1. Field
This invention relates to online identity software that is part of a computer system's identity management process, which upon execution creates usable electronic evidence and a method of criminal profiling and identifying a person(s) who is attempting to gain or has gained access to a computer system or portions of a system, who may not be designated as an authorized user, and who may be posing as an authorized user of that system—through the utilization of cognitive/behavioral biometric fingerprint analysis.
2. Prior Art
Authentication is the process of verifying a user's identity. In the context of a computer system logon, authentication has traditionally been a two step process. First the user will enter a username, user ID, or other unique sequence of characters that identify the user. To complete the process, the user must enter a pre-selected or pre-assigned password or other unique sequence of characters that is secret and only known to the user and the computer system (i.e. a known shared secret). If these two pieces of logon information successfully correspond, the user is authenticated since theoretically the user is the only individual who could know both pieces of information. In the real world, recognizing an individual is something humans do automatically every day—by recognizing a person's face, their voice, or the way they talk. For generations, people have conducted transactions in face to face situations where these factors can be taken into consideration, and people know and grow to trust each other. The most basic level of trust involves knowing an individual's true identity.
Today we are witnessing the convergence of two fundamental shifts; the move to digital (i.e. non-personal) interactions and transactions, and the emergence of connected mobile computing devices (e.g. smart phones), which means a person can conduct financial and other confidential transactions on the managed computer system they have in their hands at all times. This convergence mandates new trusted methods of person verification, identification, and authentication. Every day millions of significant monetary transactions take place between complete strangers. These monetary transactions take place outside of human sight in cyberspace, often through mobile computing devices where it is impossible to see the full transaction taking place. Banks and other financial services providers are facing unprecedented security risks to their businesses. And as the bank's customers, we are now dependent on their security mechanisms to protect us as transactions are conducted.
Authorization, meanwhile, is a mechanism by which a computer system determines what level of access an authenticated user should be granted to secure resources within the system. For example, a system might be designed to provide certain users with unrestricted access to all directories and files within the system, while other users are permitted to access only certain directories and files. Similarly, a database management system might provide certain users with the ability to read, write, edit, delete, or upload files, while other users are limited to read-only access.
Because password-based authentication systems can be attacked with brute force, and because passwords (which most people write down) may be stolen, falsely obtained through social networking, or purposely or unintentionally divulged by the user, thereby rendering the computer system susceptible to unauthorized access, some systems use additional or alternate methods of authentication and/or authorization to address identity-based security threats. For example, a system may require the presence of a physical token, such as a card with a magnetic strip that can be swiped by the user and read by the system. Other systems may rely on the use of biometrics, or characteristics (physical, cognitive, or behavioral) that can be used to distinguish one individual from another through the use of digital equipment. Examples of biometrics that may be used to authenticate a user's identity include 2D face, 3D face, hand geometry, fingerprint, palm, full hand, signature, finger vein, iris, retina, ear, DNA, typing rhythm, and gait.
The use of biometrics signals an important shift in the authentication field in that rather than simply verifying an object possessed by the user (i.e. a proxy for the user), such as a known shared secret password (“what the user knows”), or a physical token (“what the user has”), the system is able to analyze and verify the inherent traits and characteristics of the user himself (“what the user is”). As opposed to a password only system, certain biometric authentication metrics create the added ability to identify the actual person using the computer system at any given time. By utilizing a method of continuous authentication, a specific person can be identified and recognized throughout a complete logon session, confirming that the system is still being utilized by the individual who initially logged onto the computer. Such a method also makes it possible to recognize that an intruder has hijacked an already authenticated session after an authorized identity has already been corroborated. To address these types of identity related security threats, a system's normal identity management process should have the capability to identify/recognize other individuals who have obtained at least a threshold level of access to a computer system who are not designated as authorized users, including intruders posing as authorized users.
Both authentication and authorization are useful for controlling access to computer systems and areas within those systems where sensitive information is stored. The Computer Fraud and Abuse Act and other similar legislation designed to address cyber security, computer fraud, cyber crime, and cyber terrorism make it a crime for a person to knowingly access a computer system without authorization, or to exceed his stated access level. A computer system should also be flexible enough to authenticate a user, as well as set his authorization level, independently of each other. This feature adds authentication strength to the system by protecting the system both from authorized users who might pose a threat to the system and from intruders posing as authorized users. It also facilitates contextual authentication, by allowing the system to require more proof of the user's identity as the risk level of a transaction escalates.
Computer security is one place where the real world and the digital world intersect. However, since they each require a different type of security mechanism, one mechanism will not protect both worlds. In the real world you can check identification and verify that a user is really the person he claims to be using a number of identification methods, and you can be fairly confident that person will not change into someone else later after being admitted to the secure area; at least not physically. In cyberspace however, just because the right person logs into a site or service, that doesn't guarantee that you are still dealing with the same person later in the logon session when an actual transaction takes place. When sensitive information is involved, there is a strong case to be made for continuous verification of a user's identity.
The online behavior of an authorized user can open the door to an intruder during an active logon session through spoofing or other tricks. It is also important to realize that an IT system may be very secure in and of itself, but a user may not protect his username and password as he should, or those could be stolen or hacked, which means an intruder can acquire legitimate credentials to gain access to the system posing as an authorized user. Even in systems where a user is logged off automatically after a short period of time, such as when he leaves his workspace for a few minutes, the system can be hijacked before he returns. Many cybersecurity experts believe that the best ways to defend a computer system are to constantly authenticate the user, and to watch for abnormal behavior, including any abnormal behavior by an authorized user who might have bad intentions or might otherwise pose a security risk to the system by his behavior or mental state. In today's world, computer security mechanisms—designed for user convenience—often favor a person trying to attack a system.
Compounding all these issues is the fact that in today's society what is considered private and public information is not really synchronized with the security requirements needed for our technology. For instance, look at the amount of personal information disclosed by people on social networks every day.
The concerns previously mentioned and other identity related security threats can at least be partially addressed in identity management systems that authenticate the user through cognitive biometrics (i.e. the specific response of that user's brain to certain stimuli). Cognition, a term which refers to both the mind and the brain, can be defined as the “application of the process of thought to knowing” (i.e. thinking) to create new knowledge. Behavior, and therefore behavioral biometrics, can be considered as a complex interaction between cognition, affect, and conation, and as such, can serve as an additional authentication factor reflecting “who the user is” and “what the user typically does”. Cognition involves conscious activity and forms the basis of our intellectual capacities. A user's cognitive function, or the brain mechanisms involved with thinking, reasoning, learning, and remembering (“what the user is”), can be determined through his responses to certain prompts that measure, among other things, his attention, awareness, comprehension, computational linguistics, concentration, decision making, executive function, forensic authorship, judgment, logical thinking, long-term memory, math skills, perception, planning, problem-solving, short-term memory, structural semantics, symbolic thinking, visual-spatial recognition, verbal fluency, phonemic fluency, and working memory. Questions and mental exercises that measure an individual's cognitive function have been used for years in the fields of psychology, psychiatry, education, and human resource management for a variety of purposes, but have yet to be used as a basis for recognizing, profiling, and identifying an intruder as disclosed herein.
In the short term, a user's pattern of responses to certain types of questions provides a basis for authenticating the user through cognitive biometrics. However, if the responses are accumulated over time, they can be used further to form the basis of a recognizable cognitive/behavioral biometric fingerprint unique to that user. The ability to recognize a user for authentication purposes by analyzing his cognitive/behavioral biometric fingerprint can be redirected to identify an intruder who is trying to gain, or has already gained, unauthorized access to a computer system.
One measure of the authentication strength of a computer system is how difficult it is for an imposter to masquerade as an authorized user of the system. Authentication may be undermined by at least two kinds of attacks: attacks in which the attacker is by some means able to corroborate a falsely claimed digital identity and thus log in as an authorized user of the system, and session hijacking attacks in which the attacker attempts to take control of an already authenticated session after a legitimate user's claimed digital identity has already been corroborated. Session hijacking attacks bypass the system's normal identity management system and can succeed no matter how strong the authentication method is. For that reason alone, authentication strength should take into account the risks that authorized users present—such as being cognitively impaired while accessing the system. Greater security is required in this new mobile world—“the internet of devices”—the “cloud” world. This means that protecting the network and computer system, the data in the system, the computing devices used to access those systems, and the user himself is mandatory—at all times, as a user moves from device to device. That means using a combination of improved access control techniques for systems and devices, stronger data encryption, information that is encrypted at rest and in transit, independent authentication and authorization requirements, multi-factor authentication that includes cognitive/behavioral biometrics—“what the user is”, context authentication, continuous authentication, and creating a new type of “trusted credential” tied directly to the user, and that goes with the user as he moves from device to device. A trusted credential could keep data more secure, devices more secure, and the user himself more secure. The user is the “constant” factor in addressing the security issues outlined previously.
Multi-factor authentication is gaining traction at this point in time, because of the need to enhance network, PC, and internet security. One of the driving forces behind this is regulatory compliance. For example, the largest division of the FBI, the Criminal Justice Information System (CJIS), has an Advanced Authentication compliance requirement which is making law enforcement and local governments take action. Effective Sep. 30, 2013, Advanced Authentication is a requirement for all law enforcement personnel accessing NCIC criminal justice information outside of a secure location. Other regulatory compliance standards, such as those for the FFIEC and HIPAA, are driving the market towards two-factor authentication. Two-factor authentication is only a start; multi-factor authentication is really needed.
Multi-factor authentication creates layered security, which creates multiple checkpoints. The weakness of one checkpoint is offset by the strength of another checkpoint in the process. These authentication checkpoints, which create multiple opportunities to recognize and potentially stop an intruder, also create multiple profiling opportunities if an intruder does gain access to the system. Layered security also requires evidence which has a separate range of attack vectors, requiring would-be intruders to have a more complex attack plan to be successful. Increasing the strength of authentication can be done by adding factors from the same or different kinds of authentication categories that don't have the same vulnerabilities. Multi-factor authentication methods include “what the user knows”, “what the user has”, “what the user is”, “what the user typically does” (behavioral habits that are independent of physical biometric attributes), and “context” (location, time, party, prior relationship, etc.). Requiring two or more factors from the same or different categories creates two-factor authentication, and requiring any combination of two or more factors from different categories creates multi-factor authentication.
Some multi-factor authentication methods involve going beyond or even removing a hard to remember password and/or other proxy for the user, and instead focus on making the user himself his actual password. As we continue to move toward biometric authentication systems where the user's behavior, cognitive function, and/or cognitive/behavioral biometric fingerprint (also referred to as “cognitive fingerprint”) are used for authentication in higher risk transactions, for example, and a computer system's identity management system or the specific computing device he is trying to use fails to authenticate him, the question will arise as to whether the system has a glitch in it, he is an intruder who is posing as the authorized user, or whether he is who he claims to be but has some type of impairment that affects his cognitive function and/or cognitive/behavioral biometrics, such as extreme fatigue, an illness or infirmity, an uncharacteristic emotional state, or the fact that he has used alcohol or other drugs or medications. These things bring the authentication term “false rejection” into question, and mandate creating a somewhat more appropriate authentication category such as “user not recognizable—or user is impaired”.
The aforementioned types of issues do not typically arise when only proxies for a user are involved in the authentication process. Password-based authentication systems would normally authenticate any person, including a potential intruder, presenting a username and password, or “something else the user has” like an identification token, if applicable, unless the administrator of the computer system has been advised these credentials have been compromised or they are no longer valid for some other reason. An intruder may reveal himself as such by presenting credentials that have been reported stolen, and the system's administrator, knowing this, will need to determine how far into the authorization process the intruder should be allowed to go. This could mean throwing him off the system immediately. However, learning his identity may be a better alternative, especially if he is another registered user (or former user) of the same IT system; in other words an “insider”.
Recognizing an authorized user can be problematic if the user has some type of temporary impairment, and therefore a cognitive biometric authentication system needs to be able to identify the user's deepest thinking patterns that make him unique—a “core” self that is revealed regardless of the user's current mental state, level of cognitive function, or some other type of temporary impairment. For example, if a user is sleep deprived he may have working memory issues. His keyboarding skills may be affected, and he may take longer to accomplish a task. However, the ultimate work product may reach his normal skill level—therefore demonstrating his “core” self. This is the case, for instance, if his cognitive processing time and cognitive rhythms do not match his normal metrics, but the decisions he ultimately reaches and the preferences he normally demonstrates make his response accurate.
Cognitive function refers to a person's ability to process information (i.e. to think), and is reflective of his general level of cognitive skills, as well as his ability to exercise those skills at a given point in time. The user's cognitive/behavioral fingerprint reveals the unique way each person processes the information he encounters in the real world. This processing method can be observed through his unique patterns of interaction with the technological devices he uses each day. These interactions can be measured and analyzed in real time (i.e. dynamic), or after the fact through the digital evidence left behind. A user's cognitive fingerprint is inextricably tied to his cognitive function. Accordingly, a user's highest level of cognitive function is limited by the level of cognitive skills he possesses, and to a great degree, his working/short term memory.
A successful identity management system should also include the ability to recognize a person in multiple and distinct ways. One way to identify a specific individual is to know what that person's capabilities and limitations are—a system that has the ability to recognize him by what he is, as well as what he is not. While an intruder may only provide the chance to capture metrics a couple of times, the computer system may have captured the authorized user's metrics hundreds of times. Therefore it is quite possible to distinguish an intruder from the authorized user, not by knowing who the intruder is, but by thoroughly knowing who the authorized user is—and isn't. This is the case, for example, when it appears an authorized user's skill level is clearly different than the skill level of the person (or other would-be intruder) attempting to gain access to the computer system using his credentials. This can be particularly noticeable when verbal reasoning skills are demonstrated or when fine motor skills are involved. Metaphorical questions are particularly demonstrative in this regard, because an individual's knowledge of the language is critical, and a metaphor can be reflective of local jargon only, for example. In addition, a person is only capable of performing motor skills up to a certain skill level, and that exact level would be hard for an intruder to know or duplicate.
A computer system that can recognize this type of situation can potentially identify an intruder by recording evidence at the time a crime is being committed. This evidence can be used to establish a profile for the intruder that when combined with an unknown shared profiling secret(s), and the user's unique cognitive fingerprint, could eventually lead to the identification of a specific individual as the intruder. This process would make an “insider” such as a co-worker for example, readily identifiable.
For years now, psychologists have been working in collaboration with law enforcement agencies to integrate psychological science into criminal profiling. The most popular method of criminal profiling, offender profiling, attempts to identify criminals based upon an analysis of their behavior while they engage in a crime. If decision making and behavior is common across crimes, it could possibly be the same criminal. Behavior is revealed by the choices offenders make while committing a crime, including modus operandi, location of the crime, and weapon of choice. This information is then combined with other pieces of physical evidence such as a biometric fingerprint, if available. If no biometric fingerprint or actual DNA is available, the behavior can be compared with the characteristics of known personality types and mental abnormalities to develop a practical working description of an offender. Knowing a criminal's patterns of decision making and other character traits can be important, even if they do not apply to a specific criminal act, for instance knowing a suspect's risk taking habits in general.
Cyber crime significantly changes the rules of criminal investigation. First, there may well be multiple crime scenes involved, for instance, the hacker's computing device and where it is located at the time of the crime, and the user's computing device and where it is located at that time; or even where a digital signal may have been intercepted. These locations may be hard to identify, and may include both real world and virtual locations. Unlike traditional crime scenes however, evidence often exists in the cyber world only in a computer or other computing device, a system or network, or on the internet. That is because the weapon of choice is also a computer/computing device, a network, or the internet. Digital forensics is the uncovering and examination of evidence located on all things electronic with digital storage, including computers, cell phones, and networks. Evidence is hard to obtain and easily contaminated, and/or destroyed. While log and audit trails could lead security analysts to a perpetrator, most often the trail ends at a computer, a server, or a network—not the actual person involved. It may never be possible to confront the intruder in person for interrogation. Rarely will a biometric fingerprint or DNA be available and usable as evidence of a cybercrime. With luck, there will be some digital evidence to use, and if the evidence can be attributed to a specific person through the recognition of his cognitive fingerprint and the utilization of continuous authentication, then some real tangible evidence exists.
Modern crime often leaves an electronic trail. Finding and preserving that evidence requires careful methods as well as technical skill. Information on a computer system can be changed without a trace, the scale of the data that must be analyzed is vast, and the variety of data types is enormous. A digital investigator must be able to make sense of any data that may be found on any device anywhere on the planet—a very difficult proposition. The invention disclosed herein creates the ability to obtain evidence and put together a profile of the intruder from a real world and/or a virtual crime scene, as well as the opportunity to learn important things about the intruder while he is committing the crime, using a four level process. If enough interaction occurs, it may even allow the intruder's unique cognitive fingerprint to be captured.
The invention levels the playing field somewhat between a real world crime and a crime taking place in cyberspace. In fact, there could be more total evidence collected in a computer crime situation than in a real world crime because of the number of devices, systems, and networks involved, all of which have their own means of identification built into them. A criminal attempting to minimize forensic evidence must understand the devices that will be involved in a crime ahead of time, and anticipate the trail of evidence that will be left while using those devices. If the user's cognitive/behavioral fingerprint is to serve as evidence, it must have a reliability factor equivalent to a biometric fingerprint obtained in the real world. Currently less than 5.0% of cyber criminals are caught and prosecuted. Cyber criminals rely on the anonymous nature of the internet and technology to camouflage their true identities. So, it will take other methods to identify and locate them. That is why the use of criminal profiling will almost certainly grow over time.
Criminal profiling involves linking criminal cases based on the crime scenes, the crime victims, and the criminal's behavior during a crime to create a “signature”—a behavior pattern that fulfills a physical or psychological need in the perpetrator. Profiling provides investigators with specific information about unknown suspects that will help in the identification and/or apprehension of the actual criminal. It also helps the investigators reduce the number of suspects by eliminating those who are outside the profile. The more advanced an offender, generally the less evidence of the crime he will leave behind. But, his level and method of attack would probably be the same. In many cases computers contain evidence of a crime that took place in the real world. The computer may only be incidental. Other digital forensics cases are those in which the crime was inherently one involving computer systems, such as hacking. Digital forensics is powerful because computer systems are windows into the past. Many retain vast quantities of information—either intentionally in the form of log files and archives, or inadvertently, as a result of software that does not cleanly erase memory and files. Such records can reveal an individual's state of mind or intent at the time a crime was committed.
Profiling methods evaluate multiple factors including (1) forensic analysis designed to find the meaning of any evidence or other digital artifacts left behind, (2) an assessment of the victim—how, when, where, and why a particular victim was chosen, (3) crime scene investigation to determine distinguishing characteristics, and (4) analysis of the offender's revealed characteristics and traits. Once a suspect has been identified, interactions between the victim and the criminal may be evaluated and include: (A) interpersonal relationships, (B) significance of the time and place of the crime, (C) criminal characteristics of the offender's traits, (D) the offender's criminal history, and (E) forensic awareness—whether the criminal has knowledge of police evidence collecting techniques and procedure, as well as awareness of the evidence that will be left by the various technological devices utilized in the crime. Profiling may be the most relevant in situations where intense, relatively short-lived, and potentially traumatic interactions take place that are generally characterized by the diametrically opposed interests of the offender and the victim. Therefore the influence of situational factors and the role of the victim should not be neglected. Focusing on the types of interpersonal interactions taking place across situations has also proven productive. In the digital age, visiting another person's social networking site and leaving a comment could be considered by some to be an interpersonal interaction.
Researchers in a recently published study in predictive technology, “Private traits and attributes are predictable from digital records of human behavior” (Cambridge University in the UK, and Microsoft Research, 2013), claim that they were able to use easily accessible digital records of behavior, Facebook “likes”, to accurately predict a wide range of attributes that included sexual orientation, ethnicity, religious and political views, personality traits, intelligence, happiness, use of addictive substances, parental separation, age and gender. An individual's digital fingerprints, especially those connected with social media and networking, create many new profiling and person identification opportunities. The invention disclosed herein creates the opportunity to identify the person to whom the digital fingerprint belongs—the ability to attach a name and face to the fingerprint.
Biometrics involves identifying someone by his physical, cognitive, and/or behavioral characteristics, and there are advantages and disadvantages to using this identification method for authentication purposes. While a person can imitate another for a certain amount of time, shaking the deeper patterns that are all their own can be difficult. Deeper patterns, such as how long a person might take to solve a certain problem or mental exercise, or how they interpret certain words, or how they demonstrate a preference in a response are embedded in the person's cognitive function and thinking patterns and therefore can be hard to mask.
Being able to recognize these deeper thinking patterns means cognitive biometrics can also have advantages when it comes to identifying a person who does not wish to be identified. Cognitive biometrics opens new windows on the mind, and new opportunities to profile and identify criminals in cyberspace. It also opens up new opportunities for online credentialing. If identity management systems no longer rely only on proxies to recognize a user, but also focus on user attributes, authentication credentials could have a more permanent recognizable connection to the user as he moves from one device, machine, system, or network to another—credentials that are always in his possession and controlled by him, and that are not just arbitrarily assigned authentication credentials which in essence are simply more proxies for the user. Biometrics has a defined role within the NSTIC trusted credential initiative, and can provide assurance at the highest level. Authentication systems based on the continuous monitoring of the user's typing metrics, for example, directly tie the user's cognitive/behavioral biometrics to his authentication credentials. By transforming his accurate responses (i.e. his keystrokes) into authentication credentials on a continuous basis, authentication can be carried out without interrupting the user's normal activities. The same concept could be used to formulate the basis for a new type of trusted derived credentials for mobile devices, and could be used for multi-factor authentication. A user's accurate responses (the same responses that ultimately comprise his unique cognitive fingerprint, and are therefore always in his “possession” and under his “control” no matter what mobile computing device he is using) could be his logon/authentication credentials, or at least serve as a basis for the logon credentials assigned, and then they could be encrypted strongly.
An intruder could then be tracked across devices, machines, networks, and systems without being aware of it, because his real metrics, cognitive fingerprint, and cognitive function will have been captured prior to the time any encrypted logon credentials are assigned to him as he moves from system to system.
Of all the world's creatures, only humans are capable of thinking about thinking, and learning about learning. These represent two of the highest cognitive processes mankind possesses. Much of the thinking and learning concerns how a person's brain perceives the world and processes information utilizing “cognition”, which can be defined as “the application of thought to knowing to create new knowledge”. However, current research shows that the brain is capable of unconsciously learning as well. The dividing line between the unconscious and the alert conscious brain when it comes to thinking, reasoning, learning, and remembering, is unclear at this point in time. Implicit learning takes advantage of the fact that a person's brain learns and records some things without the person knowing he has learned and recorded them. It refers to developing a thinking pattern, without any conscious knowledge of the learned pattern. This also means that users are usually not even aware they are demonstrating certain patterns or preferences when they answer questions or do mental exercises, and therefore do not specifically try to remember them. Keyboarding takes advantage of this, as it would probably take quite a while to recreate the layout of your keyboard exactly—but you can type quickly and without hesitation. Similarly, it might be possible for a user to “know” a password without being able to write or recite it exactly. As far as multi-factor authentication is concerned, matching an unknown shared profiling secret means the user must be able to match “what the user has”, “what the user knows”, and “what the user is”. A “one-time password” and a token, if applicable, would represent “what the user knows” and “what the user has”.
The invention disclosed herein creates an unknown shared profiling secret, or a series of unknown shared profiling secrets between a potential user (or an intruder posing as an authorized user) and the computer system, without the user consciously knowing that this is taking place. This is accomplished by presenting the intruder with outside variables (i.e. stimulus-response scenarios) that call for responses that represent his thinking patterns, cognitive function, and cognitive skills, and that reveal certain demonstrated preferences as well. This means an identity management system could potentially be created that is based on what a user really knows, but may not consciously know or remember. For example, how long it takes him to read, interpret, think about, and enter a response to a metaphorical question involving verbal and computational skills calling for several demonstrated preferences. If a response(s) to an exact or similar stimulus-response scenario(s) has been measured and recorded previously, the computer system will have documented this information. A person in his normal cognitive state would demonstrate his normal reading speed, thinking time, and response time in making his response, whether or not he knows what those exact times are. Therefore, just by demonstrating the same reading speed he normally does, he might be able to make an accurate response to an unknown shared profiling secret—it is something he knows, but may not consciously know. The user would theoretically not know an unknown shared profiling secret was being created at the time he demonstrates preferences, and therefore would not be trying to duplicate, or avoid duplicating, them a second time.
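The comparison described above, between a new response's reading, thinking, and entry times and those recorded earlier, can be illustrated with a small scoring routine. This is an added example, not part of the disclosure: the feature names, the scaled Manhattan distance, the threshold of 2.0, and all sample timings are assumptions constructed for illustration.

```python
from statistics import mean, stdev

FEATURES = ("read", "think", "entry")  # seconds; feature names are assumptions

# Constructed enrollment samples: timings recorded for earlier scenarios.
ENROLLED = [
    {"read": 4.0, "think": 2.0, "entry": 3.00},
    {"read": 4.2, "think": 2.2, "entry": 3.30},
    {"read": 3.8, "think": 1.8, "entry": 2.70},
    {"read": 4.1, "think": 2.1, "entry": 3.15},
    {"read": 3.9, "think": 1.9, "entry": 2.85},
]

def build_profile(samples, min_samples=5, min_std=0.05):
    """Per-feature (mean, std). Thin enrollment is rejected, and std is
    floored so one very consistent feature cannot dominate the score."""
    if len(samples) < min_samples:
        raise ValueError("not enough enrollment samples")
    profile = {}
    for f in FEATURES:
        values = [s[f] for s in samples]
        profile[f] = (mean(values), max(stdev(values), min_std))
    return profile

def score(profile, response):
    """Mean absolute z-score (scaled Manhattan distance); lower is closer."""
    total = sum(abs(response[f] - m) / s for f, (m, s) in profile.items())
    return total / len(profile)

def matches(profile, response, threshold=2.0):
    """True when the response is within the (assumed) distance threshold."""
    return score(profile, response) <= threshold

def error_rates(profile, genuine, impostor, threshold=2.0):
    """(false reject rate, false accept rate) on labelled test responses."""
    frr = sum(not matches(profile, r, threshold) for r in genuine) / len(genuine)
    far = sum(matches(profile, r, threshold) for r in impostor) / len(impostor)
    return frr, far

if __name__ == "__main__":
    p = build_profile(ENROLLED)
    same_user = {"read": 4.1, "think": 1.9, "entry": 3.1}   # constructed
    other_user = {"read": 2.5, "think": 0.6, "entry": 5.0}  # constructed
    print(round(score(p, same_user), 2), matches(p, same_user))
    print(round(score(p, other_user), 2), matches(p, other_user))
```

Measuring false reject and false accept rates on labelled responses is what gives such a comparison a known error rate; a user who is tired or distracted can fall outside his own profile, so the threshold trades one rate against the other.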
An unknown shared profiling secret comprising a measurable stimulus-response scenario that has been set up ahead of time could be presented. This variable could be based upon previous responses made by an intruder to a key outside logon variable(s) or regular outside variable(s); or even the acceptance response(s) that have been made previously by the intruder. Or an unknown shared profiling secret could be created by recognizing a scenario that has already taken place, which has been recorded in some way—for example the intruder's awareness of the evidence that would be left behind by the various technological devices used in the crime. The design of the unknown shared profiling secret depends on the specific metrics being looked for. The unknown shared profiling secret would be formulated based on previous demonstrations of a user's deep thinking patterns without the user being aware that he has made these demonstrations. An additional unknown shared profiling secret that calls for the same type of patterns to be revealed could then be presented later and the response compared to the demonstrated preferences and other neural coding and decoding information previously collected. Only a person demonstrating these same deep thinking patterns and interactions with the computer could reveal this unknown shared profiling secret exactly—information which neither the authorized user nor the potential intruder may be consciously aware of. As a matter of fact, it would take a conscious effort on behalf of the intruder to disguise his real deep thinking pattern. If he is posing as an authorized user, he would have to satisfy an identity management system that is attempting to recognize that user. It has been said that a person is really a combination of three people: who he thinks he is (i.e. his “conscious self”), who others think he is (i.e. his persona/personality), and who he really is (which includes his “unconscious” self).
The most basic level of trust relates to an individual's true identity. The methods disclosed herein could not be utilized in an identity management system based only on proxies for the user.
In order for a profile relating to the guilt of a specific defendant to be legally relevant, it must render the facts at issue (the commission of the crime by the defendant) more probable. Thus, it is not sufficient to state that the defendant possesses the qualities of the type of individual who could have committed the offense, because the jury must evaluate whether the defendant matching the description is in fact the offender. “There is all the difference in the world between evidence proving that the accused is a bad man, and proving that he is “the” bad man”—Lord Sumner (1918). Profiling has some inherent problems, and one of these is that it would normally be improbable that a profiler would be able to demonstrate with sufficient strength any claim that he or she can reliably and consistently identify character traits (whether personal, social, or cultural) from the crime scenes. That evidence would normally lack any reliable foundation. The four level process disclosed herein (particularly the unknown shared profiling secret and cognitive fingerprint features of it), can overcome this objection by recording responses made by the actual intruder at the crime scene, therefore providing a reliable foundation for identifying some of his character traits while the crime is taking place. Profiling is not generally designed to identify a specific person as the offender, but to help investigators limit the number of potential suspects by specifying the type of personality traits an offender most likely possesses. The word “likely” is important. Profilers tend to talk in terms of probabilities rather than absolutes.
The four level process disclosed herein is designed to identify a specific person as the offender, and thus goes much farther than profiling normally goes. The invention disclosed herein creates new profiling and person identification capabilities through its ability to generate evidence that would not otherwise have been created, or exist. Creating such evidence could be compared to the police using speed detection and alcohol-testing instruments to substantiate speeding and DUI charges. This doesn't mean creating incriminating evidence where there is none—but rather creating the means to generate and collect incriminating evidence that would not otherwise have been created or exist. Each stimulus-response scenario that creates the presentation of an outside variable is really part of a larger overall stimulus-response process to gather additional digital artifacts and forensics—and introduces a new analytical tool, the cognitive fingerprint grid. The “outside response” to an “outside variable” provides the missing link that ties the digital forensic process together. By presenting false logon credentials and/or making an outside response following presentation of the legal/privacy page, an intruder is demonstrating criminal intent.
For instance, the evidence collected in a specific crime could include locating a mobile device indicating a mobile phone call was made near the time a crime was committed. The device may also provide its location at the time that call was made (which may even be part of the crime scene), and/or that may specifically identify another device or mobile phone contacted. Some texting may also have been recorded. However, none of these things necessarily identify the actual parties involved in the crime. That's a major reason why wiretapping, eavesdropping, data mining that looks for conversations and communications, videotaping, and speed detection and alcohol-testing devices may be legally implemented and potentially used to create/generate evidence of a crime. Today, an innocent bystander can create evidence of a crime through his mobile phone or video camera, sometimes even multiple crimes attributable to more than one individual at the same crime scene. Some courts have allowed the police to confiscate the devices involved in such occurrences, if the police believe they need to do so in order to keep potential evidence from being destroyed.
All the aforementioned methods/devices, if they meet rigid legal requirements, can be used to create and collect usable electronic/digital evidence, and almost all of them have another thing in common—they can be used to create and collect such self-incriminating evidence without the individual knowing it or having given his prior approval. These are suspects doing what they were going to do, but caught in what they thought would be undocumented actions. The use of the stimulus-response scenario outlined herein provides a suspect's voluntary response to an unknown shared profiling secret (which could actually be considered a conversation between identifiable parties) from the crime scene, at the time the crime is actually being committed. This evidence is possible only because of the components joined together to form the four level process outlined herein—components not normally found together otherwise; similar in concept to the speed detection and alcohol-testing devices used by the police.
Components include a specifically designed stimulus-response scenario, an unknown shared profiling secret requiring cognitive biometrics (not a proxy for the user, but what the user himself “is”), which allows for outside responses to be measured and recorded. The accurate responses are then transformed into outside credentials that are stored in a memory system that can be easily accessed using a range of different criteria (the artificial intelligence utilized is similar in concept to a DNA molecule), which can then be traced to a specific individual using the cognitive fingerprint grid and cognitive fingerprint analysis. In prior days, evidence of a crime was collected and analyzed with the hope that it could be tied to a specific individual through criminal profiling and the further collection of evidence. The invention disclosed herein creates the opportunity for a computer system, and an intruder into that system, to jointly create usable evidence that can be tied directly to the intruder during the time the intruder is committing a crime, by utilizing a dynamic four level process.
As far as reliable physical evidence is concerned, being able to recognize the user's unique cognitive biometric fingerprint could be considered tantamount to possessing a biometric fingerprint in the real world (“What the intruder is”). Additional evidence could also include an accurate response to an unknown shared profiling secret that only the same person could make (“What the intruder has, is, and knows”). There would also be evidence of the intruder's cognitive function and patterns of behavior during the crime. The authorized user's normal response to a similar unknown shared profiling secret has already been recorded by the identity management system. The intruder's responses could now also have been recorded. A comparison can be made.
Having this evidence has to be helpful when considering a suspect. There is a good chance (i.e. a strong probability) that a serious suspect for a crime based on other evidence, who interacts with the computer in the same way, demonstrates the same thinking patterns and preferences when making a response to a similar outside variable (a user is not normally consciously aware he has displayed these preferences), has the same cognitive strengths and weaknesses, and exhibits the same decision-making skills as the intruder, is in fact the intruder. Each additional piece of evidence raises the mathematical probability of identifying the actual intruder. Obtaining further evidence of the intruder's true metrics after he becomes a suspect is critical, but can be problematic for a number of reasons, including potentially violating an individual's civil rights and protections regarding self-incrimination. Further, a suspect could attempt to disguise his real keyboarding skills when asked to give a sample. Capturing a wide range of metrics at the time of the criminal act that can be measured and analyzed would be a way of creating the opportunity to identify some deeper thinking patterns that make a user unique and reflect his “core” self. These patterns can be consciously disguised by an intruder, but not indefinitely. In 1993, the US Supreme Court held in the matter of Daubert v. Merrell Dow Pharmaceuticals that any scientific testimony presented in a court must be based on a theory that is testable, that has been scrutinized and found favorable by the scientific community, that has a known or potential error rate, and that is generally accepted.