	US 11,877,152 B2
	Method, device, and system of differentiating between a cyber-attacker and a legitimate user
Avi Turgeman, New York, NY (US); Oren Kedem, Tel Aviv (IL); and Uri Rivner, Mazkeret Batya (IL)
Assigned to BIOCATCH LTD., Tel Aviv (IL)
Filed by BioCatch Ltd., Tel Aviv (IL)
Filed on Jul. 26, 2022, as Appl. No. 17/814,962.
Application 17/814,962 is a continuation of application No. 17/060,131, filed on Oct. 1, 2020, granted, now 11,425,563.
Application 17/060,131 is a continuation of application No. 15/885,819, filed on Feb. 1, 2018, granted, now 10,834,590, issued on Nov. 10, 2020.
Application 15/885,819 is a continuation in part of application No. 14/675,764, filed on Apr. 1, 2015, abandoned.
Application 14/675,764 is a continuation of application No. 14/566,723, filed on Dec. 11, 2014, granted, now 9,071,969, issued on Jun. 30, 2015.
Application 14/566,723 is a continuation in part of application No. 14/325,396, filed on Jul. 8, 2014, abandoned.
Application 14/325,396 is a continuation in part of application No. 14/325,395, filed on Jul. 8, 2014, granted, now 9,621,567, issued on Apr. 11, 2017.
Application 14/325,395 is a continuation in part of application No. 14/325,393, filed on Jul. 8, 2014, granted, now 9,531,733, issued on Dec. 27, 2016.
Application 14/325,393 is a continuation in part of application No. 14/325,397, filed on Jul. 8, 2014, granted, now 9,450,971, issued on Sep. 20, 2016.
Application 14/325,397 is a continuation in part of application No. 14/325,394, filed on Jul. 8, 2014, granted, now 9,547,766, issued on Jan. 17, 2017.
Application 14/325,394 is a continuation in part of application No. 14/325,398, filed on Jul. 8, 2014, granted, now 9,477,826, issued on Oct. 25, 2016.
Application 14/325,398 is a continuation in part of application No. 14/320,653, filed on Jul. 1, 2014, granted, now 9,275,337, issued on Mar. 1, 2016.
Application 14/320,653 is a continuation in part of application No. 14/320,656, filed on Jul. 1, 2014, granted, now 9,665,703, issued on May 30, 2017.
Application 14/566,723 is a continuation of application No. 13/922,271, filed on Jun. 20, 2013, granted, now 8,938,787, issued on Jan. 20, 2015.
Application 13/922,271 is a continuation in part of application No. 13/877,676, granted, now 9,069,942, issued on Jun. 30, 2015, previously published as PCT/IL2011/000907, filed on Nov. 29, 2011.
Claims priority of provisional application 61/973,855, filed on Apr. 2, 2014.
Claims priority of provisional application 61/843,915, filed on Jul. 9, 2013.
Claims priority of provisional application 61/417,479, filed on Nov. 29, 2010.
Prior Publication US 2022/0369106 A1, Nov. 17, 2022
Int. Cl. G06F 21/31 (2013.01); G06F 21/83 (2013.01); G06F 21/32 (2013.01); H04W 12/06 (2021.01); G06F 21/55 (2013.01); G06F 3/041 (2006.01); H04L 9/40 (2022.01); H04M 1/72403 (2021.01)

CPC H04W 12/06 (2013.01) [G06F 3/041 (2013.01); G06F 21/31 (2013.01); G06F 21/316 (2013.01); G06F 21/554 (2013.01); G06F 21/83 (2013.01); H04L 63/0861 (2013.01); H04M 1/72403 (2021.01); G06F 21/32 (2013.01)]

17 Claims

1. A system comprising:

one or more processors, that are configured to execute code;

wherein the one or more processors are operably associated with one or more memory units that are configured to store code;

wherein the one or more processors are configured to perform a process comprising:

(a) monitoring input-unit interactions of a user, who utilizes during a usage session one or more input units of an electronic device to fill-out data in a fillable form of a computerized service;

(b1) if said input-unit interactions indicate that said user utilized keyboard shortcuts for data entry or for navigation, then increasing an attack-relatedness score of said usage session;

(b2) detecting a particular average typing speed of said user in said usage session; and if said particular average typing speed matches one or more average typing speeds that are pre-defined as average typing speeds of attackers, then increasing said attack-relatedness score of said usage session;

(c) if said attack-relatedness score of said usage session is greater than a particular threshold value, then: determining that said input-unit interactions are part of an attack, and initiating one or more mitigation operations;

wherein the process further comprises:

defining a first field in said fillable form, as a field that users are familiar with and type data therein at a typing speed that is greater than a pre-defined value;

defining a second field in said fillable form, as a field that users are unfamiliar with and type data therein at a typing speed that is smaller than or equal to said pre-defined value;

detecting that a rate of manual data entry by said user into the first field, is generally similar to a rate of manual data entry by said user into the second field;

based on said detecting of the rate of manual data entry, determining that said user is an attacker posing as an authorized user and gaining unauthorized access to the computerized service.