
WO2020086101A1 - Biometric and behavior analytics platform - Google Patents


Info

Publication number
WO2020086101A1
Authority
WO
WIPO (PCT)
Prior art keywords
signature
access
user
applications
keys
Prior art date
Legal status
Ceased
Application number
PCT/US2018/057886
Other languages
French (fr)
Inventor
Ajit Gaddam
Heng Tang
Himanshu JAISWAL
Current Assignee
Visa International Service Association
Original Assignee
Visa International Service Association
Priority date
Filing date
Publication date
Application filed by Visa International Service Association
Priority to PCT/US2018/057886
Publication of WO2020086101A1
Legal status: Ceased


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0861 Network architectures or network communication protocols for network security for authentication of entities using biometrical features, e.g. fingerprint, retina-scan
    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication
    • G06F21/316 User authentication by observing the pattern of computer usage, e.g. typical user behaviour
    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication
    • G06F21/32 User authentication using biometric data, e.g. fingerprints, iris scans or voiceprints
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06 Authentication
    • H04W12/065 Continuous authentication

Definitions

  • Embodiments of the invention generally relate to machine learning
  • Machine learning (“ML”) based platforms are being used to protect
  • biometric data, behavior data, and other data or features may be used as input.
  • existing approaches or platforms have many well-known weaknesses and limitations.
  • some systems use a rule-based engine approach. This example includes approaches with specific rules that are directed to known domain attacks.
  • this approach may include assigning a score to one specific rule and may also include linear or manual calculations of multiple rule scores in response to threat recognition or tolerance. This approach may be efficient in identifying these known attacks, but it suffers a major setback in that it is static and cannot identify threats beyond the known ones.
  • Another existing approach incorporates machine learning or artificial intelligence features.
  • Such an approach, for example, employs machine learning or deep learning (“DL”) techniques or other access-identifying models. This involves first building a model to solve a specific threat or problem and then using that model to apply artificial intelligence algorithms to train machine learning or deep learning. This may still involve linear or manual calculations of the multiple scores resulting from running the algorithms.
  • DL machine learning or deep learning
  • Embodiments of the invention may define and construct a data structure while building an ecosystem of various models such that advantages of these models may be realized.
  • the data structure includes an entity profile that defines an aggregate of device information that belongs to the entity as well as biometric information. Aspects of the invention may facilitate efficient and intelligent correlation across multiple data sources.
  • embodiments of the invention differ from prior approaches in the sense that prior art may define a particular approach for a specific attack or for addressing a specific issue. As such, even with a hybrid approach, it is prone to miss catching look-alike attacks. Aspects of the invention improve computer technologies in preventing or avoiding mistakes in identifying security breaches by defining new data structure and profile structure to be less attack-centric or approach-centric.
  • FIG. 1 is a diagram illustrating a profile structure according to one
  • FIG. 2 is a diagram illustrating a data structure for a profile structure
  • FIG. 3 is a diagram illustrating a process according to one embodiment of the invention.
  • FIG. 4 is a diagram illustrating an exemplary keystroke analysis according to one embodiment of the invention.
  • FIG. 5 is a diagram illustrating a plurality of keystroke zones according to one embodiment of the invention.
  • FIG. 6 is a diagram illustrating a system according to one embodiment of the invention.
  • FIG. 7 is a diagram illustrating a portable computing device according to one embodiment of the invention.
  • FIG. 8 is a diagram illustrating a remote computing device according to one embodiment of the invention.
  • FIG. 9 is a flowchart illustrating a computerized method according to one embodiment of the invention.
  • the present invention may be embodied as methods, systems, computer readable media, apparatuses, or devices. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. The following detailed description is, therefore, not to be taken in a limiting sense.
  • embodiments of the invention define a new data structure 202 having one or more data fields that store data associated with a profile structure 102.
  • the profile structure 102 defines first an entity 104.
  • the entity 104 may define a device field 106 and a biometrics field 108.
  • the exemplary data structure 202 may store data for the entity 104 and may include a first data field 204 for storing data for the device field 106 and a second data field 206 for the biometric field 108.
  • the device field 106 may include an identification (ID) for a device associated with the device field 106.
  • the device may be a device illustrated in FIGS. 7 and 8.
  • the device may be a USB device or a somewhat untraditional device where it lacks a direct display screen, but may have a processor, input/output bus, memory units, network devices, and input/output devices.
  • due to the connectivity capability of the device, unauthorized individuals may access sensitive information stored at a server or another computer through the device.
  • the data structure 202 and the profile structure 102 may also accommodate such kind of device.
  • the device field 106 may further include data for hardware information 110 and browser information 112.
  • the hardware information 110 may include information about one or more hardware components in the device.
  • the components may be one or more processors, one or more graphical display processors, one or more permanent or temporary memory storage units, one or more network connectivity units, one or more input or output units, docking stations, speakers,
  • information of the hardware information 110 may include information such as brand, model number, capacity, sizes, speed, etc.
  • the browser information 112 may include Internet Protocol address, domain name system name, user-agent name, HTTP-Referer, screen resolutions, number of screens or displays, number of external displays, and other information that may be sent by the browser, such as host, accept, accept-language, accept-encoding, DNT, connection, and upgrade-insecure-requests. It is to be understood that other hardware information and other browser information may be included in the hardware information 110 and the browser information 112. In another
  • browser information 112 may further include session cookies, persistent cookies, tracking or non-tracking flags, or other data that may track a browser’s footprint as a user may browse or surf the Internet.
  • the browser information 112 may identify whether the browser may be controlled by voice, audio, motion gestures, iris movements, or breath patterns. In such an embodiment, the browser may not have a visual rendering to the user but may still be a browser in the sense that it enables the user to search and travel among nodes of information and retrieve information in response to the commands or instructions of the user.
  • such browser information 112 may be treated as a browser profile or a browser signature within a device signature of the device 106. It is to be understood that the above listing of types of information that may be included in the browser information 112 is a non-exhaustive list, and other data may be included in the browser information 112 without departing from the scope or spirit of embodiments of the invention.
  • the browser may also be manifested in the form of an app or an application for mobile devices where the app provides access to information provided over computer networks.
  • the first data field 204 may include a hardware field 208 and a browser field 210 for storing information discussed above.
  • the biometrics field 108 may further include information such as keystroke 114, mouse 116 and facial recognition 118.
  • the keystroke information 114 may include keyboard language, number of keys, timing of key strokes, etc.
  • Mouse information 116 may include mouse brand, number of keys, location of keys on the mouse, presence of a scroll wheel, connectivity type, accuracy setting, etc.
  • the facial recognition information 118 may further include facial data points, whether photographs or videos are used, and whether it is real-time.
  • the second data field 206 may include a keystroke field 212, a mouse field 214, and a facial recognition field 216 storing the keystroke information 114, the mouse information 116, and the facial recognition
  • aspects of the invention make no assumption about the different security measures or approaches, whether these differences may be in terms of feature and data collection. Moreover, no assumption is made about any specific goal of a particular measure, e.g., approach A may be used for DDoS or DNS attacks. Embodiments of the invention may be suitable for any kind of security breach attack, including 0-day unknown attack vectors.
  • the Expression 1 may mean a select number of elements, “Number of Element,” from a set “Set”.
  • a set may be “S,” which may represent a set of all available ML/DL models or static rules that may be implemented.
  • another set may be “O,” which may represent a set of all operations that may be applied to each of the models/rules.
  • operations may include mathematical operations, such as addition, multiplication by weight, max of, etc.
  • operations may further include operational types, such as exclusion of a parameter, apply constraint, verify against threshold, etc.
  • the set “S” may be expressed as:
  • S = {RNN, GANs, SVM, Bot signature, Blacklist, Whitelist}
  • the set “O” may be expressed as:
  • In FIG. 3, a process illustrates an example of the expression above according to one embodiment of the invention.
  • FIG. 3 illustrates an expression:
  • embodiments of the invention may feed data such as production data 302, generative adversarial data 304, and extra data feed,
  • a system of aspects of the invention may aim to achieve a maximum
  • the Expression 2 may be recursively processed at 310.
  • embodiments of the invention may process in parallel such that iterative deepening of the search space for realistic constraints may be calculated.
  • parallel processing may involve searching of a next level based on optimal solution on a previous level.
  • parallel processing may also involve a simulated annealing to avoid local optimal solution.
  • embodiments of the invention may automatically determine and discover a correlation of different models, such as MLs and DLs. This approach may eliminate a need for manual inference by a user or an
  • embodiments of the invention may recursively iterate and update based on evaluation on models in real-time or substantially real-time.
  • a recursive iteration at 310 includes:
  • a system of an embodiment of the invention may start with a random “n,” where n is an integer greater than 0, in parallel.
  • the system may cache results in case for re-computation in random access memory or other temporary memory storage unit.
  • the system may conduct an iteratively deepening search.
  • the system may conduct an iterative deepening depth-first search (e.g., “IDS” or “IDDFS”), a state space/graph search strategy in which a depth-limited version of depth-first search is run repeatedly with increasing depth limits until the goal is found or the search space is exhausted.
  • this search is equivalent to a breadth-first search but uses much less memory; at each iteration, the system visits the nodes in the search tree in the same order as depth-first search, but the cumulative order in which nodes are first visited is effectively breadth-first.
  • the system may choose the best performer in round n-1 to start round n, as part of a Greedy algorithm.
  • the system may apply simulated annealing to jump out of the current loop to search for new combinations.
  • embodiments of the invention define a new analysis approach to device provided information and biometric information. As seen by FIG. 1 and FIG. 2 where a new paradigm of profile structure and data structure is defined to intelligently consume data from devices and biometrics, aspects of the invention generate a new way to identify an attack via keystrokes.
  • a system of embodiments of the invention identifies keystrokes as a biometric signature or profile.
  • the biometric signature along with a device signature may be part of a system signature.
  • In FIG. 4, a diagram illustrates a redefinition of the duration of keypairs or keystroke dynamics.
  • time “t” may be used to indicate a timestamp at which an event happens.
  • key 1 402 is shown as a potential interrupting key while key 2 404 and key 3 406 may be a “keypair” according to one embodiment of the invention.
  • the prior approach to analyzing such an interruption was to calculate the typing interval for the digraph [Key 2 Key 3] based on t(down) key3 - t(down) key1. This approach may take the pause between Key 1 402 and Key 2 404 into account.
  • aspects of the invention measure and calculate t(up) key3 - t(down) key2.
  • Embodiments of the invention introduce a different approach and concept of “flight time,” which takes the flight time from one key to another as another feature in addition to the whole duration.
  • a flight time for a keypair is the total time spent by a user to release a key and move to the next key; hence, e.g., the flight time for a keypair key 2 and key 1 may be expressed as t(down) key3 - t(up) key2.
  • embodiments of the invention further introduce and define a concept of zone-based keys.
  • instead of building models based on actual key matching, aspects of the invention group keys into zones and build models based on the defined zones. This reduced our feature dimension for keystrokes from 15000+ to 4800+.
  • a typical “QWERTY” keyboard layout illustrates a set of key zones according to one embodiment of the invention.
  • the keys may be divided into zones such as 502, 504, 506, 508, 510, 512, 514, 516, and 518.
  • different zones may be differentiated or defined based on different colors. It is to be understood that the user may not need to purchase a new keyboard with colors according to the key zones as defined by embodiments of the invention.
  • aspects of the invention intelligently build a system signature that includes the profile structure of the keyboard the user may be using and apply the key zones based on the hardware information, see also FIGS. 1 and 2.
  • keys with same color are mapped to same zone.
  • a new zone or an existing zone may be generated based on the behavior of the user, and the data from the new zone compared with an existing zone accordingly. Aspects of the invention dramatically increase the training samples needed for generating a profile, which may further aid identification of a potential attack or security breach.
  • the system may build or generate a profile based on zones to make best guesses. Once a sufficient amount of keystroke patterns and activities has been received from the user or users, embodiments of the invention update the profile model with actual keypair information. In a further embodiment, the system may further use flight time and duration to build up the profile.
  • the keyboard may be a virtual one, such as those provided via a software on a touch-sensitive display or a keyboard that may be visually projected onto a surface other than the display. The user may then touch the display or the surface to register keystrokes.
  • the flight time and duration of the key movement may be replaced by a pressure detected on the display, the accuracy of the touch on the surface or the display, etc.
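The keypair duration and flight-time features and the zone-based aggregation described in the items above, as an added Python example (not code from the patent): the zone map and the sample keystroke timings are constructed assumptions, since the page only states that keys are grouped into coloured zones of a QWERTY layout.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class KeyEvent:
    """One physical keystroke: the key, its press time and its release time (ms)."""
    key: str
    t_down: float
    t_up: float


# Assumed zone map: a column-based grouping standing in for the patent's coloured zones.
KEY_ZONES: Dict[str, str] = {}
for _zone, _keys in {
    "L1": "qaz", "L2": "wsx", "L3": "edc", "L4": "rfvtgb",
    "R1": "yhnujm", "R2": "ik,", "R3": "ol.", "R4": "p;/",
}.items():
    for _k in _keys:
        KEY_ZONES[_k] = _zone


def zone_of(key: str) -> str:
    return KEY_ZONES.get(key.lower(), "other")


def keypair_features(events: List[KeyEvent]) -> List[Tuple[str, str, float, float]]:
    """For each consecutive keypair (a, b) in press order return
    (key_a, key_b, duration, flight_time) where
      duration    = t_up(b)   - t_down(a)   (the page's t(up)key3 - t(down)key2)
      flight_time = t_down(b) - t_up(a)     (the page's t(down)key3 - t(up)key2)
    A negative flight time means b was pressed before a was released (rollover)."""
    ordered = sorted(events, key=lambda e: e.t_down)
    return [(a.key, b.key, b.t_up - a.t_down, b.t_down - a.t_up)
            for a, b in zip(ordered, ordered[1:])]


def legacy_digraph_intervals(events: List[KeyEvent]) -> List[Tuple[str, str, float]]:
    """The prior approach the page contrasts against: for digraph [key2 key3] preceded by
    an interrupting key1, use t_down(key3) - t_down(key1), which absorbs the key1->key2 pause."""
    ordered = sorted(events, key=lambda e: e.t_down)
    return [(k2.key, k3.key, k3.t_down - k1.t_down)
            for k1, k2, k3 in zip(ordered, ordered[1:], ordered[2:])]


def zone_profile(events: List[KeyEvent]) -> Dict[Tuple[str, str], Dict[str, float]]:
    """Aggregate keypair features by (zone_a, zone_b) instead of (key_a, key_b):
    sample count, mean duration and mean flight time per zone pair."""
    acc: Dict[Tuple[str, str], List[Tuple[float, float]]] = defaultdict(list)
    for ka, kb, dur, flight in keypair_features(events):
        acc[(zone_of(ka), zone_of(kb))].append((dur, flight))
    profile: Dict[Tuple[str, str], Dict[str, float]] = {}
    for zones, samples in acc.items():
        n = len(samples)
        profile[zones] = {
            "count": float(n),
            "mean_duration": sum(d for d, _ in samples) / n,
            "mean_flight": sum(f for _, f in samples) / n,
        }
    return profile


# Constructed sample session (timestamps in ms); 's' -> 'a' overlaps to show rollover,
# and 'g' -> 'j' falls into the same zone pair as 't' -> 'h'.
SAMPLE_EVENTS = [
    KeyEvent("t", 0, 80), KeyEvent("h", 120, 190), KeyEvent("e", 230, 300),
    KeyEvent("s", 350, 440), KeyEvent("a", 420, 500),
    KeyEvent("g", 600, 670), KeyEvent("j", 700, 780),
]

if __name__ == "__main__":
    feats = keypair_features(SAMPLE_EVENTS)
    for ka, kb, dur, flight in feats:
        print(f"{ka}->{kb}: duration={dur:.0f}ms flight={flight:.0f}ms")
    prof = zone_profile(SAMPLE_EVENTS)
    print(f"{len(feats)} key pairs collapse to {len(prof)} zone pairs")
    for zones, stats in prof.items():
        print(zones, stats)
```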
  • aspects of the invention define, build, construct, or generate a system signature or profile that may include a device signature, e.g., browser information 112 and hardware information 110, and a biometric signature.
  • a solution to detect changes in a system signature, including the browser signature, is to compare a hash value of several system attributes, including the data/attributes defined in FIG. 2. This may cause many false negatives when a user performs some minor update or upgrade to the system or browser (e.g., installing a new plugin, updating the browser, or updating certain hardware), especially given the frequency of updates provided as apps or security patches to operating systems.
  • Embodiments of the invention provide a different solution to reduce false negatives, i.e., reduce mistakes between computing devices when identifying attacks or true security breaches, by calculating a percentage of change and automatically updating the system signature or profile when minor changes occur (within a certain range).
  • aspects of the invention calculate the Jaccard Similarity Coefficient (e.g., the Jaccard index, also known as Intersection over Union) on all signature features.
  • each occurrence may contribute to a score of 0.5.
  • embodiments of the invention do not treat the occurrence as a binary result of 0 or 1, but rather as a value reflecting the true probability that it results from the authorized user.
  • embodiments of the invention further enable refinements or tweaks in modifying the Jaccard Similarity Coefficient, such as for having one more plugin in the plugin list of a browser signature or profile. As such, embodiments of the invention may further define more to support similarity calculation in an array.
  • Embodiments of the invention define a similarity score for the array by calculating a uniform distribution among all possible values. Among all entries in the array, the frequency value for each entry may be assigned as the number of that entry divided by the total number of entries. For example, 1920 dpi may have a frequency score of 0.5 and 1440 dpi may have a frequency score of 0.5 if they come together. As such, the user may only get a full similarity score when they have the available resolutions [1920 1440]. See also Appendix A for exemplary code expressions for
  • aspects of the invention capture the change in the plugin list. If the original plugin still exists, the majority score remains.
  • features may be pre-selected or some features may be preferred over others.
  • Expression 4 may apply to the screen resolutions illustrated above while other features, such as IP addresses, may not. This may further aid the elimination of false negatives while maintaining high accuracy.
  • aspects of the invention may expand the application of the data structure or profile structure to more distinguishing features using Expression 5 below:
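The signature comparison described in the preceding items, as an added Python example that is not the patent's own code: a binary Jaccard index over all signature tokens is shown beside the frequency-weighted array score and the percentage-of-change rule that refreshes the stored profile on minor drift. The sample signatures, the per-feature weights (IP down-weighted, since the page says the array scoring suits resolutions but not IP addresses) and the 20% update band are assumptions.

```python
from collections import Counter
from typing import Any, Dict, Set, Tuple

Signature = Dict[str, Any]

# Constructed example signatures (illustrative values, not taken from the patent).
STORED_SIGNATURE: Signature = {
    "user_agent": "ExampleBrowser/1.0",
    "resolutions": [1920, 1440],
    "plugins": ["pdf-viewer", "widevine", "webgl"],
    "ip": "203.0.113.5",
}
OBSERVED_SIGNATURE: Signature = {
    "user_agent": "ExampleBrowser/1.0",
    "resolutions": [1920, 1440],
    "plugins": ["pdf-viewer", "widevine", "webgl", "new-plugin"],  # one plugin added
    "ip": "203.0.113.9",                                           # address changed
}

# Assumed feature selection and weights; assumed "minor change" band for auto-update.
FEATURE_WEIGHTS: Dict[str, float] = {
    "user_agent": 1.0, "resolutions": 1.0, "plugins": 1.0, "ip": 0.25,
}
AUTO_UPDATE_MAX_CHANGE = 0.20


def tokens(sig: Signature) -> Set[Tuple[str, Any]]:
    """Flatten a signature into (feature, value) tokens; lists give one token per entry."""
    out: Set[Tuple[str, Any]] = set()
    for name, value in sig.items():
        if isinstance(value, (list, tuple, set)):
            out.update((name, v) for v in value)
        else:
            out.add((name, value))
    return out


def jaccard_index(a: Set, b: Set) -> float:
    """Intersection over union: the binary baseline the page starts from."""
    union = a | b
    return len(a & b) / len(union) if union else 1.0


def array_similarity(stored: list, observed: list) -> float:
    """Frequency-weighted array score: each stored entry is worth count/total and the
    score is the weight of stored entries still present in the observed array.
    Extra observed entries (e.g. a newly installed plugin) cost nothing, so the
    majority score remains as long as the original entries survive."""
    counts = Counter(stored)
    total = sum(counts.values())
    if total == 0:
        return 1.0
    present = set(observed)
    return sum(c for entry, c in counts.items() if entry in present) / total


def feature_similarity(stored_val: Any, observed_val: Any) -> float:
    if isinstance(stored_val, (list, tuple, set)):
        return array_similarity(list(stored_val), list(observed_val or []))
    return 1.0 if stored_val == observed_val else 0.0


def signature_score(stored: Signature, observed: Signature,
                    weights: Dict[str, float] = FEATURE_WEIGHTS) -> float:
    """Weighted mean of per-feature similarities over the selected features."""
    num = den = 0.0
    for name, w in weights.items():
        if name not in stored:
            continue
        num += w * feature_similarity(stored[name], observed.get(name))
        den += w
    return num / den if den else 1.0


def evaluate(stored: Signature, observed: Signature,
             weights: Dict[str, float] = FEATURE_WEIGHTS,
             max_change: float = AUTO_UPDATE_MAX_CHANGE) -> Dict[str, Any]:
    """Accept an unchanged signature, refresh the profile on minor drift, or flag
    a large change for further checks instead of silently updating."""
    score = signature_score(stored, observed, weights)
    change = 1.0 - score
    if change == 0.0:
        action = "accept"
    elif change <= max_change:
        action = "accept_and_update"   # minor drift: adopt the observed values
    else:
        action = "challenge"           # large drift: keep the stored profile
    updated = dict(observed) if action == "accept_and_update" else dict(stored)
    return {"score": score, "change": change, "action": action, "signature": updated}


if __name__ == "__main__":
    print("binary Jaccard:",
          round(jaccard_index(tokens(STORED_SIGNATURE), tokens(OBSERVED_SIGNATURE)), 3))
    print(evaluate(STORED_SIGNATURE, OBSERVED_SIGNATURE))
```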
  • a user 602 may be a user accessing the system 600. As discussed at the beginning of this disclosure, embodiments of the invention aim to detect, identify, guard, or defend against unauthorized intrusions or accesses. As such, initially, the system 600 may not know whether the user 602 is an authorized user. In this example, the user 602 wishes to gain access to a secured access environment 620.
  • the secured access environment may be a protected computing storage, a secured transaction channel or session to conduct a business transaction, or a growing list of records or blocks that are linked using cryptography, e.g., blockchain.
  • the user 602 may access such a secured access environment via a user device or an end point agent/terminal 604.
  • the end point agent/terminal 604 may include a desktop, a laptop, or a mobile computing device.
  • the end point agent/terminal 604 may be a smart speaker or a robot capable of interacting with the user 602.
  • the system 600 may build a profile structure for the desktop having data such as IP location, browser fingerprint features or signature (as hardware information 110 and browser information 112), keystroke
  • a profile structure for such end point agent/terminal 604 may include: battery usage information, IP location, hardware information, available Wi-Fi, trusted device, browser fingerprint features or signature (as hardware information 110 and browser information 112), keystroke information, mouse movement data, camera, and bot signature (as keystroke information 114, mouse information 116, facial recognition information 118).
  • a profile structure may include:
  • gesture data GPS signals, pace, gyroscope information, accelerometer, battery usage information, IP location, hardware information, available Wi-Fi, trusted device, social network usage frequency information, browser fingerprint features or signature (as hardware information 110 and browser information 112), keystroke information, mouse movement data, camera, facial recognition data points, voice patterns, fingerprint information, screen usage information, and bot signature (as keystroke information 114, mouse information 116, facial recognition information 118).
  • the profile structure defined may expand and flexibly accommodate data points at various granular level depending on the kinds of devices used.
  • the defined profile structure may be encrypted or compressed for efficient transmission over the computer networks.
  • the generated or defined profile structure is received at a rule engine 606.
  • the rule engine 606 may perform payload signature verification (e.g., verification of the system signature), verify whether the payload has been tampered with (e.g., identify data loss), static rules verification, decryption and/or decompression, or blacklist/whitelist verification.
  • the verified profile structure may further be transmitted to a web
  • the web application server 608 may call, energize, or activate these applications 610 via API calls or other triggers over a computer network to identify whether such access by the user 602 should be permitted.
  • the applications 610 may calculate, as illustrated above, a final score that includes a frequency score and other scores based on the system signature. In one embodiment, such calculation includes the keystroke “keypair” analysis described above, keystroke dynamics, mouse movement analysis, touchpad analysis using tools such as Python, Scikit learn, and/or TensorFlow; facial recognition using tools such as Python, FaceNET;
  • trusted environment/trusted device presence using tools such as Python, Scikit learn, and/or TensorFlow
  • hardware information using tools such as Python, Scikit learn, and/or TensorFlow.
  • the secured access environment 620 may provide the user 602 with the access to the data stored in one or more distributed data storage units 612.
  • the system 600 may store a copy of the verified profile structure from the rule engine 606 for raw data storage at the data storage units 612. The raw data may be used for future analysis and comparison.
  • the system 600 may be scalable to batch processing at a batch processing engine 618. The batch processing engine 618 may output the processing to a scalable and distributed file system 614 for storage of the batch processed data.
  • the application may be stored and accessed in a variety of ways.
  • the application may be obtained in a variety of ways such as from an app store, from a web site, from a store Wi-Fi system, etc.
  • There may be various versions of the application to take advantage of the benefits of different computing devices, different languages and different API platforms.
  • a portable computing device 801 may be a mobile device 112 that operates using a portable power source 855 such as a battery.
  • the portable computing device 801 may also have a display 802 which may or may not be a touch sensitive display. More specifically, the display 802 may have a capacitance sensor, for example, that may be used to provide input data to the portable computing device 801.
  • an input pad 804 such as arrows, scroll wheels, keyboards, etc., may be used to provide inputs to the portable computing device 801.
  • the portable computing device 801 may have a microphone 806 which may accept and store verbal data, a camera 808 to accept images and a speaker 810 to communicate sounds.
  • the portable computing device 801 may be able to communicate with a computing device 841 or a plurality of computing devices 841 that make up a cloud of computing devices 811.
  • the portable computing device 801 may be able to communicate in a variety of ways.
  • the communication may be wired such as through an Ethernet cable, a USB cable or RJ6 cable.
  • the communication may be wireless such as through Wi-Fi (802.11 standard), Bluetooth, cellular communication or near field communication devices.
  • the communication may be direct to the computing device 841 or may be through a communication network 102 such as cellular service, through the Internet, through a private network, through Bluetooth, etc.
  • FIG. 7 may be a simplified illustration of the physical elements that make up a portable computing device 801
  • FIG. 8 may be a simplified illustration of the physical elements that make up a server type computing device 841.
  • FIG. 7 may be a sample portable computing device 801 that is physically configured to be part of the system.
  • the portable computing device 801 may have a processor 850 that is physically configured according to computer executable instructions. It may have a portable power supply 855 such as a battery which may be rechargeable. It may also have a sound and video module 860 which assists in displaying video and sound and may turn off when not in use to conserve power and battery life.
  • the portable computing device 801 may also have volatile memory 865 and non-volatile memory 870. It may have GPS capabilities 880 that may be a separate circuit or may be part of the processor 850.
  • an input/output bus 875 shuttles data to and from the various user input devices such as the microphone 806, the camera 808 and other inputs, such as the input pad 804, the display 802, and the speakers 810, etc. It may also control communication with the networks, either through wireless or wired devices.
  • this is just one embodiment of the portable computing device 801 and the number and types of portable computing devices 801 is limited only by the imagination.
  • the system is more than just speeding a process but uses a
  • the computing device 841 may include a digital storage such as a magnetic disk, an optical disk, flash storage, non-volatile storage, etc. Structured data may be stored in the digital storage such as in a database.
  • the server 841 may have a processor 1000 that is physically configured according to computer executable instructions. It may also have a sound and video module 1005 which assists in displaying video and sound and may turn off when not in use to conserve power and battery life.
  • the server 841 may also have volatile memory 1010 and non-volatile memory 1015.
  • the database 1025 may be stored in the memory 1010 or 1015 or may be separate.
  • the database 1025 may also be part of a cloud of computing device 841 and may be stored in a distributed manner across a plurality of computing devices 841.
  • the input/output bus 1020 may also control communication with the networks, either through wireless or wired devices.
  • the application may be on the local computing device 801 and in other embodiments, the application may be remote 841. Of course, this is just one embodiment of the server 841 and the number and types of portable computing devices 841 is limited only by the imagination.
  • microprocessor such as from the Intel Corporation, AMD, ARM, Qualcomm, or MediaTek
  • volatile and non-volatile memory; one or more mass storage devices (i.e., a hard drive); various user input devices, such as a mouse, a keyboard, or a microphone; and a video display system.
  • the user devices, computers and servers described herein may be running on any one of many operating systems including, but not limited to, WINDOWS, UNIX, LINUX, MAC OS, iOS, Android, or Windows (XP, VISTA, etc.). It is contemplated, however, that any suitable operating system may be used for the present invention.
  • the servers may be a cluster of web servers, which may each be LINUX based and supported by a load balancer that decides which of the cluster of web servers should process a request based upon the current request-load of the available server(s).
  • networks including the Internet, WAN, LAN, Wi-Fi, other computer networks (now known or invented in the future), and/or any
  • networks may connect the various components over any combination of wired and wireless conduits, including copper, fiber optic, microwaves, and other forms of radio frequency, electrical and/or optical communication techniques. It should also be understood that any network may be connected to any other network in a different manner.
  • the interconnections between computers and servers in the system are examples. Any device described herein may communicate with any other device via one or more networks.
  • the example embodiments may include additional devices and networks beyond those shown. Further, the functionality described as being performed by one device may be distributed and performed by two or more devices. Multiple devices may also be combined into a single device, which may perform the functionality of the combined devices.
  • Any of the software components or functions described in this application may be implemented as software code or computer readable instructions that may be executed by at least one processor using any suitable computer language such as, for example, Java, C++, or Perl using, for example,
  • the software code may be stored as a series of instructions or commands on a non-transitory computer readable medium, such as a random access memory (RAM), a read only memory (ROM), a magnetic medium such as a hard drive or a floppy disk, or an optical medium such as a CD-ROM.
  • an access request to a secured access environment is received from a user via a user device.
  • the secured access environment may include cloud file storages or secured payment processing.
  • the access request may be a desire to purchase an item via the user device. This access request may be initiated at a point of payment or a point of checkout.
  • the user may then have access to the payment processing platform where the user may access stored payment devices or accounts, discounts or offers, etc.
  • the secured access environment may not be confined to data retrieved from a file.
  • a profile structure may be generated in response to the user
  • the profile structure may be based on the user device and the request.
  • the profile structure defines a device signature and a biometric signature, as illustrated in FIGS. 1 and 2.
  • the generated profile structure may be transmitted to a rule
  • the rule engine may verify the system signature for authenticity.
  • the rule engine may perform payload signature verification (e.g., verification of the system signature), verify whether the payload has been tampered with (e.g., identify data loss), static rules verification, decryption and/or decompression, or blacklist/whitelist verification.
  • the verified profile structure may be transmitted to a web server where the web server may call, activate, or execute one or more applications to analyze the system signature at 910.
  • the one or more applications may execute one or more access identifying models, such as various combinations of ML, DL, or other AI models. These models consume or input information included in the device signature and the biometric signature as parameters as part of the execution.
  • the one or more applications may execute Expression 2 and may perform the recursive iterations as discussed above.
  • a final score is generated by the one or more applications based on the execution in 910. For example, as discussed above, a modified Jaccard Similarity Coefficient may be used to calculate a frequency score for certain browser information 112 provided by the browser signature. Such score is used in the determination of the final score. In another example, the one or more applications further determine whether the final score satisfies a threshold.
  • the user is provided access to the secured access environment. In one example of a secured transaction, at 914, the user may view or access financial or payment data stored with a payment processing platform. This viewing or access may be in the form of viewing previously greyed-out or hidden information on a graphical user interface (GUI).
  • the access may include revealing a pane or GUI window of the browser with information associated therewith.
  • One or more of the elements of the present system may be claimed as means for accomplishing a particular function. Where such means-plus-function elements are used to describe certain elements of a claimed system it will be understood by those of ordinary skill in the art having the present specification, figures and claims before them, that the corresponding structure is a general purpose computer, processor, or microprocessor (as the case may be) programmed to perform the particularly recited function using functionality found in any general purpose computer without special programming and/or by implementing one or more algorithms to achieve the recited functionality.

Abstract

A computerized method for safeguarding access to a secured access environment first receives an access request to the secured access environment from a user via a user device. A profile structure is generated in response to the user access request based on the user device and the request. A rule engine receives the generated profile structure and verifies it for authenticity. A web server activates one or more applications to analyze the system signature. The one or more applications execute one or more access identifying models by inputting information included in the device signature and the biometric signature as parameters. The one or more applications further generate a final score of the system signature and determine whether the final score satisfies a threshold. The method further provides the user access to the secured access environment when the threshold is satisfied.

Description

BIOMETRIC AND BEHAVIOR ANALYTICS PLATFORM
Field of the invention
[0001] Embodiments of the invention generally relate to machine learning platforms and data structures that are designed for e-commerce and other systems to guard or defend against unauthorized intrusions or accesses.
Background
[0002] Machine learning ("ML") based platforms are being used to protect ecommerce and other systems that require adaptive defenses. In some prior approaches, biometric data, behavior data, and other data or features may be used as input. However, existing approaches or platforms have many well-known weaknesses and limitations. In one example, some systems use a rule-based engine approach. This example includes approaches with specific rules that are directed to known domain attacks. In another example, this approach may include assigning a score to one specific rule and may also include linear or manual calculations of multiple scores of rules in response to threat recognition or tolerance. This approach may be efficient in identifying these known attacks, but it suffers a major setback in that it is static and cannot identify threats beyond the known ones.
[0003] Another existing approach incorporates machine learning or artificial intelligence features. Such an approach, for example, employs machine learning or deep learning ("DL") techniques or other access identifying models. This involves first building a model to solve a specific threat or problem and then using that model to apply artificial intelligence algorithms to train machine learning or deep learning. This may still involve linear or manual calculations of multiple scores resulting from running the algorithms.
[0004] Some approaches even combine the two approaches above. These may enable solving a specific problem with adaptive and dynamic capabilities via machine learning or deep learning updating training models based on results of other models. However, once again, these approaches suffer a major setback of not scaling well when more models are needed or new data needs to be joined to identify the threats.
[0005] Moreover, even when adding or including the approaches together, there is no cohesive way to apply them so as to most effectively take advantage of the different approaches.
[0006] Therefore, systems and methods that improve over existing practices are desirable.
Summary of the invention
[0007] Embodiments of the invention may define and construct a data structure while building an ecosystem of various models such that advantages of these models may be realized. In one embodiment, the data structure includes an entity profile that defines an aggregate of device information that belongs to the entity as well as biometric information. Aspects of the invention may facilitate efficient and intelligent correlation across multiple data sources.
[0008] Moreover, embodiments of the invention differ from prior approaches in the sense that prior art may define a particular approach for a specific attack or for addressing a specific issue. As such, even with a hybrid approach, it is prone to miss catching look-alike attacks. Aspects of the invention improve computer technologies in preventing or avoiding mistakes in identifying security breaches by defining new data structure and profile structure to be less attack-centric or approach-centric.
Brief description of the drawings
[0009] Persons of ordinary skill in the art may appreciate that elements in the figures are illustrated for simplicity and clarity so not all connections and options have been shown to avoid obscuring the inventive aspects. For example, common but well-understood elements that are useful or necessary in a commercially feasible embodiment may often not be depicted in order to facilitate a less obstructed view of these various embodiments of the present disclosure. It will be further appreciated that certain actions and/or steps may be described or depicted in a particular order of occurrence while those skilled in the art will understand that such specificity with respect to sequence is not actually required. It will also be understood that the terms and expressions used herein may be defined with respect to their corresponding respective areas of inquiry and study except where specific meanings have otherwise been set forth herein.
[0010] FIG. 1 is a diagram illustrating a profile structure according to one embodiment of the invention.
[0011] FIG. 2 is a diagram illustrating a data structure for a profile structure according to one embodiment of the invention illustrated in FIG. 1.
[0012] FIG. 3 is a diagram illustrating a process according to one embodiment of the invention.
[0013] FIG. 4 is a diagram illustrating an exemplary keystroke analysis according to one embodiment of the invention.
[0014] FIG. 5 is a diagram illustrating a plurality of keystroke zones according to one embodiment of the invention.
[0015] FIG. 6 is a diagram illustrating a system according to one embodiment of the invention.
[0016] FIG. 7 is a diagram illustrating a portable computing device according to one embodiment of the invention.
[0017] FIG. 8 is a diagram illustrating a remote computing device according to one embodiment of the invention.
[0018] FIG. 9 is a flowchart illustrating a computerized method according to one embodiment of the invention.
Detailed Description
[0019] The present invention may now be described more fully with reference to the accompanying drawings, which form a part hereof, and which show, by way of illustration, specific exemplary embodiments by which the invention may be practiced. These illustrations and exemplary embodiments may be presented with the understanding that the present disclosure is an exemplification of the principles of one or more inventions and may not be intended to limit any one of the inventions to the embodiments illustrated. The invention may be embodied in many different forms and should not be construed as limited to the embodiments set forth herein; rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the invention to those skilled in the art. Among other things, the present invention may be embodied as methods, systems, computer readable media, apparatuses, or devices. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. The following detailed description may, therefore, not to be taken in a limiting sense.
[0020] Referring now to FIG. 1 and FIG. 2, embodiments of the invention define a new data structure 202 having one or more data fields that store data associated with a profile structure 102. In one embodiment, the profile structure 102 defines first an entity 104. For example, the entity 104 may define a device field 106 and a biometrics field 108. Correspondingly, referring to FIG. 2, the exemplary data structure 202 may store data for the entity 104 and may include a first data field 204 for storing data for the device field 106 and a second data field 206 for the biometric field 108. The device field 106 may include an identification (ID) for a device associated with the device field 106. In one example, the device may be a device illustrated in FIGS. 7 and 8. In another embodiment, the device may be a USB device or a somewhat untraditional device that lacks a direct display screen, but may have a processor, input/output bus, memory units, network devices, and input/output devices. However, due to the connectivity capability of the device, unauthorized individuals may access sensitive information stored at a server or another computer through the device. As such, the data structure 202 and the profile structure 102 may also accommodate such kinds of device.
[0021] Still referring to FIGS. 1 and 2, the device field 106 may further include data for hardware information 110 and browser information 112. In one example, the hardware information 110 may include information about one or more hardware components in the device. For example, the components may be one or more processors, one or more graphical display processors, one or more permanent or temporary memory storage units, one or more network connectivity units, one or more input or output units, docking stations, speakers, microphones, locations of speakers/microphones, and other devices. Moreover, the hardware information 110 may include information such as brand, model number, capacity, sizes, speed, etc. In another embodiment, the browser information 112 may include Internet Protocol address, domain name system name, user-agent name, HTTP-Referer, screen resolutions, number of screens or displays, number of external displays, and other information that may be sent by the browser, such as host, accept, accept-language, accept-encoding, DNT, connection, and upgrade-insecure-requests. It is to be understood that other hardware information and other browser information may be included in the hardware information 110 and the browser information 112. In another embodiment, browser information 112 may further include session cookies, persistent cookies, tracking or non-tracking flags, or other data that may track a browser's footprint as a user browses or surfs the Internet. In an alternative embodiment, the browser information 112 may identify whether the browser may be controlled by voice, audio, motion gestures, iris movements, or breath patterns. In such an embodiment, the browser may not have a visual rendering to the user but may still be a browser in the sense that it enables the user to search and travel among nodes of information and retrieve information in response to the commands or instructions of the user.
[0022] In one embodiment, such browser information 112 may be treated as a browser profile or a browser signature within a device signature of the device 106. It is to be understood that the above listing of types of information that may be included in the browser information 112 is a non-exhaustive list, and other data may be included in the browser information 112 without departing from the scope or spirit of embodiments of the invention.
[0023] In another example, as used in the present disclosure, the browser may also be manifested in the form of an app or application for mobile devices, where the app provides access to information provided over computer networks.
[0024] Similarly, the first data field 204 may include a hardware field 208 and a browser field 210 for storing information discussed above.
[0025] Still referring to FIGS. 1 and 2, the biometrics field 108 may further include information such as keystroke 114, mouse 116 and facial recognition 118. In one example, the keystroke information 114 may include keyboard language, number of keys, timing of key strokes, etc. Mouse information 116 may include mouse brand, number of keys, location of keys on the mouse, presence of a scroll wheel, connectivity type, accuracy setting, etc. In another example, the facial recognition information 118 may further include facial data points, whether photographs or videos are used, and whether it is real-time.
[0026] Similarly, the second data field 206 may include a keystroke field 212, a mouse field 214, and a facial recognition field 216 storing the keystroke information 114, the mouse information 116, and the facial recognition information 118, respectively.
[0027] By building the data structure or profile structure discussed above, aspects of the invention make no assumption about the different security measures or approaches, whether these differences are in terms of features or data collection. Moreover, there is no assumption made about any specific goal of a particular measure, e.g., approach A may be used for DDoS or DNS attacks. Embodiments of the invention may be suitable for any kind of security breach attack, including 0-day (unknown) attack vectors.
[0028] Aspects of the invention may further be explained using the following expression:
[0029] (Expression 1: equation image not reproduced in this extraction)
Expression 1
[0030] In one example, Expression 1 may mean selecting a number of elements, "Number of Element," from a set "Set".
[0031] In another embodiment, a set may be "S," which may represent a set of all available ML/DL models or static rules that may be implemented. In another example, another set may be "O," which may represent a set of all operations that may be applied to each of the models/rules. In one example, operations may include mathematical operations, such as addition, multiplication by weight, max of, etc. In another example, operations may further include operational types, such as exclusion of a parameter, applying a constraint, verifying against a threshold, etc.
[0032] In another example, the set "S" may be expressed as:
[0033] S = {RNN, GANs, SVM, Bot signature, Blacklist, Whitelist}
[0034] In another example, the set "O" may be expressed as:
[0035] O = { Mathematics : result > threshold, average(results), max(results);
[0036] Operational: exclude _ from training data, apply
[0037] }
[0038] As a further illustration, referring now to FIG. 3, a process illustrates an example of the expression above according to one embodiment of the invention. In particular, FIG. 3 illustrates an expression:
(Expression 2: equation image not reproduced in this extraction)
[0039] Expression 2.
[0040] Still referring to FIG. 3, embodiments of the invention may feed data such as production data 302, generative adversarial data 304, and an extra data feed 306 to a system embodying aspects of the invention. The data is fed or transmitted to processors that process Expression 2. In this particular example, a system of aspects of the invention may aim to achieve a maximum performance 308 by attempting to lower a false positive rate (FPR) and a false negative rate (FNR) while attempting to increase a true positive rate (TPR) and a true negative rate (TNR). It is to be understood that another system incorporating embodiments of the invention may aim to achieve another degree of performance, depending on needs.
[0041] In one embodiment, Expression 2 may be recursively processed at 310. In one example, embodiments of the invention may be processed in parallel such that iterative deepening on the search space for realistic constraints may be calculated. For example, parallel processing may involve searching the next level based on the optimal solution of the previous level. In another example, parallel processing may also involve simulated annealing to avoid local optimal solutions. Moreover, embodiments of the invention may automatically determine and discover correlations between different models, such as MLs and DLs. This approach may eliminate the need for manual inference by a user or an administrator. In another example, embodiments of the invention may recursively iterate and update based on evaluation of models in real-time or substantially real-time.
[0042] In one example, a recursive iteration at 310 according to one embodiment of the invention includes:
[0043] Initially, a system of an embodiment of the invention, such as the system in FIG. 8, may start with a random "n," where n is an integer greater than 0, in parallel. The system may cache results in random access memory or another temporary memory storage unit in case re-computation is needed. The system may conduct an iteratively deepening search. As an example, the system may conduct an iterative deepening depth-first search (e.g., "IDS" or "IDDFS"), a state space/graph search strategy in which a depth-limited version of depth-first search is run repeatedly with increasing depth limits until the goal is found or the search space is exhausted. In another embodiment, the system may conduct a search equivalent to breadth-first search but using much less memory: at each iteration, the system visits the nodes in the search tree in the same order as depth-first search, but the cumulative order in which nodes are first visited is effectively breadth-first.
[0044] In a further embodiment, the system may choose the best performer in round n-1 to start round n, as part of a greedy algorithm. The system may apply simulated annealing to jump out of the current loop and search for new combinations.
[0045] Using the example below:
[0046] S = {RNN, GANs, SVM, Bot signature, Blacklist, Whitelist}
[0047] O = {
[0048] Mathematics : result > threshold, average(results), max(results)
[0049] Operational: exclude _ from training data, apply
[0050] }, the system, when performing recursive iteration and when n=1:
[0051] If RNN from S and result > threshold from O with threshold = 90.0, then a possible outcome from the Expression 2 may be RNN > 90.0. When n=2,
[0052] If RNN and SVM from S and result > threshold and average(results) from O, then the possible outcome from the Expression 2 may be average(RNN + SVM) > 90.0.
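The recursive iteration over S and O sketched above, as an added example (not the patent's own code): a greedy, iteratively deepening search that seeds round n with the best performer of round n-1 and tries every remaining model with every "Mathematics" operation of O, scored on constructed model outputs and labels. The 90.0 threshold follows the text; the scores, labels and the accuracy objective are assumptions, and simulated annealing and the "Operational" members of O are not implemented.

```python
"""Added example (not from the patent): greedy, iteratively deepening search over
combinations of models from set S and aggregation operations from set O.  Model
scores, labels and the 90.0 threshold are constructed; the seeding rule (best
performer of round n-1 starts round n) follows the text.  Simulated annealing and
the "Operational" members of O are not implemented here."""
from statistics import mean

# Constructed per-session scores (0..100) from three models of S, and ground
# truth for the same eight sessions (True = attack).
MODEL_SCORES = {
    "RNN":  [95, 88, 97, 92, 40, 30, 91, 50],
    "SVM":  [91, 93, 85, 94, 35, 45, 55, 89],
    "GANs": [70, 92, 89, 91, 20, 25, 88, 60],
}
LABELS = [True, True, True, True, False, False, False, False]
THRESHOLD = 90.0

# "Mathematics" operations of O that combine several models' results; the
# "result > threshold" operation is applied to the combined value below.
OPERATIONS = {"average": mean, "max": max}


def evaluate(models, op_name, threshold=THRESHOLD):
    """Apply op(results) > threshold per session and return (FPR, FNR, accuracy)."""
    op = OPERATIONS[op_name]
    tp = fp = tn = fn = 0
    for i, is_attack in enumerate(LABELS):
        flagged = op([MODEL_SCORES[m][i] for m in models]) > threshold
        if flagged and is_attack:
            tp += 1
        elif flagged:
            fp += 1
        elif is_attack:
            fn += 1
        else:
            tn += 1
    fpr = fp / (fp + tn) if fp + tn else 0.0
    fnr = fn / (fn + tp) if fn + tp else 0.0
    return fpr, fnr, (tp + tn) / len(LABELS)


def greedy_search(max_n):
    """Round 1 tries every single model; round n > 1 extends the best combination
    of round n-1 with one more model and every operation in O.  Returns the best
    (models, op_name, accuracy) of each round."""
    rounds = []
    for n in range(1, max_n + 1):
        if n == 1:
            candidates = [((m,), "max") for m in MODEL_SCORES]  # op is identity
        else:
            seed = rounds[-1][0]
            candidates = [(seed + (m,), op) for m in MODEL_SCORES if m not in seed
                          for op in OPERATIONS]
        scored = [(evaluate(ms, op)[2], ms, op) for ms, op in candidates]
        acc, ms, op = max(scored, key=lambda s: s[0])  # ties keep first candidate
        rounds.append((ms, op, acc))
    return rounds


def describe(models, op_name, threshold=THRESHOLD):
    """Render a round's outcome the way the text does, e.g. 'average(SVM + RNN) > 90.0'."""
    if len(models) == 1:
        return f"{models[0]} > {threshold}"
    return f"{op_name}({' + '.join(models)}) > {threshold}"


if __name__ == "__main__":
    for n, (ms, op, acc) in enumerate(greedy_search(2), start=1):
        print(f"n={n}: {describe(ms, op)}  accuracy={acc:.3f}")
```

On the constructed data, round 1 picks SVM > 90.0 and round 2 picks average(SVM + RNN) > 90.0, matching the shape of the n=1 and n=2 outcomes in the text.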
[0053] Moreover, embodiments of the invention define a new analysis approach to device provided information and biometric information. As seen by FIG. 1 and FIG. 2 where a new paradigm of profile structure and data structure is defined to intelligently consume data from devices and biometrics, aspects of the invention generate a new way to identify an attack via keystrokes. In one aspect, a system of embodiments of the invention identifies keystrokes as a biometric signature or profile. In another embodiment, the biometric signature along with a device signature may be part of a system signature.
[0054] For example, referring now to FIG. 4, a diagram illustrates redefining the duration of keypairs or keystroke dynamics. In this example, time "t" may be used to indicate a timestamp at which an event happens. In FIG. 4, key 1 402 is shown as a potential interrupting key while key 2 404 and key 3 406 may be a "keypair" according to one embodiment of the invention. In this example, when a sudden interruption occurs with the pressing of key 1 402 between the keypair of key 2 404 and key 3 406, the prior approach to analyzing such an interruption was to calculate the typing interval for the digraph [Key 2 Key 3] based on t(down)key3 - t(down)key1. This approach may take the pause between Key 1 402 and Key 2 404 into account. To the contrary, aspects of the invention measure and calculate t(up)key3 - t(down)key2.
[0055] Embodiments of the invention introduce a different approach and concept of "flight time," which takes the flight time from one key to another as a feature separate from the whole duration. In another example, the flight time for a keypair is the total time spent for a user to release a key and move to the next key; hence, e.g., the flight time for the keypair of key 2 and key 3 may be expressed as t(down)key3 - t(up)key2.
[0056] In another example, the same understanding may apply to a keypair with length > 2. See also Appendix A for exemplary code expressions implementing this feature.
[0057] Furthermore, to dramatically reduce the training time of a system embodying aspects of the invention, embodiments of the invention further introduce and define a concept of zone-based keys. In one example, instead of building models based on actual key matching, aspects of the invention group keys into zones and build models based on the defined zones. This reduced our feature dimension for keystrokes from 15000+ to 4800+.
[0058] Referring now to FIG. 5, a typical "QWERTY" keyboard layout illustrates a set of key zones according to one embodiment of the invention. In this example, the keys may be divided into zones such as 502, 504, 506, 508, 510, 512, 514, 516, and 518. In one embodiment, different zones may be differentiated or defined based on different colors. It is to be understood that the user does not need to purchase a new keyboard with colors matching the key zones defined by embodiments of the invention. As discussed above, aspects of the invention intelligently build a system signature that includes the profile structure of the keyboard the user may be using and apply the key zones based on the hardware information; see also FIGS. 1 and 2. In one embodiment, keys with the same color are mapped to the same zone. In another embodiment, if there is insufficient data for a certain key, a new zone or an existing zone may be generated based on the behavior of the user, and the data from the new zone compared with an existing zone accordingly. Aspects of the invention dramatically increase the training samples needed for generating a profile, which may further aid identification of a potential attack or security breach.
[0059] In an alternative embodiment, when the system detects a keyboard that does not have enough keys, the system may build or generate a profile based on zones to make best guesses. Once a sufficient amount of keystroke patterns and activities has been received from the user or users, embodiments of the invention update the profile model with actual keypair information. In a further embodiment, the system may further use flight time and duration to build up the profile.
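Keypair duration, flight time and zone-based keypair features, as an added example that is not code from the patent or its Appendix A. The timestamps and the nine-zone key map are constructed assumptions (the map is not the colour zoning of FIG. 5), and summing flight time over transitions for keypairs of length > 2 is my generalisation of the text.

```python
"""Added example (not from the patent): keypair duration and flight time as defined
above, plus zone-based keypair features.  Timestamps and the key-to-zone map are
constructed for illustration; the zone grouping is an assumption, not FIG. 5."""
from dataclasses import dataclass


@dataclass(frozen=True)
class KeyEvent:
    key: str
    down: float  # timestamp of key press, in milliseconds (constructed)
    up: float    # timestamp of key release, in milliseconds (constructed)


# Constructed FIG. 4-style sequence: 't' (key 2) and 'h' (key 3) are the keypair;
# 'e' (key 1) is pressed between them as the interrupting key.
EVENTS = [
    KeyEvent("t", down=100.0, up=180.0),  # key 2
    KeyEvent("e", down=230.0, up=290.0),  # key 1, interrupting key
    KeyEvent("h", down=350.0, up=420.0),  # key 3
]


def keypair_timing(first, last):
    """Return (duration, flight_time) for the keypair (first, last):
    duration    = t(up)last   - t(down)first
    flight_time = t(down)last - t(up)first
    Anything pressed between the two keys is deliberately ignored."""
    return last.up - first.down, last.down - first.up


def keypair_features(events, zone_map=None, length=2):
    """Features for every window of `length` consecutive key events.
    Returns {label: (duration, flight_time)}; duration spans the whole window and
    flight time is summed over its transitions (the length > 2 rule is an
    assumption).  With a zone_map, labels use zones instead of keys."""
    features = {}
    for i in range(len(events) - length + 1):
        window = events[i:i + length]
        label = tuple(zone_map[e.key] if zone_map else e.key for e in window)
        duration = window[-1].up - window[0].down
        flight = sum(b.down - a.up for a, b in zip(window, window[1:]))
        features[label] = (duration, flight)
    return features


# Constructed zone map: nine zones over a QWERTY layout (finger columns of the
# left hand, of the right hand, and space).  Not the colour zones of FIG. 5.
ZONE_KEYS = {
    "L1": "qaz", "L2": "wsx", "L3": "edc", "L4": "rfvtgb",
    "R1": "yhnujm", "R2": "ik,", "R3": "ol.", "R4": "p;/", "SP": " ",
}
ZONES = {key: zone for zone, keys in ZONE_KEYS.items() for key in keys}


def feature_space_size(zone_map, length=2):
    """Number of possible keypair labels: keys**length without zones versus
    zones**length with them (the dimension reduction the text describes)."""
    return len(zone_map) ** length, len(set(zone_map.values())) ** length


if __name__ == "__main__":
    print(keypair_timing(EVENTS[0], EVENTS[2]))  # (320.0, 170.0): key 2 -> key 3
    print(keypair_features(EVENTS))              # per-key labels
    print(keypair_features(EVENTS, ZONES))       # per-zone labels
    print(feature_space_size(ZONES))             # (961, 81)
```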
[0060] Moreover, it is to be understood that the keystrokes received from a device need not come from a physical keyboard. In one example, the keyboard may be a virtual one, such as those provided via software on a touch-sensitive display, or a keyboard that may be visually projected onto a surface other than the display. The user may then touch the display or the surface to register keystrokes. In this example, the flight time and duration of the key movement may be replaced by a pressure detected on the display, the accuracy of the touch on the surface or the display, etc.
[0061] In a further embodiment, aspects of the invention define, build, construct, or generate a system signature or profile that may include a device signature, e.g., browser information 112 and hardware information 110, and a biometric signature. In one prior approach, a solution to detect changes in a system signature including the browser signature is to compare a hash value of several system attributes, including the data/attributes defined in FIG. 2. This may cause a lot of false negatives when a user performs some minor update or upgrade to the system or browser (e.g., installing a new plugin, updating the browser, or updating certain hardware), especially given the frequency of updates provided as apps or security patches to operating systems.
[0062] Embodiments of the invention provide a different solution to reduce false negatives, i.e., reduce mistakes between computing devices when identifying attacks or true security breaches, by calculating a percentage of change and automatically updating the system signature or profile when minor changes occur (within a certain range).
[0063] In one example, aspects of the invention calculate the Jaccard Similarity Coefficient (e.g., the Jaccard index, also known as Intersection over Union) on all signature features.
(Expression 3: equation image not reproduced in this extraction)
[0064] Expression 3
[0065] However, instead of a direct match on each feature, embodiments of the invention identify a frequency as the feature score; hence, Expression 3 may be modified to Expression 4:
[0066] (Expression 4: equation image not reproduced in this extraction)
Expression 4.
[0067] In one example, if each feature contributes up to 1 to a similarity score, the max verification score of Expression 4 may be n/n=1.
[0068] In this example, embodiments of the invention introduce a concept of frequency-based features and define the similarity score to be the frequency with which a certain value appeared in the past.
[0069] Using login screen resolution as an example, suppose 5 out of 10 times a user logs in to a system or a terminal with a screen resolution of 1920 dpi x 1080 dpi, with the rest of the logins at a screen resolution of 1440 dpi x 960 dpi. As such, according to one example of the invention, each occurrence may contribute a score of 0.5. In other words, embodiments of the invention do not treat the occurrence as a binary result of 0 or 1, but as a value more reflective of the true possibility that this results from the authorized user.
[0070] By defining the occurrence as a frequency-based feature, embodiments of the invention further enable refinements or tweaks to the Jaccard Similarity Coefficient, such as tolerating one more plugin in the plugin list of a browser signature or profile. As such, embodiments of the invention may further extend the definition to support similarity calculation over an array.
[0071] Using another example as an illustration and not as a limitation, suppose there is an array of [1920 1440] of screen resolutions associated with user logins. Embodiments of the invention define a similarity score for the array by calculating a uniform distribution among all possible values. Among all entries in the array, the frequency value for each entry may be assigned as the number of occurrences of that entry divided by the total number of entries. For example, 1920 dpi may have a frequency score of 0.5 and 1440 dpi may have a frequency score of 0.5 if they appear together. As such, the user may only get a full similarity score when they have the available resolutions for [1920 1440]. See also Appendix A for exemplary code expressions for implementing this feature.
[0072] In an alternative embodiment, when applying this approach to a changing array such as a plugin list, aspects of the invention capture the change in the plugin list. If the original plugins still exist, the majority of the score remains.
[0073] In another embodiment, features may be pre-selected, or some features may be preferred over others. For example, Expression 4 may apply to the screen resolutions illustrated above while other features, such as IP addresses, may not. This may further reduce the false negative rate while maintaining high accuracy.
[0074] In a further alternative embodiment, aspects of the invention may expand the application of the data structure or profile structure to more distinguishing features using Expression 5 below:
Expression 5 (equation image not reproduced in the text).
[0076] For example, in addition to the frequency score illustrated above, some distinguishing features may also carry a weighted score. This weighted score, along with the frequency scores, may be considered in the final score, as expressed in Expression 5.
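As an added example, not the patent's own code, the frequency-based feature scores of paragraphs [0068] to [0073] and the weighted final score of Expression 5, written in Python. The login history, the per-feature weights, the `exclude` list standing in for feature pre-selection, and the 0.7 update threshold are this example's assumptions; the 5-of-10 resolution split follows paragraph [0069].

```python
import hashlib
import json
from collections import Counter
from typing import Any, Dict, Iterable, List, Mapping, Optional

Login = Dict[str, Any]

# Constructed login history standing in for the stored profile structure:
# 5 of 10 logins at 1920x1080, 5 at 1440x960, the same time zone and plugin
# list throughout, and a changing IP address. All values are made up.
PLUGINS = ["Chrome PDF Viewer", "Native Client", "Shockwave Flash"]
HISTORY: List[Login] = [
    {"resolution": "1920x1080" if i < 5 else "1440x960",
     "timezone_offset": 420,
     "regular_plugins": list(PLUGINS),
     "ip": "203.0.113.%d" % i}
    for i in range(10)
]


def signature_hash(login: Login) -> str:
    """Prior approach ([0061]): one hash over every attribute; any change breaks it."""
    canonical = json.dumps(login, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def value_frequencies(history: Iterable[Login], feature: str) -> Dict[Any, float]:
    """Fraction of past logins in which each value of `feature` appeared.
    Array features (e.g. a plugin list) count each element once per login."""
    history = list(history)
    counts: Counter = Counter()
    for login in history:
        value = login.get(feature)
        if isinstance(value, (list, tuple, set)):
            counts.update(set(value))
        elif value is not None:
            counts[value] += 1
    return {v: c / len(history) for v, c in counts.items()} if history else {}


def feature_score(history: Iterable[Login], feature: str, current: Any) -> float:
    """Frequency-based score ([0068]-[0069]) replacing the 0/1 match of Expression 3."""
    freq = value_frequencies(history, feature)
    if not freq:
        return 0.0
    if isinstance(current, (list, tuple, set)):
        # Array feature ([0071]-[0072]): every previously seen entry contributes its
        # frequency, normalised so the full known list scores 1.0. An extra plugin
        # neither adds nor subtracts; a missing one costs its share.
        known_mass = sum(freq.values())
        present = sum(freq[e] for e in set(current) if e in freq)
        return present / known_mass
    return freq.get(current, 0.0)


def similarity(history: Iterable[Login], current: Login,
               weights: Optional[Mapping[str, float]] = None,
               exclude: Iterable[str] = ()) -> float:
    """Expression 4 generalised with per-feature weights (Expression 5).
    With unit weights this is sum(score_i) / n, whose maximum is n/n = 1.
    `weights` and `exclude` are assumptions about how the weighted score and the
    feature pre-selection of [0073] are parameterised."""
    history = list(history)
    weights = dict(weights or {})
    skip = set(exclude)
    features = [f for f in current if f not in skip]
    denominator = sum(weights.get(f, 1.0) for f in features)
    if denominator == 0:
        return 0.0
    numerator = sum(weights.get(f, 1.0) * feature_score(history, f, current[f])
                    for f in features)
    return numerator / denominator


def update_profile(history: List[Login], current: Login, score: float,
                   accept: float = 0.7) -> bool:
    """[0062]: fold a login into the profile only when its similarity is within the
    accepted range, so minor drift is learned rather than rejected. The 0.7
    threshold is an assumed value; the page gives none."""
    if score >= accept:
        history.append(current)
        return True
    return False


if __name__ == "__main__":
    now = {"resolution": "1920x1080", "timezone_offset": 420,
           "regular_plugins": PLUGINS + ["Widevine CDM"], "ip": "198.51.100.9"}
    print(signature_hash(now) == signature_hash(HISTORY[0]))    # False: hash approach
    print(round(similarity(HISTORY, now, exclude=["ip"]), 4))   # 0.8333
```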
[0077] In summary and in an exemplary operation, embodiments of the invention may be illustrated in accordance with a system 600 depicted in FIG. 6 and a flowchart in FIG. 9.
[0078] A user 602 may be a user accessing the system 600. As discussed at the beginning of this disclosure, embodiments of the invention aim to detect, identify, guard, or defend against unauthorized intrusions or accesses. As such, initially, the system 600 may not know whether the user 602 is an authorized user. In this example, the user 602 wishes to gain access to a secured access environment 620. In one example, the secured access environment may be a protected computing storage, a secured transaction channel or session to conduct a business transaction, or a growing list of records or blocks that are linked using cryptography, e.g., a blockchain. The user 602 may access such a secured access environment via a user device or an end point agent/terminal 604. In one example, the end point agent/terminal 604 may include a desktop, a laptop, or a mobile computing device. In another embodiment, the end point agent/terminal 604 may be a smart speaker or a robot capable of interacting with the user 602.
[0079] In a further example and in accordance with the data structure and profile structure discussed above, suppose the user 602 uses a desktop as the end point agent/terminal 604; the system 600 may then build a profile structure for the desktop having data such as IP location, browser fingerprint features or signature (as hardware information 110 and browser information 112), keystroke information, mouse movement data, camera, and bot signature (as keystroke information 114, mouse information 116, facial recognition information 118). In another example, if the user 602 uses a laptop, a profile structure for such an end point agent/terminal 604 may include: battery usage information, IP location, hardware information, available Wi-Fi, trusted device, browser fingerprint features or signature (as hardware information 110 and browser information 112), keystroke information, mouse movement data, camera, and bot signature (as keystroke information 114, mouse information 116, facial recognition information 118). In a further example, suppose the user 602 uses a mobile device as the end point agent/terminal 604; a profile structure may then include: gesture data, GPS signals, pace, gyroscope information, accelerometer, battery usage information, IP location, hardware information, available Wi-Fi, trusted device, social network usage frequency information, browser fingerprint features or signature (as hardware information 110 and browser information 112), keystroke information, mouse movement data, camera, facial recognition data points, voice patterns, fingerprint information, screen usage information, and bot signature (as keystroke information 114, mouse information 116, facial recognition information 118). As such, the profile structure defined may expand and flexibly accommodate data points at various levels of granularity depending on the kinds of devices used.
[0080] In another embodiment, the defined profile structure may be encrypted or compressed for efficient transmission over the computer networks.
[0081] The generated or defined profile structure is received at a rule engine 606. In one example, the rule engine 606 may perform payload signature verification (e.g., verification of the system signature), verify whether the payload has been tampered with (e.g., identify data loss), static rules verification, decryption and/or decompression, or blacklist/whitelist verification.
[0082] The verified profile structure may further be transmitted to a web application server 608 for further processing. As illustrated, machine learning, deep learning, artificial intelligence, and other processing engines may be instantiated in the form of applications 610. As such, the web application server 608 may call, energize, or activate these applications 610 via API calls or other triggers over a computer network to identify whether such access by the user 602 should be permitted. For example, the applications 610 may calculate, as illustrated above, a final score that includes a frequency score and other scores based on the system signature. In one embodiment, such calculation includes the keystroke "keypair" analysis described above, keystroke dynamics, mouse movement analysis, and touchpad analysis using tools such as Python, scikit-learn, and/or TensorFlow; facial recognition using tools such as Python and FaceNET; location access patterns; trusted environment/trusted device presence using tools such as Python, scikit-learn, and/or TensorFlow; and hardware information using tools such as Python, scikit-learn, and/or TensorFlow.
[0083] Once the applications determine that the final score of the analysis of the profile structure satisfies a threshold, the secured access environment 620 may provide the user 602 with access to the data stored in one or more distributed data storage units 612. In one embodiment, the system 600 may store a copy of the verified profile structure from the rule engine 606 as raw data at the data storage units 612. The raw data may be used for future analysis and comparison. Moreover, the system 600 may be scalable to batch processing at a batch processing engine 618. The batch processing engine 618 may output the processed data to a scalable and distributed file system 614 for storage.
[0084] FIG. 7 may be a high level illustration of a portable computing device 801 communicating with a remote computing device 841, but the application may be stored and accessed in a variety of ways. In addition, the application may be obtained in a variety of ways such as from an app store, from a web site, from a store Wi-Fi system, etc. There may be various versions of the application to take advantage of the benefits of different computing devices, different languages and different API platforms.
[0085] In one embodiment, a portable computing device 801 may be a mobile device 112 that operates using a portable power source 855 such as a battery. The portable computing device 801 may also have a display 802 which may or may not be a touch sensitive display. More specifically, the display 802 may have a capacitance sensor, for example, that may be used to provide input data to the portable computing device 801. In other embodiments, an input pad 804 such as arrows, scroll wheels, keyboards, etc., may be used to provide inputs to the portable computing device 801. In addition, the portable computing device 801 may have a microphone 806 which may accept and store verbal data, a camera 808 to accept images and a speaker 810 to communicate sounds.
[0086] The portable computing device 801 may be able to communicate with a computing device 841 or a plurality of computing devices 841 that make up a cloud of computing devices 811. The portable computing device 801 may be able to communicate in a variety of ways. In some embodiments, the communication may be wired such as through an Ethernet cable, a USB cable or RJ6 cable. In other embodiments, the communication may be wireless such as through Wi-Fi (802.11 standard), Bluetooth, cellular communication or near field communication devices. The communication may be direct to the computing device 841 or may be through a communication network 102 such as cellular service, through the Internet, through a private network, through Bluetooth, etc. FIG. 7 may be a simplified illustration of the physical elements that make up a portable computing device 801 and FIG. 8 may be a simplified illustration of the physical elements that make up a server type computing device 841.
[0087] FIG. 7 may be a sample portable computing device 801 that is physically configured to be part of the system. The portable computing device 801 may have a processor 850 that is physically configured according to computer executable instructions. It may have a portable power supply 855 such as a battery which may be rechargeable. It may also have a sound and video module 860 which assists in displaying video and sound and may turn off when not in use to conserve power and battery life. The portable computing device 801 may also have volatile memory 865 and non-volatile memory 870. It may have GPS capabilities 880 that may be a separate circuit or may be part of the processor 850. There also may be an input/output bus 875 that shuttles data to and from the various user input devices such as the microphone 806, the camera 808 and other inputs, such as the input pad 804, the display 802, and the speakers 810, etc. It also may control communication with the networks, either through wireless or wired devices. Of course, this is just one embodiment of the portable computing device 801, and the number and types of portable computing devices 801 are limited only by the imagination.
[0088] As a result of the system, better information may be provided to a user at a point of sale. The information may be user specific and may be required to be over a threshold of relevance. As a result, users may make better informed decisions. The system does more than just speed up a process: it uses a computing system to achieve a better outcome.
[0089] The physical elements that make up the remote computing device 841 may be further illustrated in FIG. 8. At a high level, the computing device 841 may include a digital storage such as a magnetic disk, an optical disk, flash storage, non-volatile storage, etc. Structured data may be stored in the digital storage such as in a database. The server 841 may have a processor 1000 that is physically configured according to computer executable instructions. It may also have a sound and video module 1005 which assists in displaying video and sound and may turn off when not in use to conserve power and battery life. The server 841 may also have volatile memory 1010 and non-volatile memory 1015.
[0090] The database 1025 may be stored in the memory 1010 or 1015 or may be separate. The database 1025 may also be part of a cloud of computing devices 841 and may be stored in a distributed manner across a plurality of computing devices 841. There also may be an input/output bus 1020 that shuttles data to and from the various user input devices such as the microphone 806, the camera 808, the inputs such as the input pad 804, the display 802, and the speakers 810, etc. The input/output bus 1020 also may control communication with the networks, either through wireless or wired devices. In some embodiments, the application may be on the local computing device 801 and in other embodiments, the application may be on the remote computing device 841. Of course, this is just one embodiment of the server 841, and the number and types of computing devices 841 are limited only by the imagination.
[0091] The user devices, computers and servers described herein may be general purpose computers that may have, among other elements, a microprocessor (such as from the Intel Corporation, AMD, ARM, Qualcomm, or MediaTek); volatile and non-volatile memory; one or more mass storage devices (i.e., a hard drive); various user input devices, such as a mouse, a keyboard, or a microphone; and a video display system. The user devices, computers and servers described herein may be running on any one of many operating systems including, but not limited to, WINDOWS, UNIX, LINUX, MAC OS, iOS, Android, or Windows (XP, VISTA, etc.). It is contemplated, however, that any suitable operating system may be used for the present invention. The servers may be a cluster of web servers, which may each be LINUX based and supported by a load balancer that decides which of the cluster of web servers should process a request based upon the current request-load of the available server(s).
[0092] The user devices, computers and servers described herein may communicate via networks, including the Internet, WAN, LAN, Wi-Fi, other computer networks (now known or invented in the future), and/or any combination of the foregoing. It should be understood by those of ordinary skill in the art having the present specification, drawings, and claims before them that networks may connect the various components over any combination of wired and wireless conduits, including copper, fiber optic, microwaves, and other forms of radio frequency, electrical and/or optical communication techniques. It should also be understood that any network may be connected to any other network in a different manner. The interconnections between computers and servers in the system are examples. Any device described herein may communicate with any other device via one or more networks.
[0093] The example embodiments may include additional devices and networks beyond those shown. Further, the functionality described as being performed by one device may be distributed and performed by two or more devices. Multiple devices may also be combined into a single device, which may perform the functionality of the combined devices.
[0094] The various participants and elements described herein may operate one or more computer apparatuses to facilitate the functions described herein. Any of the elements in the above-described Figures, including any servers, user devices, or databases, may use any suitable number of subsystems to facilitate the functions described herein.
[0095] Any of the software components or functions described in this application may be implemented as software code or computer readable instructions that may be executed by at least one processor using any suitable computer language such as, for example, Java, C++, or Perl using, for example, conventional or object-oriented techniques.
[0096] The software code may be stored as a series of instructions or commands on a non-transitory computer readable medium, such as a random access memory (RAM), a read only memory (ROM), a magnetic medium such as a hard drive or a floppy disk, or an optical medium such as a CD-ROM. Any such computer readable medium may reside on or within a single computational apparatus and may be present on or within different computational apparatuses within a system or network.
[0097] Referring now to FIG. 9, a flowchart illustrates a computerized method of one embodiment of the invention. At 902, an access request to a secured access environment is received from a user via a user device. In one example, the secured access environment may include cloud file storage or secured payment processing. For example, the access request may be a desire to purchase an item via the user device. This access request may be initiated at a point of payment or a point of checkout. Once verified, the user may then have access to the payment processing platform where the user may access stored payment devices or accounts, discounts or offers, etc. As such, the secured access environment may not be confined to data retrieved from a file.
[0098] At 904, a profile structure may be generated in response to the user access request. In one embodiment, the profile structure may be based on the user device and the request. In another embodiment, the profile structure defines a device signature and a biometric signature, as illustrated in FIGS. 1 and 2.
[0099] At 906, the generated profile structure may be transmitted to a rule engine, such as the rule engine 606 in FIG. 6. At 908, the rule engine may verify the system signature for authenticity. For example, the rule engine may perform payload signature verification (e.g., verification of the system signature), verify whether the payload has been tampered with (e.g., identify data loss), static rules verification, decryption and/or decompression, or blacklist/whitelist verification. In another embodiment, the verified profile structure may be transmitted to a web server where the web server may call, activate, or execute one or more applications to analyze the system signature at 910. As illustrated above, the one or more applications may execute one or more access identifying models, such as various combinations of ML, DL, or other AI models. These models consume or input information included in the device signature and the biometric signature as parameters as part of the execution. In this example, the one or more applications may execute Expression 2 and may perform the recursive iterations as discussed above.
[0100] At 912, a final score is generated by the one or more applications based on the execution in 910. For example, as discussed above, a modified Jaccard Similarity Coefficient may be used to calculate a frequency score for certain browser information 112 provided by the browser signature. Such a score is used in the determination of the final score. In another example, the one or more applications further determine whether the final score satisfies a threshold. At 914, the user is provided access to the secured access environment. In one example of a secured transaction, at 914, the user may view or access financial or payment data stored with a payment processing platform. Such viewing or access may take the form of viewing previously greyed out or hidden information on a graphical user interface (GUI). In another embodiment, the access may include revealing a pane or GUI window of the browser with the information associated therewith.
[0101] It may be understood that the present invention as described above may be implemented in the form of control logic using computer software in a modular or integrated manner. Based on the disclosure and teachings provided herein, a person of ordinary skill in the art may know and appreciate other ways and/or methods to implement the present invention using hardware, software, or a combination of hardware and software.
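As an added example, not code from the patent, the rule engine checks of paragraph [0081] and steps 906 to 908 of FIG. 9 applied to a profile structure laid out as in Appendix A: payload signature verification (assumed here to be HMAC-SHA256 under a shared key, which the page does not specify), decompression, data-loss detection, static rules over the bot and lie flags Appendix A carries, and blacklist/whitelist checks. `AGENT_KEY`, `PROFILE`, `REQUIRED` and `BOT_FLAGS` are constructed for this example.

```python
import gzip
import hashlib
import hmac
import json
from typing import Any, Dict, List, Tuple

# Shared secret between the end point agent and the rule engine. An assumption
# of this example: the page does not say how the payload signature is keyed.
AGENT_KEY = b"example-shared-secret"

# Constructed profile structure following the Appendix A layout, abbreviated.
PROFILE: Dict[str, Any] = {"entity": {
    "id": "user-602",
    "device": {
        "browser": {"phantomjs_detected": False, "selenium_detected": False,
                    "resolution": [1440, 900], "available_resolution": [1440, 803],
                    "has_lied_resolution": False, "has_lied_os": False,
                    "has_lied_browser": False},
        "hardware": {"mac_address": "00:00:5e:00:53:01"}},
    "bio": {"keystroke": {"keystroke_overflow": False},
            "mouse": {"mouse_overflow": False}}}}

# Branches that must survive transit; their absence is treated as data loss.
REQUIRED = [("entity", "id"), ("entity", "device", "browser"),
            ("entity", "device", "hardware"), ("entity", "bio", "keystroke"),
            ("entity", "bio", "mouse")]
# Appendix A flags that a static rule treats as disqualifying when true.
BOT_FLAGS = ("phantomjs_detected", "selenium_detected", "has_lied_resolution",
             "has_lied_os", "has_lied_browser")


def pack(profile: Dict[str, Any], key: bytes) -> Dict[str, str]:
    """End point side ([0080]): canonical JSON, compressed, then HMAC-SHA256 signed."""
    body = gzip.compress(json.dumps(profile, sort_keys=True,
                                    separators=(",", ":")).encode())
    return {"payload": body.hex(),
            "mac": hmac.new(key, body, hashlib.sha256).hexdigest()}


def verify_signature(envelope: Dict[str, str], key: bytes) -> Tuple[bool, bytes]:
    """Payload signature verification with a constant-time comparison."""
    body = bytes.fromhex(envelope.get("payload", ""))
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, envelope.get("mac", "")), body


def missing_fields(profile: Dict[str, Any]) -> List[str]:
    """'Identify data loss': required branches of the profile that are absent."""
    missing = []
    for path in REQUIRED:
        node: Any = profile
        for key in path:
            node = node.get(key) if isinstance(node, dict) else None
        if node is None:
            missing.append(".".join(path))
    return missing


def static_rule_violations(profile: Dict[str, Any]) -> List[str]:
    """Static rules: bot/lie flags, overflow flags, and an available_resolution
    that cannot be larger than the reported screen resolution."""
    browser = profile["entity"]["device"]["browser"]
    found = [flag for flag in BOT_FLAGS if browser.get(flag)]
    res, avail = browser.get("resolution"), browser.get("available_resolution")
    if res and avail and (avail[0] > res[0] or avail[1] > res[1]):
        found.append("available_resolution exceeds resolution")
    for part in ("keystroke", "mouse"):
        if profile["entity"]["bio"][part].get(part + "_overflow"):
            found.append(part + "_overflow")
    return found


def rule_engine(envelope: Dict[str, str], key: bytes,
                blacklist=frozenset(), whitelist=frozenset()):
    """Rule engine 606: signature, decompression, data loss, static rules, lists.
    Returns (accepted, reasons, profile); only an accepted profile goes on to
    the scoring applications 610."""
    ok, body = verify_signature(envelope, key)
    if not ok:
        return False, ["payload signature mismatch"], {}
    try:
        profile = json.loads(gzip.decompress(body))
    except (OSError, EOFError, ValueError):
        return False, ["payload could not be decompressed or parsed"], {}
    reasons = ["missing " + m for m in missing_fields(profile)]
    if reasons:
        return False, reasons, profile
    reasons += static_rule_violations(profile)
    mac = profile["entity"]["device"]["hardware"].get("mac_address")
    if mac in blacklist:
        reasons.append("device on blacklist")
    if whitelist and mac not in whitelist:
        reasons.append("device not on whitelist")
    return not reasons, reasons, profile


def with_change(profile: Dict[str, Any], path: Tuple[str, ...], value: Any):
    """Deep copy of `profile` with the leaf at `path` set to `value` (None removes it)."""
    clone = json.loads(json.dumps(profile))
    node = clone
    for key in path[:-1]:
        node = node[key]
    if value is None:
        node.pop(path[-1], None)
    else:
        node[path[-1]] = value
    return clone
```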
[0102] The above description is illustrative and is not restrictive. Many variations of the invention will become apparent to those skilled in the art upon review of the disclosure. The scope of the invention should, therefore, be determined not with reference to the above description, but instead should be determined with reference to the pending claims along with their full scope or equivalents.
[0103] One or more features from any embodiment may be combined with one or more features of any other embodiment without departing from the scope of the invention. A recitation of "a", "an" or "the" is intended to mean "one or more" unless specifically indicated to the contrary. Recitation of "and/or" is intended to represent the most inclusive sense of the term unless specifically indicated to the contrary.
[0104] One or more of the elements of the present system may be claimed as means for accomplishing a particular function. Where such means-plus-function elements are used to describe certain elements of a claimed system, it will be understood by those of ordinary skill in the art having the present specification, figures and claims before them that the corresponding structure is a general purpose computer, processor, or microprocessor (as the case may be) programmed to perform the particularly recited function using functionality found in any general purpose computer without special programming and/or by implementing one or more algorithms to achieve the recited functionality. As would be understood by those of ordinary skill in the art, the algorithm may be expressed within this disclosure as a mathematical formula, a flow chart, a narrative, and/or in any other manner that provides sufficient structure for those of ordinary skill in the art to implement the recited process and its equivalents.
[0105] While the present disclosure may be embodied in many different forms, the drawings and discussion are presented with the understanding that the present disclosure is an exemplification of the principles of one or more inventions and is not intended to limit any one of the inventions to the embodiments illustrated.
[0106] The present disclosure provides a solution to the long-felt need described above. In particular, the systems and methods described herein may be configured for improving safeguard or defense against unauthorized intrusions or accesses. Further advantages and modifications of the above described system and method will readily occur to those skilled in the art. The disclosure, in its broader aspects, is therefore not limited to the specific details, representative system and methods, and illustrative examples shown and described above. Various modifications and variations can be made to the above specification without departing from the scope or spirit of the present disclosure, and it is intended that the present disclosure covers all such modifications and variations provided they come within the scope of the following claims and their equivalents.
Appendix A
{
  "entity": {
    "id": IDENTIFIER,
    "device": {
      "browser": {
        "phantomjs_detected": false,
        "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36",
        "language": "en-US",
        "color_depth": 24,
        "pixel_ratio": 1.7999999523162842,
        "hardware_concurrency": 8,
        "resolution": [1440, 900],
        "available_resolution": [1440, 803],
        "timezone_offset": 420,
        "session_storage": 1,
        "local_storage": 1,
        "indexed_db": 1,
        "open_database": 1,
        "cpu_class": "unknown",
        "navigator_platform": "MacIntel",
        "do_not_track": "unknown",
        "regular_plugins": [
          "Shockwave Flash::Shockwave Flash 30.0 r0::application/x-shockwave-flash~swf,application/futuresplash~spl",
          "Chrome PDF Viewer::::application/pdf~pdf",
          "Native Client::::application/x-nacl~,application/x-pnacl~",
          "Chrome PDF Viewer::Portable Document Format::application/x-google-chrome-pdf~pdf"
        ],
        "Canvas": "b7ef8cbe15db66e4b6a1e6c87c346c56d5029edcd407769e81f4ff6849f8ad06",
        "webgl": "4a57f8a28f5037876dd7f8c69d93ab54582cd837148c190252d5588563a8b8b",
        "webgl_vendor": "ATI Technologies Inc.~AMD Radeon R9 M370X OpenGL Engine",
        "adblock": false,
        "has_lied_languages": false,
        "has_lied_resolution": false,
        "has_lied_os": false,
        "has_lied_browser": false,
        "touch_support": [0, false, false],
        "js_fonts": [
          "Andale Mono",
          "Arial"
        ],
        "mouse_overflow": false,
        "tab_used": true,
        "enter_used": false,
        "selenium_detected": false,
        "exceptions": {}
        // ... 11 more browser information
      },
      "hardware": {
        "keyboard_id": "",
        "mac_address": ""
        // ... 11 more hardware information
      }
    },
    "bio": {
      "keystroke": {
        "keystroke_overflow": false,
        "keystroke_info": {
          "key_based": {
            "unigraph": {
              "key1": {"total_time": [160], "flight_time": [170, 188], "down_up_time": [160]},
              "key2": {"total_time": [160], "flight_time": [170, 188], "down_up_time": [160]}
            },
            "digraph": {
              "key1 -> key2": {"total_time": [160], "flight_time": [170, 188], "down_up_time": [160]},
              "key2 -> key3": {"total_time": [160], "flight_time": [170, 188], "down_up_time": [160]}
            }
            // more keystroke information
          },
          "region_based": {
            "unigraph": {
              "region1": {"total_time": [160], "flight_time": [170, 188], "down_up_time": [160]},
              "region2": {"total_time": [160], "flight_time": [170, 188], "down_up_time": [160]}
            },
            "digraph": {
              "region1 -> region2": {"total_time": [160], "flight_time": [170, 188], "down_up_time": [160]},
              "region2 -> region3": {"total_time": [160], "flight_time": [170, 188], "down_up_time": [160]}
            }
            // more mouse movement information
          }
        }
      },
      "mouse": {
        "mouse_overflow": false,
        "mouse_movement": [
          {"x": 832, "y": 397, "t": 1531952718799, "b": -1, "f": -1, "m": -3, "n": 1, "p": 895, "q": 333},
          {"x": 854, "y": 471, "t": 1531952718815, "b": -1, "f": -1, "m": 20, "n": 75, "p": 920, "q": 415}
        ]
      },
      "facial_data": FACIAL DATA
      // ... other bio data applicable
    }
  }
}

Claims

What is claimed is:
1. A computerized method for safeguarding access to a secured access environment comprising:
receiving an access request to the secured access environment from a user via a user device;
generating a profile structure in response to the user access request based on the user device and the request, said profile structure defining a system signature, said system signature including a device signature and a biometric signature;
transmitting the generated profile structure to a rule engine;
verifying by the rule engine the system signature for authenticity;
activating one or more applications to analyze the system signature, said one or more applications executing one or more access identifying models, said one or more access identifying models inputting information included in the device signature and the biometric signature as parameters;
generating, by the one or more applications, a final score of the system signature, wherein the one or more applications determine whether the final score satisfies a threshold; and
providing access to the user to the secured access environment when the threshold is satisfied.
2. The computerized method of claim 1, wherein the device signature includes information associated with hardware of the user device and browser information of the user device.
3. The computerized method of claim 1, wherein the biometric signature includes information associated with a keyboard, a mouse, or a facial recognition device.
4. The computerized method of claim 3, wherein the information associated with the keyboard includes a definition of a pair of keys on the keyboard.
5. The computerized method of claim 3, wherein the information associated with the keyboard includes one or more key zones.
6. The computerized method of claim 4, wherein the definition of the pair of keys further comprises travel time and duration of the pair of keys between presses of the pair of the keys.
7. The computerized method of claim 1, further comprising batch processing one or more profile structures by a batch processing engine.
8. The computerized method of claim 1, further comprising recursively iterating a programming expression to calculate the final score of the system signature.
9. A computerized system for safeguarding access to a secured access environment comprising:
an end point terminal for receiving an access request to the secured access environment from a user via a user device;
wherein the end point terminal generates a profile structure in response to the user access request based on the user device and the request, said profile structure defining a system signature, said system signature including a device signature and a biometric signature;
wherein the end point terminal transmits the generated profile structure to a rule engine;
wherein the rule engine verifies the system signature for authenticity before transmitting the profile structure with the verified system signature to a web server, wherein the web server comprises one or more processors executing computer- executable instructions;
wherein the web server activates one or more applications to analyze the system signature, said one or more applications executing one or more access identifying models, said one or more access identifying models inputting information included in the device signature and the biometric signature as parameters;
wherein the one or more applications generate a final score of the system signature, wherein the one or more applications determine whether the final score satisfies a threshold; and
wherein the one or more applications provide access to the user to the secured access environment when the threshold is satisfied.
10. The computerized system of claim 9, wherein the device signature includes information associated with hardware of the user device and browser information of the user device.
11. The computerized system of claim 9, wherein the biometric signature includes information associated with a keyboard, a mouse, or a facial recognition device.
12. The computerized system of claim 11, wherein the information associated with the keyboard includes a definition of a pair of keys on the keyboard.
13. The computerized system of claim 11, wherein the information associated with the keyboard includes one or more key zones.
14. The computerized system of claim 12, wherein the definition of the pair of keys further comprises travel time and duration of the pair of keys between presses of the pair of the keys.
15. The computerized system of claim 9, wherein the one or more applications execute a modified Jaccard Similarity Coefficient to calculate the final score of the system signature.
16. A non-transitory computer readable medium having stored thereon computer-executable instructions embodied in a computer software product, wherein the computer-executable instructions comprise:
receiving an access request to the secured access environment from a user via a user device;
generating a profile structure in response to the user access request based on the user device and the request, said profile structure defining a system signature, said system signature including a device signature and a biometric signature, wherein the device signature includes information associated with hardware of the user device and browser information of the user device, wherein the biometric signature includes information associated with a keyboard, a mouse, or a facial recognition device;
transmitting the generated profile structure to a rule engine;
verifying the system signature for authenticity;
activating one or more applications to analyze the system signature, said one or more applications executing one or more access identifying models, said one or more access identifying models inputting information included in the device signature and the biometric signature as parameters;
generating a final score of the system signature, wherein the one or more applications determine whether the final score satisfies a threshold; and
providing access to the user to the secured access environment when the threshold is satisfied.
17. The non-transitory computer readable medium of claim 16, wherein the information associated with the keyboard includes a definition of a pair of keys on the keyboard.
18. The non-transitory computer readable medium of claim 16, wherein the information associated with the keyboard includes one or more key zones.
19. The non-transitory computer readable medium of claim 17, wherein the definition of the pair of keys further comprises travel time and duration of the pair of keys between presses of the pair of keys.
20. The non-transitory computer readable medium of claim 16, wherein activating comprises activating the one or more applications to execute a modified Jaccard Similarity Coefficient to calculate the final score of the system signature.
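The claims above (claims 14, 15 and 17 to 20 in particular) describe a profile structure holding a device signature and a biometric signature, key-pair timings (travel time between presses and hold duration), key zones, and a "modified Jaccard Similarity Coefficient" whose final score is compared against a threshold. The page does not define what the modification is. The following is an added illustration, not code from the patent or from Visa: it quantises the numeric timings into bands so that a set-based coefficient can be applied, and uses a weighted Jaccard (sum of minimum weights over sum of maximum weights) so that typing-rhythm tokens outweigh device tokens. The field names, band widths, weights, the 0.7 threshold and the sample profiles are all assumptions made for the example.

```python
# Added illustration (not code from the patent or its assignee): a toy "system
# signature" made of a device signature and a biometric signature, scored
# against an enrolled profile with a weighted Jaccard coefficient over banded
# feature tokens.  Field names, band widths, weights and the 0.7 threshold are
# assumptions; the page does not define the claimed "modified" Jaccard.
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass
class DeviceSignature:
    hardware: Dict[str, str]   # e.g. platform, core count, screen size
    browser: Dict[str, str]    # e.g. user agent, language, timezone


@dataclass
class BiometricSignature:
    # (first key, second key) -> (travel time between presses in ms, hold duration in ms)
    key_pairs: Dict[Tuple[str, str], Tuple[float, float]]
    key_zones: Dict[str, str]  # key -> zone label on the keyboard (assumed)
    mouse: Dict[str, float]    # e.g. mean pointer speed in px/s (assumed)


@dataclass
class SystemSignature:
    device: DeviceSignature
    biometric: BiometricSignature


def verify_signature(sig: SystemSignature) -> bool:
    """Plausibility gate run before scoring: both halves must be present and
    every keystroke timing must be physically possible (no negative travel,
    no zero-length or multi-second holds)."""
    if not sig.device.hardware or not sig.device.browser or not sig.biometric.key_pairs:
        return False
    for (a, b), (travel, hold) in sig.biometric.key_pairs.items():
        if not (a and b) or not (0 <= travel <= 5000) or not (0 < hold <= 2000):
            return False
    return True


def _band(value: float, width: float) -> int:
    """Quantise a timing so that small jitter maps to the same token."""
    return int(value // width)


def tokens(sig: SystemSignature) -> Dict[str, float]:
    """Flatten a signature into weighted set elements.  Biometric tokens carry
    more weight than device tokens: a device fingerprint can be replayed by
    whoever captures it, while typing rhythm is harder to reproduce."""
    out: Dict[str, float] = {}
    for k, v in sig.device.hardware.items():
        out[f"hw:{k}={v}"] = 1.0
    for k, v in sig.device.browser.items():
        out[f"br:{k}={v}"] = 0.5           # browsers update often; low weight
    for (a, b), (travel, hold) in sig.biometric.key_pairs.items():
        out[f"kp:{a}{b}:travel={_band(travel, 40)}"] = 2.0
        out[f"kp:{a}{b}:hold={_band(hold, 20)}"] = 2.0
    for key, zone in sig.biometric.key_zones.items():
        out[f"kz:{key}={zone}"] = 1.0
    for k, v in sig.biometric.mouse.items():
        out[f"mo:{k}={_band(v, 100)}"] = 1.5
    return out


def weighted_jaccard(a: Dict[str, float], b: Dict[str, float]) -> float:
    """Weighted Jaccard: sum(min weight) / sum(max weight) over the token union."""
    keys = set(a) | set(b)
    if not keys:
        return 0.0
    inter = sum(min(a.get(k, 0.0), b.get(k, 0.0)) for k in keys)
    union = sum(max(a.get(k, 0.0), b.get(k, 0.0)) for k in keys)
    return inter / union


def final_score(enrolled: SystemSignature, observed: SystemSignature) -> float:
    return weighted_jaccard(tokens(enrolled), tokens(observed))


def grant_access(enrolled: SystemSignature, observed: SystemSignature,
                 threshold: float = 0.7) -> bool:
    """Grant only if the request profile verifies and its score meets the threshold."""
    return verify_signature(observed) and final_score(enrolled, observed) >= threshold


# Constructed sample profiles (not real telemetry); the hardware part is shared.
DEVICE_HW = {"platform": "Linux x86_64", "cores": "8", "screen": "1920x1080"}


def _sample(ua: str, pairs: Dict[Tuple[str, str], Tuple[float, float]], speed: float):
    return SystemSignature(
        DeviceSignature(dict(DEVICE_HW), {"ua": ua, "lang": "en-US", "tz": "America/Los_Angeles"}),
        BiometricSignature(pairs, {"a": "left-home", "j": "right-home"}, {"mean_speed": speed}))


def enrolled_profile() -> SystemSignature:
    return _sample("Firefox/115", {("t", "h"): (120, 85), ("h", "e"): (95, 70),
                                   ("e", " "): (140, 60), ("p", "a"): (180, 90)}, 620)


def genuine_request() -> SystemSignature:
    # Same user after a browser update; timings jitter but stay within their bands.
    return _sample("Firefox/116", {("t", "h"): (125, 82), ("h", "e"): (90, 75),
                                   ("e", " "): (150, 62), ("p", "a"): (175, 95)}, 680)


def impostor_request() -> SystemSignature:
    # Replayed device fingerprint, but someone else's typing rhythm and mouse speed.
    return _sample("Firefox/115", {("t", "h"): (210, 130), ("h", "e"): (60, 40),
                                   ("e", " "): (230, 110), ("p", "a"): (260, 140)}, 1400)


if __name__ == "__main__":
    e = enrolled_profile()
    for name, req in (("genuine", genuine_request()), ("impostor", impostor_request())):
        print(f"{name}: score={final_score(e, req):.3f} access={grant_access(e, req)}")
```

With these constructed inputs the genuine request scores 23.5/24.5 (only the browser version token differs) and is admitted, while the impostor, who presents an identical device signature, scores 6.5/41.5 and is refused. Two practical caveats: fixed-width banding treats a timing that straddles a band edge as a mismatch, so a deployed scorer would more likely use a tolerance comparison or per-user variance; and the threshold has to be chosen from measured false-accept and false-reject rates rather than picked by hand as here.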
Application PCT/US2018/057886, filed 2018-10-27 (priority date 2018-10-27): Biometric and behavior analytics platform. Status: Ceased. Published as WO2020086101A1 (en).

Priority Applications (1)

Application Number: PCT/US2018/057886 (WO2020086101A1, en)
Priority Date: 2018-10-27
Filing Date: 2018-10-27
Title: Biometric and behavior analytics platform

Applications Claiming Priority (1)

Same application as above: PCT/US2018/057886 (WO2020086101A1, en), priority date 2018-10-27, filing date 2018-10-27, Biometric and behavior analytics platform

Publications (1)

Publication Number: WO2020086101A1 (en)
Publication Date: 2020-04-30

Family

ID: 70331856

Family Applications (1)

PCT/US2018/057886 (WO2020086101A1, en), Ceased, priority date 2018-10-27, filing date 2018-10-27, Biometric and behavior analytics platform

Country Status (1)

Country: WO, Link: WO2020086101A1 (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20080098222A1 (en) * 2004-09-22 2008-04-24 Zilberman Arkady G Device with built-in user authentication and method for user authentication and identity theft protection
US20090089869A1 (en) * 2006-04-28 2009-04-02 Oracle International Corporation Techniques for fraud monitoring and detection using application fingerprinting
US20110225173A1 (en) * 2010-03-11 2011-09-15 Yahoo! Inc Method and system for determining similarity score
US20150237053A1 (en) * 2014-02-18 2015-08-20 Oracle International Corporation Facilitating third parties to perform batch processing of requests requiring authorization from resource owners for repeat access to resources
US20160080369A1 (en) * 2013-12-20 2016-03-17 Certify Global Inc. Source device for systems and methods of verifying an authentication using dynamic scoring
US20160212115A1 (en) * 2015-01-19 2016-07-21 Dell Products, Lp System and Method for Providing Confidence Scores in a Persistent Framework

Legal Events

121, Ep: the EPO has been informed by WIPO that EP was designated in this application (ref document number 18937962, country of ref document EP, kind code A1)

NENP: non-entry into the national phase (ref country code DE)

122, Ep: PCT application non-entry in European phase (ref document number 18937962, country of ref document EP, kind code A1)