Distributed techniques for detecting atypical or malicious wireless communications activity

US 10,419,458 B2
Filed: 01/17/2017
Issued: 09/17/2019
Est. Priority Date: 01/21/2016
Status: Active Grant

First Claim

Patent Images

1. A method in a server implemented by one or more server end stations for detecting atypical or malicious wireless communications activity via one or more of a plurality of Protects, wherein the plurality of Protects are electronic devices operable to observe wireless communications activity over a plurality of wireless protocols, the method comprising:

receiving, at the server, observation data sent by the plurality of Protects, wherein the observation data received from each of the plurality of Protects comprises data from wireless messages sniffed by that Protect or statistical data generated by that Protect based upon the wireless messages sniffed by that Protect, wherein at least one of the plurality of Protects is a mobile device that does not have a fixed location, wherein the plurality of Protects are sniffers in that they are neither a source of the wireless messages nor an intended recipient of the wireless messages;

generating, by the server, a plurality of sets of filters based at least in part upon the received observation data, wherein each of the plurality of sets of filters is;

specific to one or more but not all of the plurality of Protects,generated based upon at least some of the received observation data transmitted by the one or more Protects, andcan be used to distinguish between those of future sniffed wireless messages that are to be discarded by the one or more Protects and those of the future sniffed wireless messages that are to be reported to the server;

transmitting, by the server, each of the plurality of sets of filters to the corresponding one or more of the plurality of Protects to cause the plurality of Protects to process the future sniffed wireless messages utilizing the plurality of sets of filters;

receiving, at the server, an alert message transmitted by a first Protect of the plurality of Protects based upon an application, by the first Protect, of at least one of the plurality of sets of filters with regard to one or more additional wireless messages sniffed by the first Protect, wherein the alert message indicates that the one or more additional wireless messages involve atypical or malicious wireless communications activity;

responsive to the received alert message, executing, by the server, one or more false positive elimination procedures to determine whether the received alert message is a false positive, including;

obtaining, by the server, additional observation data from one or more other Protects of the plurality of Protects that provide a coverage overlap with the first Protect; and

determining, by the server, whether the additional observation data supports a conclusion that the one or more additional wireless messages involve atypical or malicious wireless communications activity; and

causing, by the server, an alert to be generated responsive to the one or more false positive elimination procedures determining that the alert message is not a false positive.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Distributed techniques for detecting atypical or malicious wireless communications activity are disclosed. A server can iteratively generate sets of filters based at least in part upon observation data received from one or more Protects. The filters can be used by the Protect(s) to distinguish between sniffed wireless messages that are to be discarded and those that are to be reported to the server. The server can provide the generated sets of filters to the Protect(s) to cause the Protect(s) to process additional sniffed wireless messages utilizing the one or more sets of filters. Updated filters can cause fewer subsequent sniffed wireless messages to be reported than would have been reported by use of previous filters. Limited activity reporting by the Protect(s) enables a reduced communication load compared to full activity reporting without degrading the ability of the server to detect the atypical or malicious wireless communications activity.

Citations

28 Claims

1. A method in a server implemented by one or more server end stations for detecting atypical or malicious wireless communications activity via one or more of a plurality of Protects, wherein the plurality of Protects are electronic devices operable to observe wireless communications activity over a plurality of wireless protocols, the method comprising:
- receiving, at the server, observation data sent by the plurality of Protects, wherein the observation data received from each of the plurality of Protects comprises data from wireless messages sniffed by that Protect or statistical data generated by that Protect based upon the wireless messages sniffed by that Protect, wherein at least one of the plurality of Protects is a mobile device that does not have a fixed location, wherein the plurality of Protects are sniffers in that they are neither a source of the wireless messages nor an intended recipient of the wireless messages;
  
  generating, by the server, a plurality of sets of filters based at least in part upon the received observation data, wherein each of the plurality of sets of filters is;
  
  specific to one or more but not all of the plurality of Protects,generated based upon at least some of the received observation data transmitted by the one or more Protects, andcan be used to distinguish between those of future sniffed wireless messages that are to be discarded by the one or more Protects and those of the future sniffed wireless messages that are to be reported to the server;
  
  transmitting, by the server, each of the plurality of sets of filters to the corresponding one or more of the plurality of Protects to cause the plurality of Protects to process the future sniffed wireless messages utilizing the plurality of sets of filters;
  
  receiving, at the server, an alert message transmitted by a first Protect of the plurality of Protects based upon an application, by the first Protect, of at least one of the plurality of sets of filters with regard to one or more additional wireless messages sniffed by the first Protect, wherein the alert message indicates that the one or more additional wireless messages involve atypical or malicious wireless communications activity;
  
  responsive to the received alert message, executing, by the server, one or more false positive elimination procedures to determine whether the received alert message is a false positive, including;
  
  obtaining, by the server, additional observation data from one or more other Protects of the plurality of Protects that provide a coverage overlap with the first Protect; and
  
  determining, by the server, whether the additional observation data supports a conclusion that the one or more additional wireless messages involve atypical or malicious wireless communications activity; and
  
  causing, by the server, an alert to be generated responsive to the one or more false positive elimination procedures determining that the alert message is not a false positive.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, wherein the one or more false positive elimination procedures includes:
    - determining, by the server based at least in part upon the received observation data, whether the one or more additional wireless messages, which were sent by a device, are atypical with regard to previous activity of the device or with regard to previous activity of other devices of a same type as the device.
  - 3. The method of claim 1, wherein all communications between the plurality of Protects and the server occurs through one or more aggregation modules implemented by one or more devices located at one or more sites, wherein the plurality of Protects are located at least occasionally at the one or more sites.
  - 4. The method of claim 1, wherein at least one of plurality of Protects monitors at least two of the following wireless communications types:
    - Bluetooth;
      
      Bluetooth Low Energy;
      
      Wi-Fi;
      
      Zigbee; and
      
      Cellular.
  - 5. The method of claim 4, wherein the plurality of Protects collectively monitor at least three of the wireless communications types.
  - 6. The method of claim 1, wherein at least one of the plurality of Protects is battery-powered.
  - 7. The method of claim 1, wherein the one or more additional wireless messages involve atypical or malicious wireless communications activity due to the one or more additional wireless messages:
    - involving a communication with a blacklisted network address or resource identifier;
      
      matching a defined pattern of activity known to be a signature of an attack;
      
      orinvolving an unknown device not previously observed by the plurality of Protects.
  - 8. The method of claim 1, wherein the one or more additional wireless messages involve atypical or malicious wireless communications activity due to the one or more additional wireless messages involving:
    - a previously-observed device communicating at a new location;
      
      oran amount of data being transmitted by a device that is greater than a threshold amount of data.
  - 9. The method of claim 1, wherein at least one of the plurality of Protects is deployed at a different geographic location or building than another one of the plurality of Protects.

10. A non-transitory computer-readable storage medium having instructions which, when executed by one or more processors of one or more server end stations, cause the one or more server end stations to implement a server to perform operations to detect atypical or malicious wireless communications activity via one or more of a plurality of Protects, wherein the plurality of Protects are electronic devices operable to observe wireless communications activity over a plurality of wireless protocols, wherein the operations include:
- receiving observation data sent by the plurality of Protects, wherein the observation data received from each of the plurality of Protects comprises data from wireless messages sniffed by that Protect or statistical data generated by that Protect based upon the wireless messages sniffed by that Protect, wherein at least one of the plurality of Protects is a mobile device that does not have a fixed location, wherein the plurality of Protects are sniffers in that they are neither a source of the wireless messages nor an intended recipient of the wireless messages;
  
  generating a plurality of sets of filters based at least in part upon the received observation data, wherein each of the plurality of sets of filters is;
  
  specific to one or more but not all of the plurality of Protects,generated based upon at least some of the received observation data transmitted by the one or more Protects, andcan be used to distinguish between those of future sniffed wireless messages that are to be discarded by the one or more Protects and those of the future sniffed wireless messages that are to be reported to the server;
  
  transmitting each of the plurality of sets of filters to the corresponding one or more of the plurality of Protects to cause the plurality of Protects to process the future sniffed wireless messages utilizing the plurality of sets of filters;
  
  receiving an alert message transmitted by a first Protect of the plurality of Protects based upon an application, by the first Protect, of at least one of the plurality of sets of filters with regard to one or more additional wireless messages sniffed by the first Protect, wherein the alert message indicates that the one or more additional wireless messages involve atypical or malicious wireless communications activity;
  
  responsive to the received alert message, executing one or more false positive elimination procedures to determine whether the received alert message is a false positive, including;
  
  obtaining additional observation data from one or more other Protects of the plurality of Protects that provide a coverage overlap with the first Protect; and
  
  determining whether the additional observation data supports a conclusion that the one or more additional wireless messages involve atypical or malicious wireless communications activity; and
  
  causing an alert to be generated responsive to the one or more false positive elimination procedures determining that the alert message is not a false positive.
- View Dependent Claims (11, 12, 13, 14)
- - 11. The non-transitory computer-readable storage medium of claim 10, wherein the one or more false positive elimination procedures includes:
    - determining, based at least in part upon the received observation data, whether the one or more additional wireless messages, which were sent by a device, are atypical with regard to previous activity of the device or with regard to previous activity of other devices of a same type as the device.
  - 12. The non-transitory computer-readable storage medium of claim 10, wherein all communications between the plurality of Protects and the server occurs through one or more aggregation modules implemented by one or more devices located at one or more sites, wherein the plurality of Protects are located at least occasionally at the one or more sites.
  - 13. The non-transitory computer-readable storage medium of claim 10, wherein at least one of plurality of Protects monitors at least two of the following wireless communications types:
    - Bluetooth;
      
      Bluetooth Low Energy;
      
      Wi-Fi;
      
      Zigbee; and
      
      Cellular.
  - 14. The non-transitory computer-readable storage medium of claim 13, wherein the plurality of Protects collectively monitor at least three of the wireless communications types.

15. A method in a server implemented by one or more server end stations for efficiently detecting atypical or malicious wireless communications activity via one or more Protects despite limited activity reporting from the one or more Protects to the server, wherein the limited activity reporting enables a communication load between the one or more Protects and the server to be reduced compared to full activity reporting without degrading the ability of the server to detect the atypical or malicious wireless communications activity, wherein each of the one or more Protects is an electronic device operable to observe wireless communications activity over a plurality of wireless protocols, the method comprising:
- generating, by the server, one or more sets of filters based at least in part upon observation data received from the one or more Protects, wherein the one or more sets of filters can be used by the one or more Protects to distinguish between sniffed wireless messages that are to be discarded by the one or more Protects due to being representative of normal network activity and other sniffed wireless messages that are to be reported to the server due to not being representative of normal network activity or being representative of known malicious activity, wherein the observation data resulted from the one or more Protects applying a previous one or more sets of filters and includes data from previous wireless messages sniffed by the one or more Protects or statistical data generated by the one or more Protects based upon the previous wireless messages;
  
  transmitting, by the server, the one or more sets of filters to the one or more Protects to cause the one or more Protects to process additional sniffed wireless messages utilizing the one or more sets of filters;
  
  receiving, at the server, additional observation data sent by the one or more Protects based upon the one or more Protects applying the one or more sets of filters, wherein the additional observation data comprises data from the additional sniffed wireless messages or statistical data generated based upon at least some of the additional sniffed wireless messages, wherein the one or more sets of filters caused fewer of the additional sniffed wireless messages to be reported than would have been reported if the previous one or more sets of filters had been applied to the additional sniffed wireless messages; and
  
  responsive to an alert message received by a first Protect of the one or more Protects, executing one or more false positive elimination procedures to determine whether the alert message is a false positive, including;
  
  obtaining additional observation data from at least a second Protect of the one or more Protects that provides a coverage overlap with the first Protect; and
  
  determining whether the additional observation data supports a conclusion that one or more wireless messages that caused the first Protect to issue the alert message involve atypical or malicious wireless communications activity.
- View Dependent Claims (16, 17, 18, 19, 20, 21)
- - 16. The method of claim 15, wherein:
    - the one or more Protects includes a plurality of Protects;
      
      a first set of one or more of the plurality of Protects are mobile devices that do not have a fixed location; and
      
      a second set of one or more of the plurality of Protects utilize wired energy sources and have a fixed location during use.
  - 17. The method of claim 16, wherein each of the second set of Protects are configured to report back to the server comparatively more wireless communications activity than those of the first set of Protects.
  - 18. The method of claim 15, wherein all communications between the one or more Protects and the server occurs through one or more aggregation modules implemented by one or devices located at one or more sites, wherein the one or more Protects are located at least occasionally at the one or more sites.
  - 19. The method of claim 15, wherein the one or more sets of filters include at least one rule-based attack detection filter and at least one anomaly detection filter.
  - 20. The method of claim 15, wherein the generating of the one or more sets of filters includes:
    - computing, by the server, one or more models based upon the observation data via one or more machine learning algorithms, wherein each of the one or more models is a compact mathematical representation representing normal wireless communications activity represented by the observation data; and
      
      compiling, by the server, the one or more models into the one or more sets of filters.
  - 21. The method of claim 15, wherein the one or more sets of filters allow each of the one or more Protects to determine a degree of abnormality of the additional sniffed wireless messages.

22. A non-transitory computer-readable storage medium having instructions which, when executed by one or more processors of one or more server end stations, cause the one or more server end stations to implement a server to perform operations to efficiently detect atypical or malicious wireless communications activity via one or more Protects despite limited activity reporting from the one or more Protects to the server, wherein the limited activity reporting enables a communication load between the one or more Protects and the server to be reduced compared to full activity reporting without degrading the ability of the server to detect the atypical or malicious wireless communications activity, wherein each of the one or more Protects is an electronic device operable to observe wireless communications activity over a plurality of wireless protocols, wherein the operations include:
- generating one or more sets of filters based at least in part upon observation data received from the one or more Protects, wherein the one or more sets of filters can be used by the one or more Protects to distinguish between sniffed wireless messages that are to be discarded by the one or more Protects due to being representative of normal network activity and other sniffed wireless messages that are to be reported to the server due to not being representative of normal network activity or being representative of known malicious activity, wherein the observation data resulted from the one or more Protects applying a previous one or more sets of filters and includes data from previous wireless messages sniffed by the one or more Protects or statistical data generated by the one or more Protects based upon the previous wireless messages;
  
  transmitting the one or more sets of filters to the one or more Protects to cause the one or more Protects to process additional sniffed wireless messages utilizing the one or more sets of filters;
  
  receiving additional observation data sent by the one or more Protects based upon the one or more Protects applying the one or more sets of filters, wherein the additional observation data comprises data from the additional sniffed wireless messages or statistical data generated based upon at least some of the additional sniffed wireless messages, wherein the one or more sets of filters caused fewer of the additional sniffed wireless messages to be reported than would have been reported if the previous one or more sets of filters had been applied to the additional sniffed wireless messages; and
  
  responsive to an alert message received by a first Protect of the one or more Protects, executing one or more false positive elimination procedures to determine whether the alert message is a false positive, including;
  
  obtaining additional observation data from at least a second Protect of the one or more Protects that provides a coverage overlap with the first Protect; and
  
  determining whether the additional observation data supports a conclusion that one or more wireless messages that caused the first Protect to issue the alert message involve atypical or malicious wireless communications activity.
- View Dependent Claims (23, 24, 25, 26, 27, 28)
- - 23. The non-transitory computer-readable storage medium of claim 22, wherein:
    - the one or more Protects includes a plurality of Protects;
      
      a first set of one or more of the plurality of Protects are mobile devices that do not have a fixed location; and
      
      a second set of one or more of the plurality of Protects utilize wired energy sources and have a fixed location during use.
  - 24. The non-transitory computer-readable storage medium of claim 23, wherein each of the second set of Protects are configured to report back to the server comparatively more wireless communications activity than those of the first set of Protects.
  - 25. The non-transitory computer-readable storage medium of claim 22, wherein all communications between the one or more Protects and the server occurs through one or more aggregation modules implemented by one or devices located at one or more sites, wherein the one or more Protects are located at least occasionally at the one or more sites.
  - 26. The non-transitory computer-readable storage medium of claim 22, wherein the one or more sets of filters include at least one rule-based attack detection filter and at least one anomaly detection filter.
  - 27. The non-transitory computer-readable storage medium of claim 22, wherein the generating of the one or more sets of filters includes:
    - computing one or more models based upon the observation data via one or more machine learning algorithms, wherein each of the one or more models is a compact mathematical representation representing normal wireless communications activity represented by the observation data; and
      
      compiling the one or more models into the one or more sets of filters.
  - 28. The non-transitory computer-readable storage medium of claim 22, wherein the one or more sets of filters allow each of the one or more Protects to determine a degree of abnormality of the additional sniffed wireless messages.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cyiot Ltd.
Original Assignee
Cyiot Ltd.
Inventors
Moscovici, Daniel, Bandler, Natan, Schuster, Assaf
Primary Examiner(s)
Siddiqi, Mohammad A

Application Number

US15/407,886
Publication Number

US 20170214702A1
Time in Patent Office

973 Days
Field of Search
US Class Current
CPC Class Codes

H04L 43/028   by filtering

H04L 43/062   related to network traffic

H04L 43/20   the monitoring system or th...

H04L 63/0263   Rule management

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04W 12/106   Packet or message integrity

H04W 12/122   Counter-measures against at...

H04W 12/125   Protection against power ex...

H04W 12/126   Anti-theft arrangements, e....

H04W 12/128   Anti-malware arrangements, ...

H04W 4/80   Services using short range ...

H04W 84/042   Public Land Mobile systems,...

H04W 84/12   WLAN [Wireless Local Area N...

Distributed techniques for detecting atypical or malicious wireless communications activity

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

28 Claims

Specification

Solutions

Use Cases

Quick Links

Distributed techniques for detecting atypical or malicious wireless communications activity

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

28 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links