Distributed techniques for detecting atypical or malicious wireless communications activity

  • US 10,419,458 B2
  • Filed: 01/17/2017
  • Issued: 09/17/2019
  • Est. Priority Date: 01/21/2016
  • Status: Active Grant
First Claim
1. A method in a server implemented by one or more server end stations for detecting atypical or malicious wireless communications activity via one or more of a plurality of Protects, wherein the plurality of Protects are electronic devices operable to observe wireless communications activity over a plurality of wireless protocols, the method comprising:

  • receiving, at the server, observation data sent by the plurality of Protects, wherein the observation data received from each of the plurality of Protects comprises data from wireless messages sniffed by that Protect or statistical data generated by that Protect based upon the wireless messages sniffed by that Protect, wherein at least one of the plurality of Protects is a mobile device that does not have a fixed location, wherein the plurality of Protects are sniffers in that they are neither a source of the wireless messages nor an intended recipient of the wireless messages;

  • generating, by the server, a plurality of sets of filters based at least in part upon the received observation data, wherein each of the plurality of sets of filters is:

      • specific to one or more but not all of the plurality of Protects,
      • generated based upon at least some of the received observation data transmitted by the one or more Protects, and
      • can be used to distinguish between those of future sniffed wireless messages that are to be discarded by the one or more Protects and those of the future sniffed wireless messages that are to be reported to the server;

  • transmitting, by the server, each of the plurality of sets of filters to the corresponding one or more of the plurality of Protects to cause the plurality of Protects to process the future sniffed wireless messages utilizing the plurality of sets of filters;

  • receiving, at the server, an alert message transmitted by a first Protect of the plurality of Protects based upon an application, by the first Protect, of at least one of the plurality of sets of filters with regard to one or more additional wireless messages sniffed by the first Protect, wherein the alert message indicates that the one or more additional wireless messages involve atypical or malicious wireless communications activity;

  • responsive to the received alert message, executing, by the server, one or more false positive elimination procedures to determine whether the received alert message is a false positive, including:

      • obtaining, by the server, additional observation data from one or more other Protects of the plurality of Protects that provide a coverage overlap with the first Protect; and
      • determining, by the server, whether the additional observation data supports a conclusion that the one or more additional wireless messages involve atypical or malicious wireless communications activity; and

  • causing, by the server, an alert to be generated responsive to the one or more false positive elimination procedures determining that the alert message is not a false positive.
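The claimed server/Protect loop, as an added example that is not the patent's own code: the server derives a per-Protect filter from that Protect's baseline observations, a Protect reports only the messages its filter does not discard, and the server corroborates the report against Protects with overlapping coverage before an alert would be raised. The sample addresses, positions, sniffing range and the distance-based overlap rule are constructed assumptions.

```python
import math

# Constructed sample data (not from the patent): each Protect's baseline
# (source address, protocol) observations and its position at report time.
# Mobile Protects just report their current position each round.
BASELINE = {
    "protect-A": {"pos": (0.0, 0.0),
                  "obs": {("02:00:00:00:00:01", "wifi"), ("02:00:00:00:00:02", "ble")}},
    "protect-B": {"pos": (40.0, 0.0), "obs": {("02:00:00:00:00:01", "wifi")}},
    "protect-C": {"pos": (500.0, 0.0), "obs": {("02:00:00:00:00:09", "zigbee")}},
}
RANGE_M = 30.0  # assumed sniffing radius of one Protect, in metres

def generate_filters(baseline):
    """Server: one filter per Protect, built only from that Protect's own data.
    Sources seen in the baseline are 'typical' and discarded locally later;
    anything else is reported to the server."""
    return {pid: set(rec["obs"]) for pid, rec in baseline.items()}

def apply_filter(filters, pid, sniffed):
    """Protect: keep only the sniffed messages its filter does not discard."""
    return [m for m in sniffed if m not in filters[pid]]

def overlapping_protects(baseline, pid, rng=RANGE_M):
    """Server: Protects whose coverage circle intersects pid's, from last positions."""
    here = baseline[pid]["pos"]
    return {q for q, rec in baseline.items()
            if q != pid and math.dist(here, rec["pos"]) <= 2 * rng}

def eliminate_false_positives(baseline, alerting_pid, reported, recent):
    """Server: corroborate each reported message with overlapping Protects' recent
    observations. Returns {message: 'confirmed' | 'false_positive' | 'unverified'}."""
    peers = overlapping_protects(baseline, alerting_pid)
    verdicts = {}
    for msg in reported:
        if not peers:
            verdicts[msg] = "unverified"      # no overlap: nothing to corroborate
        elif any(msg in recent.get(q, set()) for q in peers):
            verdicts[msg] = "confirmed"       # a second vantage point saw it too
        else:
            verdicts[msg] = "false_positive"  # peers in range saw nothing
    return verdicts

def run_round(baseline, pid, sniffed, recent):
    """One cycle: server issues filters, Protect pid reports, server verifies.
    Only 'confirmed' verdicts would lead to the final alert being generated."""
    filters = generate_filters(baseline)
    reported = apply_filter(filters, pid, sniffed)
    return eliminate_false_positives(baseline, pid, reported, recent) if reported else {}
```

The "unverified" verdict is the case the claim leaves open: a Protect with no coverage overlap (here a far-away or mobile one) cannot be corroborated, so a deployment needs a policy for it rather than silently treating it as confirmed or dismissed.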

  • 1 Assignment