Detection of compromised devices via user states

  • US 10,534,925 B2
  • Filed: 10/05/2016
  • Issued: 01/14/2020
  • Est. Priority Date: 10/05/2016
  • Status: Active Grant
First Claim

1. A system for controlling security of a device, the system comprising:

  • one or more processor(s); and

    one or more hardware storage device(s) having stored thereon computer-executable instructions that are executable by the one or more processor(s) to cause the system to:

    obtain data describing current device activity of a device;

    determine a current activity state of the device, wherein the current activity state includes (i) an active state or (ii) an inactive state, such that the device is operable in a plurality of different states;

    for each respective state in the plurality of different states, generate a corresponding profile for each respective state based on monitored activities that are monitored while the device operates in each respective state;

    determine whether the current device activity statistically fits with the device's current activity state based on the generated profiles by at least performing the following:

    for each respective state in the plurality of different states, determining a corresponding probability of occurrence that a particular device activity event, which is described within the data describing the device's current device activity, is likely to occur in each respective state, whereby a plurality of probabilities are determined;

    determining that none of the determined probabilities in the plurality of probabilities are within a predetermined fitness threshold value such that the device's current device activity includes suspicious activity; and

    determining that the current device activity does not statistically fit with the device's current activity state;

    based on determining that the current device activity does not statistically fit with the device's current activity state, determine that the device is in a compromised state;

    initiate a security alert action based on the determination that the device is in the compromised state, wherein the security alert action includes (i) locking the device and (ii) issuing an alert to a user, and wherein content provided within the alert includes both (i) data describing the suspicious activity and (ii) a reason indicating why the suspicious activity has been characterized as being suspicious; and

    after the device is locked, update at least one of the profiles associated with the plurality of different states based on data representative of the current device activity.
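
The decision flow recited in claim 1, as an added sketch that is not taken from the patent or its assignee: per-state profiles, a probability per state, a threshold test, an alert, and the post-lock profile update. The frequency model with Laplace smoothing, the threshold value, reading "within" the threshold as "at or above" it, and the event and action names are all assumptions.

```python
from collections import Counter

STATES = ("active", "inactive")  # the two activity states named in the claim
FITNESS_THRESHOLD = 0.05         # assumed; the claim only says "predetermined"

class StateProfiles:
    """One event-frequency profile per state (assumed model)."""
    def __init__(self):
        self.counts = {s: Counter() for s in STATES}

    def observe(self, state, event):
        self.counts[state][event] += 1

    def probability(self, state, event):
        # Laplace-smoothed relative frequency of `event` within `state`.
        vocab = {e for c in self.counts.values() for e in c} | {event}
        c = self.counts[state]
        return (c[event] + 1) / (sum(c.values()) + len(vocab))

def evaluate(profiles, current_state, event, threshold=FITNESS_THRESHOLD):
    """Score one event against every state profile, as the claim describes."""
    probs = {s: profiles.probability(s, event) for s in STATES}
    if any(p >= threshold for p in probs.values()):
        return {"compromised": False, "probabilities": probs}
    result = {
        "compromised": True,
        "actions": ["lock_device", "alert_user"],  # hypothetical action names
        "suspicious_activity": event,
        "reason": f"probability below {threshold} in every state profile",
        "probabilities": probs,
    }
    # Final claim step: after the lock, fold the activity into a profile.
    profiles.observe(current_state, event)
    return result

def build_sample_profiles():
    """Constructed monitoring history, not real telemetry."""
    p = StateProfiles()
    history = {"active": {"app_launch": 40, "screen_unlock": 30, "net_upload": 30},
               "inactive": {"sync_heartbeat": 80, "os_update_check": 20}}
    for state, events in history.items():
        for event, n in events.items():
            for _ in range(n):
                p.observe(state, event)
    return p

if __name__ == "__main__":
    profiles = build_sample_profiles()
    print(evaluate(profiles, "inactive", "mic_record"))  # fits no state
    print(evaluate(profiles, "inactive", "net_upload"))  # fits the active state
```

In this model an event that fits any one state's profile passes even when the device is currently in a different state, because the claim's test is that none of the per-state probabilities meets the threshold.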
