Invented by Alisdair Faulkner, Colin Goldie, David Jones, ThreatMetrix Pty Ltd
The ThreatMetrix Pty Ltd invention works as follows
A method for identifying compromised client devices from a masquerading machine is provided. The method captures a plurality of attributes from a device connected to a service. In one embodiment, each attribute is represented by a parameter. The plurality of attributes identifies the network device uniquely among other devices. The network device is kept free of any software program associated with capturing the attributes; in a certain embodiment, the method does not rely on installing executable code in the network device in order to capture them. The method can detect whether a network device has been compromised based on the information associated with these attributes.

Background for Method for identifying in real-time a computer user using multiple processing parameters, servers and other factors
The present invention is a general technique for monitoring networks and hosts. The invention provides a system and method for identifying in real-time a computer user for security violations using multiple processing parameters and logic.
Telecommunication technologies have existed for many years. A significant development occurred in the telecommunications industry during the 1990s: computers, coupled with telephone lines or networks, became a main means of communication between people. Computers or workstations that are coupled together can transmit a variety of data from one geographic location to another. Multimedia is a term used to describe information in the form of voice, video and data. Internet traffic, the information transmitted via the Internet, has increased dramatically in recent years. Information is transmitted via networks, wide-area networks, telephone systems, the Internet, and other means. This results in the rapid transfer of information such as computer data, voice or other multimedia information.
Although telecommunications has seen major success, the widespread communication networks also have drawbacks. One example of a negative effect is when an actor (the initiator) connects to another actor (the acceptor) in a way that the acceptor does not approve. The acceptor's inability to assess the risk associated with allowing a connection from any initiator is a problem in terms of efficient resource management and asset protection.
As the size and speed of networks increase, so do malicious activities that use telecommunications technologies: stalking and cyber-stalking; harassment, hacking and spam; computer virus outbreaks and denial-of-service attacks; extortion and fraudulent behavior (e.g. fraudulent commerce, credit-card payments and money laundering); and fraudulent websites, scams and 419 spam. The malicious entity's (the offender's) goal is to cause damage with the least risk of detection. To achieve this, offenders use anonymizing elements in the realm of malicious Internet activity.
Various methods to detect compromised hosts have been proposed. The IP address is a popular means of identifying networked devices and sharing reputations about them. These and other methods are limited in certain ways that are described within the specification, and especially below.
From the above, it can be seen that an improved technique for security on a wide-area network is highly desired.
The present invention is a general technique for monitoring networks and hosts. The invention provides a system and method for identifying in real-time a computer user’s security violation using multiple processing parameters and logic. The invention was applied in a computer networking environment as an example. The invention is applicable to a wide range of situations. The invention, for example, can be used in a firewall, intrusion detection/prevention systems, servers, content filter devices, anti-virus processes, anti-SPAM devices, web proxy content filters, spyware, web security processes, electronic mail filters, web or ecommerce applications, VoIP gateways or servers, or any combination thereof.
According to one embodiment of the invention, there is a method for identifying compromised client devices from a masquerading device. The method captures a plurality of attributes from a device connected to a web service. In one embodiment, the plurality of parameters is used to uniquely identify the network device among a number of other devices. The network device is kept free of any software program associated with the capture of the attributes; in a certain embodiment, the method does not rely on installing executable code in the network device in order to capture them. The method can detect whether a network device has been compromised based on the information associated with these attributes.
In a particular embodiment, the method uses fuzzy logic to process the attributes. In one embodiment, the method determines whether a device is a spoof and classifies it. In certain embodiments, a malicious device's identifier is also determined. In some embodiments, testing is also performed against a known good network device.
In some embodiments, the attributes relate to one or more of ID information, network information, location information, device information, browser information, site information or time information. In one embodiment, ID information includes Flash Cookie, First Party Browser Cookie and Third Party Browser Cookie. In one embodiment, network information includes IP Addresses, ISPs, MTUs, Connection Types, Connection Speeds, Bogon/Hijacked addresses, Static/Dynamic addresses, Proxy address, TCP Sequence numbers, and other TCP header codes. In one embodiment, location information includes country, city and latitude/longitude. In one embodiment, device information comprises OS, Screen DPI and Resolution, Start Time, Local Time, Clock-Offset, Clock-Drift and Time Zone. In one embodiment, browser information includes Language, Browser Version, Browser String, Javascript major/minor versions, Flash major/minor versions, Browser Plug-ins or Extensions, and Supported MIME Types. In one embodiment, site information may include domain, domain owner (including the domain name), session id (including the merchant id), URL, referrer and advertisement ID. In one embodiment, time information can include seconds, hours, days, weeks, and months.
The invention, according to an alternative embodiment, provides a method of identifying a device on a network. The method comprises capturing a plurality of attributes from the device, where each attribute represents a parameter. The method also includes keeping the network device free of any executable programs associated with the capture of the attributes. The method forms a device identifier for the network device using information related to the plurality of parameters. This identifier is unique and distinguishes the network device from other network devices.
In a specific embodiment, at least some attributes are associated with one or more of ID information, network information, location information, device information, browser information, site information or time information associated with the device. In one example, ID information may include Flash Cookie, First Party Browser Cookie and Third Party Browser Cookie. In another example, network information may include IP Addresses, ISPs, MTUs, Connection Types, Connection Speeds, Bogon/Hijacked addresses, Static/Dynamic addresses, Proxy address, TCP Sequence numbers, and other TCP header codes. Another example, location information, includes country, city and latitude/longitude.
In one embodiment, the attributes can be linked to other information about the network device. Site information could include, for example, one or more of domains, domain owners, session ids, merchant ids, URLs, referrers, advertising IDs, and campaign ids. In another embodiment, time information may include seconds, hours, days, weeks, or months. Device information can include, for example, OS, Screen Resolution and Screen DPI; it could also include Start Time, Local Time, Clock-Drift or Time Zone. Browser information can include, for example, Language, Browser Version, Browser String, Javascript major or minor versions and Flash major or minor versions.
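The following is an added example, written for this page and not code from the ThreatMetrix patent or product, of a measurement step that collates one observed request into the attribute categories named in the embodiments above (ID, network, device, browser, site, time) without any agent on the client, and derives Clock-Offset and Clock-Drift from two observations. The request record, the field names, the MTU-to-connection-type heuristic and the two consistency checks are constructed assumptions for illustration.

```python
"""Collate one observed request into the attribute categories above.

Added example, not ThreatMetrix code. The observation records, field
names and the MTU heuristic are assumptions made for illustration.
"""
from datetime import datetime
from http.cookies import SimpleCookie

# Constructed observation of one request as a measurement server could see
# it: transport-level facts, HTTP headers, and values the page's own script
# reports back (screen, Date, navigator).  tz_offset_min is the UTC offset
# in minutes (UTC-4 -> -240), not JavaScript's inverted getTimezoneOffset.
OBSERVATION_1 = {
    "server_time": "2024-05-01T12:00:00+00:00",
    "client_ip": "203.0.113.45",                 # RFC 5737 documentation range
    "tcp": {"mtu": 1492, "initial_seq": 2895617132},
    "headers": {
        "Host": "shop.example",
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/124.0",
        "Accept-Language": "en-US,en;q=0.5",
        "Referer": "https://ads.example/?campaign=spring",
        "Cookie": "sid=abc123; tmx_id=7f3a9c",
        "X-Forwarded-For": "192.0.2.7",
    },
    "script": {
        "local_time": "2024-05-01T08:01:40-04:00",
        "tz_offset_min": -240,
        "screen": "1920x1080", "dpi": 96,
        "language": "en-US", "js_version": "1.8",
        "plugins": ["PDF Viewer"], "mime_types": ["application/pdf"],
    },
}
# Constructed second visit one day later: the device clock gained two more seconds.
OBSERVATION_2 = {
    **OBSERVATION_1,
    "server_time": "2024-05-02T12:00:00+00:00",
    "script": {**OBSERVATION_1["script"], "local_time": "2024-05-02T08:01:42-04:00"},
}


def _ts(s):
    return datetime.fromisoformat(s)


def clock_offset_seconds(obs):
    """Clock-Offset: client clock minus server clock.  Both stamps carry a UTC
    offset, so the subtraction does not depend on the time zone."""
    return (_ts(obs["script"]["local_time"]) - _ts(obs["server_time"])).total_seconds()


def clock_drift_ppm(earlier, later):
    """Clock-Drift: change of the offset per second of server time, in parts
    per million.  Needs two observations of the same device."""
    elapsed = (_ts(later["server_time"]) - _ts(earlier["server_time"])).total_seconds()
    if elapsed <= 0:
        raise ValueError("observations must be in chronological order")
    return (clock_offset_seconds(later) - clock_offset_seconds(earlier)) / elapsed * 1e6


def connection_type(tcp):
    """Connection-Type guessed from MTU (assumed heuristic: 1492 is the common
    PPPoE MTU, 1500 plain Ethernet)."""
    return {1500: "ethernet", 1492: "pppoe"}.get(tcp["mtu"], "other")


def consistency_flags(obs):
    """Spoof indicators: values the client reports through two channels that a
    genuine browser keeps consistent."""
    flags = []
    header_lang = obs["headers"].get("Accept-Language", "").split(",")[0].strip()
    if header_lang and header_lang != obs["script"]["language"]:
        flags.append("language_mismatch")
    reported_utc_offset = _ts(obs["script"]["local_time"]).utcoffset().total_seconds() / 60
    if reported_utc_offset != obs["script"]["tz_offset_min"]:
        flags.append("timezone_mismatch")
    return flags


def measure(obs):
    """Collate one observation into the attribute categories."""
    headers, script = obs["headers"], obs["script"]
    cookies = SimpleCookie()
    cookies.load(headers.get("Cookie", ""))
    xff = headers.get("X-Forwarded-For")
    return {
        "id": {"first_party_cookie": cookies["tmx_id"].value if "tmx_id" in cookies else None},
        "network": {
            "ip": obs["client_ip"],
            "mtu": obs["tcp"]["mtu"],
            "connection_type": connection_type(obs["tcp"]),
            "tcp_seq": obs["tcp"]["initial_seq"],
            # With X-Forwarded-For present the peer is a proxy.  The header is
            # client-controlled, so the claimed origin is recorded, not trusted.
            "proxy_address": obs["client_ip"] if xff else None,
            "claimed_origin": xff.split(",")[0].strip() if xff else None,
        },
        "device": {"screen": script["screen"], "dpi": script["dpi"],
                   "tz_offset_min": script["tz_offset_min"],
                   "clock_offset_s": clock_offset_seconds(obs)},
        "browser": {"user_agent": headers.get("User-Agent"),
                    "language": headers.get("Accept-Language", "").split(",")[0].strip(),
                    "js_version": script["js_version"],
                    "plugins": tuple(script["plugins"]),
                    "mime_types": tuple(script["mime_types"])},
        "site": {"domain": headers.get("Host"),
                 "session_id": cookies["sid"].value if "sid" in cookies else None,
                 "referrer": headers.get("Referer")},
        "time": {"received": obs["server_time"]},
        "flags": consistency_flags(obs),
    }
```

Everything here is read off the connection, the headers and what the browser already exposes; nothing is installed on the client. The two flags are the kind of cross-channel check that catches a crude spoof (a User-Agent or language set in one place but not the other), while the clock offset and drift give attributes that survive a cookie wipe and an address change.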
In one embodiment, the device identifier is based on a set of associated measured attributes. In one embodiment, the measured attributes are not personally identifiable. In one embodiment, the formation of the device identifier is substantially independent of the quality of the measured attributes, where quality can relate to the persistence or uniqueness of the measured attributes, accuracy of coverage, speed of measurement, or integrity. In one embodiment, a device identifier can be formed using information relating to a subset of the plurality of parameters.
In one embodiment, the formation of the device identifier through repeated measurements is substantially independent of variations in the quality, number and accuracy of the device attributes due to changes in device characteristics. In one embodiment, measurement of all the device attributes can be completed before or during an online transaction.
In a particular embodiment, the method includes determining, based upon information associated with attributes, one or more of:
In some embodiments, a device identifier may be shared globally across a network without sharing any private information. In some embodiments, a device identifier can be used to aggregate and correlate information about a device's reputation, including both positive and negative behavior or activity. In one embodiment, the device's identifier and its attributes or reputation are used to trigger an action when they match a predefined rule. In one embodiment, the creation of the identifier relies on a matching algorithm. In one embodiment, the matching logic is implemented on one or more servers; in another, on local or remote servers. In certain embodiments, adding servers supports more transactions per second. In one embodiment, the matching logic can be executed in parallel or in series. In certain embodiments, matching logic can be added or removed without compromising previously generated device identifiers. In one embodiment, execution of redundant matching logic can be skipped. In some embodiments, changes to the matching logic do not require any changes to software or hardware code. In one embodiment, self-learning matching logic optimizes performance and accuracy over time. In some embodiments, the matching logic can be based on a rule's priority, equality or weighting. In one embodiment, matching rules are based on combinations of device attributes. In some embodiments, matching rules are grouped according to priority, matching logic or attributes.
In another embodiment, the method also includes updating the attributes stored for the device: if an existing attribute is compared with an attribute of a returning device and a match occurs, the stored attribute is updated with the most recent value. In one embodiment, attributes and match identifiers are provided by web services. In one embodiment, the device identifiers supplied by two different web services for the same network device are substantially identical.
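The following added example (written for this page, not ThreatMetrix's engine) shows how the identifier formation, matching and update steps described in the preceding paragraphs fit together: equality rules grouped by priority, a weighted fallback with a tolerance on clock offset, identifiers that are random rather than derived from the attributes (so rules can be added or removed without invalidating identifiers already issued), refreshing stored attributes on a match, and a reputation ledger that triggers an action. The rule set, weights, threshold, tolerance and sample devices are assumptions.

```python
"""Prioritised, grouped matching rules that map a returning device to its
stored identifier, refresh the stored attributes, and feed a reputation.

Added example for this page, not ThreatMetrix's engine: rules, weights,
threshold and sample devices are assumptions.
"""
import uuid
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    attrs: tuple   # attribute names that must all be present and equal
    priority: int  # lower runs first; after a match the rest are skipped


# Group 1: equality rules.  A live cookie decides outright; failing that,
# a combination of device attributes does.
EQUALITY_RULES = (
    Rule("cookie", ("first_party_cookie",), priority=0),
    Rule("device_combo", ("user_agent", "screen", "dpi", "tz_offset_min"), priority=1),
)
# Group 2: weighted fallback.  Integer weights keep the sum exact.
WEIGHTS = {"ip": 20, "user_agent": 30, "screen": 20, "dpi": 10,
           "tz_offset_min": 10, "clock_offset_s": 10}
THRESHOLD = 70
CLOCK_TOLERANCE_S = 5  # fuzzy: a clock may wander a little between visits


def attr_matches(name, seen, stored):
    if seen is None or stored is None:
        return False
    if name == "clock_offset_s":
        return abs(seen - stored) <= CLOCK_TOLERANCE_S
    return seen == stored


class FingerprintRepository:
    """Latest attributes and reputation events per identifier.  Identifiers
    are random, not hashes of attributes, so rule changes never invalidate
    identifiers already handed out."""

    def __init__(self):
        self.devices = {}      # device_id -> latest attribute values
        self.reputation = {}   # device_id -> [(event, points), ...]

    def _equality_match(self, rule, attrs):
        for dev_id, stored in self.devices.items():
            if all(attr_matches(a, attrs.get(a), stored.get(a)) for a in rule.attrs):
                return dev_id
        return None

    def _weighted_match(self, attrs):
        best_id, best_score = None, 0
        for dev_id, stored in self.devices.items():
            score = sum(w for a, w in WEIGHTS.items()
                        if attr_matches(a, attrs.get(a), stored.get(a)))
            if score > best_score:
                best_id, best_score = dev_id, score
        return best_id if best_score >= THRESHOLD else None

    def identify(self, attrs):
        """Return the identifier for these attributes, minting one if nothing
        matches, and refresh the stored attributes with the latest values."""
        dev_id = None
        for rule in sorted(EQUALITY_RULES, key=lambda r: r.priority):
            dev_id = self._equality_match(rule, attrs)
            if dev_id:
                break          # lower-priority logic is redundant now
        if dev_id is None:
            dev_id = self._weighted_match(attrs)
        if dev_id is None:
            dev_id = uuid.uuid4().hex
            self.devices[dev_id] = {}
        self.devices[dev_id].update({k: v for k, v in attrs.items() if v is not None})
        return dev_id

    def record(self, dev_id, event, points):
        self.reputation.setdefault(dev_id, []).append((event, points))

    def score(self, dev_id):
        return sum(p for _, p in self.reputation.get(dev_id, []))

    def action(self, dev_id):
        """Predefined rule: negative reputation triggers a step-up challenge."""
        return "challenge" if self.score(dev_id) < 0 else "allow"


def demo():
    """Constructed walk-through: one device over four visits, plus a stranger."""
    repo = FingerprintRepository()
    base = {"first_party_cookie": "7f3a9c", "ip": "203.0.113.45",
            "user_agent": "Firefox/124.0", "screen": "1920x1080", "dpi": 96,
            "tz_offset_min": -240, "clock_offset_s": 100.0}
    v1 = repo.identify(base)
    # dynamic IP changed, cookie intact -> cookie rule
    v2 = repo.identify({**base, "ip": "198.51.100.9"})
    # cookies cleared, device/browser combination intact -> device_combo rule
    v3 = repo.identify({**base, "ip": "198.51.100.9", "first_party_cookie": None})
    # cookies cleared and browser upgraded -> only the weighted score (70) remains
    v4 = repo.identify({**base, "ip": "198.51.100.9", "first_party_cookie": None,
                        "user_agent": "Firefox/125.0", "clock_offset_s": 103.0})
    # unrelated device -> new identifier
    other = repo.identify({"ip": "192.0.2.7", "user_agent": "Safari/17",
                           "screen": "1440x900", "dpi": 144,
                           "tz_offset_min": 60, "clock_offset_s": -3.0})
    repo.record(v1, "chargeback", -10)
    repo.record(v1, "completed_order", 2)
    return repo, (v1, v2, v3, v4), other
```

In the walk-through the same identifier survives an address change, a cookie wipe and a browser upgrade, each time via a lower-priority group, and the stranger gets a fresh one. Because a match in a higher-priority group ends evaluation, the expensive weighted pass only runs when the cheap rules fail, and because identifiers are not derived from the attributes, the stored values can be refreshed after every visit without the identifier moving.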
According to a further embodiment of the invention, a system is provided for uniquely identifying a device connected to a web service. The system comprises a measurement server that measures, collates, and classifies a plurality of attributes associated with a network device connecting to a web service. In one embodiment, the plurality of attributes uniquely identifies the device among a plurality of other devices. The system comprises a fingerprint server that receives the plurality of attributes from the measurement server and generates a unique network device identifier. The system includes a web service and an application server that receives a request for verification, the request being linked to the network device. In one embodiment, the application server forwards the request to the fingerprint server and receives the unique identifier in return. In one embodiment, the fingerprint server includes a rules engine that uses a group-based strategy. In another embodiment, the fingerprint server comprises a rules engine, a distributed fingerprint repository and a reputation algorithm.
The following detailed description and drawings will help you to better understand the additional features and benefits of this invention.
The present invention is a general technique for monitoring networks and hosts. The invention is a system and method for identifying in real-time a computer user’s security violation using multiple processing parameters and logic. The invention was applied in a web server as an example. The invention is applicable to a wide range of situations. The invention, for example, can be used in a firewall, intrusion detection/prevention systems, servers, content filter devices, anti-virus processes, anti-SPAM devices, web proxy content filters, spyware, web security processes, electronic mail filters, web or ecommerce applications, VoIP gateways or servers, or any combination thereof.