Distributed techniques for detecting atypical or malicious wireless communications activity
First Claim
1. A method in a server implemented by one or more server end stations for detecting atypical or malicious wireless communications activity via one or more of a plurality of Protects, wherein the plurality of Protects are electronic devices operable to observe wireless communications activity over a plurality of wireless protocols, the method comprising:
receiving, at the server, observation data sent by the plurality of Protects, wherein the observation data received from each of the plurality of Protects comprises data from wireless messages sniffed by that Protect or statistical data generated by that Protect based upon the wireless messages sniffed by that Protect, wherein at least one of the plurality of Protects is a mobile device that does not have a fixed location, wherein the plurality of Protects are sniffers in that they are neither a source of the wireless messages nor an intended recipient of the wireless messages;
generating, by the server, a plurality of sets of filters based at least in part upon the received observation data, wherein each of the plurality of sets of filters is:
specific to one or more but not all of the plurality of Protects,
generated based upon at least some of the received observation data transmitted by the one or more Protects, and
can be used to distinguish between those of future sniffed wireless messages that are to be discarded by the one or more Protects and those of the future sniffed wireless messages that are to be reported to the server;
transmitting, by the server, each of the plurality of sets of filters to the corresponding one or more of the plurality of Protects to cause the plurality of Protects to process the future sniffed wireless messages utilizing the plurality of sets of filters;
receiving, at the server, an alert message transmitted by a first Protect of the plurality of Protects based upon an application, by the first Protect, of at least one of the plurality of sets of filters with regard to one or more additional wireless messages sniffed by the first Protect, wherein the alert message indicates that the one or more additional wireless messages involve atypical or malicious wireless communications activity;
responsive to the received alert message, executing, by the server, one or more false positive elimination procedures to determine whether the received alert message is a false positive, including:
obtaining, by the server, additional observation data from one or more other Protects of the plurality of Protects that provide a coverage overlap with the first Protect; and
determining, by the server, whether the additional observation data supports a conclusion that the one or more additional wireless messages involve atypical or malicious wireless communications activity; and
causing, by the server, an alert to be generated responsive to the one or more false positive elimination procedures determining that the alert message is not a false positive.
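The method of claim 1, worked through as an added Python simulation. This is example code written for this page, not code from the patent or its assignee: the Frame, FilterSet, Protect and Server classes, the zone-based coverage model, the allowlist filters keyed on (protocol, transmitter address, SSID), the "watched SSID" alert rule and the corroboration policy are all assumptions of the example. It shows the per-Protect filter generation, the local discard/report split on each sniffer, an alert from one Protect, and the server's false-positive elimination using Protects whose coverage overlaps the reporter. The mobile Protect's filters were built where it used to stand, so after it moves it flags a legitimate access point; only the alert that a second vantage point also regards as abnormal survives.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed model of a sniffed wireless message, reduced to the fields the
# example's filters inspect. (proto, src, ssid) is the identity a filter keys on.
@dataclass(frozen=True)
class Frame:
    proto: str            # "wifi" or "ble": Protects observe several protocols
    src: str              # transmitter address (BSSID or BLE advertiser address)
    ssid: Optional[str]   # None for protocols without an SSID
    zone: str             # area where the message is audible (hypothetical coverage model)

Key = Tuple[str, str, Optional[str]]

@dataclass
class FilterSet:
    """The set of filters the server issues to one Protect (example structure)."""
    discard: Set[Key]         # triples representative of that Protect's normal traffic
    watched_ssids: Set[str]   # SSIDs that are alert-worthy when seen from an unlisted source

@dataclass
class Protect:
    name: str
    zones: Set[str]                                    # coverage; the mobile Protect's changes
    recent: List[Frame] = field(default_factory=list)  # messages sniffed since the last report
    filters: Optional[FilterSet] = None

    def sniff(self, on_air: List[Frame]) -> List[Frame]:
        """A sniffer hears whatever is transmitted inside its coverage zones."""
        self.recent = [f for f in on_air if f.zone in self.zones]
        return self.recent

    def process(self) -> Tuple[List[Frame], List[Tuple[str, Key]]]:
        """Apply the server-issued filters: discard normal traffic, report the rest,
        and alert on a watched SSID coming from a source outside the baseline."""
        reported, alerts = [], []
        for f in self.recent:
            key: Key = (f.proto, f.src, f.ssid)
            if key in self.filters.discard:
                continue                       # normal activity: dropped locally, never sent
            reported.append(f)
            if f.ssid in self.filters.watched_ssids:
                alerts.append((self.name, key))
        return reported, alerts

class Server:
    def __init__(self, watched_ssids: Set[str]):
        self.watched_ssids = set(watched_ssids)

    def generate_filters(self, protects: List[Protect]) -> Dict[str, FilterSet]:
        """One filter set per Protect, built from that Protect's own observation data."""
        return {p.name: FilterSet({(f.proto, f.src, f.ssid) for f in p.recent},
                                  self.watched_ssids) for p in protects}

    def is_corroborated(self, alert: Tuple[str, Key], protects: List[Protect]) -> bool:
        """False-positive elimination: query Protects whose coverage overlaps the reporter.
        Example policy: the alert stands only if an overlapping Protect also heard the
        source and does not regard it as normal under its own filters."""
        reporter, key = alert
        first = next(p for p in protects if p.name == reporter)
        for p in protects:
            if p is first or not (p.zones & first.zones):
                continue
            heard = any((f.proto, f.src, f.ssid) == key for f in p.recent)
            if heard and key not in p.filters.discard:
                return True
        return False

def run_scenario() -> dict:
    # Constructed baseline: two legitimate corporate APs and one BLE printer.
    corp_ap1 = Frame("wifi", "aa:bb:cc:00:00:01", "corp-wifi", "lobby")
    corp_ap2 = Frame("wifi", "aa:bb:cc:00:00:02", "corp-wifi", "floor2")
    printer = Frame("ble", "11:22:33:44:55:66", None, "lobby")
    fixed_lobby = Protect("P-lobby", {"lobby", "stairs"})
    fixed_floor2 = Protect("P-floor2", {"floor2"})
    mobile = Protect("P-mobile", {"lobby"})       # handheld sniffer, currently in the lobby
    protects = [fixed_lobby, fixed_floor2, mobile]
    server = Server(watched_ssids={"corp-wifi"})

    baseline = [corp_ap1, corp_ap2, printer]
    for p in protects:
        p.sniff(baseline)                          # observation data reported to the server
    for name, fs in server.generate_filters(protects).items():
        next(p for p in protects if p.name == name).filters = fs   # filters transmitted

    # Later: an unlisted BSSID advertises the corporate SSID near the stairwell, and the
    # mobile sniffer has walked to the stairs/floor2 area carrying lobby-trained filters.
    rogue = Frame("wifi", "de:ad:be:ef:00:01", "corp-wifi", "stairs")
    mobile.zones = {"stairs", "floor2"}
    for p in protects:
        p.sniff(baseline + [rogue])

    reported_total, alerts = 0, []
    for p in protects:
        reported, found = p.process()
        reported_total += len(reported)
        alerts.extend(found)
    confirmed, false_positives = set(), []
    for alert in alerts:
        if server.is_corroborated(alert, protects):
            confirmed.add(alert[1])
        else:
            false_positives.append(alert)
    return {"reported": reported_total, "alerts": alerts,
            "confirmed": confirmed, "false_positives": false_positives}

if __name__ == "__main__":
    print(run_scenario())
```

Three messages out of nine sniffed are reported and three alerts are raised; the rogue BSSID is confirmed from two vantage points, while the mobile Protect's alert on the legitimate floor-2 AP is discarded because the Protect covering that floor holds it in its own baseline.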
Abstract
Distributed techniques for detecting atypical or malicious wireless communications activity are disclosed. A server can iteratively generate sets of filters based at least in part upon observation data received from one or more Protects. The filters can be used by the Protect(s) to distinguish between sniffed wireless messages that are to be discarded and those that are to be reported to the server. The server can provide the generated sets of filters to the Protect(s) to cause the Protect(s) to process additional sniffed wireless messages utilizing the one or more sets of filters. Updated filters can cause fewer subsequent sniffed wireless messages to be reported than would have been reported by use of previous filters. Limited activity reporting by the Protect(s) enables a reduced communication load compared to full activity reporting without degrading the ability of the server to detect the atypical or malicious wireless communications activity.
28 Claims
1. Independent claim 1 (text given in full under First Claim above). Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9
10. A non-transitory computer-readable storage medium having instructions which, when executed by one or more processors of one or more server end stations, cause the one or more server end stations to implement a server to perform operations to detect atypical or malicious wireless communications activity via one or more of a plurality of Protects, wherein the plurality of Protects are electronic devices operable to observe wireless communications activity over a plurality of wireless protocols, wherein the operations include:
receiving observation data sent by the plurality of Protects, wherein the observation data received from each of the plurality of Protects comprises data from wireless messages sniffed by that Protect or statistical data generated by that Protect based upon the wireless messages sniffed by that Protect, wherein at least one of the plurality of Protects is a mobile device that does not have a fixed location, wherein the plurality of Protects are sniffers in that they are neither a source of the wireless messages nor an intended recipient of the wireless messages;
generating a plurality of sets of filters based at least in part upon the received observation data, wherein each of the plurality of sets of filters is:
specific to one or more but not all of the plurality of Protects,
generated based upon at least some of the received observation data transmitted by the one or more Protects, and
can be used to distinguish between those of future sniffed wireless messages that are to be discarded by the one or more Protects and those of the future sniffed wireless messages that are to be reported to the server;
transmitting each of the plurality of sets of filters to the corresponding one or more of the plurality of Protects to cause the plurality of Protects to process the future sniffed wireless messages utilizing the plurality of sets of filters;
receiving an alert message transmitted by a first Protect of the plurality of Protects based upon an application, by the first Protect, of at least one of the plurality of sets of filters with regard to one or more additional wireless messages sniffed by the first Protect, wherein the alert message indicates that the one or more additional wireless messages involve atypical or malicious wireless communications activity;
responsive to the received alert message, executing one or more false positive elimination procedures to determine whether the received alert message is a false positive, including:
obtaining additional observation data from one or more other Protects of the plurality of Protects that provide a coverage overlap with the first Protect; and
determining whether the additional observation data supports a conclusion that the one or more additional wireless messages involve atypical or malicious wireless communications activity; and
causing an alert to be generated responsive to the one or more false positive elimination procedures determining that the alert message is not a false positive.
Dependent claims: 11, 12, 13, 14
15. A method in a server implemented by one or more server end stations for efficiently detecting atypical or malicious wireless communications activity via one or more Protects despite limited activity reporting from the one or more Protects to the server, wherein the limited activity reporting enables a communication load between the one or more Protects and the server to be reduced compared to full activity reporting without degrading the ability of the server to detect the atypical or malicious wireless communications activity, wherein each of the one or more Protects is an electronic device operable to observe wireless communications activity over a plurality of wireless protocols, the method comprising:
generating, by the server, one or more sets of filters based at least in part upon observation data received from the one or more Protects, wherein the one or more sets of filters can be used by the one or more Protects to distinguish between sniffed wireless messages that are to be discarded by the one or more Protects due to being representative of normal network activity and other sniffed wireless messages that are to be reported to the server due to not being representative of normal network activity or being representative of known malicious activity, wherein the observation data resulted from the one or more Protects applying a previous one or more sets of filters and includes data from previous wireless messages sniffed by the one or more Protects or statistical data generated by the one or more Protects based upon the previous wireless messages;
transmitting, by the server, the one or more sets of filters to the one or more Protects to cause the one or more Protects to process additional sniffed wireless messages utilizing the one or more sets of filters;
receiving, at the server, additional observation data sent by the one or more Protects based upon the one or more Protects applying the one or more sets of filters, wherein the additional observation data comprises data from the additional sniffed wireless messages or statistical data generated based upon at least some of the additional sniffed wireless messages, wherein the one or more sets of filters caused fewer of the additional sniffed wireless messages to be reported than would have been reported if the previous one or more sets of filters had been applied to the additional sniffed wireless messages; and
responsive to an alert message received by a first Protect of the one or more Protects, executing one or more false positive elimination procedures to determine whether the alert message is a false positive, including:
obtaining additional observation data from at least a second Protect of the one or more Protects that provides a coverage overlap with the first Protect; and
determining whether the additional observation data supports a conclusion that one or more wireless messages that caused the first Protect to issue the alert message involve atypical or malicious wireless communications activity.
Dependent claims: 16, 17, 18, 19, 20, 21
22. A non-transitory computer-readable storage medium having instructions which, when executed by one or more processors of one or more server end stations, cause the one or more server end stations to implement a server to perform operations to efficiently detect atypical or malicious wireless communications activity via one or more Protects despite limited activity reporting from the one or more Protects to the server, wherein the limited activity reporting enables a communication load between the one or more Protects and the server to be reduced compared to full activity reporting without degrading the ability of the server to detect the atypical or malicious wireless communications activity, wherein each of the one or more Protects is an electronic device operable to observe wireless communications activity over a plurality of wireless protocols, wherein the operations include:
generating one or more sets of filters based at least in part upon observation data received from the one or more Protects, wherein the one or more sets of filters can be used by the one or more Protects to distinguish between sniffed wireless messages that are to be discarded by the one or more Protects due to being representative of normal network activity and other sniffed wireless messages that are to be reported to the server due to not being representative of normal network activity or being representative of known malicious activity, wherein the observation data resulted from the one or more Protects applying a previous one or more sets of filters and includes data from previous wireless messages sniffed by the one or more Protects or statistical data generated by the one or more Protects based upon the previous wireless messages;
transmitting the one or more sets of filters to the one or more Protects to cause the one or more Protects to process additional sniffed wireless messages utilizing the one or more sets of filters;
receiving additional observation data sent by the one or more Protects based upon the one or more Protects applying the one or more sets of filters, wherein the additional observation data comprises data from the additional sniffed wireless messages or statistical data generated based upon at least some of the additional sniffed wireless messages, wherein the one or more sets of filters caused fewer of the additional sniffed wireless messages to be reported than would have been reported if the previous one or more sets of filters had been applied to the additional sniffed wireless messages; and
responsive to an alert message received by a first Protect of the one or more Protects, executing one or more false positive elimination procedures to determine whether the alert message is a false positive, including:
obtaining additional observation data from at least a second Protect of the one or more Protects that provides a coverage overlap with the first Protect; and
determining whether the additional observation data supports a conclusion that one or more wireless messages that caused the first Protect to issue the alert message involve atypical or malicious wireless communications activity.
Dependent claims: 23, 24, 25, 26, 27, 28
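The iterative filter refinement of claims 15 and 22 (and the Abstract), as an added Python example that is not the patent's or its assignee's code. Here a Protect reports statistical data, frames sniffed per transmitter address per interval, rather than raw messages; the server learns a normal band for each transmitter once it has been reported for min_rounds intervals, and the next filter set suppresses sources whose count stays inside their band, while any source the filters have never seen is still reported. The FilterServer class, the band rule, the ROUNDS statistics and the thresholds are constructed for the example. For each interval it records what the current filters report next to what the previous filter set would have reported, which is the comparison the claim makes; the corroboration step is not repeated here.

```python
from collections import defaultdict
from statistics import mean, pstdev
from typing import Dict, List, Tuple

Band = Tuple[float, float]   # inclusive (low, high) bounds of a learned normal count

def protect_report(counts: Dict[str, int], filters: Dict[str, Band]) -> Dict[str, int]:
    """One reporting interval on a Protect. `counts` is the statistical data it generated
    (frames per transmitter address). A source whose count lies inside its learned band
    is discarded locally; everything else, unknown sources included, is reported."""
    return {src: n for src, n in counts.items()
            if not (src in filters and filters[src][0] <= n <= filters[src][1])}

class FilterServer:
    """Builds the next filter set from the observation data the previous one let through."""
    def __init__(self, margin: float = 2.0, min_rounds: int = 2):
        self.history: Dict[str, List[int]] = defaultdict(list)
        self.margin = margin          # band half-width in standard deviations (assumption)
        self.min_rounds = min_rounds  # intervals a source must be seen before it is learned

    def ingest(self, reported: Dict[str, int]) -> None:
        for src, n in reported.items():
            self.history[src].append(n)

    def generate_filters(self) -> Dict[str, Band]:
        filters: Dict[str, Band] = {}
        for src, xs in self.history.items():
            if len(xs) < self.min_rounds:
                continue               # not enough evidence yet; keep reporting it
            mu, half = mean(xs), max(self.margin * pstdev(xs), 1.0)   # never a zero-width band
            filters[src] = (mu - half, mu + half)
        return filters

# Constructed per-interval statistics from one Protect: two corporate APs with steady
# beacon counts, then an unlisted transmitter appearing in the third interval.
ROUNDS = [
    {"aa:bb:cc:00:00:01": 10, "aa:bb:cc:00:00:02": 12},
    {"aa:bb:cc:00:00:01": 11, "aa:bb:cc:00:00:02": 12},
    {"aa:bb:cc:00:00:01": 10, "aa:bb:cc:00:00:02": 13, "de:ad:be:ef:00:01": 50},
    {"aa:bb:cc:00:00:01": 11, "aa:bb:cc:00:00:02": 12, "de:ad:be:ef:00:01": 51},
]

def run_rounds(rounds=ROUNDS) -> List[Tuple[int, int]]:
    """Per interval: (sources reported under the current filters, sources the previous
    filter set would have reported), so the claimed reduction can be checked directly."""
    server = FilterServer()
    previous: Dict[str, Band] = {}
    current: Dict[str, Band] = {}
    log = []
    for counts in rounds:
        reported = protect_report(counts, current)
        would_have = protect_report(counts, previous)
        log.append((len(reported), len(would_have)))
        server.ingest(reported)                                   # observation data to server
        previous, current = current, server.generate_filters()    # refined filters transmitted
    return log

if __name__ == "__main__":
    for i, (cur, prev) in enumerate(run_rounds(), 1):
        print(f"interval {i}: reported {cur} sources (previous filters would report {prev})")
```

In the third interval the refined filters report one source where the previous (empty) filter set would have reported three, yet the newly appeared transmitter is still reported because no band has been learned for it. Whether such a persistent newcomer should ever be learned as normal is a policy decision outside this example; as written, any source seen for min_rounds intervals will be.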
Specification