Title:
ENHANCED ONLINE COMPUTER ACCESS CYBER SECURITY SYSTEM
Document Type and Number:
WIPO Patent Application WO/2018/128605
Kind Code:
A1
Abstract:
A control system to restrict, enable or otherwise securely manage all human, machine (computer) and software access to system/network components through conversational-mode human-to-computer and computer-to-computer exchange of information from human sources and prerecorded database information, which securely prevents unauthorized human or software control of, or changes to, system/network online computers and goes way beyond any existing computer security.

Inventors:
SPRAGUE DON (US)
Application Number:
PCT/US2017/012190
Publication Date:
July 12, 2018
Filing Date:
January 04, 2017
Export Citation:
Assignee:
SPRAGUE DON E (US)
International Classes:
G06F7/04; G06F15/177; G06Q10/06; H04L9/32
Foreign References:
US20120203677A1 (2012-08-09)
US20070010266A1 (2007-01-11)
US20030079132A1 (2003-04-24)
US6799198B1 (2004-09-28)
US20100011127A1 (2010-01-14)
US8713641B1 (2014-04-29)
Claims:
Having described my invention, I claim:

1. An enhanced computer access security control system for restricting, enabling and managing user and software access, use and changes to all system/network online computers that go way beyond any existing computer security tools, comprised of:

a. Access Security Managers,

b. End user directory security databases,

c. Enterprise directory security databases,

d. Enhanced Internet service provider directory security services databases,

e. National directory security services databases,

f. International directory security services databases,

g. Enhanced user to device access identification, device logon,

h. Enhanced local to remote access, bidirectional logon.

2. Access Security Managers as recited in claim 1, which control all user and application access to computing devices, preventing unauthorized human and software use or changes using advanced security and identification.

3. End user databases as recited in claim 1 that are managed by the access security manager and contain the required access security data, and may also include any and all information the user chooses to record, share or otherwise manage through the access security manager.

4. Remote enterprise, national and international databases as recited in claim 1 that maintain and share reusable enterprise and user identification information with a secure process to share the reusable information on an as needed basis.

5. Secure Service Manager function on end user devices as recited in claim 1 to control and manage changes to the end user device, comprised of:

a. An access security manager to enable the end user to approve, disapprove or otherwise manage installation and activation of code in the end user device.

b. An access security manager that is installed in the user device to approve, disapprove or otherwise manage links in email or on web pages to prevent unauthorized activation of code on the user device.

c. An access security manager that replaces cookies with secure cookies that enable the end user to approve, disapprove or otherwise manage requests from remote applications to store or otherwise enter information on the end user device.

d. An access security manager that sends secure cookies information to remote applications requesting the information.

An enhanced user to device identification and logon secure access manager as recited in claim 1 to enable secure device access and secure system/network access, comprised of:

a. A system for enhanced user to device logon using facial recognition with real time video/audio and remote viewing of video and audio.

b. A bidirectional access code that establishes a logical connection between computers that does not require legacy IDs and passwords for computer to computer access.

c. A system for enhanced enabling of an alternate or second user device.

d. A system for enhanced legacy ID and password management.

e. A system for enhanced remote access.

f. A system for electronic credit card management using the access security manager.

Description:
Patent Application of Don E. Sprague for

ENHANCED ONLINE COMPUTER ACCESS CYBER SECURITY SYSTEM

CROSS REFERENCE TO RELATED APPLICATIONS

Not Applicable

STATEMENT REGARDING FEDERALLY SPONSORED RESEARCH OR DEVELOPMENT

Not Applicable

NAMES OF PARTIES TO A JOINT RESEARCH AGREEMENT

Not Applicable

SEQUENCE LISTING TABLE OF COMPACT DISCS

Not applicable

MICROFICHE APPENDIX

Not Applicable

6. BACKGROUND OF THE INVENTION

a. Field of invention

This invention relates to the field of security of computers in a system/network. More specifically, the invention includes a broad access security system for restricting, enabling or otherwise managing access and changes to all system/network online computers that go way beyond any existing computer security tools.

b. Description of Related Art.

There are many online security control processes that use IDs and passwords to identify who is or is not permitted to access a computer resource. Firewalls have been implemented to prevent unwanted computer access. Since the early days of computer networks, code has been installed on computers to permit remote access or takeover. As business needs increase, more code is installed to enable more ways to permit remote access or takeover.

Clicking on a link in an email or on a web page activates code that enables remote access or remote takeover. The large number of site IDs and passwords has created a security problem that requires a new approach. It is known that the existing methods of checking the identity of humans or software seeking access to computers are not adequate.

7. BRIEF SUMMARY OF THE PRESENT INVENTION

The present invention removes existing code that permits human and machine access to computers. The invention then installs new code that establishes an access security system for local and remote online access by humans and by machine software. The access security system addresses business needs while providing enhanced security. The invention enables users and businesses to see and verify information about communication partners. It enables users and businesses to control the installation and activation of code or applications on their devices when accessing web pages or clicking on links in email or files. It enables users and companies to record common data once and then reuse it as needed.

The following main security components interact to provide enhanced security to protect all system/network online computing devices. They are described in detail later.

- Access Security Manager,

- End user directory security database,

- Enterprise directory security databases,

- Enhanced Internet service provider directory services databases,

- National directory security services databases,

- International directory security services master databases,

- Enhanced user to local device access identification, device logon,

- Enhanced local to remote access, bidirectional logon.

8. BRIEF DESCRIPTION OF DRAWINGS

Not applicable

DETAILED DESCRIPTION OF THE INVENTION

This invention includes access security managers and remote directory services databases that use human-to-computer and computer-to-computer conversational mode authorization system services to create comprehensive end to end and intermediary system/network components that address the architectural security requirements of:

- Any user on any network can communicate with any other user on any other network when authorized.

- Anything that can be recorded electronically can be delivered electronically .

To securely permit any to any, all existing openings or doors for computer access must be closed and replaced with secure doors or access ports .

- Software must be known before it is given access to computers.

- User must be known before they are given access to computers.

The first part of this invention addresses machine or computer and software identification and access; it then addresses human identification and access.

a. NEW APPLICATION INSTALLATION AND ACTIVATION

All existing code to enable remote activation of an application or installation of an application must be removed. Simply clicking on a link or button will not automatically enable installation or activation of software or remote control. Clicking on a link or button to activate an application is controlled through the access security manager.

For applications not already installed on the user device: When a user clicks on a link or button in an email or file or on a web page that is intended to launch an application, the access security manager examines the activation request. If it is a request to run an application that is not on the computer, the access security manager checks the national database for known, approved or disapproved applications. Then the access security manager displays an application activation and installation request screen with detail about the application and the developer owner report from the remote national database. The site or application data must be in layman's terms. The user may click to allow or disallow the installation, click to disallow and report a suspicious request to the online database, or click to report and label the application or site as do not communicate. If the user approves the remote request to install and run an application, the user clicks to allow the application to install. Once installed, the user must again approve the run of the application. For enterprise owned devices, the enterprise database is checked for information about approved applications that may be installed on the computer.

b. Existing application activation

The user is informed about activation of any and all existing applications already installed on the user device. When a user clicks on a link or button to activate an application, the access security manager examines the application to be activated. If the software is already installed on the device, the access security manager uses upgraded methods of displaying information about the activation of an application and seeking user approval. The upgrading includes but is not limited to display of the application description and status that is in the national database. The access security manager enables the user to see detailed information in layman's terms about all installed and running applications.

c. SECURE DEVICE ACCESS FOR SECURE SINGLE LOGON

In a closed system, a secure logon to any system component may enable a user to access any other system component. A network is essentially an extended system. Once a user has approved access to their system/network entry point, agreements between system/network components may enable the user to access all approved system/network components without additional legacy IDs and passwords.
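Sections a and b above describe what the access security manager does with a click that would launch an application: the request is examined, checked against the national database (or, on an enterprise device, the enterprise's approved list), shown to the user in layman's terms, and then allowed, disallowed, reported, or labelled do not communicate, with a separate approval for the run once the install is done. The Python below is an added illustration of that decision flow; it is not code from the application. The database records, the user's behaviour and the class and function names are all constructed for the example.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, List, Optional, Set


class Listing(Enum):
    """Status of an application in the (constructed) national database."""
    APPROVED = "approved"
    DISAPPROVED = "disapproved"
    UNKNOWN = "unknown"


class UserChoice(Enum):
    """The four clicks the request screen offers."""
    ALLOW = "allow"
    DISALLOW = "disallow"
    REPORT_SUSPICIOUS = "disallow and report"             # report the request to the online database
    DO_NOT_COMMUNICATE = "report and do not communicate"  # report and label the app/site as blocked


@dataclass
class AppRecord:
    """Developer/owner report held in the national database, described in layman's terms."""
    developer: str
    description: str
    listing: Listing


UNKNOWN_APP = AppRecord("unknown developer", "no record in the national database", Listing.UNKNOWN)


@dataclass
class AccessSecurityManager:
    national_db: Dict[str, AppRecord]
    enterprise_approved: Optional[Set[str]] = None     # None: individually owned device
    installed: Set[str] = field(default_factory=set)
    blocked: Set[str] = field(default_factory=set)     # labelled "do not communicate"
    reports: List[str] = field(default_factory=list)   # suspicious-request reports sent upstream

    def request_screen(self, app: str) -> Dict[str, str]:
        """Builds the activation/installation request screen from the national database report."""
        rec = self.national_db.get(app, UNKNOWN_APP)
        return {"application": app, "developer": rec.developer,
                "description": rec.description, "listing": rec.listing.value}

    def handle_link_click(self, app: str, decide: Callable[[Dict[str, str]], UserChoice]) -> bool:
        """A click never runs code by itself. Returns True only if the application actually runs."""
        if app in self.blocked:
            return False
        if app not in self.installed:
            # enterprise-owned device: the enterprise database lists what may be installed
            if self.enterprise_approved is not None and app not in self.enterprise_approved:
                return False
            if not self._apply(app, decide(self.request_screen(app))):
                return False
            self.installed.add(app)
        # once installed (or if already installed) the run itself needs its own approval
        return self._apply(app, decide(self.request_screen(app)))

    def _apply(self, app: str, choice: UserChoice) -> bool:
        """Records the side effects of a user choice; only ALLOW lets the request proceed."""
        if choice is UserChoice.ALLOW:
            return True
        if choice is UserChoice.REPORT_SUSPICIOUS:
            self.reports.append(app)
        elif choice is UserChoice.DO_NOT_COMMUNICATE:
            self.reports.append(app)
            self.blocked.add(app)
        return False


# Constructed sample contents of the national database.
NATIONAL_DB = {
    "pdf-viewer": AppRecord("Example Docs Inc.", "Opens and prints PDF files", Listing.APPROVED),
    "free-codec": AppRecord("unknown", "Reported to install remote-control software", Listing.DISAPPROVED),
}


def cautious_user(screen: Dict[str, str]) -> UserChoice:
    """Constructed user behaviour: allow approved applications, block anything else."""
    return UserChoice.ALLOW if screen["listing"] == "approved" else UserChoice.DO_NOT_COMMUNICATE


def demo() -> Dict[str, bool]:
    asm = AccessSecurityManager(NATIONAL_DB)
    return {
        "pdf first click (install + run)": asm.handle_link_click("pdf-viewer", cautious_user),
        "pdf second click (run only)": asm.handle_link_click("pdf-viewer", cautious_user),
        "codec click": asm.handle_link_click("free-codec", cautious_user),
        "codec blocked afterwards": asm.handle_link_click("free-codec", cautious_user),
        "reported once": asm.reports == ["free-codec"],
    }


if __name__ == "__main__":
    for step, outcome in demo().items():
        print(f"{step}: {outcome}")
```

The default is deny: a request runs only when the user's click is ALLOW, and the two approvals (install, then run) are separate calls to the same screen, as the description requires. A do-not-communicate label is remembered, so the next click from that application is refused before any screen is shown.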

There are two main areas of logon access approval:

- User to local device,

- Local device to other local or remote system/network device.

d. ENHANCED USER TO LOCAL DEVICE ACCESS, DEVICE LOGON

Enhanced user to device access identification enables secure single logon to the local entry device that securely communicates with remote sites and applications in a logical private system/network.

A single logon approach simplifies the management of IDs and passwords. Single logon applications have been in use since the global network architecture of "any to any when authorized" began over 35 years ago. One of the first single logon processes was in the service provider network. Most are in the user device. Although "any to any" has grown as designed, the security of "when authorized" has been left behind. A system/network bidirectional computer to computer identification and logon makes legacy IDs and passwords obsolete.

There are existing techniques to identify a user to a device. Most are limited to a PIN and perhaps a fingerprint. Additional tools include an identification card. A combination of device to user logon identification techniques increases security. Facial recognition and voice recognition add a significant level of security. A still shot for facial recognition and voice recognition are required for significantly more secure user to device identification. Real time motion video with voice is the next level. Real time remote viewing of the device's video and audio showing the actual user adds a significant level of user to device verification.

e. ENHANCED LOCAL TO REMOTE ACCESS, BIDIRECTIONAL LOGON

As the number of IDs and passwords increases, user mismanagement becomes inevitable. Computers can manage large amounts of data better than a human. Any data that can be used electronically can be recorded and managed electronically. IDs and passwords can be securely recorded, managed and delivered electronically. Once the user has been securely identified, the computer can perform computer to computer identification tasks more efficiently and more securely than the human.

Legacy IDs and passwords may continue for many uses, but secure bidirectional logon will be required for critical financial and confidential applications.

Bidirectional registration between a local user device and the remote target site or application is through the access security managers. Once the user is securely known to the local user device, a legacy password is superfluous. To register a local device to a remote device or site, the access security managers at both ends exchange and record component and user information. Both ends access and verify data in a remote national database with user, application and site information. As part of the registration, a bidirectional access code is computer created, then encrypted and recorded at both ends for future access or logical private network connection. The access code is revoked if there are any changes to an end device. The bidirectional conversational registration exchange establishes a logical system/network connection between the two ends that remains as long as there are no system/network changes that terminate the access code.

Secure network registration to Internet service providers and to the national database defined in this invention uses information that has been recorded in the user and enterprise site access security manager and is used over and over. That information includes such things as: the end user's simple human recognizable alias ID, real IP bit address, the end user's real name, company name if any, all human recognizable alias addresses and real street addresses, and legacy IDs and passwords. It may include computer information such as device type, serial number, operating system and other software levels. All the appropriate end user registration identification information is recorded in the Internet provider registration database and is mirrored in the national database. The table entry in the national database is given a bit value that includes the table location, a change level bit value and an approval listing value with known security risks.
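The registration exchange above, the table entry values it records (table location, change level, approval listing) and the sleep/wake re-verification that the description covers next can be modelled as one short exchange. The Python below is an added illustration, not the application's code: the national database is an in-memory dictionary, the access code is a random secret that both ends prove they hold with an HMAC over a fresh nonce (so the code itself is never sent over the link; that choice is the editor's, not the application's), the "encrypted at rest" storage of the code is left to each manager, and every name and sample identity value is constructed.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class TableEntry:
    """National database entry: table location, change level and approval listing."""
    location: int
    change_level: int
    approval: str               # "approved" or a risk label from security analysts
    identity: Dict[str, str]    # reusable identification data; financial data never goes here


class NationalDatabase:
    def __init__(self) -> None:
        self.entries: Dict[str, TableEntry] = {}

    def register(self, alias: str, identity: Dict[str, str]) -> TableEntry:
        entry = TableEntry(len(self.entries) + 1, 1, "approved", dict(identity))
        self.entries[alias] = entry
        return entry

    def update_identity(self, alias: str, **changes: str) -> None:
        """Identification change propagated from the user's access security manager."""
        self.entries[alias].identity.update(changes)
        self.entries[alias].change_level += 1

    def flag_risk(self, alias: str, listing: str) -> None:
        """Update submitted by approved security analysts."""
        self.entries[alias].approval = listing
        self.entries[alias].change_level += 1

    def query(self, location: int, change_level: int) -> Tuple[bool, Optional[TableEntry]]:
        """Positive match only if location, change level and approval all agree;
        on a mismatch the current entry is returned so the querying end can refresh."""
        for e in self.entries.values():
            if e.location == location:
                ok = e.change_level == change_level and e.approval == "approved"
                return ok, (None if ok else e)
        return False, None


@dataclass
class Endpoint:
    """A user device or a remote site, each with its own access security manager."""
    alias: str
    identity: Dict[str, str]
    db: NationalDatabase
    entry: Optional[TableEntry] = None
    links: Dict[str, dict] = field(default_factory=dict)   # partner alias -> recorded link data

    def register_with_db(self) -> None:
        self.entry = self.db.register(self.alias, self.identity)

    def partner_verified(self, other: "Endpoint") -> bool:
        return self.db.query(other.entry.location, other.entry.change_level)[0]


def bidirectional_register(a: Endpoint, b: Endpoint) -> bool:
    """Both managers verify the other end in the national database, then record one
    computer-created access code at both ends together with the partner's table values."""
    if not (a.partner_verified(b) and b.partner_verified(a)):
        return False
    code = os.urandom(32)     # assumed to be stored encrypted by each manager
    for me, other in ((a, b), (b, a)):
        me.links[other.alias] = {"code": code, "loc": other.entry.location,
                                 "level": other.entry.change_level, "state": "active"}
    return True


def _revoke(*links: dict) -> bool:
    for link in links:
        link["state"] = "revoked"
    return False


def wake(a: Endpoint, b: Endpoint) -> bool:
    """Reactivate a sleeping logical connection: each end proves it holds the access code
    (HMAC over a fresh nonce), then re-queries the national database with the recorded
    table location and change level. Any failure terminates the code and closes the link."""
    la, lb = a.links.get(b.alias), b.links.get(a.alias)
    if la is None or lb is None or "revoked" in (la["state"], lb["state"]):
        return False
    for verifier, prover in ((la, lb), (lb, la)):
        nonce = os.urandom(16)
        proof = hmac.new(prover["code"], nonce, hashlib.sha256).digest()
        expected = hmac.new(verifier["code"], nonce, hashlib.sha256).digest()
        if not hmac.compare_digest(proof, expected):
            return _revoke(la, lb)
    for me, link in ((a, la), (b, lb)):
        ok, updated = me.db.query(link["loc"], link["level"])
        if not ok:
            if updated is not None:
                link["level"] = updated.change_level   # updated table entry sent to this end
            return _revoke(la, lb)
    return True


def demo() -> Dict[str, object]:
    """Constructed walk-through: register, wake, identity change, re-register, risk flag."""
    db = NationalDatabase()
    user = Endpoint("don-alias", {"real_name": "Don Example", "ip": "192.0.2.10"}, db)
    site = Endpoint("bank.example", {"company": "Example Bank", "ip": "198.51.100.5"}, db)
    user.register_with_db()
    site.register_with_db()
    out = {"registered": bidirectional_register(user, site), "wake_ok": wake(user, site)}
    db.update_identity("don-alias", street="1 New Road")   # user changes identification data
    out["wake_after_change"] = wake(user, site)
    out["state_after_change"] = user.links["bank.example"]["state"]
    out["reregistered"] = bidirectional_register(user, site)
    db.flag_risk("bank.example", "known risk")              # security analysts' update
    out["wake_after_risk_flag"] = wake(user, site)
    return out
```

The change level is what makes the wake cheap but safe: a stale level at either end is a negative match, the link is revoked, and the end that held stale data receives the current entry so that a fresh registration can verify it. An analyst's risk label also bumps the level, so a partner flagged while the link slept can never be woken.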

A logical system/network connection goes to sleep when it is inactive for a period of time that is managed by both ends. To wake or reactivate a logical system/network connection, the devices exchange access codes. Both ends send a national database query to verify the table entry status of the other end. The query includes the table location and change level bit values. The remote database sends back a positive or negative match. If the table entry in the national database is at a different level than in the query, the updated table entry is sent to the end user. Any time an end user changes their identification information, the access security manager sends the change information to be mirrored at the Internet service provider database, and it is propagated to the other remote databases. Any time a site or user is identified as having a security risk by approved security analysts, they send updates to the national database. This use of remote databases that contain real end user data enables both communication partners to actually know real information about their communication partner. A failed access code match or a failed database query results in termination of the access code, and the logical system/network connection is closed.

f. Access Security manager

The access security manager enables the user and enterprise manager to control all computer access and change activity. The computer manufacturer must 1) close all doors or openings that permit changes or remote takeover of all computers and 2) route all use and software changes to the computer through the access security manager. Devices are listed in the access security manager as enterprise or individual. All changes to an enterprise device must be approved by the enterprise manager. All changes to individual devices must be approved by the device owner. All change requests must be explained in layman's terms. They must provide detailed business owner identification and the purpose of each application or request to access the device or to change or store information.

The access security manager is the user's local device database used to securely record and manage all their reusable information. The user enters information once, then permits the computer to reuse and share the information. The data includes but is not limited to name, physical address, phone numbers, online IDs and passwords, and financial information. Some of the information is required to register to use the open Internet.

If the user is not part of an enterprise, the user controls the access security manager. If the user device is part of an enterprise, an administrator has access to and manages the user device access security manager. An enterprise manager may limit applications or sites the device may access.

The user enters a password or PIN to gain access to the access security manager. For higher security concerns, face recognition and voice recognition in addition to fingerprints are used to provide comprehensive identification of the user attempting to access the device's security controls. The hardware and software manufacturers of the device and code must configure the systems in such a way that 1) the user cannot alter the code, and 2) the access security manager function cannot be used or altered through a network connection. Once the user enters the reusable information, they permit the access security manager to approve use and sharing of the information.

g. Enterprise directory services database

The enterprise database is similar to the user device database. It is used to securely record and manage all the enterprise reusable information. The enterprise administrator enters information once, then permits the computer to reuse and share the information. The data includes but is not limited to company name, physical address, phone numbers, all enterprise users' names and online IDs, and descriptions of all applications in layman's terms.

- Some of the enterprise information is required to register with an Internet service provider to use the open Internet.

- Some of the information is required to be sent to the national and international databases.

h. Internet Service Providers directory services database

Internet service providers enhance their databases to communicate with the user and enterprise databases and the national databases. The appropriate information they send to the national database about users and enterprises includes but is not limited to user and enterprise real name, bit address, alias computer names, and real physical address.

i. National and international directory security services databases

The remote national and international access security databases include detailed information about known, approved or disapproved sites, users and applications. The detailed data includes but is not limited to: the individual or company owner identification, a layman's description of the application, and the real Internet Protocol bit address of the origin point of the site, application or user. For end users, the database includes detailed information about the end users of the site such as their real name and real IP bit address. It also includes the user's real name and physical address. It should also include a picture or screen shot of the user. Security analysts submit information about known risks from sites, applications and users.

The data in the international database is shadowed and fed from the national databases. The information in the national databases is shadowed and fed from the Internet services providers databases or may be from the enterprise and user databases.

Data in the national database consists of all known reusable appropriate identification information about users or enterprises. Some of the data in the users access security manager and in enterprise databases is sent to the national database. User and enterprise financial data is not sent to or stored in the national database.

Users and enterprises and their applications may freely access the national and international databases to find or verify information about all possible communication partners.

j. Remote Database security

The national and international databases are to be configured in such a way that they have a limited receive portion, a secure process portion and a limited transmit portion. The receive and transmit portions communicate with the process portion, and through the network, with formatted data so that their operating code cannot be changed through the network. The operating code can only be changed through a direct hardwired connection. Access to the process portion of the system is to be arranged in such a way that it can only be accessed through a hardwired device. National and international databases are in highly secured federal government facilities. The manufacturers must configure the systems in such a way that some specified changes, including those addressed in this invention, can only be made through a direct hard wired or paired connected device. There will be one master international database with shadow copies in other countries.

k. Alternate or second device access and use

There are existing basic methods of enabling alternate or second device use. A highly secure method of enabling use of an alternate device requires pairing and registering the alternate device with each target site. To pair devices, the user must have been securely identified to the devices, and the primary and the alternate device must be bidirectionally connected. The access security managers in both devices are set to pair. The primary device displays a code that the user must enter into the alternate device. The devices exchange confirmation, then the alternate device displays a code that is entered into the primary device. The devices again exchange confirmation. Then the IDs and appropriate system/network data for each target site are transferred to the alternate device. Then the user must access each site individually from the alternate device to establish the bidirectional access for the alternate device. The alternate device informs each individual site that it is an alternate device. The site sends a code to the user's cell phone or other registered address. The user enters the code in the alternate device. The device sends the code to the site. The site then establishes the device as a second device for the same user. All the same controls used to register the original device are used to register the paired second device. Enterprise devices may only be paired and registered by an enterprise manager. A notice is sent to the original device owner's address when a device is paired.

l. Legacy ID and password enhanced management

As a result of enhanced user to device identification, legacy ID and password management is simplified. Both secure single logon and legacy logon require enhanced user to device identification. Both require the user to use progressively more detailed device logon steps.

Site access that does not require an Id or password is not affected. Any logon that does not require approval to spend money may be considered to be low security. A simple pin to identify the user to access the device may be acceptable for low security remote site logon. Progressively more user to device identification is specified in the device to site communication requirements specified by either or both ends. Those conditions are recorded and used by the access security managers at both ends .

To access sites that do not have the access security manager, the user's device ID and password vault is used. It is an abridged single logon. The access security manager may enter the ID and password, or the user may access the vault to see the ID and password for the site. For the user to access the vault, the user must enter the proper level of device identification. A low security vault view requires only a PIN entry. ID and password management is somewhat manual for sites that do not have access security manager secure single logon.

m. REMOTE ACCESS USE

Enabling remote use for things like a support center or collaborative writing is basically the same as enabling an alternate device. The user can identify a secure remote support device level of access. For a support services remote view or takeover, the remote support user does not have access to the security manager but does have access to the portions of the computer the user permitted in the access security manager. Enabling remote support access requires the standard secure logon exchange of identification of end user and enterprises through the enterprise or the national database.

n. Conversational authorization

Conversational authorization among components and users requires separated human input into separated components. Then it requires the conversation between the separate computer components with additional human interaction and the remote database. This separation of users and authorization control components prevents a lone user from attacking a computer. It makes a coordinated attack difficult to complete.

o. Cookies replaced by secure cookies

Cookies in their existing form are not permitted through the access security manager. Cookies are replaced with secure cookies aka scookies. When a session is beginning, a contract or binding agreement command with the rules of the session is shared. The server or application session contract requirements are explained to the client or end user in layman terms.

The requesting server, site or application cannot make any changes to the receiving client or end user device. The receiving client's or user's access security manager makes all user approved changes to the user device. The user may approve individual scookies requests or approve scookies from specified sites. When scookies are approved, the access security manager records information in a secure activity use area for each application. The user may click to permit their access security manager to update specific scookies recording requests without showing the approval screen.
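The scookies handling of this section, together with the user-facing management the description turns to next (always-allow per site, a record of all requests, deletion by site or in total), as an added Python illustration that is not the application's code. The session contract fields, the `Policy` names, the approval-screen callback and the sample sites are all constructed.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, List, Optional


class Policy(Enum):
    ASK = "ask"          # show the approval screen for every request (default)
    ALWAYS = "always"    # the user said "always allow" for this site
    BLOCKED = "blocked"


@dataclass
class SessionContract:
    """Binding agreement shared when a session begins, explained in layman's terms."""
    site: str
    purpose: str
    fields: List[str]    # the only items the site may ask to store or read back


@dataclass
class ScookieManager:
    """The user's access security manager: the only component that writes to the device."""
    decide: Callable[[SessionContract, str], bool]         # approval screen (constructed)
    policies: Dict[str, Policy] = field(default_factory=dict)
    store: Dict[str, Dict[str, str]] = field(default_factory=dict)   # per-site activity area
    log: List[str] = field(default_factory=list)            # record of every request

    def _approved(self, contract: SessionContract, action: str) -> bool:
        policy = self.policies.get(contract.site, Policy.ASK)
        self.log.append(f"{contract.site}: {action} ({policy.value})")
        if policy is Policy.ASK:
            return self.decide(contract, action)
        return policy is Policy.ALWAYS

    def legacy_cookie(self, site: str, header: str) -> bool:
        """Cookies in their existing form are refused outright."""
        self.log.append(f"{site}: legacy cookie refused: {header}")
        return False

    def store_request(self, contract: SessionContract, values: Dict[str, str]) -> bool:
        """Site asks to record data on the device: only contract fields, only with approval."""
        if set(values) - set(contract.fields):
            self.log.append(f"{contract.site}: request outside the session contract")
            return False
        if not self._approved(contract, "store"):
            return False
        self.store.setdefault(contract.site, {}).update(values)
        return True

    def read_request(self, contract: SessionContract, keys: List[str]) -> Optional[Dict[str, str]]:
        """Site asks for scookie data back; a site only ever sees its own activity area."""
        if not self._approved(contract, "send"):
            return None
        own = self.store.get(contract.site, {})
        return {k: own[k] for k in keys if k in own}

    def set_policy(self, site: str, policy: Policy) -> None:
        self.policies[site] = policy

    def delete(self, site: Optional[str] = None) -> None:
        """Delete scookies by site, or in total."""
        if site is None:
            self.store.clear()
        else:
            self.store.pop(site, None)

    def report(self) -> Dict[str, List[str]]:
        """What each site has recorded, for the user (or the enterprise database) to review."""
        return {site: sorted(data) for site, data in self.store.items()}


def demo() -> Dict[str, object]:
    """Constructed session: a shop stores a cart, an ad network tries to read it."""
    shown: List[str] = []

    def approval_screen(contract: SessionContract, action: str) -> bool:
        shown.append(f"{contract.site} wants to {action}: {contract.purpose}")
        return contract.site == "shop.example"             # constructed user: trusts the shop only

    asm = ScookieManager(approval_screen)
    shop = SessionContract("shop.example", "remember your shopping cart", ["cart", "lang"])
    ads = SessionContract("ads.example", "measure which pages you visit", ["visits"])
    out = {"legacy": asm.legacy_cookie("shop.example", "Set-Cookie: sid=abc")}
    out["cart_stored"] = asm.store_request(shop, {"cart": "3 items"})
    out["outside_contract"] = asm.store_request(shop, {"tracker": "id-42"})
    out["ads_store"] = asm.store_request(ads, {"visits": "7"})
    out["ads_reads_cart"] = asm.read_request(ads, ["cart"])
    asm.set_policy("shop.example", Policy.ALWAYS)
    screens_before = len(shown)
    out["shop_reads_cart"] = asm.read_request(shop, ["cart", "lang"])
    out["no_screen_for_always"] = len(shown) == screens_before
    asm.delete("shop.example")
    out["report_after_delete"] = asm.report()
    return out
```

Two properties carry the security point: the server never touches the device's store, it only asks, and the store is partitioned by site, so even an approved request from one site cannot read what another site recorded.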

An enterprise administrator manager controls scookies on users' devices. The administrator may require the user to approve scookies or may permit the device access security manager to update specific server scookies requests without showing the approval screen to the user. The user's access security manager retains a record or report of all scookies requests in the enterprise database. When a server, site or application requests scookies information from a client or user device, the user's access security manager displays the request to the user. The user may approve and say to always allow scookies information to be sent to that site. The user may display and manage all actual scookies data. The user may delete scookies by site or in total.

p. Electronic credit card

Electronic credit card and other appropriate financial information that is used over and over may be recorded in a separate portion of the access security manager. When a target application requires a credit card entry, the application owner presents a formatted screen to the access security manager. When the user clicks on fields in the formatted screen, the access security manager displays information the user clicks to be entered in the formatted screen.

q. The access security manager vault may be used to record any and all reusable user information. Anything that the user knows and wants to record and reuse may be recorded, shared or otherwise managed by the user and their computer.

Although the preceding description contains significant detail, it should not be construed as limiting the scope of the invention; it provides illustrations of the preferred embodiment of the invention. The control system's features could take many forms that do not materially alter the nature of the invention. The scope of the invention should be fixed by the following claims rather than by any specific examples.