Detecting irregularities on a device

US 10,558,799 B2
Filed: 08/04/2017
Issued: 02/11/2020
Est. Priority Date: 09/13/2013
Status: Active Grant

First Claim

Patent Images

1. A system for detection of irregularities of a device, the system comprising:

the device;

a hardware processor; and

a memory communicatively coupled with the hardware processor, the memory storing instructions which when executed by the hardware processor performs a method, the method comprising;

creating, by a monitoring program, a device baseline profile comprising data items relating to a typical operation of the device, the data items comprising;

(i) incoming ports associated with processes,(ii) outgoing ports associated with the processes, and(iii) Internet Protocol (IP) addresses associated with the processes;

storing, in a user profile database, the device baseline profile;

receiving, by the monitoring program, new ones of data items indicative of a current operation of the device;

determining, by the monitoring program, whether the new ones of data items deviate from the typical operation of the device by comparing the new ones of data items to the stored device baseline profile that comprises;

(i) the incoming ports associated with the processes, (ii) the outgoing ports associated with the processes, and (iii) the IP addresses associated with the processes, the deviating from the typical operation of the device including continually accessing a new website;

based on the determining, updating, by the monitoring program, the stored device baseline profile to create an updated device baseline profile with the new ones of data items if the new ones of data items do not deviate from the typical operation of the device; and

based on the determining, generating, by an alert module, an alert if the new ones of data items do deviate from the typical operation of the device.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for the detection of irregularities, such as fraud or malware, running on a device, is disclosed. The system comprises a monitoring program for reviewing data relating to operation of the device, a device profile including data items relating to typical operation of the device generated from messages relating to the device; and an alert module for generating an alert on detection of unusual activity relating to the device.

Citations

17 Claims

1. A system for detection of irregularities of a device, the system comprising:
- the device;
  
  a hardware processor; and
  
  a memory communicatively coupled with the hardware processor, the memory storing instructions which when executed by the hardware processor performs a method, the method comprising;
  
  creating, by a monitoring program, a device baseline profile comprising data items relating to a typical operation of the device, the data items comprising;
  
  (i) incoming ports associated with processes,(ii) outgoing ports associated with the processes, and(iii) Internet Protocol (IP) addresses associated with the processes;
  
  storing, in a user profile database, the device baseline profile;
  
  receiving, by the monitoring program, new ones of data items indicative of a current operation of the device;
  
  determining, by the monitoring program, whether the new ones of data items deviate from the typical operation of the device by comparing the new ones of data items to the stored device baseline profile that comprises;
  
  (i) the incoming ports associated with the processes, (ii) the outgoing ports associated with the processes, and (iii) the IP addresses associated with the processes, the deviating from the typical operation of the device including continually accessing a new website;
  
  based on the determining, updating, by the monitoring program, the stored device baseline profile to create an updated device baseline profile with the new ones of data items if the new ones of data items do not deviate from the typical operation of the device; and
  
  based on the determining, generating, by an alert module, an alert if the new ones of data items do deviate from the typical operation of the device.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The system of claim 1, wherein the deviating from the typical operation of the device further includes transferring unusual amounts of data.
  - 3. The system of claim 1, wherein the deviating from the typical operation of the device further includes connecting to an unexpected one of the IP addresses.
  - 4. The system of claim 1, wherein the deviating from the typical operation of the device further includes using an infrequently used one of the incoming ports and the outgoing ports.
  - 5. The system of claim 1, wherein the irregularities comprise at least one of malware and fraud.

6. A method for detection of irregularities of a device, the method comprising:
- reviewing, by a monitoring program running on a hardware processor, data items of a device;
  
  detecting, by the monitoring program, a plurality of the data items relating to a typical operation of the device;
  
  creating, by the monitoring program, a device baseline profile including the plurality of the data items relating to the typical operation of the device, the plurality of the data items comprising;
  
  (i) incoming ports associated with processes,(ii) outgoing ports associated with the processes, and(iii) Internet Protocol (IP) addresses associated with the processes;
  
  receiving, by the monitoring program, new ones of data items indicative of a current operation of the device;
  
  determining, by the monitoring program, whether the new ones of data items deviate from the typical operation of the device by comparing the new ones of data items to the stored device baseline profile that comprises;
  
  (i) the incoming ports associated with the processes, (ii) the outgoing ports associated with the processes, and (iii) the IP addresses associated with the processes, wherein the deviating from the typical operation of the device includes using an infrequently used one of the incoming ports and the outgoing ports;
  
  based on the determining, updating, by the monitoring program, the device baseline profile to create an updated device baseline profile with the new ones of data items if the new ones of data items do not deviate from the typical operation of the device; and
  
  based on the determining, generating an alert if the new ones of data items do deviate from the typical operation of the device.
- View Dependent Claims (7, 8, 9, 10, 11)
- - 7. The method of claim 6, wherein the deviating from the typical operation of the device further includes transferring unusual amounts of data.
  - 8. The method of claim 6, wherein the deviating from the typical operation of the device further includes continually accessing a new website.
  - 9. The method of claim 6, wherein the deviating from the typical operation of the device further includes connecting to an unexpected one of the IP addresses.
  - 10. The method of claim 6, wherein the irregularities comprise malware.
  - 11. The method of claim 6, wherein the irregularities comprise fraud.

12. A method for detection of irregularities in a network, the network comprising communications connections between at least one server, a computer, and a device having a plurality of outgoing connections and a plurality of incoming connections, the device running a plurality of processes, the method comprising:
- receiving, by a monitoring program running on the computer, data items relating to the network, the device, and messages exchanged within the network;
  
  automatically reviewing, by the monitoring program, the received data items;
  
  detecting a plurality of the data items relating to a typical operation of the device;
  
  creating, by the monitoring program, and storing in a database a device baseline profile including the plurality of the data items relating to the typical operation of the device, the plurality of the data items comprising;
  
  (i) incoming ports associated with processes, (ii) outgoing ports associated with the processes, and (iii) Internet Protocol (IP) addresses associated with the processes;
  
  receiving, by the monitoring program, new ones of data items indicative of a current operation of the device;
  
  determining, by the monitoring program, whether the new ones of data items deviate from the typical operation of the device by comparing the new ones of data items to the stored device baseline profile that comprises;
  
  (i) the incoming ports associated with the processes, (ii) the outgoing ports associated with the processes, and (iii) the IP addresses associated with the processes, wherein the deviating from the typical operation of the device includes using an infrequently used one of the incoming ports and outgoing ports; and
  
  continually accessing a new website;
  
  based on the determining, updating, by the monitoring program, the stored device baseline profile to create an updated device baseline profile with the new ones of data items if the new ones of data items do not deviate from the typical operation of the device; and
  
  based on the determining, generating an alert if the new ones of data items do deviate from the typical operation of the device.
- View Dependent Claims (13, 14, 15, 16, 17)
- - 13. The method of claim 12, wherein the deviating from the typical operation of the device further includes transferring unusual amounts of data or connecting to an unexpected one of the IP addresses.
  - 14. The method of claim 12, wherein the irregularities comprise at least one of malware and fraud.
  - 15. The method of claim 12, wherein the monitoring program uses data sources for the data items based on network flow traffic statistics through the network.
  - 16. The method of claim 15, wherein the data sources include proxy logs and NetFlow records which record the destination of data sent through the outgoing connections and record the source of data received through the incoming connections.
  - 17. The method of claim 12, wherein the monitoring program analyzes:
    - headers in the data items and headers in email messages sent through the network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Elasticsearch Global B.V. (Elastic N.V.)
Original Assignee
Elasticsearch Global B.V. (Elastic N.V.)
Inventors
Dodson, Stephen
Primary Examiner(s)
Reza, Mohammad W

Application Number

US15/669,698
Publication Number

US 20170329965A1
Time in Patent Office

921 Days
Field of Search

726 24
US Class Current
CPC Class Codes

G06F 21/552   involving long-term monitor...

G06F 21/554   involving event detection a...

G06F 21/56   Computer malware detection ...

Detecting irregularities on a device

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Detecting irregularities on a device

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links