A piezo haptic keyboard and touchpad user identification system may comprise a processor receiving an authenticating user input identifying an authorized user of the information handling system, and a controller operably connected to a plurality of piezo electric elements situated beneath the keyboard. The controller may detect haptic hardware typing or touch behavior parameters describing characteristics of a plurality of deformations of the piezo electric elements during interaction between the authorized user and the keyboard, and the processor may use machine learning to identify a repeated pattern of values for a combination of the haptic hardware typing or touch behavior parameters reoccurring during interaction between the authorized user and keyboard. The processor may associate the repeated pattern of values for the combination of the haptic hardware typing or touch behavior parameters with the authorized user for later, passive authentication of a user based on typing dynamics.

A computer-implemented method to identify unauthorized use of a device based on a usage pattern. The method includes tracking usage of a device, wherein the usage includes activity by a user interacting with the device. The method includes identifying a usage pattern, wherein the usage pattern is based on usage data. The method further includes generating, based on the usage pattern, a heatmap. The method includes predicting future usage of the device by the user, wherein the predicting includes generating a Markov chain of the predicted future usage. The method also includes determining actual usage is different than the predicted usage. The method further includes calculating, in response to determining the actual usage is different than the predicted future usage, a difference score. The method includes determining the difference score is above a difference threshold, and activating, in response to the difference score being above the difference threshold, an alert.

A system, method, and computer-readable medium are disclosed for performing a lexicon construction operation. The lexicon construction operation includes: identifying a corpus, the corpus comprising a plurality of training events, each of the plurality of training events comprising a term; grouping terms from the plurality of training events into topic clusters; analyzing the plurality of topic clusters, the analyzing providing a plurality of classified clusters; and, deriving a plurality of learned lexicons from the plurality of classified clusters.

Embodiments are described for a pattern-based control system that learns and applies device usage patterns for identifying and disabling devices exhibiting abnormal usage patterns. The system can learn a user's normal usage pattern or can learn abnormal usage patterns, such as a typical usage pattern for a stolen device. This learning can include human or algorithmic identification of particular sets of usage conditions (e.g., locations, changes in settings, personal data access events, application events, IMU data, etc.) or training a machine learning model to identify usage condition combinations or sequences. Constraints (e.g., particular times or locations) can specify circumstances where abnormal pattern matching is enabled or disabled. Upon identifying an abnormal usage pattern, the system can disable the device, e.g., by permanently destroying a physical component, semi-permanently disabling a component, or through a software lock or data encryption.

Systems and methods for authenticating users are described herein. One or more inputs including of biometric data, physical trait data, and other data sources may be collected passively when an individual is present in a space. A confidence ratio associated with one or more of the collected inputs may be determined. One or more of the determined confidence ratios may be evaluated together to determine a final confidence ratio for a user, on which an authentication decision is based. An access level may be selected from a plurality of access levels with different access privileges based on the determined confidence ratio. Authentication may be continuous or ongoing.

This application discloses an identity authentication method, a method and an apparatus for training an identity authentication model, and a computer-readable medium in the artificial intelligence field to improve accuracy of identity authentication. The identity authentication method includes: obtaining first operation behavior data and second operation behavior data of a to-be-authenticated user; obtaining, by using a first authentication model by inputting the first operation behavior data, a first recognition result output by the first authentication model; obtaining, by using a second authentication model by inputting the second operation behavior data, a second recognition result output by the second authentication model, where the first authentication model and the second authentication model are an anomaly detection model and a classification model respectively; and inputting the first recognition result and the second recognition result into a decision fusion model to obtain an output identity authentication result.

Method for confirming the identity of a user in a browsing session of an online service, comprising the steps of: a) providing a web server in which an online service resides, in communication with a client device provided with a user interface; b) providing a database associated with the web server in which a plurality of data relating to one or more users registered to the online service are stored; c) providing a script residing in the client device; d) identifying via script each browsing session on the online service and associating it with a user registered to the online service when the latter performs authentication; e) collecting via script biometric data generated by said at least one user interface and associating them with the user when authenticated; f) generating via script machine learning templates as a result of processing the biometric data; g) storing the biometric data and the machine learning templates locally in the client device; h) generating a score associated with the user as a result of processing via script new biometric data collected on said at least one user interface as a function of the machine learning templates generated in step f); i) sending the score to the web server; l) verifying the identity of the authenticated user as a result of processing the score by means of a security algorithm residing in the web server.

System, device, and method of generating and utilizing one-time passwords. A method generates a particular One-Time Password (OTP) string that is based on pre-defined OTP string construction rules. The particular OTP string is not a purely-random string; rather, the particular non-purely-random OTP string provides to a behavioral monitoring unit a capability to extract user-specific behavioral typing patterns from a way in which a user types characters of the particular OTP via a keyboard of an electronic device. The method sends the particular OTP string to the user; monitors the way that the user types the OTP string; extracts from the user interactions, that were performed while the user entered the OTP string, a user-specific behavioral typing characteristic; and based on that user-specific characteristic, determines whether that user is authenticated or non-authenticated, and optionally activates fraud mitigation operations or transaction blocking operations if the user is non-authenticated.

Relevance information obtaining means of a fraud estimation system is configured to obtain relevance information about relevance between one service and another service. Comparison result obtaining means is configured to obtain a comparison result of a comparison between user information of a target user in the one service and user information of a fraudulent user or an authentic user in the another service. Estimation means is configured to estimate fraudulence of the target user based on the relevance information and the comparison result.

Methods, apparatus, and processor-readable storage media for evaluating cyber attacker behavior using machine learning to identify anomalies are provided herein. An example method includes obtaining, based on events associated with changes in one or more of a registry and a computer process, baseline models comprising a user context representing normal behavior for a first subset of features associated with the events with respect to a given user, an inverse context that represents normal behavior for at least one feature with respect to a particular value of one or more features in the first subset, and a global context representing a behavior of the features across the plurality of users; detecting a new event attributable to the given user; calculating a score for the new event using one or more of the baseline models; and determining that the new event is an anomaly in response to the score satisfying a threshold.