FreshPatents.com Logo
stats FreshPatents Stats
3 views for this patent on FreshPatents.com
2014: 2 views
2013: 1 views
Updated: December 09 2014
newTOP 200 Companies filing patents this week


Advertise Here
Promote your product, service and ideas.

    Free Services  

  • MONITOR KEYWORDS
  • Enter keywords & we'll notify you when a new patent matches your request (weekly update).

  • ORGANIZER
  • Save & organize patents so you can view them later.

  • RSS rss
  • Create custom RSS feeds. Track keywords without receiving email.

  • ARCHIVE
  • View the last few months of your Keyword emails.

  • COMPANY DIRECTORY
  • Patents sorted by company.

Your Message Here

Follow us on Twitter
twitter icon@FreshPatents

Biometric chain of provenance

last patentdownload pdfdownload imgimage previewnext patent

20120268241 patent thumbnailZoom

Biometric chain of provenance


The present disclosure is directed towards methods and systems for ensuring integrity of biometric data for one or more transactions. A mobile biometric device may acquire biometric information of an individual. A ranging module of a transaction device may determine that a distance between the mobile biometric device and a physical location of a first transaction with the individual is within a predefined value. The transaction device may link, responsive to the determination, the acquired biometric information to the first transaction if the biometric information is acquired within a specific time limit from the distance determination. The transaction device may link the acquired biometric information to a universal biometric record of the individual. A biometric integrity engine may compare information from the first transaction and a second transaction for inconsistency or fraud.
Related Terms: Biometric Device

Browse recent Eyelock Inc. patents - ,
Inventors: Keith J. Hanna, Hector T. Hoyos
USPTO Applicaton #: #20120268241 - Class: 340 552 (USPTO) - 10/25/12 - Class 340 


view organizer monitor keywords


The Patent Description & Claims data below is from USPTO Patent Application 20120268241, Biometric chain of provenance.

last patentpdficondownload pdfimage previewnext patent

RELATED APPLICATION

The present application claims the benefit of and priority to U.S. Provisional Patent Application No. 61/476,826, entitled “Mobile Biometric Authentication System”, filed Apr. 19, 2011, and claims the benefit of and priority to Provisional Patent Application No. 61/541,118, entitled “Remote Authorization System”, filed Sep. 30, 2011, both of which are incorporated herein by reference in their entireties for all purposes.

FIELD OF THE DISCLOSURE

The present disclosure relates to identity verification technologies, and more specifically to systems and methods directed to providing or ensuring a biometric chain of provenance.

BACKGROUND

The potential for fraud in financial transactions has increased significantly due to the increasing diversity in the means for transactions to be performed. For example, it is often challenging to ensure that biometrics acquired by a biometrics device are really those of an individual at the biometrics device. Moreover, in certain contexts, it may be necessary or more acceptable to acquire biometric of a moving individual without constraining the individual's advance or movements. However, conventional systems are typically not very robust against fraud and/or mistake when biometric acquisition is decoupled from traditional access control systems, or when individuals whose biometrics are being acquired are not rigidly constrained for the biometric acquisition process. Some ability to track an individual across one or more transactions may be a way to reduce fraudulent activity.

SUMMARY

The present disclosure describes methods and systems for tracking the provenance of an individual between disparate transactions that they perform, be they logical and/or physical access transactions. The present methods and systems may use acquisition and optional matching of potentially disparate biometrics at each point of transaction, and may provide means to ensure the provenance of each step within each transaction and/or between each transaction.

In some aspects, we leverage on one or more of the following to ensure integrity of acquired biometrics linked to one or more transactions: 1) the ability to track a particular individual to a transaction, and 2) the ability to track one transaction to a second transaction. In this way, the activity of a single individual can be tracked from one transaction to the next. This Biometric Chain of Provenance (BCP) can then be audited and verified, for example, not just between two transactions, but between many transactions that the individual performs. Every transaction, be it buying a coffee or buying a house or setting up a bank account, is therefore an opportunity for the integrity of the biometric chain of provenance to be validated. Any inconsistencies in the BCP computed either in real-time while a transaction is performed, or after-the-fact indicates that fraudulent activity is occurring (or potentially occurring) or has occurred (or potentially occurred). Due to the BCP, there is a substantial audit-trail and therefore we may: a) detect fraud based on the detection of anomalies in the audit-trail, b) identify the fraudster based on information contained in the audit-trail, and c) deter fraudulent activity since fraudsters know that such a biometric-based audit trail is known to exist.

As mentioned above, the ability to track a particular individual to a transaction can be a critical element in the process. Biometrics is the field of measurement of human characteristics, and the acquisition and optional matching of biometric data can be a component in such a process. However, it may be important that the provenance of the biometric information itself is ensured step by step between the individual, a device (static or mobile) that collects the biometric data, any point of sale (POS) terminal that communicates to said device, and the rest of the transactional system, for example in everyday environments, such as a busy check-out line with multiple people, or in a mobile unattended environment. The present disclosure describes embodiments of such methods in detail.

It is also recognized that the device platforms on which transactions are performed are becoming more disparate, as are the locations where they are performed. Devices and applications may therefore contain only certain biometrics such as iris, face or voice due to cost or availability constraints. The iris biometric in particular can be a powerful biometric for tracking transactions due to its standardization and its accuracy. If there is a need to search through millions of records to associate transactions just based on a biometric, then the iris biometric may be best-placed to do so compared to face and voice and many other biometrics. This can be most significant at the beginning of the BCP when a customer presents themselves to open up a new account, for example. A verification step in the BCP may check whether the customer should be linked to prior BCP activity (e.g., is the customer attempting to assume multiple identities). This can be performed reliably and quickly with the iris biometric. However, as discussed earlier, the platforms on which transactions are performed are becoming more disparate and non-iris biometrics may be used. The present disclosure describes in detail embodiments of methods for maintaining the Biometric Chain of Provenance even when disparate biometrics are used.

In one aspect, the present disclosure is directed to a method for ensuring integrity of biometric data linked to one or more transactions. A mobile biometric device may acquire biometric information of an individual. A ranging device may determine that a distance between the mobile biometric device and a physical location of a transaction with the individual is within a predefined value. The ranging device or a transaction device may link, responsive to the determination, the acquired biometric information to the transaction if the biometric information is acquired within a specific time limit from the distance determination.

In some embodiments, the ranging device or transaction device may compute the specific time limit based on an amount or rate of change in the location of the mobile biometric device. The ranging device may determine the distance between the mobile biometric device and the physical location via a global positioning system. The ranging device may determine the distance between the mobile biometric device and the physical location using a short-range location system, using one or more of a: radio-frequency, laser, infra-red and audio ranging process. In some embodiments, the biometric device may transmit the acquired biometric information to a biometric matching device located at or connected to the physical location. The biometric device may transmit the acquired biometric information to a transaction device located at or connected to the physical location if the distance is determined to be within the predefined value.

In some embodiments, the ranging device or transaction device may link the acquired biometric information to the transaction if the acquired biometric information is received by a transaction device associated with the physical location within a predetermined time period of initiating the transaction. The ranging device or transaction device may link the acquired biometric information to the transaction if the distance between the physical location and the biometric device at the time the transaction is initiated is within a specified value. The transaction device at the physical location may allow or deny the transaction at the physical location based on biometric verification using the acquired biometric information. The transaction device may allow or deny the transaction based on biometric verification using the acquired biometric information, the transaction comprising one of: a point-of-sale transaction, a point-of-service transaction, and an access control transaction.

In some embodiments, the ranging device determines the distance between the mobile biometric device and a physical location based on strength of a signal received at one of: the physical location and the mobile biometric device, and transmitted by the other. The biometric device and/or the transaction device may identify the individual based on the acquired biometrics, and linking the transaction at the physical location with the individual. The biometric device and/or the transaction device may retrieve an identifier of the individual based on the acquired biometrics, and linking the transaction at the physical location with the identifier. The transaction device may link the transaction with another transaction linked to the individual, and comparing information of both transactions for inconsistency or fraud. The transaction device may link the transaction to a universal biometric record of the individual. The universal biometric record may include biometric information of a first type that matches the acquired biometric information.

In another aspect, the disclosure is directed to a method for ensuring integrity of biometric data linked to one or more transactions. A biometric device may acquire biometric information of an individual. A transaction device may link the acquired biometric information to a first transaction of the individual and a universal biometric record of the individual. The universal biometric record may include biometric information of a first type that matches the acquired biometric information, and may include biometric information of a second type. The transaction device or a biometric integrity engine may identify, via the universal biometric record, a second transaction. The second transaction may be linked to acquired biometric information that matches the biometric information of the second type. The transaction device or biometric integrity engine may compare information from the first transaction and the second transaction for inconsistency or fraud.

In yet another aspect, the disclosure is directed to a method for ensuring integrity of biometric data linked to one or more transactions. A biometric device may acquire biometric information of an individual. A transaction device may link the acquired biometric information to a first transaction of the individual. The universal biometric record may include an identifier of the individual and/or biometric information of a first type that matches the acquired biometric information. The transaction device or a biometric integrity engine may identify a second transaction linked with the identifier of the individual. The transaction device or biometric integrity engine may compare information from the first transaction and the second transaction for inconsistency or fraud.

In still another aspect, the disclosure is directed to a system for ensuring integrity of biometric data linked to one or more transactions. The system may include a mobile biometric device acquiring biometric information of an individual. A ranging device may determine that a distance between the mobile biometric device and a physical location of a transaction with the individual is within a predefined value. The ranging device or a transaction device of the physical location may link, responsive to the determination, the acquired biometric information to the transaction if the biometric information is acquired within a specific time limit from the distance determination.

In some embodiments, the system includes a database comprising a universal biometric record of the individual, for linking to the transaction. The universal biometric record may include biometric information of a first type that matches the acquired biometric information, and biometric information of a second type. The ranging device may compute the specific time limit based on an amount or rate of change in the location of the mobile biometric device. In certain embodiments, the system includes a mirror module at the physical location. The mirror module may be oriented to allow the acquisition of the biometric data using a rear-facing camera on the biometric device. In some embodiments, the system includes a second biometric device for acquiring imagery of the individual at substantially the same time as the acquisition of the biometric data.

BRIEF DESCRIPTION OF THE DRAWINGS

The following figures depict certain illustrative embodiments of the methods and systems described herein, where like reference numerals refer to like elements. Each depicted embodiment is illustrative of these methods and systems and not limiting.

FIG. 1A is a block diagram illustrative of an embodiment of a networked environment with a client machine that communicates with a server;

FIGS. 1B and 1C are block diagrams illustrative of embodiments of computing machines for practicing the methods and systems described herein;

FIG. 2A depicts one embodiment of a system for determining or ensuring a biometric chain of provenance;

FIG. 2B depicts one embodiment of a universal biometric record used in the present systems and methods.

FIG. 2C depicts one embodiment of a method for determining or ensuring a biometric chain of provenance;

FIGS. 2D and 2E depict examples of a chain or network of biometric provenance established using embodiments of the present systems and methods;

FIG. 3A depicts an embodiment of the present system providing access control to one or more users;

FIG. 3B depicts one embodiment of the present system providing access control to each user;

FIG. 3C depicts one embodiment of the present system comprising a mobile access control device;

FIG. 4 depicts one embodiment of a mobile access control device of one embodiment of the present system;

FIG. 5 depicts another embodiment of a mobile access control device comprising features that may be incorporated with a mobile phone or other personal device;

FIG. 6 depicts yet another embodiment of a mobile access control device;

FIG. 7 depicts embodiments of a system for determining or ensuring a biometric chain of provenance in different form factors;

FIG. 8 depicts one embodiment of a system, from a top view, for determining or ensuring a biometric chain of provenance;

FIG. 9 depicts one embodiment of a method for determining or ensuring a biometric chain of provenance;

FIG. 10 depicts one embodiment of certain steps of a method for determining or ensuring a biometric chain of provenance;

FIG. 11 depicts an embodiment of a mobile access control device acquiring imagery of at least a portion of a face;

FIG. 12 depicts an embodiment of the present system incorporating image stabilization;

FIG. 13 depicts an embodiment of the present system incorporating residual motion detection;

FIGS. 14-19 depicts some embodiments of certain steps of a method for determining or ensuring a biometric chain of provenance;

FIG. 20 depicts one embodiment of the present system configured for multiple users;

FIGS. 21 and 22 depict embodiments of access nodes with multiple transceiver modules;

FIG. 23 depicts another embodiment of the present system involving multiple users;

FIG. 24 depicts another embodiment of a system for acquisition of face imagery and iris imagery using a single sensor;

FIGS. 25-27 depict certain embodiments of certain steps of a method for determining or ensuring a biometric chain of provenance;

FIG. 28 depicts one embodiment of a system for determining or ensuring a biometric chain of provenance;

FIG. 29 depicts one scenario in which a chain of biometric providence is confirmed by one embodiment of the present system;

FIG. 30 depicts one scenario in which a chain of biometric providence is denied by one embodiment of the present system;

FIG. 31 depicts another scenario in which a chain of biometric providence is confirmed by one embodiment of the present system;

FIGS. 32 and 33 depict certain scenarios in which a chain of biometric providence is denied by an embodiment of the present system; and

FIG. 34 depicts one embodiment of a method for ensuring integrity of biometric data linked to one or more transactions.

DETAILED DESCRIPTION

Before addressing other aspects of the systems and methods for providing or ensuring a biometric chain of provenance, a description of system components and features suitable for use in the present systems and methods may be helpful. FIG. 1A illustrates one embodiment of a computing environment 101 that includes one or more client machines 102A-102N (generally referred to herein as “client machine(s) 102”) in communication with one or more servers 106A-106N (generally referred to herein as “server(s) 106”). Installed in between the client machine(s) 102 and server(s) 106 is a network.

In one embodiment, the computing environment 101 can include an appliance installed between the server(s) 106 and client machine(s) 102. This appliance can mange client/server connections, and in some cases can load balance client connections amongst a plurality of backend servers. The client machine(s) 102 can in some embodiment be referred to as a single client machine 102 or a single group of client machines 102, while server(s) 106 may be referred to as a single server 106 or a single group of servers 106. In one embodiment a single client machine 102 communicates with more than one server 106, while in another embodiment a single server 106 communicates with more than one client machine 102. In yet another embodiment, a single client machine 102 communicates with a single server 106.

A client machine 102 can, in some embodiments, be referenced by any one of the following terms: client machine(s) 102; client(s); client computer(s); client device(s); client computing device(s); local machine; remote machine; client node(s); endpoint(s); endpoint node(s); or a second machine. The server 106, in some embodiments, may be referenced by any one of the following terms: server(s), local machine; remote machine; server farm(s), host computing device(s), or a first machine(s).

The client machine 102 can in some embodiments execute, operate or otherwise provide an application that can be any one of the following: software; a program; executable instructions; a virtual machine; a hypervisor; a web browser; a web-based client; a client-server application; a thin-client computing client; an ActiveX control; a Java applet; software related to voice over internet protocol (VoIP) communications like a soft IP telephone; an application for streaming video and/or audio; an application for facilitating real-time-data communications; a HTTP client; a FTP client; an Oscar client; a Telnet client; or any other set of executable instructions. Still other embodiments include a client device 102 that displays application output generated by an application remotely executing on a server 106 or other remotely located machine. In these embodiments, the client device 102 can display the application output in an application window, a browser, or other output window. In one embodiment, the application is a desktop, while in other embodiments the application is an application that generates a desktop.

The computing environment 101 can include more than one server 106A-106N such that the servers 106A-106N are logically grouped together into a server farm 106. The server farm 106 can include servers 106 that are geographically dispersed and logically grouped together in a server farm 106, or servers 106 that are located proximate to each other and logically grouped together in a server farm 106. Geographically dispersed servers 106A-106N within a server farm 106 can, in some embodiments, communicate using a WAN, MAN, or LAN, where different geographic regions can be characterized as: different continents; different regions of a continent; different countries; different states; different cities; different campuses; different rooms; or any combination of the preceding geographical locations. In some embodiments the server farm 106 may be administered as a single entity, while in other embodiments the server farm 106 can include multiple server farms 106.

In some embodiments, a server farm 106 can include servers 106 that execute a substantially similar type of operating system platform (e.g., WINDOWS NT, manufactured by Microsoft Corp. of Redmond, Wash., UNIX, LINUX, or SNOW LEOPARD.) In other embodiments, the server farm 106 can include a first group of servers 106 that execute a first type of operating system platform, and a second group of servers 106 that execute a second type of operating system platform. The server farm 106, in other embodiments, can include servers 106 that execute different types of operating system platforms.

The server 106, in some embodiments, can be any server type. In other embodiments, the server 106 can be any of the following server types: a file server; an application server; a web server; a proxy server; an appliance; a network appliance; a gateway; an application gateway; a gateway server; a virtualization server; a deployment server; a SSL VPN server; a firewall; a web server; an application server or as a master application server; a server 106 executing an active directory; or a server 106 executing an application acceleration program that provides firewall functionality, application functionality, or load balancing functionality. In some embodiments, a server 106 may be a RADIUS server that includes a remote authentication dial-in user service. Some embodiments include a first server 106A that receives requests from a client machine 102, forwards the request to a second server 106B, and responds to the request generated by the client machine 102 with a response from the second server 106B. The first server 106A can acquire an enumeration of applications available to the client machine 102 and well as address information associated with an application server 106 hosting an application identified within the enumeration of applications. The first server 106A can then present a response to the client\'s request using a web interface, and communicate directly with the client 102 to provide the client 102 with access to an identified application.

Client machines 102 can, in some embodiments, be a client node that seeks access to resources provided by a server 106. In other embodiments, the server 106 may provide clients 102 or client nodes with access to hosted resources. The server 106, in some embodiments, functions as a master node such that it communicates with one or more clients 102 or servers 106. In some embodiments, the master node can identify and provide address information associated with a server 106 hosting a requested application, to one or more clients 102 or servers 106. In still other embodiments, the master node can be a server farm 106, a client 102, a cluster of client nodes 102, or an appliance.

One or more clients 102 and/or one or more servers 106 can transmit data over a network 104 installed between machines and appliances within the computing environment 101. The network 104 can comprise one or more sub-networks, and can be installed between any combination of the clients 102, servers 106, computing machines and appliances included within the computing environment 101. In some embodiments, the network 104 can be: a local-area network (LAN); a metropolitan area network (MAN); a wide area network (WAN); a primary network 104 comprised of multiple sub-networks 104 located between the client machines 102 and the servers 106; a primary public network 104 with a private sub-network 104; a primary private network 104 with a public sub-network 104; or a primary private network 104 with a private sub-network 104. Still further embodiments include a network 104 that can be any of the following network types: a point to point network; a broadcast network; a telecommunications network; a data communication network; a computer network; an ATM (Asynchronous Transfer Mode) network; a SONET (Synchronous Optical Network) network; a SDH (Synchronous Digital Hierarchy) network; a wireless network; a wireline network; or a network 104 that includes a wireless link where the wireless link can be an infrared channel or satellite band. The network topology of the network 104 can differ within different embodiments, possible network topologies include: a bus network topology; a star network topology; a ring network topology; a repeater-based network topology; or a tiered-star network topology. Additional embodiments may include a network 104 of mobile telephone networks that use a protocol to communicate among mobile devices, where the protocol can be any one of the following: AMPS; TDMA; CDMA; GSM; GPRS UMTS; 3G; 4G; or any other protocol able to transmit data among mobile devices.

Illustrated in FIG. 1B is an embodiment of a computing device 100, where the client machine 102 and server 106 illustrated in FIG. 1A can be deployed as and/or executed on any embodiment of the computing device 100 illustrated and described herein. Included within the computing device 100 is a system bus 150 that communicates with the following components: a central processing unit 121; a main memory 122; storage memory 128; an input/output (I/O) controller 123; display devices 124A-124N; an installation device 116; and a network interface 118. In one embodiment, the storage memory 128 includes: an operating system, software routines, and a client agent 120. The I/O controller 123, in some embodiments, is further connected to a key board 126, and a pointing device 127. Other embodiments may include an I/O controller 123 connected to more than one input/output device 130A-130N.

FIG. 1C illustrates one embodiment of a computing device 100, where the client machine 102 and server 106 illustrated in FIG. 1A can be deployed as and/or executed on any embodiment of the computing device 100 illustrated and described herein. Included within the computing device 100 is a system bus 150 that communicates with the following components: a bridge 170, and a first I/O device 130A. In another embodiment, the bridge 170 is in further communication with the main central processing unit 121, where the central processing unit 121 can further communicate with a second I/O device 130B, a main memory 122, and a cache memory 140. Included within the central processing unit 121, are I/O ports, a memory port 103, and a main processor.

Embodiments of the computing machine 100 can include a central processing unit 121 characterized by any one of the following component configurations: logic circuits that respond to and process instructions fetched from the main memory unit 122; a microprocessor unit, such as: those manufactured by Intel Corporation; those manufactured by Motorola Corporation; those manufactured by Transmeta Corporation of Santa Clara, Calif.; the RS/6000 processor such as those manufactured by International Business Machines; a processor such as those manufactured by Advanced Micro Devices; or any other combination of logic circuits. Still other embodiments of the central processing unit 122 may include any combination of the following: a microprocessor, a microcontroller, a central processing unit with a single processing core, a central processing unit with two processing cores, or a central processing unit with more than one processing core.

While FIG. 1C illustrates a computing device 100 that includes a single central processing unit 121, in some embodiments the computing device 100 can include one or more processing units 121. In these embodiments, the computing device 100 may store and execute firmware or other executable instructions that, when executed, direct the one or more processing units 121 to simultaneously execute instructions or to simultaneously execute instructions on a single piece of data. In other embodiments, the computing device 100 may store and execute firmware or other executable instructions that, when executed, direct the one or more processing units to each execute a section of a group of instructions. For example, each processing unit 121 may be instructed to execute a portion of a program or a particular module within a program.

In some embodiments, the processing unit 121 can include one or more processing cores. For example, the processing unit 121 may have two cores, four cores, eight cores, etc. In one embodiment, the processing unit 121 may comprise one or more parallel processing cores. The processing cores of the processing unit 121 may in some embodiments access available memory as a global address space, or in other embodiments, memory within the computing device 100 can be segmented and assigned to a particular core within the processing unit 121. In one embodiment, the one or more processing cores or processors in the computing device 100 can each access local memory. In still another embodiment, memory within the computing device 100 can be shared amongst one or more processors or processing cores, while other memory can be accessed by particular processors or subsets of processors. In embodiments where the computing device 100 includes more than one processing unit, the multiple processing units can be included in a single integrated circuit (IC). These multiple processors, in some embodiments, can be linked together by an internal high speed bus, which may be referred to as an element interconnect bus.

In embodiments where the computing device 100 includes one or more processing units 121, or a processing unit 121 including one or more processing cores, the processors can execute a single instruction simultaneously on multiple pieces of data (SIMD), or in other embodiments can execute multiple instructions simultaneously on multiple pieces of data (MIMD). In some embodiments, the computing device 100 can include any number of SIMD and MIMD processors.

The computing device 100, in some embodiments, can include an image processor, a graphics processor or a graphics processing unit. The graphics processing unit can include any combination of software and hardware, and can further input graphics data and graphics instructions, render a graphic from the inputted data and instructions, and output the rendered graphic. In some embodiments, the graphics processing unit can be included within the processing unit 121. In other embodiments, the computing device 100 can include one or more processing units 121, where at least one processing unit 121 is dedicated to processing and rendering graphics.

One embodiment of the computing machine 100 includes a central processing unit 121 that communicates with cache memory 140 via a secondary bus also known as a backside bus, while another embodiment of the computing machine 100 includes a central processing unit 121 that communicates with cache memory via the system bus 150. The local system bus 150 can, in some embodiments, also be used by the central processing unit to communicate with more than one type of I/O device 130A-130N. In some embodiments, the local system bus 150 can be any one of the following types of buses: a VESA VL bus; an ISA bus; an EISA bus; a MicroChannel Architecture (MCA) bus; a PCI bus; a PCI-X bus; a PCI-Express bus; or a NuBus. Other embodiments of the computing machine 100 include an I/O device 130A-130N that is a video display 124 that communicates with the central processing unit 121. Still other versions of the computing machine 100 include a processor 121 connected to an I/O device 130A-130N via any one of the following connections: HyperTransport, Rapid I/O, or InfiniBand. Further embodiments of the computing machine 100 include a processor 121 that communicates with one I/O device 130A using a local interconnect bus and a second I/O device 130B using a direct connection.

The computing device 100, in some embodiments, includes a main memory unit 122 and cache memory 140. The cache memory 140 can be any memory type, and in some embodiments can be any one of the following types of memory: SRAM; BSRAM; or EDRAM. Other embodiments include cache memory 140 and a main memory unit 122 that can be any one of the following types of memory: Static random access memory (SRAM), Burst SRAM or SynchBurst SRAM (BSRAM); Dynamic random access memory (DRAM); Fast Page Mode DRAM (FPM DRAM); Enhanced DRAM (EDRAM), Extended Data Output RAM (EDO RAM); Extended Data Output DRAM (EDO DRAM); Burst Extended Data Output DRAM (BEDO DRAM); Enhanced DRAM (EDRAM); synchronous DRAM (SDRAM); JEDEC SRAM; PC100 SDRAM; Double Data Rate SDRAM (DDR SDRAM); Enhanced SDRAM (ESDRAM); SyncLink DRAM (SLDRAM); Direct Rambus DRAM (DRDRAM); Ferroelectric RAM (FRAM); or any other type of memory. Further embodiments include a central processing unit 121 that can access the main memory 122 via: a system bus 150; a memory port 103; or any other connection, bus or port that allows the processor 121 to access memory 122.

One embodiment of the computing device 100 provides support for any one of the following installation devices 116: a CD-ROM drive, a CD-R/RW drive, a DVD-ROM drive, tape drives of various formats, USB device, a bootable medium, a bootable CD, a bootable CD for GNU/Linux distribution such as KNOPPIX®, a hard-drive or any other device suitable for installing applications or software. Applications can in some embodiments include a client agent 120, or any portion of a client agent 120. The computing device 100 may further include a storage device 128 that can be either one or more hard disk drives, or one or more redundant arrays of independent disks; where the storage device is configured to store an operating system, software, programs applications, or at least a portion of the client agent 120. A further embodiment of the computing device 100 includes an installation device 116 that is used as the storage device 128.

The computing device 100 may further include a network interface 118 to interface to a Local Area Network (LAN), Wide Area Network (WAN) or the Internet through a variety of connections including, but not limited to, standard telephone lines, LAN or WAN links (e.g., 802.11, T1, T3, 56 kb, X.25, SNA, DECNET), broadband connections (e.g., ISDN, Frame Relay, ATM, Gigabit Ethernet, Ethernet-over-SONET), wireless connections, or some combination of any or all of the above. Connections can also be established using a variety of communication protocols (e.g., TCP/IP, IPX, SPX, NetBIOS, Ethernet, ARCNET, SONET, SDH, Fiber Distributed Data Interface (FDDI), RS232, RS485, IEEE 802.11, IEEE 802.11a, IEEE 802.11b, IEEE 802.11g, CDMA, GSM, WiMax and direct asynchronous connections). One version of the computing device 100 includes a network interface 118 able to communicate with additional computing devices 100′ via any type and/or form of gateway or tunneling protocol such as Secure Socket Layer (SSL) or Transport Layer Security (TLS), or the Citrix Gateway Protocol manufactured by Citrix Systems, Inc. Versions of the network interface 118 can comprise any one of: a built-in network adapter; a network interface card; a PCMCIA network card; a card bus network adapter; a wireless network adapter; a USB network adapter; a modem; or any other device suitable for interfacing the computing device 100 to a network capable of communicating and performing the methods and systems described herein.

Embodiments of the computing device 100 include any one of the following I/O devices 130A-130N: a keyboard 126; a pointing device 127; mice; trackpads; an optical pen; trackballs; microphones; drawing tablets; video displays; speakers; inkjet printers; laser printers; and dye-sublimation printers; or any other input/output device able to perform the methods and systems described herein. An I/O controller 123 may in some embodiments connect to multiple I/O devices 103A-130N to control the one or more I/O devices. Some embodiments of the I/O devices 130A-130N may be configured to provide storage or an installation medium 116, while others may provide a universal serial bus (USB) interface for receiving USB storage devices such as the USB Flash Drive line of devices manufactured by Twintech Industry, Inc. Still other embodiments include an I/O device 130 that may be a bridge between the system bus 150 and an external communication bus, such as: a USB bus; an Apple Desktop Bus; an RS-232 serial connection; a SCSI bus; a FireWire bus; a FireWire 800 bus; an Ethernet bus; an AppleTalk bus; a Gigabit Ethernet bus; an Asynchronous Transfer Mode bus; a HIPPI bus; a Super HIPPI bus; a SerialPlus bus; a SCl/LAMP bus; a FibreChannel bus; or a Serial Attached small computer system interface bus.

In some embodiments, the computing machine 100 can execute any operating system, while in other embodiments the computing machine 100 can execute any of the following operating systems: versions of the MICROSOFT WINDOWS operating systems; the different releases of the Unix and Linux operating systems; any version of the MAC OS manufactured by Apple Computer; OS/2, manufactured by International Business Machines; Android by Google; any embedded operating system; any real-time operating system; any open source operating system; any proprietary operating system; any operating systems for mobile computing devices; or any other operating system. In still another embodiment, the computing machine 100 can execute multiple operating systems. For example, the computing machine 100 can execute PARALLELS or another virtualization platform that can execute or manage a virtual machine executing a first operating system, while the computing machine 100 executes a second operating system different from the first operating system.

The computing machine 100 can be embodied in any one of the following computing devices: a computing workstation; a desktop computer; a laptop or notebook computer; a server; a handheld computer; a mobile telephone; a portable telecommunication device; a media playing device; a gaming system; a mobile computing device; a netbook, a tablet; a device of the IPOD or IPAD family of devices manufactured by Apple Computer; any one of the PLAYSTATION family of devices manufactured by the Sony Corporation; any one of the Nintendo family of devices manufactured by Nintendo Co; any one of the XBOX family of devices manufactured by the Microsoft Corporation; or any other type and/or form of computing, telecommunications or media device that is capable of communication and that has sufficient processor power and memory capacity to perform the methods and systems described herein. In other embodiments the computing machine 100 can be a mobile device such as any one of the following mobile devices: a JAVA-enabled cellular telephone or personal digital assistant (PDA); any computing device that has different processors, operating systems, and input devices consistent with the device; or any other mobile computing device capable of performing the methods and systems described herein. In still other embodiments, the computing device 100 can be any one of the following mobile computing devices: any one series of Blackberry, or other handheld device manufactured by Research In Motion Limited; the iPhone manufactured by Apple Computer; Palm Pre; a Pocket PC; a Pocket PC Phone; an Android phone; or any other handheld mobile device. Having described certain system components and features that may be suitable for use in the present systems and methods, further aspects are addressed below.

Having described embodiments of computing devices and environments that may be suitable for the methods and systems for tracking the provenance of an individual between disparate transactions that they perform, certain embodiments of the methods and systems will be described in detail. The individual may be involved in one more logical and/or physical access transactions. Embodiments of the present systems and methods may use acquisition and/or matching of potentially disparate biometrics at each point of transaction. In some embodiments, the present systems and methods may provide means to ensure the provenance of each step within each transaction and/or between each transaction.

Certain embodiments of the present methods and system may counter fraudulent activity by using 1) the ability to track a particular individual to a transaction, and/or 2) the ability to track one transaction to a second transaction. Biometrics is the field of measurement of human characteristics, and the acquisition and/or matching of biometric data can be a component in such a process. FIG. 2A depicts one embodiment of a method for ensuring integrity of acquired biometrics for linking to one or more transactions. An individual shown on the left of the figure performs a Transaction A. On the right of the figure, either the same or a different individual may attempt to perform a Transaction B. Integrity may be ensured via a biometric chain of provenance (BCP) between transactions A and B, which may provide transaction-related information after-the-fact or in real-time, and may depend on whether the individuals are in fact the same or different. In Transaction B, as illustrated in FIG. 2A, the customer may use a mobile device to acquire biometric data. The customer may use his/her mobile device to communicate to a static device such as Point of Sale (POS) terminal.

In some embodiments, the first link in Transaction B for the BCP is associating the acquisition of the biometric of the user to the mobile device. This may involve a specific physical location and/or a particular time (Link 1B). For example, provenance of the biometric acquisition may be less assured if the biometric was acquired far (e.g., 100 m) from the point of sale terminal rather than in front of checkout staff. Various methods for performing this as well as other provenance checks are described later.

In certain embodiments, the second link in Transaction B for the BCP may involve associating the mobile device to the POS terminal at a specific location and time (Link 2B). This may be governed by the physics of the communication method between the mobile device and the POS terminal and/or other methods. Embodiments of such methods are described later.

In some embodiments, the third link in Transaction B for the BCP may involve association of the biometric information acquired during the transaction with a Universal Biometric record (UBR). In certain embodiments, the UBR may be stored locally at the site of the transaction or at a back-end server, for example. The UBR record may include multiple biometrics acquired at a time of customer enrollment or registration into the system. This attempted association can be done using a combination of one or more of: i) using a unique ID number of the mobile device to index into a Unique Universal Identifier (UUID) number that may be part of the UBR, ii) using the biometric data that has been acquired and to perform biometric matching on a database containing a plurality of UBR records or with a single UBR record if used in combination with the indexing method, and iii) acquisition of the biometric data without real-time matching for later forensic and provenance analysis, either by automatic processing or human analysis.

In some embodiments, if an automatic biometric search is performed for biometric matching, then depending on the accuracy of the biometric used on the mobile phone, such an automatic search can yield many matches (e.g., face biometric), can yield a unique match result (e.g., the iris), or can yield no matches. In the case shown in FIG. 2A, Transaction B, the face data may be acquired (e.g., not matched) and the unique ID of the mobile phone may be used to index into a UUID number and the associated UBR record, thereby creating provenance link 3B.

We have now described links 1B, 2B, 3B in the BCP. We next consider the other end of the BCP—links 1A, 2A, 3A which relate to Transaction A. These links may be performed by a similar approach as in links 1B, 2B, 3B, although another embodiment of the methods and systems is illustrated for Transaction A. Specifically, the biometric device can be a static device and not a mobile device. The device may capture iris imagery and not face imagery, for example. In this embodiment, link 3A may link the acquired iris biometric to the iris biometric component of the UBR.

In some embodiments, a step in confirming or rejecting the BCP comprises associating the candidate UBR records that have been located in Transaction A and B by search or by indexing, and checking the integrity of the provenance, either in real-time or after-the-fact for reasons of detection, deterrence, and prosecution. In certain embodiments, the attempted association can be done in one or more ways: i) comparing the UUID numbers of Transaction A and B and checking for a match, and/or ii) using the biometric data recovered or acquired during Transaction A and B and performing a match. The first method may be performed by first associating Transaction A to the UUID of the indexed record identified for Transaction A (Link 4A′), and similarly for Transaction B (Link 4B′). Then the recovered UUID numbers for Transaction A and B may be compared (Link 5′). The second biometric match method can be simple if the biometric used for Transaction A and B are the same. In such cases, those biometrics can be compared directly with each other, or with the reference biometric acquired at a time of registration/enrollment. However, the approach may be more complicated if Transaction A was performed with one biometric while Transaction B was performed with another biometric. In some embodiments, we may address this by choosing to match a biometric that is contained in both UUID records since not all biometric fields/structures in the USB may be populated. The biometric matching may select at least one biometric that was acquired at the time of either Transaction A or B, since this comprises very recent biometric information rather than just biometric information captured at the time of registration. This method of choosing overlapping biometrics may be represented by links 4A and 4B respectively for each of Transaction A and B. In one embodiment, it may be determined that the iris is the biometric in common with the two UBR records, and in the case of Transaction A, iris data was in fact acquired. Then, the chosen overlapping biometrics for Transaction A and B may be compared in Link 5. In this way, one biometric used in Transaction A can be biometrically associated to another biometric used in Transaction B using the UBR. This allows multiple biometrics to co-exist in the biometric chain of provenance.

In some embodiments, it may be difficult to acquire facial biometric data on a mobile device because the camera on the device is rear-facing and not front-facing, We may address this by placing a (e.g., small) mirror module at the point of transaction such that when the camera of the mobile device is placed near it, images of the user may be reflected and captured. This can be achieved, for example, by using a first mirror in the module that is oriented at a 45 degree angle to the camera\'s optical axis and a second mirror that is oriented at 90 degrees to the first mirror.

In some embodiments, it may be useful to acquire a second facial biometric from a different geometric perspective than the first facial biometric. For example, the first facial biometric may be acquired from the mobile device while the second facial biometric may be acquired from an existing security camera located in the ceiling for example, near the point of transaction, or from a webcam on the user\'s laptop. One possible advantage is that the second facial biometric can be configured to have a wider field of view of coverage than the first facial biometric and can capture context of any fraudulent activity. At the time of the transaction, images and/or video of the transaction can be acquired from both the first and second facial biometric cameras simultaneously. In order to reduce storage space for the biometric data for the transaction, imagery can be acquired from the second facial biometric camera from a (e.g., small) cut-out region covering the region near the transaction (e.g., point of sale). In some embodiments, the approach of capturing the same biometric from a different geometric perspective makes it harder to spoof the biometric capture. This is because a potential fraudster will likely need to plan the spoof from two perspectives simultaneously. In general, such an approach can add an extra layer of security, and biometric data from the different geometric perspectives can be checked to ensure the integrity of acquired biometrics linked to a transaction.

FIG. 2B shows a more detailed view of the UBR. The UBR may comprise multiple biometric records acquired at a time of registration/enrollment for a particular customer, for example, face, iris, voice, palm and fingerprint biometrics. The UUID may be a Universal Unique Identifier that is a number or identifier created to be unique over a population of customers or individuals. The UBR can contain an index to traditional personal information such as name, address and account number information.

Each link in the biometric chain of provenance may be subjected to a set of provenance rules. If any of those rules are breached within any link, then provenance may not be assured. In such a case, the transaction may be flagged and not allowed to proceed, or further forensic analysis may be performed on related BCPs to investigate further. FIG. 2C shows one embodiment of a summary of a BCP process. The column on the left shows certain steps in the provenance chain, as described above. The column in the middle gives a description of the link, and what associations are tested. The column on the right shows the result of the provenance check for that particular link. If all rules for all links pass successfully, then as shown at the bottom of the middle column, the concatenation of all the inferences from each link can lead to the conclusion that, in this case, the person performing Transaction A is the same as the person performing Transaction B.

The BCP can be performed not just between two transactions, but between multiple serial transactions or across a network of transactions where cross-validation of transactions may be performed in real-time or forensically. For example, FIG. 2D shows how the BCP maybe extended to validate transactions over a chain of multiple (e.g., four) transactions. FIG. 2E on the other hand, shows how the BCP may be extended to incorporate a network of transactions. Additional confirmation may be provided by validating against additional transactions. Such validation may take longer, but can provide added confirmation for higher value transactions. For example, if the transaction involves buying a coffee, then it may be appropriate to check the BCP for one or two transactions, for example appropriate to such a low-value transaction. However, if the transaction involves a significant purchase such as a car or house, then all or a substantial number of available BCP checks can be performed for both low and high value transactions previously performed, to check for consistency of the BCP.

One test of the Biometric Chain of Provenance may be that biometric chains of provenance should not overlap unless the same person is involved in the transaction(s). In other words, a further test of the BCP is the lack of matching to other BCPs. While it may be processor-intensive to test all possible combinations of matches of BCPs, such a process can be performed (e.g., by a biometric validation or integrity engine) as a background computing process and not on a transaction-by-transaction basis. Anomalies may be reported as they are detected.



Download full PDF for full patent description/claims.

Advertise on FreshPatents.com - Rates & Info


You can also Monitor Keywords and Search for tracking patents relating to this Biometric chain of provenance patent application.
###
monitor keywords

Browse recent Eyelock Inc. patents

Keyword Monitor How KEYWORD MONITOR works... a FREE service from FreshPatents
1. Sign up (takes 30 seconds). 2. Fill in the keywords to be monitored.
3. Each week you receive an email with patent applications related to your keywords.  
Start now! - Receive info on patent apps like Biometric chain of provenance or other areas of interest.
###


Previous Patent Application:
Operating device for operating a machine in the field of automation engineering
Next Patent Application:
Security system for containers
Industry Class:
Communications: electrical
Thank you for viewing the Biometric chain of provenance patent info.
- - - Apple patents, Boeing patents, Google patents, IBM patents, Jabil patents, Coca Cola patents, Motorola patents

Results in 0.89927 seconds


Other interesting Freshpatents.com categories:
Software:  Finance AI Databases Development Document Navigation Error

###

Data source: patent applications published in the public domain by the United States Patent and Trademark Office (USPTO). Information published here is for research/educational purposes only. FreshPatents is not affiliated with the USPTO, assignee companies, inventors, law firms or other assignees. Patent applications, documents and images may contain trademarks of the respective companies/authors. FreshPatents is not responsible for the accuracy, validity or otherwise contents of these public document patent application filings. When possible a complete PDF is provided, however, in some cases the presented document/images is an abstract or sampling of the full patent application for display purposes. FreshPatents.com Terms/Support
-g2-0.3093
Key IP Translations - Patent Translations

     SHARE
  
           

stats Patent Info
Application #
US 20120268241 A1
Publish Date
10/25/2012
Document #
13450151
File Date
04/18/2012
USPTO Class
340/552
Other USPTO Classes
International Class
06F7/04
Drawings
43


Your Message Here(14K)


Biometric Device


Follow us on Twitter
twitter icon@FreshPatents

Eyelock Inc.

Browse recent Eyelock Inc. patents