Detection of compromised devices via user states

US 10,534,925 B2
Filed: 10/05/2016
Issued: 01/14/2020
Est. Priority Date: 10/05/2016
Status: Active Grant

First Claim

Patent Images

1. A system for controlling security of a device, the system comprising:

one or more processor(s); and

one or more hardware storage device(s) having stored thereon computer-executable instructions that are executable by the one or more processor(s) to cause the system to;

obtain data describing current device activity of a device;

determine a current activity state of the device, wherein the current activity state includes (i) an active state or (ii) an inactive state, such that the device is operable in a plurality of different states;

for each respective state in the plurality of different states, generate a corresponding profile for each respective state based on monitored activities that are monitored while the device operates in each respective state;

determine whether the current device activity statistically fits with the device'"'"'s current activity state based on the generated profiles by at least performing the following;

for each respective state in the plurality of different states, determining a corresponding probability of occurrence that a particular device activity event, which is described within the data describing the device'"'"'s current device activity, is likely to occur in each respective state, whereby a plurality of probabilities are determined;

determining that none of the determined probabilities in the plurality of probabilities are within a predetermined fitness threshold value such that the device'"'"'s current device activity includes suspicious activity; and

determining that the current device activity does not statistically fit with the device'"'"'s current activity state;

based on determining that the current device activity does not statistically fit with the device'"'"'s current activity state, determine that the device is in a compromised state;

initiate a security alert action based on the determination that the device is in the compromised state, wherein the security alert action includes (i) locking the device and (ii) issuing an alert to a user, and wherein content provided within the alert includes both (i) data describing the suspicious activity and (ii) a reason indicating why the suspicious activity has been characterized as being suspicious; and

after the device is locked, update at least one of the profiles associated with the plurality of different states based on data representative of the current device activity.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Controlling device security includes obtaining a set of device activity data indicating current device activity on a device and a set of user activity data indicating a current activity state of one or more legitimate users of the device. It is determined whether the indicated current activity state of the users indicates that a legitimate user is in an active state on the device, or that none of the legitimate users is in an active state on the device. A statistical fit of the indicated current device activity on the device, with the indicated current activity state of the one or more legitimate users, is determined, by a comparison with at least one of the models that are generated via supervised learning. A security alert action may be initiated, based on a result of the determination of the statistical fit indicating a compromised state of the device.

Citations

16 Claims

1. A system for controlling security of a device, the system comprising:
- one or more processor(s); and
  
  one or more hardware storage device(s) having stored thereon computer-executable instructions that are executable by the one or more processor(s) to cause the system to;
  
  obtain data describing current device activity of a device;
  
  determine a current activity state of the device, wherein the current activity state includes (i) an active state or (ii) an inactive state, such that the device is operable in a plurality of different states;
  
  for each respective state in the plurality of different states, generate a corresponding profile for each respective state based on monitored activities that are monitored while the device operates in each respective state;
  
  determine whether the current device activity statistically fits with the device'"'"'s current activity state based on the generated profiles by at least performing the following;
  
  for each respective state in the plurality of different states, determining a corresponding probability of occurrence that a particular device activity event, which is described within the data describing the device'"'"'s current device activity, is likely to occur in each respective state, whereby a plurality of probabilities are determined;
  
  determining that none of the determined probabilities in the plurality of probabilities are within a predetermined fitness threshold value such that the device'"'"'s current device activity includes suspicious activity; and
  
  determining that the current device activity does not statistically fit with the device'"'"'s current activity state;
  
  based on determining that the current device activity does not statistically fit with the device'"'"'s current activity state, determine that the device is in a compromised state;
  
  initiate a security alert action based on the determination that the device is in the compromised state, wherein the security alert action includes (i) locking the device and (ii) issuing an alert to a user, and wherein content provided within the alert includes both (i) data describing the suspicious activity and (ii) a reason indicating why the suspicious activity has been characterized as being suspicious; and
  
  after the device is locked, update at least one of the profiles associated with the plurality of different states based on data representative of the current device activity.
- View Dependent Claims (2, 3, 4)
- - 2. The system of claim 1, further comprising:
    - an interface that obtains one or more user privacy permissions.
  - 3. The system of claim 2, wherein the one or more user privacy permissions include:
    - at least one user permission to analyze activity on the device, wherein analyzing the activity is initiated while the device is in the active state.
  - 4. The system of claim 1, further comprising:
    - an interface that obtains one or more user selections indicating user privacy permissions.

5. A method for controlling security of a device, the method comprising:
- obtaining data describing current activity of a device;
  
  determining a current activity state of the device, wherein the current activity state includes (i) an active state or (ii) an inactive state, such that the device is operable in a plurality of different states;
  
  for each respective state in the plurality of different states, generating a corresponding profile for each respective state based on monitored activities that are monitored while the device operates in each respective state;
  
  determining whether the current device activity statistically fits with the device'"'"'s current activity state based on the generated profiles by at least performing the following;
  
  for each respective state in the plurality of different states, determining a corresponding probability of occurrence that a particular device activity event, which is described within the data describing the device'"'"'s current device activity, is likely to occur in each respective state, whereby a plurality of probabilities are determined;
  
  determining that none of the determined probabilities in the plurality of probabilities is within a predetermined fitness threshold value such that the device'"'"'s current device activity includes suspicious activity;
  
  determining that the current device activity does not statistically fit with the device'"'"'s current activity state;
  
  based on determining that the current device activity does not statistically fit with the device'"'"'s current activity state, determining that the device is in a compromised state;
  
  initiating a security alert action based on the determination that the device is in the compromised state, wherein the security alert action includes (i) locking the device and (ii) issuing an alert to a user, and wherein content provided within the alert includes both;
  
  (i) data describing the suspicious activity and (ii) a reason indicating why the suspicious activity has been characterized as being suspicious; and
  
  after the device is locked, updating at least one of the profiles associated with the plurality of different states based on data representative of the current device activity.
- View Dependent Claims (6, 7, 8, 9)
- - 6. The method of claim 5, wherein:
    - initiating the security alert action includes providing the alert to a legitimate user of the device.
  - 7. The method of claim 5, wherein:
    - initiating the security alert action includes initiating a remedial action on the device.
  - 8. The method of claim 5, wherein the active state is a state in which a first set of one or more processes of the device are executing during a particular time period.
  - 9. The method of claim 8, wherein the inactive state is a state in which a second set of one or more processes of the device are executing during the particular time period.

10. One or more hardware storage device(s) having stored thereon computer-executable instructions that are executable by one or more processor(s) of a computer system to cause the computer system to:
- obtain data describing current activity of a device;
  
  determine a current activity state of the device, wherein the current activity state includes (i) an active state or (ii) an inactive state, such that the device is operable in a plurality of different states;
  
  for each respective state in the plurality of different states, generate a corresponding profile for each respective state based on monitored activities that are monitored while the device operates in each respective state;
  
  determine whether the current device activity statistically fits with the device'"'"'s current activity state based on the generated profiles by at least performing the following;
  
  for each respective state in the plurality of different states, determine a corresponding probability of occurrence that a particular device activity event, which is described within the data describing the device'"'"'s current device activity, is likely to occur in each respective state, whereby a plurality of probabilities are determined;
  
  determine that none of the determined probabilities in the plurality of probabilities is within a predetermined fitness threshold value such that the device'"'"'s current device activity includes suspicious activity;
  
  determine that the current device activity does not statistically fit with the device'"'"'s current activity state;
  
  based on determining that the current device activity does not statistically fit with the device'"'"'s current activity state, determine that the device is in a compromised state;
  
  initiate a security alert action based on the determination that the device is in the compromised state, wherein the security alert action includes (i) locking the device and (ii) issuing an alert to a user, and wherein content provided within the alert includes both;
  
  (i) data describing the suspicious activity and (ii) a reason indicating why the suspicious activity has been characterized as being suspicious; and
  
  after the device is locked, update at least one of the profiles associated with the plurality of different states based on data representative of the current device activity.
- View Dependent Claims (11, 12, 13, 14, 15)
- - 11. The one or more hardware storage device(s) of claim 10, wherein execution of the computer-executable instructions further causes the computer system to:
    - assign a first weight to newly acquired device activity data, the first weight being greater in value than a second weight assigned to the data representative of the current device activity.
  - 12. The one or more hardware storage device(s) of claim 11, wherein execution of the computer-executable instructions further causes the computer system to:
    - initiate the update only when the device is identified as not being in the compromised state.
  - 13. The one or more hardware storage device(s) of claim 10, wherein execution of the computer-executable instructions further causes the computer system to:
    - provide an interface that obtains one or more user selections indicating user privacy permissions.
  - 14. The one or more hardware storage device(s) of claim 13, wherein:
    - the user privacy permissions include one or more of;
      
      user login times, oruser logout times.
  - 15. The one or more hardware storage device(s) of claim 13, wherein the user privacy permissions include user browsing patterns.

16. A system comprising:
- one or more processor(s); and
  
  one or more hardware storage device(s) having stored thereon computer-executable instructions that are executable by the one or more processor(s) to cause the system to;
  
  obtain data describing current activity of a device;
  
  determine a current activity state of the device, wherein the current activity state includes (i) an active state in which a first set of one or more processes of the device are executing during a particular time period or (ii) an inactive state in which a second set of one or more processes of the device are executing during the particular time period, such that the device is operable in a plurality of different states;
  
  for each respective state in the plurality of different states, generate a corresponding profile for each respective state based on monitored activities that are monitored while the device operates in each respective state;
  
  determine whether the current device activity statistically fits with the device'"'"'s current activity state based on the generated profiles by at least performing the following;
  
  for each respective state in the plurality of different states, determining a corresponding probability of occurrence that a particular device activity event, which is described within the data describing the device'"'"'s current device activity, is likely to occur in each respective state, whereby a plurality of probabilities are determined;
  
  determining that none of the determined probabilities in the plurality of probabilities is within a predetermined fitness threshold value such that the device'"'"'s current device activity includes suspicious activity;
  
  determining that the current device activity does not statistically fit with the device'"'"'s current activity state;
  
  based on determining that the current device activity does not statistically fit with the device'"'"'s current activity state, determine that the device is in a compromised state;
  
  initiate a security alert action based on the determination that the device is in the compromised state, wherein the security alert action includes (i) locking the device and (ii) issuing an alert to a user, and wherein content provided within the alert includes both;
  
  (i) data describing the suspicious activity and (ii) a reason indicating why the suspicious activity has been characterized as being suspicious; and
  
  after the device is locked, update at least one of the profiles associated with the plurality of different states based on data representative of the current device activity.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Inventors
Israel, Moshe, Ronen, Royi, Alon, Daniel, Teller, Tomer, Shteingart, Hanan
Primary Examiner(s)
Henning, Matthew T

Application Number

US15/286,558
Publication Number

US 20180096157A1
Time in Patent Office

1,196 Days
Field of Search

726 1
US Class Current
CPC Class Codes

G06F 21/55   Detecting local intrusion o...

G06F 21/566   Dynamic detection, i.e. det...

G06F 21/6218   to a system of files or obj...

G06F 2221/034   Test or assess a computer o...

H04L 41/06   Management of faults, event...

H04L 43/16   Threshold monitoring

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1441   Countermeasures against mal...

H04L 67/306   User profiles

H04L 67/535   Tracking the activity of th...

Detection of compromised devices via user states

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

Detection of compromised devices via user states

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links