9270662

Adaptive Client-Aware Session Security

Published: February 23, 2016
Assignee: not available in USPTO data we have
Technical Abstract

Patent Claims
24 claims

Legal claims defining the scope of protection, as filed with the USPTO.

1. A computer-implemented method, comprising: under the control of one or more computer systems configured with executable instructions, receiving requests to access one or more computing resources, the requests including a request from an application executing on a remote computing device associated by the request with a first source Internet Protocol address, the request including a cookie encoding information about a session including information usable to authenticate the request using a weak authentication process; determining, based at least in part on the information about the session, whether the first source Internet Protocol address is different from a second source Internet Protocol address previously associated with the session; as a result of determining that the first source Internet Protocol address is different from the second source Internet Protocol address, determining, based at least in part on a classification of the second source Internet Protocol address from a set of classifications that includes a fixed Internet Protocol address classification and a variable Internet Protocol Address classification, whether to require a strong authentication process for fulfillment of the request; as a result of determining to require the strong authentication process, performing the strong authentication process; and as a result of successful authentication by performance of the strong authentication process, performing one or more operations to fulfill the request and updating a database that maintains information about the classification of the second source Internet protocol address.

2. The computer-implemented method of claim 1, wherein: the requests include a second request, after the request, from the application that associates the remote computing device with the first source Internet Protocol address and includes the cookie or a second cookie encoding second information about the session, the second information about the session usable to authenticate the request by the weak authentication process; as a result of the second request being associated with the first source Internet Protocol address, performing the weak authentication process without performing the strong authentication process; and as a result of successful authentication by performance of the weak authentication process, fulfilling the second request.

3. The computer-implemented method of claim 1, wherein determining whether to require the strong authentication process comprises accessing, from the database, a database record corresponding to the second source Internet Protocol address.

4. The computer-implemented method of claim 3, wherein updating the database comprises: calculating a score for the second source Internet Protocol address; using the calculated score to make a determination whether to reclassify the second source Internet Protocol address as fixed or dynamic; and updating the database record as a result of determining to reclassify the second source Internet Protocol address.

5. The computer-implemented method of claim 4, wherein: the database record associates a categorization of fixed or dynamic with a plurality of Internet Protocol addresses that includes the first source Internet Protocol address; and reclassifying the second source Internet Protocol address comprises: dividing the plurality of Internet Protocol addresses into at least two subsets comprising a first subset and a second subset having an empty intersection with the first subset, the first subset having the second source Internet Protocol address; and reclassifying the first subset.

6. The computer-implemented method of claim 1, wherein successful authentication by a set of strong authentication processes that include the strong authentication process is required by the one or more computer systems before the weak authentication process is usable to authenticate requests.

7. A system, comprising: one or more processors; and memory including instructions that, when executed by the one or more processors, cause the system to: receive a first request associated with an identifier and a first source; receive a second request associated with the identifier and a second source, the second source different from the first source; determine, based at least in part on a classification of the first source, whether a change from the first source to another source is unexpected; determine, based at least in part on whether the change is determined to be unexpected, whether to require performance of an authentication process as a result of the detected change; and cause performance of at least one operation to be contingent at least in part on successful fulfillment of the authentication process.

8. The system of claim 7, wherein the instructions that cause the system to determine whether to require performance of the authentication process as a result of the detected change cause the system to determine whether to require performance of the authentication process as a result of the detected change further based at least in part on the second source.

9. The system of claim 7, wherein the at least one operation is part of fulfillment of a third request received after the second request.

10. The system of claim 7, wherein the instructions, when executed by the one or more processors, further cause the system to calculate a confidence score for the classification and determine the classification of the first source based at least in part on the calculated confidence score.

11. The system of claim 10, wherein calculating the confidence score is based at least in part on at least one of a network topology, public registration information about sources including the first source and second source, or geographic information associated with the first source and second source.

12. The system of claim 10, wherein calculating the confidence score is based at least in part on at least one of a number of requests made during a session or a number of observations recorded involving the first source.

13. The system of claim 7, wherein the instructions that cause the system to determine the classification cause the system to, in response to receipt of the request, calculate a classification score and determine the classification based at least in part on the calculated classification score.

14. The system of claim 7, wherein determining the classification of the first source is based at least in part on a classification of a plurality of sources that includes the first source.

15. The system of claim 7, wherein: determining the classification of the first source is based at least in part on a confidence score for the classification; and the instructions, when executed by the one or more processors, further cause the system to, as a result of a lack of successful fulfillment of the authentication process, update the confidence score.

16. The system of claim 7, wherein determining the classification of the first source is based at least in part on an account setting for an account associated with the identifier.

17. A non-transitory computer-readable storage medium having stored thereon instructions that, when executed by one or more processors of a computer system, cause the computer system to: detect a first change in first source network address information for requests submitted as part of a first session; detect a second change in second source network address information for requests submitted as part of a second session; and after detecting the first change, as a result of the first source network address information before the first change being classified differently than the second source network address information before the second change, cause an authentication requirement for the first session to be different than an authentication requirement for the second session after detecting the change in the second source network address information.

18. The non-transitory computer-readable storage medium of claim 17, wherein the instructions that cause the authentication requirement for the first session to be different than the authentication requirement for the second session, when executed by the one or more processors, cause the system to require receipt of login credentials for fulfillment of at least one request submitted during the first session.

19. The non-transitory computer-readable storage medium of claim 17, wherein the change in the first source network address information and the change in the second source network address information each include a change of source Internet Protocol address.

20. The non-transitory computer-readable storage medium of claim 17, further comprising instructions that, when executed by the one or more processors, cause the system to, as a result in detecting the first change, access a database to determine whether to require additional authentication for a pending request of the first session.

21. The non-transitory computer-readable storage medium of claim 17, wherein: the first change is a change from a first network address to a second network address; and the instructions further comprise instructions that, when executed by the one or more processors, cause the system to calculate a confidence score for a classification of the first network address as a fixed network address; and determine the classification based at least in part on the calculated confidence score.

22. The non-transitory computer-readable storage medium of claim 17, wherein: the first change is a change from a first network address to a second network address; and the instructions that cause the computer system to cause the authentication requirement for the first session to be different than the authentication requirement for the second session comprise instructions that, when executed by the one or more processors, cause the computer system to determine a classification for the first network address based at least in part on a security preference of an entity associated with the first session.

23. The non-transitory computer-readable storage medium of claim 17, wherein: the first change is a change from a first network address to a second network address; and the instructions further comprise instructions that, when executed by the one or more processors, further cause the computer system to reclassify the first network address from fixed to dynamic as a result of successful reauthentication in accordance with the authentication requirement for the first session.

24. The non-transitory computer-readable storage medium of claim 17, wherein the authentication requirement for the first session includes successful fulfillment of a strong authentication requirement and the authentication requirement for the second session includes successful fulfillment of a weak authentication requirement.
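
The decision flow of claims 1, 2, 4 and 23, as an added Python example that is not taken from the patent or its inventors. The integer score, its threshold, the treatment of unknown addresses as variable, and the names `SessionGuard`, `IpRecord`, `Session`, `required_auth` and `record_strong_auth` are assumptions made for illustration.

```python
from dataclasses import dataclass

FIXED, VARIABLE = "fixed", "variable"
FIXED_THRESHOLD = 3   # assumed: a score at or above this means "fixed"
MAX_SCORE = 10        # assumed cap so one address cannot accumulate unbounded trust

@dataclass
class IpRecord:
    score: int = 0    # assumed scoring: evidence that the address is stable

    @property
    def classification(self) -> str:
        return FIXED if self.score >= FIXED_THRESHOLD else VARIABLE

@dataclass
class Session:
    session_id: str
    last_ip: str      # source address previously associated with the session

class SessionGuard:
    def __init__(self) -> None:
        self.db = {}  # ip -> IpRecord; stands in for the classification database

    def required_auth(self, session: Session, source_ip: str) -> str:
        """Return "weak" (session cookie only) or "strong" (re-authenticate)."""
        if source_ip == session.last_ip:
            # Same address again: more evidence it is stable; the cookie suffices.
            rec = self.db.setdefault(source_ip, IpRecord())
            rec.score = min(rec.score + 1, MAX_SCORE)
            return "weak"
        previous = self.db.get(session.last_ip, IpRecord())
        if previous.classification == FIXED:
            return "strong"           # a move away from a fixed address is unexpected
        session.last_ip = source_ip   # variable address: the change is expected
        return "weak"

    def record_strong_auth(self, session: Session, source_ip: str, ok: bool) -> None:
        """Update the previous address's record after a strong-auth attempt."""
        rec = self.db.setdefault(session.last_ip, IpRecord())
        if ok:
            # The legitimate user moved: the old address was less fixed than assumed.
            rec.score = max(rec.score - FIXED_THRESHOLD, 0)
            session.last_ip = source_ip
        else:
            # Assumed direction: a failed challenge supports the "fixed" reading.
            rec.score = min(rec.score + 1, MAX_SCORE)
```

A stricter deployment could classify unknown addresses as fixed, so that the first address change in any session forces re-authentication.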

Patent Metadata

Filing Date

Unknown

Publication Date

February 23, 2016

Inventors

Gregory Branchek Roth
Nicholas Alexander Allen

Cite as: Patentable. “ADAPTIVE CLIENT-AWARE SESSION SECURITY” (9270662). https://patentable.app/patents/9270662