
Systems And Methods For Enhancing Authentication Mechanism Of A Device

Abstract: Systems and methods for enhancing authentication mechanism of a device are provided. None of the traditional systems and methods provide for enhancing authentication mechanism(s) and detecting anomalies by using a user’s provenance details. The embodiments of the proposed disclosure provide for overcoming the limitations of the traditional systems and methods by capturing authentication provenance details of one or more users from a plurality of sources; generating, based upon the authentication provenance details, a plurality of abstractions; generating at least one of one or more authentication policies and a set of default rules corresponding to the device; and enhancing, using one of the one or more authentication policies and the set of default rules, authentication mechanism of the device.


Patent Information

Application #
Filing Date
02 November 2018
Publication Number
19/2020
Publication Type
INA
Invention Field
COMMUNICATION
Status
Email
kcopatents@khaitanco.com
Parent Application
Patent Number
Legal Status
Grant Date
2023-09-08
Renewal Date

Applicants

Tata Consultancy Services Limited
Nirmal Building, 9th floor, Nariman point, Mumbai

Inventors

1. REDDY, Rajidi Satish Chandra
Tata Consultancy Services Limited, Deccan Park, Plot No 1, Survey No. 64/2, Software Units Layout , Serilingampally Mandal, Madhapur,Hyderabad 500034
2. GOPU, Srinivas Reddy
Tata Consultancy Services Limited, Deccan Park, Plot No 1, Survey No. 64/2, Software Units Layout , Serilingampally Mandal, Madhapur, Hyderabad, 500034

Specification

Claims:

WE CLAIM:

1. A method for enhancing authentication mechanism of a device, the method comprising processor-implemented steps of:
capturing, by one or more hardware processors, authentication provenance details of one or more users from a plurality of sources (201);
generating, based upon the authentication provenance details, a plurality of abstractions comprising a set of input parameters for specifying one or more authentication policies to be generated, wherein each of the plurality of abstractions are generated by implementing one or more extraction techniques on the authentication provenance details (202);
performing, based upon the plurality of abstractions, at least one of (203):
generating the one or more authentication policies corresponding to the device, wherein the one or more authentication policies comprise dynamic abstraction specifications for authenticating the one or more users to access the device; and
generating a set of default rules corresponding to the device, wherein the set of default rules comprise the dynamic abstraction specifications for authenticating the one or more users to access the device; and
enhancing, using one of the one or more authentication policies and the set of default rules, authentication mechanism of the device (204).

2. The method as claimed in claim 1, wherein the step of enhancing comprises:
(i) evaluating, based upon the one or more authentication policies, one or more authentication requests from the one or more users;
(ii) evaluating, based upon the set of default rules, the one or more authentication requests from the one or more users upon determining an absence of the one or more authentication policies for the one or more authentication requests; and
(iii) validating or invalidating the one or more authentication requests based upon the evaluation and the authentication provenance details.

3. The method as claimed in claim 2, wherein the step of evaluating the one or more authentication requests comprises detecting one or more anomalies using one of the one or more authentication policies and the set of default rules.

4. The method as claimed in claim 1, wherein the step of generating the plurality of abstractions comprises creating, based upon the authentication provenance details, a set of references corresponding to the one or more extraction techniques for specifying the one or more authentication policies.

5. The method as claimed in claim 1, wherein the one or more extraction techniques facilitate a retrieval of data corresponding to the plurality of abstractions based upon the authentication provenance details for evaluating the one or more authentication policies to be generated.

6. The method as claimed in claim 1, wherein the step of enhancing is preceded by traversing one or more authentication provenance graphs for specifying the one or more authentication policies generated based upon the plurality of abstractions.

7. A system (100) for enhancing authentication mechanism of a device, the system (100) comprising:
a memory (102) storing instructions;
one or more communication interfaces (106); and
one or more hardware processors (104) coupled to the memory (102) via the one or more communication interfaces (106), wherein the one or more hardware processors (104) are configured by the instructions to:
capture authentication provenance details of one or more users from a plurality of sources;
generate, based upon the authentication provenance details, a plurality of abstractions comprising a set of input parameters for specifying one or more authentication policies to be generated, wherein each of the plurality of abstractions are generated by implementing one or more extraction techniques on the authentication provenance details;
perform, based upon the plurality of abstractions, at least one of:
generate the one or more authentication policies corresponding to the device, wherein the one or more authentication policies comprise dynamic abstraction specifications for authenticating the one or more users to access the device; and
generate a set of default rules corresponding to the device, wherein the set of default rules comprise the dynamic abstraction specifications for authenticating the one or more users to access the device; and
enhance, using one of the one or more authentication policies and the set of default rules, authentication mechanism of the device.

8. The system (100) as claimed in claim 7, wherein the step of enhancing comprises:
(i) evaluating, based upon the one or more authentication policies, one or more authentication requests from the one or more users;
(ii) evaluating, based upon the set of default rules, the one or more authentication requests from the one or more users upon determining an absence of the one or more authentication policies for the one or more authentication requests; and
(iii) validating or invalidating the one or more authentication requests based upon the evaluation and the authentication provenance details.

9. The system (100) as claimed in claim 8, wherein the one or more hardware processors (104) are configured to evaluate the one or more authentication requests by detecting one or more anomalies using one of the one or more authentication policies and the set of default rules.

10. The system (100) as claimed in claim 7, wherein the one or more hardware processors (104) are configured to generate the plurality of abstractions by creating, based upon the authentication provenance details, a set of references corresponding to the one or more extraction techniques for specifying the one or more authentication policies.

11. The system (100) as claimed in claim 7, wherein the one or more hardware processors (104) are configured to perform a retrieval of data corresponding to the plurality of abstractions based upon the authentication provenance details for evaluating the one or more authentication policies to be generated.

12. The system (100) as claimed in claim 7, wherein the one or more hardware processors (104) are configured to traverse one or more authentication provenance graphs for specifying the one or more authentication policies generated based upon the plurality of abstractions.

Description:

FORM 2

THE PATENTS ACT, 1970
(39 of 1970)
&
THE PATENT RULES, 2003

COMPLETE SPECIFICATION
(See Section 10 and Rule 13)

TITLE OF THE INVENTION:

SYSTEMS AND METHODS FOR ENHANCING AUTHENTICATION MECHANISM OF A DEVICE

APPLICANT:

Tata Consultancy Services Limited
A company incorporated in India under the Companies Act, 1956
Having address:
Nirmal Building, 9th floor,
Nariman point, Mumbai 400021,
Maharashtra, India

PREAMBLE OF THE DESCRIPTION:
The following specification particularly describes the invention and the manner in which it is to be performed.


TECHNICAL FIELD
[001] The disclosure herein generally relates to system security, and, more particularly, to systems and methods for enhancing authentication mechanism of a device.

BACKGROUND
[002] Computing (or any other related) devices are subject to attack by intruders who seek to steal or corrupt valuable data or programs. Attackers have various techniques for defeating security measures and gaining access to computer system resources. System security is responsible for controlling access to a system’s resources, which include sensitive data. A device or a system must therefore include a certain amount of protection for such data, and must in turn control access to those parts of the system that administer this protection. System security is concerned with all aspects of these arrangements.
[003] A secured authentication mechanism is a critical aspect of a secured device. There are many processes for initial authentication of a user to verify the identity of the user or the user's eligibility to access particular resources in a standalone computer system or in a computer network. Different system administrators may have different security requirements according to the business needs of the systems they administer, and they may require different types of authentication mechanisms. For example, some systems may only require presenting a simple userid and password. Other systems may be more sophisticated and require the user to employ authentication mechanisms such as a smart card, a token card, or a fingerprint scanner.
[004] The traditional systems and methods, however, simply provide for static authentication mechanisms based upon certain pre-defined rules only. Such authentication mechanisms simply perform an initial level of user identification / scanning, and thus do not provide for a robust authentication process.

SUMMARY
[005] Embodiments of the present disclosure present technological improvements as solutions to one or more of the above-mentioned technical problems recognized by the inventors in conventional systems. For example, in one embodiment, a method for enhancing authentication mechanism of a device is provided, the method comprising: capturing, by one or more hardware processors, authentication provenance details of one or more users from a plurality of sources; generating, based upon the authentication provenance details, a plurality of abstractions comprising a set of input parameters for specifying one or more authentication policies to be generated, wherein each of the plurality of abstractions are generated by implementing one or more extraction techniques on the authentication provenance details; performing, based upon the plurality of abstractions, at least one of: generating the one or more authentication policies corresponding to the device, wherein the one or more authentication policies comprise dynamic abstraction specifications for authenticating the one or more users to access the device; and generating a set of default rules corresponding to the device, wherein the set of default rules comprise the dynamic abstraction specifications for authenticating the one or more users to access the device; enhancing, using one of the one or more authentication policies and the set of default rules, authentication mechanism of the device; detecting one or more anomalies using one of the one or more authentication policies and the set of default rules; creating, based upon the authentication provenance details, a set of references corresponding to the one or more extraction techniques for specifying the one or more authentication policies; and traversing one or more authentication provenance graphs for specifying the one or more authentication policies generated based upon the plurality of abstractions.
[006] In another aspect, there is provided a system for enhancing authentication mechanism of a device, the system comprising a memory storing instructions; one or more communication interfaces; and one or more hardware processors coupled to the memory via the one or more communication interfaces, wherein the one or more hardware processors are configured by the instructions to: capture authentication provenance details of one or more users from a plurality of sources; generate, based upon the authentication provenance details, a plurality of abstractions comprising a set of input parameters for specifying one or more authentication policies to be generated, wherein each of the plurality of abstractions is generated by implementing one or more extraction techniques on the authentication provenance details; perform, based upon the plurality of abstractions, at least one of: generate the one or more authentication policies corresponding to the device, wherein the one or more authentication policies comprise dynamic abstraction specifications for authenticating the one or more users to access the device; and generate a set of default rules corresponding to the device, wherein the set of default rules comprise the dynamic abstraction specifications for authenticating the one or more users to access the device; enhance, using one of the one or more authentication policies and the set of default rules, authentication mechanism of the device; evaluate the one or more authentication requests by detecting one or more anomalies using one of the one or more authentication policies and the set of default rules; create, based upon the authentication provenance details, a set of references corresponding to the one or more extraction techniques for specifying the one or more authentication policies; and traverse one or more authentication provenance graphs for specifying the one or more authentication policies generated based upon the plurality of abstractions.
[007] In yet another aspect, there is provided one or more non-transitory machine readable information storage mediums comprising one or more instructions which when executed by one or more hardware processors causes the one or more hardware processors to perform a method for enhancing authentication mechanism of a device, the method comprising: capturing authentication provenance details of one or more users from a plurality of sources; generating, based upon the authentication provenance details, a plurality of abstractions comprising a set of input parameters for specifying one or more authentication policies to be generated, wherein each of the plurality of abstractions are generated by implementing one or more extraction techniques on the authentication provenance details; performing, based upon the plurality of abstractions, at least one of: generating the one or more authentication policies corresponding to the device, wherein the one or more authentication policies comprise dynamic abstraction specifications for authenticating the one or more users to access the device; and generating a set of default rules corresponding to the device, wherein the set of default rules comprise the dynamic abstraction specifications for authenticating the one or more users to access the device; enhancing, using one of the one or more authentication policies and the set of default rules, authentication mechanism of the device; detecting one or more anomalies using one of the one or more authentication policies and the set of default rules; creating, based upon the authentication provenance details, a set of references corresponding to the one or more extraction techniques for specifying the one or more authentication policies; and traversing one or more authentication provenance graphs for specifying the one or more authentication policies generated based upon the plurality of abstractions.
[008] It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the invention, as claimed.

BRIEF DESCRIPTION OF THE DRAWINGS
[009] The accompanying drawings, which are incorporated in and constitute a part of this disclosure, illustrate exemplary embodiments and, together with the description, serve to explain the disclosed principles.
[010] FIG. 1 illustrates an exemplary system for enhancing authentication mechanism of a device, in accordance with some embodiments of the present disclosure.
[011] FIG. 2 is a flow diagram illustrating a method for the enhancing of authentication mechanism of the device, in accordance with some embodiments of the present disclosure.
[012] FIG. 3 depicts the architecture and process of capturing authentication provenance details of one or more users, in accordance with some embodiments of the present disclosure.
[013] FIG. 4 depicts the architecture of generating one or more authentication policies based upon the authentication provenance details, in accordance with some embodiments of the present disclosure.
[014] FIG. 5 illustrates an example of one or more authentication provenance graphs for specifying the one or more authentication policies generated based upon abstractions, in accordance with some embodiments of the present disclosure.
[015] FIG. 6 illustrates an example of the enhancing of authentication mechanism of the device, in accordance with some embodiments of the present disclosure.

DETAILED DESCRIPTION OF EMBODIMENTS
[016] Exemplary embodiments are described with reference to the accompanying drawings. In the figures, the left-most digit(s) of a reference number identifies the figure in which the reference number first appears. Wherever convenient, the same reference numbers are used throughout the drawings to refer to the same or like parts. While examples and features of disclosed principles are described herein, modifications, adaptations, and other implementations are possible without departing from the spirit and scope of the disclosed embodiments. It is intended that the following detailed description be considered as exemplary only, with the true scope and spirit being indicated by the following claims.
[017] Embodiments of the present disclosure provide systems and methods for enhancing authentication mechanism of a device. An increasing number of applications or services in the real as well as the virtual world like the Internet require authorization in order to get service access. For granting service access to a user, first of all the identity of the user must be verified or proved to the provider offering the service. This procedure is generally understood as an authentication of a user to a service provider. Examples of such applications or services are a login to a web server for information access, login to a Personal Computer (PC) or workstation, login to a corporate network or an Intranet, automated payment transactions, and also access to buildings, cars, and automated teller machines (ATMs).
[018] Authentication mechanisms for such applications are static, based upon certain pre-defined rules only. Such authentication mechanisms simply perform an initial level of user identification / scanning, and thus do not provide for a robust authentication process. Further, credential sharing is a long-standing, inexorable practice in organizations. It is generally carried out by various means that are outside the control of the security system of the device(s).
[019] Credential sharing is convenient in some scenarios, for example, delegating job functions to subordinates or bypassing certain processes to perform a job function. In such scenarios, an employee may misuse the privileges, which may lead to security implications such as sensitive information leakage and privacy violation. Credential stealing is another problem, which is carried out without the knowledge of the credential owner.
[020] The traditional systems and methods fail to provide for robust authentication mechanisms that perform additional check(s) based on past login events to ensure that the user is the legitimate user by identifying possible anomalies. The proposed disclosure overcomes the limitations of the traditional systems and methods. For example, the proposed disclosure provides for verifying a user’s authentication by matching an incoming authentication request(s) with the user’s previous authentication events to ensure that the user is the actual user. Further, the proposed disclosure provides for a dynamic generation of authentication / security policies in terms of authentication provenance as opposed to static, pre-configured data.
[021] FIG. 1 illustrates an exemplary block diagram of a system 100 for enhancing authentication mechanism of a device in accordance with an embodiment of the present disclosure. In an embodiment, the system 100 includes one or more processors 104, communication interface device(s) or input/output (I/O) interface(s) 106, and one or more data storage devices or memory 102 operatively coupled to the one or more processors 104. The one or more processors 104 that are hardware processors can be implemented as one or more microprocessors, microcomputers, microcontrollers, digital signal processors, central processing units, state machines, logic circuitries, and/or any devices that manipulate signals based on operational instructions. Among other capabilities, the processor(s) is configured to fetch and execute computer-readable instructions stored in the memory 102. In an embodiment, the system 100 can be implemented in a variety of computing systems, such as laptop computers, notebooks, hand-held devices, workstations, mainframe computers, servers, a network cloud and the like.
[022] The I/O interface device(s) 106 can include a variety of software and hardware interfaces, for example, a web interface, a graphical user interface, and the like and can facilitate multiple communications within a wide variety of networks N/W and protocol types, including wired networks, for example, LAN, cable, etc., and wireless networks, such as WLAN, cellular, or satellite. In an embodiment, the I/O interface device(s) can include one or more ports for connecting a number of devices to one another or to another server. The system 100, through the I/O interface 106 may be coupled to external data sources.
[023] The memory 102 may include any computer-readable medium known in the art including, for example, volatile memory, such as static random access memory (SRAM) and dynamic random access memory (DRAM), and/or non-volatile memory, such as read only memory (ROM), erasable programmable ROM, flash memories, hard disks, optical disks, and magnetic tapes.
[024] FIG. 2, with reference to FIG. 1, illustrates an exemplary flow diagram of a method for the enhancing of authentication mechanism of the device. In an embodiment the system 100 comprises one or more data storage devices of the memory 102 operatively coupled to the one or more hardware processors 104 and is configured to store instructions for execution of steps of the method by the one or more processors 104. The steps of the method of the present disclosure will now be explained with reference to the components of the system 100 as depicted in FIG. 1 and the flow diagram. In the embodiments of the present disclosure, the hardware processors 104, when configured by the instructions, perform one or more methodologies described herein.
[025] The term ‘device’ as used throughout the disclosure (and not specifically shown in the figures) may comprise any device, for example, a computing device, a mobile device and so on, or a system comprising a unit of physical hardware or equipment that provides one or more computing or related functions and comprises an authentication or security mechanism for the purpose of verifying or authenticating any user or any other device.
[026] Referring now to the drawings, and more particularly to FIG. 1 through 6, where similar reference characters denote corresponding features consistently throughout the figures, there are shown preferred embodiments and these embodiments are described in the context of the following exemplary system and/or method.
[027] According to an embodiment of the present disclosure, at step 201, the one or more hardware processors 104 capture authentication provenance details of one or more users from a plurality of sources. In general, provenance information or provenance data is information that records the origin and history of a data item and the results of the determinations made about it. Provenance helps to understand what actually happened during the lifecycle of a process by examining how data is produced, what resources are involved and which tasks are invoked. Capturing provenance enables users to share, discover, and reuse the data, thus streamlining collaborative activities, reducing the possibility of repeating dead ends, and facilitating learning. The architecture and process of capturing the authentication provenance details are shown in FIG. 3.
[028] Data provenance (in the context of authentication) provides a pedigree of historical information about an artifact and past activities. A security mechanism (not shown in the figure) can use the provenance data along with traditional models, resulting in far more expressive authentication policy specification and granular authentication control. In a provenance aware security device or system, user actions on a data item are captured as data provenance, and causal dependencies between the entities are created based on the chain of events in the form of an acyclic graph. Abstractions, created over the dependencies, can be used as a foundation to enhance authentication and access control.
[029] In an embodiment, the authentication provenance details may thus comprise, inter alia, historical login / logout details, the hardware / software and operating system components involved for authentication purposes, and so on. The authentication provenance details may be captured by the one or more hardware processors 104 via one or more provenance application programming interfaces (APIs), whenever an application calls the one or more provenance APIs. Further, the authentication provenance details may be captured from the plurality of sources, for example, historical login / logout attempts of the one or more users in a computing device, a mobile, or any other device, application or system that involves authentication mechanism(s). It may be noted that the proposed disclosure follows a Provenance Data Model, that is, the PROV-DM model, which is a World Wide Web Consortium (W3C) specification; the authentication provenance details are translated into the PROV-DM model.
[030] According to an embodiment of the present disclosure, at step 202, the one or more hardware processors 104 are configured to generate, based upon the authentication provenance details, a plurality of abstractions comprising a set of input parameters for specifying one or more authentication policies to be generated. In an embodiment, each of the plurality of abstractions, when executed, comprises (but is not limited to) specific data of the one or more users and / or of the device (that is, the device comprising the authentication mechanism to authenticate the one or more users).
[031] Considering an example scenario, the plurality of abstractions that may be generated may comprise previous_login_location, previous_login_system, is_user_system, login_with_additional_information_count and so on. Further, the proposed disclosure facilitates a dynamic generation of abstractions using the one or more extraction techniques whenever there is a need to make the device flexible with more options.
[032] In an embodiment, each of the plurality of abstractions may be generated by implementing one or more extraction techniques on the authentication provenance details. The one or more extraction techniques may comprise a query or a set of queries that may be executed on the authentication provenance details. The query or the set of queries may be executed by the one or more hardware processors 104 in such a way that it traverses the one or more provenance graphs of the one or more users and returns the location (or other details) during evaluation, thereby generating an abstraction.
[033] Considering an example scenario, an abstraction “previous_login_location” may be generated from the below extraction technique, written using the Simple Protocol and RDF (Resource Description Framework) Query Language (SPARQL). The PREFIX IRIs are absent from the published text; the standard W3C vocabulary IRIs are supplied here, and the provpwd namespace, which the specification does not give, is marked as a placeholder:
Eval:urn:oasis:names:tc:xacml:3.0:function:Provlocmatch
PREFIX provpwd: <urn:placeholder:provpwd#>   # placeholder: namespace not given in the specification
PREFIX owl: <http://www.w3.org/2002/07/owl#>
PREFIX rdf: <http://www.w3.org/1999/02/22-rdf-syntax-ns#>
PREFIX xsd: <http://www.w3.org/2001/XMLSchema#>
PREFIX rdfs: <http://www.w3.org/2000/01/rdf-schema#>
PREFIX prov: <http://www.w3.org/ns/prov#>

ASK
WHERE
{ ?x prov:Activitytype "Login" ;
     prov:used ?Application .
  ?Application prov:entitytype "Leave Application" ;
     prov:location "HYDERABAD"
}
[034] In an embodiment, generating the plurality of abstractions comprises creating a set of references corresponding to the one or more extraction techniques for specifying the one or more authentication policies. As mentioned above, the abstractions comprise (but are not limited to) specific data of the one or more users and / or of the device (that is, the device comprising the authentication mechanism to authenticate the one or more users). Similarly, the proposed disclosure provides for isolating the one or more extraction techniques, that is, the query or the set of queries may be isolated and only the one or more relevant references corresponding to the query or the set of queries may be created for specifying the one or more authentication policies to be generated.
[035] Considering an example scenario, previous_login_location may only be used for specifying the one or more authentication policies. Each of the plurality of abstractions may be used in authentication policy specifications to make the device more flexible, dynamic as opposed to rigid, static predefined rules.
[036] In an embodiment, the one or more extraction techniques facilitate a retrieval of data corresponding to each of the plurality of abstractions for evaluating the one or more authentication policies to be generated. The set of data may also be in the form of a Boolean result, for example, “Yes” or “No” or “True” or “False”. Considering an example scenario, from the above extraction technique (as considered in step 202 above), for the abstraction “Provlocmatch” the data may be retrieved as “True” or “False”, as a user may be allowed to log in if the previous login location matches his current login location. Further, if an abstraction is generated as “Select_location”, the data may be retrieved as a location name, for example, Hyderabad.
[037] In an example implementation, for the authentication request shown below with the abstraction “Provlocmatch”, executing the same extraction technique retrieves the data as “True” or “False”.

[Figure in the original: the authentication request, labelled “Leave Application” and “Login”.]
[038] According to an embodiment of the present disclosure, at step 203, the one or more hardware processors 104 are configured to either generate the one or more authentication policies corresponding to the device or generate a set of default rules corresponding to the device based upon the extracted abstractions. Hence, one of the above steps, that is, generating the one or more authentication policies or generating the set of default rules corresponding to the device is performed. The step of generating the one or more authentication policies or generating the set of default rules corresponding to the device for enhancing the authentication mechanism of the device may now be considered in detail.
[039] In an embodiment, at step 203, initially, the one or more hardware processors 104 are configured to generate the one or more authentication policies corresponding to the device, wherein the one or more authentication policies comprise dynamic abstraction specifications for authenticating the one or more users to access the device. In general, authentication refers to the process in which a user is validated as being able to complete a logon and/or access any device(s). Authentication policies are a set of rules with conditions, obligations, and advices that a security mechanism evaluates for an authentication request. For example, the authentication policy can require the user to provide a one-time password value or authenticate with a user name and password whether or not an authenticated session exists.
[040] As compared to the traditional systems and methods, the proposed disclosure facilitates generating the one or more authentication policies based upon the authentication provenance details, that is, the authentication provenance details of the one or more users. The one or more authentication policies (or security policies) that are generated are thus specified in terms of authentication provenance as opposed to static, pre-configured data. By implementing the plurality of abstractions (generated from the authentication provenance details), the proposed disclosure provides for an enhanced security mechanism that detects credential sharing / stealing anomalies and informs an application (discussed later in step 204). The architecture for generating the one or more authentication policies based upon the authentication provenance details is shown in FIG. 4.
[041] Considering an example scenario, where the abstraction generated is previous_login_location, the one or more authentication policies that may be generated based upon the abstraction may comprise “Do not allow login if system IP doesn't match with the previous login IP”. A security mechanism (implemented for authenticating the one or more users) would identify this anomaly if the user's current IP is different from the previous IP, and thus deny login, or may validate the login by requiring additional information, thereby enhancing said security mechanism.
[042] Further, generating the one or more authentication policies that are specified in terms of the authentication provenance as opposed to static, pre-configured data facilitates a dynamic generation of authentication policies (or security policies) based upon the current security requirements of the device. Considering an example scenario, suppose an organization faces a high number of policy violations at a location X. A user C, transferred to a new location Y of the same organization, is scanned for authentication purposes. Considering that the user C is transferred from the location X facing a high number of security violations, from authentication provenance of the user, an abstraction may be extracted as “previous_login_location”, and authentication policy may be dynamically generated as “Allow login with additional information if more than two invalid access requests at the location X”.
[043] In an example implementation, the one or more authentication policies with a response may be generated as below from the abstraction “provlocmatch”, wherein the execution of abstraction “provlocmatch” results in either true or false.
Authentication policy (XACML policy flattened in extraction; recoverable text only):
Description: A policy for Login: permit login if location matches with the previous login location
Target: Leave (Leave Application)
Rules: Permit rule for Login (target: Login); Deny rule for Login
Response:
======================== XACML Response ===================
Permit (policy permit-policy-leave-login)
Login
Leave
[044] In an embodiment, at step 203, the one or more hardware processors 104 are further configured to generate the set of default rules corresponding to the device, wherein the set of default rules comprise the dynamic abstraction specifications for authenticating the one or more users to access the device. The proposed disclosure thus provides for generating the set of default rules for authenticating the one or more users upon determining an absence of the one or more authentication policies corresponding to an authentication request received. Further, each default rule of the set of default rules generated also comprises the dynamic abstraction specifications, as in the case of the one or more authentication policies, thereby providing similar technical improvements (as discussed supra).
[045] In an embodiment, the one or more hardware processors 104 traverse one or more authentication provenance graphs for specifying the one or more authentication policies generated using the plurality of abstractions. An example of the one or more authentication provenance graphs is shown in FIG. 5. Referring to FIG. 5 again, it may be noted that the below SPARQL query selects the application, location and hostname of a previous login of a user. Here, the hostname is at the node IN12345, which is linked to the Login node; the SPARQL query cannot go directly to that node and read the hostname.
[046] The SPARQL query thus traverses a plurality of linked nodes starting from the Login node. Taking Alice_Login as an example, it uses (represented by the edge "used") the "Alice_Leave" node, which is derived from node IN12345, and the hostname is associated with node IN12345. The SPARQL query therefore has to traverse each of the plurality of linked nodes to reach the hostname, following the relations supplied in the WHERE clause. It may be noted that the SPARQL query is run against a serialized form of the provenance, not against the graphical representation; that is, the .ttl files in the FROM clause are the files that contain the serialized provenance.
SPARQL query (the graph URIs of the FROM and FROM NAMED clauses are absent from the page):
SELECT ?Application ?location ?hostname
FROM
FROM NAMED
FROM NAMED
WHERE {
  ?d rdfs:label "Login" .
  GRAPH ?d { ?x prov:Activitytype "Login" ;
             prov:used ?Application . }
  GRAPH ?Application { ?y prov:entitytype "Webapplication" ;
                       prov:location ?location ;
                       prov:wasderivedfrom ?s .
                       ?s prov:Hostname ?hostname . }
}
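The multi-hop lookup that the query above performs, as an added Python example that is not part of the patent or of the applicant's implementation. The provenance is held as an in-memory list of (subject, predicate, object) triples rather than the named graphs and .ttl files of the SPARQL version; the node names (Alice_Login, Alice_Leave, IN12345, Hyderabad), the hostname value and the Bob_* and Alice_Logout nodes are constructed sample data. It shows the two points the text makes: a direct lookup of the hostname on the Login node finds nothing, and, as with a SPARQL basic graph pattern, a row is produced only when every hop of the pattern matches (Bob's application entity has no wasDerivedFrom edge, so no row is returned for him).

```python
"""Walk a serialized provenance graph from a Login activity to the host entity's hostname.

Added example (not the patent's code). The SPARQL query on the page cannot read the
hostname from the Login node directly; it has to follow prov:used to the application
entity and prov:wasDerivedFrom to the host entity. This does the same walk over an
in-memory triple list so it runs offline.
"""
from typing import Dict, List, Tuple

Triple = Tuple[str, str, str]

# Constructed triples mirroring FIG. 5 of the patent (sample data, not real provenance).
# Bob_Payroll deliberately lacks a prov:wasDerivedFrom edge, so Bob's hostname is unreachable.
SAMPLE_TRIPLES: List[Triple] = [
    ("Alice_Login", "prov:Activitytype", "Login"),
    ("Alice_Login", "prov:used", "Alice_Leave"),
    ("Alice_Leave", "prov:entitytype", "Webapplication"),
    ("Alice_Leave", "prov:location", "Hyderabad"),
    ("Alice_Leave", "prov:wasDerivedFrom", "IN12345"),
    ("IN12345", "prov:Hostname", "in12345.example"),      # constructed hostname
    ("Bob_Login", "prov:Activitytype", "Login"),
    ("Bob_Login", "prov:used", "Bob_Payroll"),
    ("Bob_Payroll", "prov:entitytype", "Webapplication"),
    ("Bob_Payroll", "prov:location", "Mumbai"),
    ("Alice_Logout", "prov:Activitytype", "Logout"),
    ("Alice_Logout", "prov:used", "Alice_Leave"),
]


class TripleStore:
    """Minimal in-memory triple store indexed by (subject, predicate)."""

    def __init__(self, triples: List[Triple]) -> None:
        self._index: Dict[Tuple[str, str], List[str]] = {}
        for s, p, o in triples:
            self._index.setdefault((s, p), []).append(o)

    def objects(self, subject: str, predicate: str) -> List[str]:
        """All objects of (subject, predicate); empty if the edge does not exist."""
        return self._index.get((subject, predicate), [])

    def subjects_with(self, predicate: str, obj: str) -> List[str]:
        """All subjects that have the given (predicate, object) pair, in insertion order."""
        return [s for (s, p), objs in self._index.items() if p == predicate and obj in objs]


def previous_login_facts(store: TripleStore, activity_type: str = "Login") -> List[Dict[str, str]]:
    """Equivalent of the page's WHERE clause: activity -> used -> application -> wasDerivedFrom -> host.

    Like a SPARQL basic graph pattern, a result row is emitted only when every hop binds.
    """
    rows: List[Dict[str, str]] = []
    for activity in store.subjects_with("prov:Activitytype", activity_type):
        for app in store.objects(activity, "prov:used"):
            if "Webapplication" not in store.objects(app, "prov:entitytype"):
                continue
            for location in store.objects(app, "prov:location"):
                for host in store.objects(app, "prov:wasDerivedFrom"):
                    for hostname in store.objects(host, "prov:Hostname"):
                        rows.append({"login": activity, "application": app,
                                     "location": location, "hostname": hostname})
    return rows


if __name__ == "__main__":
    store = TripleStore(SAMPLE_TRIPLES)
    print("direct lookup on Login node:", store.objects("Alice_Login", "prov:Hostname"))
    for row in previous_login_facts(store):
        print(row)
```

The walk is driven by the edges named in the query; changing the activity type to "Logout" reuses the same path, which is what the patent's choice of abstractions (location, hostname of a previous activity) depends on.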
[047] According to an embodiment of the present disclosure, at step 204, the one or more hardware processors 104 are configured to enhance the authentication mechanism for the device using one of the one or more authentication policies and the set of default rules (that is, whichever of them was generated). The proposed disclosure provides for verifying each authentication request of the one or more users an additional number of times by further considering past authentication events of the one or more users to arrive at an authentication decision.
[048] The proposed methodology also identifies possible anomalies by analyzing user, entity (system / device, application), activity (login, browsing) and context provenance to make an authentication decision. In one context it may allow authentication, and for the same context it may reject or invalidate the request or seek additional information (discussed below). The process of enhancing the authentication mechanism for the device may now be considered in detail.
[049] In an embodiment, initially, the one or more hardware processors 104 are configured to evaluate, based upon the generated one or more authentication policies, one or more authentication requests from the one or more users. Upon determining an absence of the one or more authentication policies for the one or more authentication requests, the one or more hardware processors 104 are configured to evaluate the one or more authentication requests from the one or more users based upon the set of default rules. Finally, the one or more hardware processors 104 are configured to validate or invalidate the one or more authentication requests based upon the evaluation and the authentication provenance details.
[050] Considering an example scenario, referring to the authentication policy generated in step 203 above, it may be noted that the execution of abstraction “provlocmatch” results in either true or false. If it evaluates to 'true', the policy evaluation results in "Permit", that is, allow login in response. If “provlocmatch” evaluates to 'false', then the decision would be "Deny". By referring to FIG. 6, the process of enhancing may be explained in detail with an example.
[051] By referring to FIG. 6, it may be noted that suppose the one or more authentication requests from the one or more users are received, and the one or more authentication policies generated from an abstraction “Provlocmatch” are “Allow login if location matches previous location” or “Deny login in case of location mismatch”. In such a scenario, the one or more hardware processors 104 evaluate the one or more authentication requests from the one or more users with the policy “Allow login if location matches previous location” or “Deny login in case of location mismatch” and validate the login in case the current login location matches the previous login location.
[052] However, upon determining the absence of the one or more authentication policies, the one or more hardware processors 104 are configured to evaluate the one or more authentication requests based upon the set of default rules. By referring to FIG. 6 yet again, it may be noted that a default rule “Deny login” may be implemented in case the abstraction “Provlocmatch” is generated but no corresponding authentication policies have been generated.
[053] In an embodiment, the step of evaluating the one or more authentication requests comprises detecting one or more anomalies. Detection of the one or more anomalies further enhances the authentication or security mechanism of the device. The one or more anomalies comprise password anomalies or any other credential sharing anomalies that may occur intentionally or unintentionally. The traditional systems and methods, which do not implement the authentication provenance details, may fail to detect the one or more anomalies.
[054] The detection of the one or more anomalies may be performed by seeking additional information details from the one or more users for authenticating. Considering an example scenario, if an authentication policy is specified as "Do not allow login if device IP doesn't match with the previous login IP", and if user's current IP is different from the previous IP, the security mechanism identifies this mismatch as an anomaly.
[055] In an embodiment, an application of the security system communicates with the one or more users via the one or more APIs for obtaining additional information. Considering an example scenario, the application may send a one-time password (OTP) to a user's phone number, or it may ask secret and private questions. Here, the intent is to stop the user from sharing his password with other users. If the authentication or security mechanism detects that the user may have shared the password, it will inform the application to ask the user for additional information, so that the user may hesitate to share the additional information with another user. In this way intentional password sharing may be minimized, and thus the one or more anomalies may be detected.
[056] Considering another example scenario, if an attacker manages to steal the user's credentials (for example, User_id, password, etc.) and attempts to log in, the security mechanism may suspect an anomaly by evaluating the one or more authentication policies and informs the application to communicate with the user (in this case the attacker) for additional information. In this case the attacker would not have the additional information, and the login would be prevented.
[057] Further, in case of any legitimate user logging in, such a legitimate user provides additional information and the corresponding provenance (for example, location_name, device_id) is captured by the security mechanism, thereby indicating that the legitimate user has been authenticated with additional information. The corresponding provenance may be used to evaluate the legitimate user's future authentication requests to detect the one or more anomalies that may arise in the future.
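The evaluation flow of steps 203 and 204 described above (evaluate the applicable policies, fall back to the default rule when no policy applies, send a suspected anomaly to the additional-information check, and capture the resulting provenance for the user's future requests), as an added Python example that is not the patent's or the applicant's code. The event records, user and application names, IP addresses, policy names and the Permit / Deny / StepUp decision values are constructed for the example. The deny-overrides combining of several policies and the treatment of a user with no provenance history (sent to the additional-information check rather than denied) are assumptions of this example, not something the patent specifies.

```python
"""Provenance-driven authentication policy evaluation (added example, not the patent's code).

Abstractions such as provlocmatch are computed from the user's captured authentication
provenance, the policies targeting the requested application are evaluated over them,
a default rule applies when no policy exists, and a StepUp decision asks the application
to collect additional information (OTP, secret question) before the login is accepted.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

Abstractions = Dict[str, object]


@dataclass
class ProvenanceEvent:
    """One captured authentication event (the authentication provenance details)."""
    user: str
    application: str
    location: str
    ip: str
    outcome: str          # "success", "step_up_success" or "failure"
    device_id: str = ""


@dataclass
class AuthRequest:
    user: str
    application: str
    location: str
    ip: str
    device_id: str = ""


@dataclass
class Policy:
    """Dynamic abstraction specification: a condition over abstractions mapped to a decision."""
    name: str
    application: str                           # target application, e.g. "Leave"
    condition: Callable[[Abstractions], bool]
    on_true: str                               # "Permit", "Deny" or "StepUp"
    on_false: str


class ProvenanceStore:
    def __init__(self, events: Optional[List[ProvenanceEvent]] = None) -> None:
        self.events: List[ProvenanceEvent] = list(events or [])

    def record(self, event: ProvenanceEvent) -> None:
        self.events.append(event)

    def previous_login(self, user: str) -> Optional[ProvenanceEvent]:
        """Most recent authenticated login of the user, or None when there is no history."""
        for event in reversed(self.events):
            if event.user == user and event.outcome in ("success", "step_up_success"):
                return event
        return None


def extract_abstractions(store: ProvenanceStore, req: AuthRequest) -> Abstractions:
    """Step 202: derive abstractions (previous_login_location, provlocmatch, ...) from provenance."""
    prev = store.previous_login(req.user)
    return {
        "has_history": prev is not None,
        "previous_login_location": prev.location if prev else None,
        "provlocmatch": prev is not None and prev.location == req.location,
        "provipmatch": prev is not None and prev.ip == req.ip,
    }


# Constructed policies mirroring the patent's examples: location mismatch is denied,
# IP mismatch is validated with additional information. A user with no provenance yet
# goes to the additional-information check (an assumption of this example).
POLICIES: List[Policy] = [
    Policy("permit-policy-leave-login", "Leave",
           lambda a: a["provlocmatch"] or not a["has_history"], "Permit", "Deny"),
    Policy("ip-match-leave-login", "Leave",
           lambda a: a["provipmatch"] and a["has_history"], "Permit", "StepUp"),
]


def evaluate(store: ProvenanceStore, policies: List[Policy], req: AuthRequest,
             default_rule: str = "Deny") -> str:
    """Step 204: evaluate the applicable policies; apply the default rule when none apply."""
    applicable = [p for p in policies if p.application == req.application]
    if not applicable:
        return default_rule
    abstractions = extract_abstractions(store, req)
    decisions = [p.on_true if p.condition(abstractions) else p.on_false for p in applicable]
    if "Deny" in decisions:          # deny-overrides combining (assumption of this example)
        return "Deny"
    if "StepUp" in decisions:
        return "StepUp"
    return "Permit"


def authenticate(store: ProvenanceStore, policies: List[Policy], req: AuthRequest,
                 additional_info_ok: Optional[bool] = None) -> str:
    """Apply the decision and record the outcome as new provenance for future requests.

    additional_info_ok is the application's report on the additional-information check;
    None means the application has not collected it yet, so the caller gets "StepUp" back.
    """
    decision = evaluate(store, policies, req)
    if decision == "StepUp":
        if additional_info_ok is None:
            return "StepUp"
        decision = "Permit" if additional_info_ok else "Deny"
        outcome = "step_up_success" if additional_info_ok else "failure"
    else:
        outcome = "success" if decision == "Permit" else "failure"
    store.record(ProvenanceEvent(req.user, req.application, req.location, req.ip,
                                 outcome, req.device_id))
    return decision
```

After a successful additional-information check the new location, IP and device_id are part of the user's provenance, so the same request evaluates to Permit next time, while a request that only carries stolen credentials and cannot pass the check is recorded as a failure and never becomes history.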
[058] According to an embodiment of the present disclosure, the advantages of the proposed disclosure may be considered in detail. As discussed supra, the proposed disclosure facilitates identification of the one or more anomalies, including the password anomalies, and thus minimizes credential sharing / stealing (unintentional or intentional) by using the authentication provenance details. Also, as discussed supra, the proposed disclosure provides for generating the one or more authentication policies dynamically, that is, based upon the plurality of abstractions, and thereby dynamically adjusts to the security requirements of any device. Finally, in the absence of any authentication policy, the proposed disclosure verifies authentication request(s) by using the set of default rules.
[059] In an embodiment, the memory 102 can be configured to store any data that is associated with the enhancing of authentication mechanism of the device. In an embodiment, the information pertaining to the authentication provenance details, the plurality of abstractions, the one or more authentication policies or the set of default rules etc. is stored in the memory 102. Further, all information (inputs, outputs and so on) pertaining to the enhancing of authentication mechanism of the device may also be stored in the database, as history data, for reference purpose.
[060] The written description describes the subject matter herein to enable any person skilled in the art to make and use the embodiments. The scope of the subject matter embodiments is defined by the claims and may include other modifications that occur to those skilled in the art. Such other modifications are intended to be within the scope of the claims if they have similar elements that do not differ from the literal language of the claims or if they include equivalent elements with insubstantial differences from the literal language of the claims.
[061] The embodiments of the present disclosure herein address the unresolved problem of enhancing authentication mechanism(s) of device(s) or system(s) comprising authentication / security mechanism(s) by using the authentication provenance details. The embodiments thus provide for generating authentication policies from the abstractions, or using default rules, for enhancing authentication mechanism(s). Moreover, the embodiments herein further provide for identifying and resolving intentional or unintentional password or credential anomalies of user(s) by implementing the authentication provenance details.
[062] It is to be understood that the scope of the protection is extended to such a program and in addition to a computer-readable means having a message therein; such computer-readable storage means contain program-code means for implementation of one or more steps of the method, when the program runs on a server or mobile device or any suitable programmable device. The hardware device can be any kind of device which can be programmed including e.g. any kind of computer like a server or a personal computer, or the like, or any combination thereof. The device may also include means which could be e.g. hardware means like e.g. an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA), or a combination of hardware and software means, e.g. an ASIC and an FPGA, or at least one microprocessor and at least one memory with software modules located therein. Thus, the means can include both hardware means and software means. The method embodiments described herein could be implemented in hardware and software. The device may also include software means. Alternatively, the embodiments may be implemented on different hardware devices, e.g. using a plurality of CPUs.
[063] The embodiments herein can comprise hardware and software elements. The embodiments that are implemented in software include but are not limited to, firmware, resident software, microcode, etc. The functions performed by various modules described herein may be implemented in other modules or combinations of other modules. For the purposes of this description, a computer-usable or computer readable medium can be any apparatus that can comprise, store, communicate, propagate, or transport the program for use by or in connection with the instruction execution system, apparatus, or device.
[064] The illustrated steps are set out to explain the exemplary embodiments shown, and it should be anticipated that ongoing technological development will change the manner in which particular functions are performed. These examples are presented herein for purposes of illustration, and not limitation. Further, the boundaries of the functional building blocks have been arbitrarily defined herein for the convenience of the description. Alternative boundaries can be defined so long as the specified functions and relationships thereof are appropriately performed. Alternatives (including equivalents, extensions, variations, deviations, etc., of those described herein) will be apparent to persons skilled in the relevant art(s) based on the teachings contained herein. Such alternatives fall within the scope and spirit of the disclosed embodiments. Also, the words “comprising,” “having,” “containing,” and “including,” and other similar forms are intended to be equivalent in meaning and be open ended in that an item or items following any one of these words is not meant to be an exhaustive listing of such item or items, or meant to be limited to only the listed item or items. It must also be noted that as used herein and in the appended claims, the singular forms “a,” “an,” and “the” include plural references unless the context clearly dictates otherwise.
[065] Furthermore, one or more computer-readable storage media may be utilized in implementing embodiments consistent with the present disclosure. A computer-readable storage medium refers to any type of physical memory on which information or data readable by a processor may be stored. Thus, a computer-readable storage medium may store instructions for execution by one or more processors, including instructions for causing the processor(s) to perform steps or stages consistent with the embodiments described herein. The term “computer-readable medium” should be understood to include tangible items and exclude carrier waves and transient signals, i.e., be non-transitory. Examples include random access memory (RAM), read-only memory (ROM), volatile memory, nonvolatile memory, hard drives, CD ROMs, DVDs, flash drives, disks, and any other known physical storage media.
[066] It is intended that the disclosure and examples be considered as exemplary only, with a true scope and spirit of disclosed embodiments being indicated by the following claims.

Documents

Application Documents

# Name Date
1 201821041653-STATEMENT OF UNDERTAKING (FORM 3) [02-11-2018(online)].pdf 2018-11-02
2 201821041653-FORM 18 [02-11-2018(online)].pdf 2018-11-02
3 201821041653-FORM 1 [02-11-2018(online)].pdf 2018-11-02
4 201821041653-DRAWINGS [02-11-2018(online)].pdf 2018-11-02
5 201821041653-DECLARATION OF INVENTORSHIP (FORM 5) [02-11-2018(online)].pdf 2018-11-02
6 201821041653-COMPLETE SPECIFICATION [02-11-2018(online)].pdf 2018-11-02
7 201821041653-Proof of Right (MANDATORY) [11-12-2018(online)].pdf 2018-12-11
8 Abstract1.jpg 2018-12-28
9 201821041653-FORM-26 [05-02-2019(online)].pdf 2019-02-05
10 201821041653-ORIGINAL UR 6(1A) FORM 1-141218.pdf 2019-06-11
11 201821041653-ORIGINAL UR 6(1A) FORM 26-080219.pdf 2019-11-29
12 201821041653-CLAIMS [14-09-2021(online)].pdf 2021-09-14
13 201821041653-COMPLETE SPECIFICATION [14-09-2021(online)].pdf 2021-09-14
14 201821041653-DRAWING [14-09-2021(online)].pdf 2021-09-14
15 201821041653-FER_SER_REPLY [14-09-2021(online)].pdf 2021-09-14
16 201821041653-FER.pdf 2021-10-18
17 201821041653-US(14)-HearingNotice-(HearingDate-06-01-2023).pdf 2022-12-05
18 201821041653-Annexure [20-12-2022(online)].pdf 2022-12-20
19 201821041653-Correspondence to notify the Controller [20-12-2022(online)].pdf 2022-12-20
20 201821041653-FORM-26 [20-12-2022(online)].pdf 2022-12-20
21 201821041653-Written submissions and relevant documents [17-01-2023(online)].pdf 2023-01-17
22 201821041653-IntimationOfGrant08-09-2023.pdf 2023-09-08
23 201821041653-PatentCertificate08-09-2023.pdf 2023-09-08

Search Strategy

1 2021-03-2316-29-25E_25-03-2021.pdf

ERegister / Renewals

3rd: 13 Sep 2023 (From 02/11/2020 - To 02/11/2021)
4th: 13 Sep 2023 (From 02/11/2021 - To 02/11/2022)
5th: 13 Sep 2023 (From 02/11/2022 - To 02/11/2023)
6th: 13 Sep 2023 (From 02/11/2023 - To 02/11/2024)
7th: 22 Oct 2024 (From 02/11/2024 - To 02/11/2025)
8th: 16 Oct 2025 (From 02/11/2025 - To 02/11/2026)