed to analyze the set of extracted application-layer fields 73 and extract underlying event information relating to specific actions performed by the user at the web-based application 41, storing the results as the set of identified interaction events 74. Transformation component 110 processes elements of the set of extracted application-layer fields 73 having a TCP session in common and grouped into a set of HTTP request-response pairs, which are of use in identifying specific interaction events. For example, if transformation component 110 detects a user HTTP POST request for a page called do_payment.jsp having data embedded therewithin (including, for example, a recipient, a date, and a dollar amount), followed by an HTTP response from the web-based application 41 containing the phrase “Payment has been processed,” then transformation component 110 is able to correlate those events with a monetary transfer event (d), storing an indication of that event and the relevant embedded data within a specific event of the set of identified specific events 74. In some embodiments, user/session state map 108 is used by the transformation component 106 to ascertain what events are possibly expected within the context of a particular user.
Optional step 230 may be performed in parallel with step 220. In optional step 230, NAD 44 analyzes the sniffed packets 72 to extract ancillary information relating to interaction events between the user machine 32 and the web-based application server 40, particularly the web-based application 41. The ancillary information is drawn from a networking layer below the application layer and relates to specific detected events. For example, the ancillary information may be drawn from lower-layer fields 302 in the network layer (layer 3), the transport layer (layer 4), or the session layer (layer 5) of a sniffed packet 300. Examples of ancillary information that may be drawn from lower-layer fields 302 might include (1) packet size; (2) clock skew between packets; (3) number of simultaneous sessions operated by the user; (4) browser type used by the user; (5) operating system type used by the user; and (6) time interval between service of a web-page by the web-based application server 40 and response by the user machine 32.
In one embodiment, custom parser 103 of decoder module 102 extracts the lower-layer fields 302 from the packet and stores them as the set of extracted lower-layer fields 75. Then, transformation component 110 associates the set of extracted lower-layer fields 75 with particular events of the set of extracted interaction events in order to create the set of ancillary data 76.
Periodically, after performing step 220 and optional step 230, authentication interface module 106 performs step 240 to send the extracted event information (and ancillary information) to the risk-based authentication server 42 for risk-based authentication of the user. Authentication interface module 106 places the data from the set of identified interaction events 74 (and the data from the set of ancillary data 76) into a format understood by the risk-based authentication server 42 using a structured information exchange protocol, for example, using the well-known SOAP protocol, and sends protocol packets to the risk-based authentication server 42 over logical connection 114 and on to network interface 60 to be sent over connection 62 to the risk-based authentication server.
Thus, techniques have been described for expeditiously adding a risk-based authentication feature to a secure web-based application 41 by performing packet sniffing on the local network 38 of the web-based application 41, analyzing the sniffed packets 72 to detect specific application-layer interaction events, and sending communications to the authentication server 42 in order to communicate those events for risk-based authentication purposes. Techniques have also been described for sending ancillary information from lower layers of the sniffed packets 72 for enhanced risk-based authentication.
While various embodiments of the invention have been particularly shown and described, it will be understood by those skilled in the art that various changes in form and details may be made therein without departing from the spirit and scope of the invention as defined by the appended claims.
It should be understood that although various embodiments have been described as being methods, software embodying these methods is also included. Thus, one embodiment includes a tangible non-transitory computer-readable medium (such as, for example, a hard disk, a floppy disk, an optical disk, computer memory, flash memory, etc.) programmed with instructions, which, when performed by a computer or a set of computers, cause one or more of the methods described in various embodiments to be performed. Another embodiment includes a computer which is programmed to perform one or more of the methods described in various embodiments.
Furthermore, it should be understood that all embodiments which have been described may be combined in all possible combinations with each other, except to the extent that such combinations have been explicitly excluded.
Finally, nothing in this Specification shall be construed as an admission of any sort. Even if a technique, method, apparatus, or other concept is specifically labeled as “prior art” or as “conventional,” Applicants make no admission that such technique, method, apparatus, or other concept is actually prior art under 35 U.S.C. §102, such determination being a legal determination that depends upon many factors, not all of which are known to Applicants at this time.
Number | Name | Date | Kind |
---|---|---|---|
8095649 | Malloy et al. | Jan 2012 | B2 |
8261326 | Ben-Natan | Sep 2012 | B2 |
20060155865 | Brandt et al. | Jul 2006 | A1 |
20070220604 | Long | Sep 2007 | A1 |
20080002595 | Rao | Jan 2008 | A1 |
20080281961 | Niemczyk et al. | Nov 2008 | A1 |
20100027430 | Moore et al. | Feb 2010 | A1 |
20100046391 | Moore et al. | Feb 2010 | A1 |
20100228650 | Shacham et al. | Sep 2010 | A1 |
20100287416 | Shacham et al. | Nov 2010 | A1 |
20130067073 | Niemczyk et al. | Mar 2013 | A1 |