Detection of compromised devices via user states
Abstract
Controlling device security includes obtaining a set of device activity data indicating current device activity on a device and a set of user activity data indicating a current activity state of one or more legitimate users of the device. It is determined whether the indicated current activity state of the users indicates that a legitimate user is in an active state on the device, or that none of the legitimate users is in an active state on the device. A statistical fit of the indicated current device activity on the device, with the indicated current activity state of the one or more legitimate users, is determined, by a comparison with at least one of the models that are generated via supervised learning. A security alert action may be initiated, based on a result of the determination of the statistical fit indicating a compromised state of the device.
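The abstract and the independent claims describe one detection loop: build a profile of monitored activity for each device state (active, inactive), compute the probability that the currently observed event occurs under each profile, treat the event as suspicious when no state's probability reaches a fitness threshold, lock the device, alert with the event data and the reason, and only then fold the event into a profile. The following Python is an added illustration of that loop written for this page; it is not code from the patent or its assignee. The process names, the (process, action) event encoding, the Laplace-smoothed frequency profile and the threshold value 0.1 are all constructed assumptions; the patent does not specify how probabilities are estimated.

```python
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample of "monitored activities" per device state. Each event is a
# (process, action) pair; the names are hypothetical, not taken from the patent.
TRAINING = {
    "active": [
        ("outlook.exe", "net_connect"), ("chrome.exe", "net_connect"),
        ("chrome.exe", "file_write"), ("winword.exe", "file_write"),
        ("outlook.exe", "net_connect"), ("chrome.exe", "net_connect"),
        ("explorer.exe", "file_read"), ("teams.exe", "net_connect"),
    ],
    "inactive": [
        ("svchost.exe", "net_connect"), ("backup.exe", "file_read"),
        ("svchost.exe", "net_connect"), ("backup.exe", "file_read"),
        ("updater.exe", "net_connect"), ("svchost.exe", "file_write"),
        ("backup.exe", "file_read"), ("svchost.exe", "net_connect"),
    ],
}


@dataclass
class StateProfile:
    """Per-state profile: how often each event was seen while in that state."""
    counts: Counter = field(default_factory=Counter)
    total: int = 0

    def update(self, event):
        self.counts[event] += 1
        self.total += 1

    def probability(self, event, vocab_size):
        # Laplace smoothing (an assumption of this example): an event never seen
        # in this state gets a small but nonzero probability rather than zero.
        return (self.counts[event] + 1) / (self.total + vocab_size)


def build_profiles(training):
    """Generate one profile per state from the activity monitored in that state."""
    profiles = {}
    for state, events in training.items():
        profile = StateProfile()
        for event in events:
            profile.update(event)
        profiles[state] = profile
    return profiles


def assess(profiles, current_state, event, threshold):
    """Probability of the event under every state profile; suspicious if none
    reaches the fitness threshold (the test as the claims word it)."""
    vocab = set().union(*(p.counts.keys() for p in profiles.values()))
    vocab_size = len(vocab) + 1  # reserve probability mass for never-seen events
    probs = {s: p.probability(event, vocab_size) for s, p in profiles.items()}
    fits_any = any(pr >= threshold for pr in probs.values())
    return {
        "event": event,
        "state": current_state,
        "threshold": threshold,
        "probabilities": probs,
        "compromised": not fits_any,
    }


def respond(profiles, assessment):
    """Lock, alert with the activity data and a reason, then update the profile
    of the state the device was in. Returns the action taken, or None."""
    if not assessment["compromised"]:
        return None
    event, state = assessment["event"], assessment["state"]
    best = max(assessment["probabilities"].values())
    alert = {
        "suspicious_activity": {"process": event[0], "action": event[1],
                                "device_state": state},
        "reason": (f"highest probability of this event in any state profile is "
                   f"{best:.3f}, below the fitness threshold "
                   f"{assessment['threshold']}"),
    }
    action = {"locked": True, "alert": alert}
    # Claim order: the profile is updated only after the device is locked.
    profiles[state].update(event)
    return action


if __name__ == "__main__":
    profiles = build_profiles(TRAINING)
    for ev in [("chrome.exe", "net_connect"), ("powershell.exe", "net_connect")]:
        result = respond(profiles, assess(profiles, "active", ev, 0.1))
        print(ev, "->", result["alert"]["reason"] if result else "fits a profile")
```

One consequence of the claim language is visible here: the probabilities are computed for every state and the event is suspicious only when it fits none of them, so an event that is routine for the inactive profile (for example the constructed `("backup.exe", "file_read")`) is not flagged even when it occurs while the device is active. A deployment that wants to catch activity typical of the wrong state needs an additional comparison against the current state's profile alone, which the independent claims as reproduced here do not require.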
16 Claims
1. A system for controlling security of a device, the system comprising:
    one or more processor(s); and
    one or more hardware storage device(s) having stored thereon computer-executable instructions that are executable by the one or more processor(s) to cause the system to:
        obtain data describing current device activity of a device;
        determine a current activity state of the device, wherein the current activity state includes (i) an active state or (ii) an inactive state, such that the device is operable in a plurality of different states;
        for each respective state in the plurality of different states, generate a corresponding profile for each respective state based on monitored activities that are monitored while the device operates in each respective state;
        determine whether the current device activity statistically fits with the device's current activity state based on the generated profiles by at least performing the following:
            for each respective state in the plurality of different states, determining a corresponding probability of occurrence that a particular device activity event, which is described within the data describing the device's current device activity, is likely to occur in each respective state, whereby a plurality of probabilities are determined;
            determining that none of the determined probabilities in the plurality of probabilities are within a predetermined fitness threshold value such that the device's current device activity includes suspicious activity; and
            determining that the current device activity does not statistically fit with the device's current activity state;
        based on determining that the current device activity does not statistically fit with the device's current activity state, determine that the device is in a compromised state;
        initiate a security alert action based on the determination that the device is in the compromised state, wherein the security alert action includes (i) locking the device and (ii) issuing an alert to a user, and wherein content provided within the alert includes both (i) data describing the suspicious activity and (ii) a reason indicating why the suspicious activity has been characterized as being suspicious; and
        after the device is locked, update at least one of the profiles associated with the plurality of different states based on data representative of the current device activity.
    Dependent claims: 2, 3, 4.

5. A method for controlling security of a device, the method comprising:
    obtaining data describing current activity of a device;
    determining a current activity state of the device, wherein the current activity state includes (i) an active state or (ii) an inactive state, such that the device is operable in a plurality of different states;
    for each respective state in the plurality of different states, generating a corresponding profile for each respective state based on monitored activities that are monitored while the device operates in each respective state;
    determining whether the current device activity statistically fits with the device's current activity state based on the generated profiles by at least performing the following:
        for each respective state in the plurality of different states, determining a corresponding probability of occurrence that a particular device activity event, which is described within the data describing the device's current device activity, is likely to occur in each respective state, whereby a plurality of probabilities are determined;
        determining that none of the determined probabilities in the plurality of probabilities is within a predetermined fitness threshold value such that the device's current device activity includes suspicious activity;
        determining that the current device activity does not statistically fit with the device's current activity state;
    based on determining that the current device activity does not statistically fit with the device's current activity state, determining that the device is in a compromised state;
    initiating a security alert action based on the determination that the device is in the compromised state, wherein the security alert action includes (i) locking the device and (ii) issuing an alert to a user, and wherein content provided within the alert includes both (i) data describing the suspicious activity and (ii) a reason indicating why the suspicious activity has been characterized as being suspicious; and
    after the device is locked, updating at least one of the profiles associated with the plurality of different states based on data representative of the current device activity.
    Dependent claims: 6, 7, 8, 9.

10. One or more hardware storage device(s) having stored thereon computer-executable instructions that are executable by one or more processor(s) of a computer system to cause the computer system to:
    obtain data describing current activity of a device;
    determine a current activity state of the device, wherein the current activity state includes (i) an active state or (ii) an inactive state, such that the device is operable in a plurality of different states;
    for each respective state in the plurality of different states, generate a corresponding profile for each respective state based on monitored activities that are monitored while the device operates in each respective state;
    determine whether the current device activity statistically fits with the device's current activity state based on the generated profiles by at least performing the following:
        for each respective state in the plurality of different states, determine a corresponding probability of occurrence that a particular device activity event, which is described within the data describing the device's current device activity, is likely to occur in each respective state, whereby a plurality of probabilities are determined;
        determine that none of the determined probabilities in the plurality of probabilities is within a predetermined fitness threshold value such that the device's current device activity includes suspicious activity;
        determine that the current device activity does not statistically fit with the device's current activity state;
    based on determining that the current device activity does not statistically fit with the device's current activity state, determine that the device is in a compromised state;
    initiate a security alert action based on the determination that the device is in the compromised state, wherein the security alert action includes (i) locking the device and (ii) issuing an alert to a user, and wherein content provided within the alert includes both (i) data describing the suspicious activity and (ii) a reason indicating why the suspicious activity has been characterized as being suspicious; and
    after the device is locked, update at least one of the profiles associated with the plurality of different states based on data representative of the current device activity.
    Dependent claims: 11, 12, 13, 14, 15.

16. A system comprising:
    one or more processor(s); and
    one or more hardware storage device(s) having stored thereon computer-executable instructions that are executable by the one or more processor(s) to cause the system to:
        obtain data describing current activity of a device;
        determine a current activity state of the device, wherein the current activity state includes (i) an active state in which a first set of one or more processes of the device are executing during a particular time period or (ii) an inactive state in which a second set of one or more processes of the device are executing during the particular time period, such that the device is operable in a plurality of different states;
        for each respective state in the plurality of different states, generate a corresponding profile for each respective state based on monitored activities that are monitored while the device operates in each respective state;
        determine whether the current device activity statistically fits with the device's current activity state based on the generated profiles by at least performing the following:
            for each respective state in the plurality of different states, determining a corresponding probability of occurrence that a particular device activity event, which is described within the data describing the device's current device activity, is likely to occur in each respective state, whereby a plurality of probabilities are determined;
            determining that none of the determined probabilities in the plurality of probabilities is within a predetermined fitness threshold value such that the device's current device activity includes suspicious activity;
            determining that the current device activity does not statistically fit with the device's current activity state;
        based on determining that the current device activity does not statistically fit with the device's current activity state, determine that the device is in a compromised state;
        initiate a security alert action based on the determination that the device is in the compromised state, wherein the security alert action includes (i) locking the device and (ii) issuing an alert to a user, and wherein content provided within the alert includes both (i) data describing the suspicious activity and (ii) a reason indicating why the suspicious activity has been characterized as being suspicious; and
        after the device is locked, update at least one of the profiles associated with the plurality of different states based on data representative of the current device activity.

Specification