MACHINE-LEARNING BEHAVIORAL ANALYSIS TO DETECT DEVICE THEFT AND UNAUTHORIZED DEVICE USAGE

US 20160300049A1
Filed: 04/09/2015
Published: 10/13/2016
Est. Priority Date: 04/09/2015
Status: Active Grant

First Claim

Patent Images

1. A method for detecting unauthorized electronic device usage, comprising:

generating one or more training feature vectors that represent one or more user-specific behaviors observed on an electronic device over a predefined training period L;

generating a local user profile model from the one or more training feature vectors, wherein the local user profile model re-expresses the one or more user-specific behaviors observed over the predefined training period L according to K centroids that indicate a temporal context associated therewith;

transmitting, by the electronic device, the local user profile model to a server, wherein the server is configured to execute a clustering algorithm on the local user profile model transmitted from the electronic device and local user profile models transmitted from one or more other electronic devices to create plural baseline profile models;

receiving, from the server, the plural baseline profile models and information indicating one of the plural baseline profile models in which the electronic device has membership;

generating one or more feature vectors representing a temporal context associated with one or more user-specific behaviors observed on the electronic device, wherein the user-specific behaviors are observed from sensor data acquired on the electronic device;

generating a current user profile model from the one or more feature vectors, wherein the current user profile model comprises a centroid sequence that re-expresses the temporal context associated with the one or more user-specific behaviors and a data grammar that defines one or more rules to represent patterns in the centroid sequence;

comparing the current user profile model generated from the one or more feature vectors to the plural baseline profile models stored at the electronic device to identify one of the plural baseline profile models closest to the current user profile model; and

detecting an operator change at the electronic device in response to determining that the baseline profile model closest to the current user profile model differs from the baseline profile model in which the electronic device has membership.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The disclosure relates to machine-learning behavioral analysis to detect device theft and unauthorized device usage. In particular, during a training phase, an electronic device may generate a local user profile that represents observed user-specific behaviors according to a centroid sequence, wherein the local user profile may be classified into a baseline profile model that represents aggregate behaviors associated with various users over time. Accordingly, during an authentication phase, the electronic device may generate a current user profile model comprising a centroid sequence re-expressing user-specific behaviors observed over an authentication interval, wherein the current user profile model may be compared to plural baseline profile models to identify the baseline profile model closest to the current user profile model. As such, an operator change may be detected where the baseline profile model closest to the current user profile model differs from the baseline profile model in which the electronic device has membership.

115 Citations

40 Claims

1. A method for detecting unauthorized electronic device usage, comprising:
- generating one or more training feature vectors that represent one or more user-specific behaviors observed on an electronic device over a predefined training period L;
  
  generating a local user profile model from the one or more training feature vectors, wherein the local user profile model re-expresses the one or more user-specific behaviors observed over the predefined training period L according to K centroids that indicate a temporal context associated therewith;
  
  transmitting, by the electronic device, the local user profile model to a server, wherein the server is configured to execute a clustering algorithm on the local user profile model transmitted from the electronic device and local user profile models transmitted from one or more other electronic devices to create plural baseline profile models;
  
  receiving, from the server, the plural baseline profile models and information indicating one of the plural baseline profile models in which the electronic device has membership;
  
  generating one or more feature vectors representing a temporal context associated with one or more user-specific behaviors observed on the electronic device, wherein the user-specific behaviors are observed from sensor data acquired on the electronic device;
  
  generating a current user profile model from the one or more feature vectors, wherein the current user profile model comprises a centroid sequence that re-expresses the temporal context associated with the one or more user-specific behaviors and a data grammar that defines one or more rules to represent patterns in the centroid sequence;
  
  comparing the current user profile model generated from the one or more feature vectors to the plural baseline profile models stored at the electronic device to identify one of the plural baseline profile models closest to the current user profile model; and
  
  detecting an operator change at the electronic device in response to determining that the baseline profile model closest to the current user profile model differs from the baseline profile model in which the electronic device has membership.
- View Dependent Claims (3, 4, 5, 6, 7, 8, 9, 10, 13, 14, 15)
- - 3. The method recited in claim 1, wherein the server is further configured to classify the local user profile model transmitted from the electronic device into one of the plural baseline profile models closest to the local user profile model, wherein the baseline profile model in which the electronic device has membership corresponds to the baseline profile model closest to the local user profile model.
  - 4. The method recited in claim 1, wherein the one or more user-specific behaviors used to generate the current user profile model are observed over an authentication period M that is substantially shorter than the predefined training period L.
  - 5. The method recited in claim 1, wherein the plural baseline profile models created at the server comprise K baseline profile models.
  - 6. The method recited in claim 1, wherein the server is further configured to track the membership associated with the electronic device over time to maintain an anonymous user behavior profile associated with the electronic device.
  - 7. The method recited in claim 1, wherein comparing the current user profile model to the plural baseline profile models comprises:
    - calculating one or more metrics that define a distance from the current user profile model to each baseline profile model to quantify a similarity between the data grammar associated with the current user profile model and each baseline profile model; and
      
      identifying one of the plural baseline profile models having a smallest distance from the current user profile model, wherein the identified baseline profile model corresponds to the baseline profile model closest to the current user profile model.
  - 8. The method recited in claim 7, wherein the one or more calculated metrics comprise at least one metric that quantifies the similarity between the data grammar associated with the current user profile model and each baseline profile model according to a global comparison between the one or more rules defined in the data grammar associated with the current user profile model and each baseline profile model.
  - 9. The method recited in claim 7, wherein the one or more calculated metrics comprise at least one metric that quantifies the similarity between the data grammar associated with the current user profile model and each baseline profile model according to a content-based comparison between one or more individual rules in the data grammar associated with the current user profile model and each baseline profile model.
  - 10. The method recited in claim 1, further comprising:
    - authenticating a current operator associated with the electronic device in response to determining that the baseline profile model closest to the current user profile model matches the baseline profile model in which the electronic device has membership.
  - 13. The method recited in claim 1, further comprising:
    - triggering one or more of a recovery action or a protective action in response to detecting the operator change.
  - 14. The method recited in claim 1, wherein the electronic device has at least one of an accelerometer, a gyroscope, or a touchscreen configured to acquire the sensor data.
  - 15. The method recited in claim 1, wherein the one or more user-specific behaviors include at least one of pulling the electronic device from a pocket, motion of the electronic device when walking, unlocking the electronic device, entering data into the electronic device, or answering a call received at the electronic device.

2. (canceled)

11. A method for detecting unauthorized electronic device usage, comprising:
- storing plural baseline profile models at an electronic device, wherein the electronic device has membership in one of the plural baseline profile models;
  
  generating one or more feature vectors representing a temporal context associated with one or more user-specific behaviors observed on the electronic device, wherein the one or more user-specific behaviors are observed from sensor data acquired on the electronic device;
  
  generating a current user profile model from the one or more feature vectors, wherein the current user profile model represents one or more patterns in the temporal context associated with the one or more user-specific behaviors;
  
  comparing the current user profile model generated from the one or more feature vectors to the plural baseline profile models stored at the electronic device to identify one of the plural baseline profile models closest to the current user profile model;
  
  detecting an operator change at the electronic device in response to determining that the baseline profile model closest to the current user profile model differs from the baseline profile model in which the electronic device has membership;
  
  comparing the current user profile model to one or more authorized user profile models stored on the electronic device in response to the detected operator change; and
  
  generating a notification indicating that a current operator is authorized to use the electronic device in response to determining that a distance from the current user profile model to at least one of the authorized user profile models is under a threshold value.
- View Dependent Claims (12)
- - 12. The method recited in claim 11, further comprising:
    - triggering one or more of a recovery action or a protective action in response to determining that the distance from the current user profile model to each authorized user profile is above the threshold value.

16. An electronic device, comprising:
- means for generating one or more training feature vectors that represent one or more user-specific behaviors observed on the electronic device over a training period;
  
  means for generating a local user profile model from the one or more training feature vectors, wherein the local user profile model re-expresses the one or more user-specific behaviors observed over the training period according to one or more centroids that indicate a temporal context associated therewith;
  
  means for transmitting the local user profile model to a server, wherein the server is configured to execute a clustering algorithm on the local user profile model transmitted from the electronic device and local user profile models transmitted from one or more other electronic devices to create plural baseline profile models;
  
  means for receiving, from the server, the plural baseline profile models and information indicating one of the plural baseline profile models in which the electronic device has membership;
  
  means for generating one or more feature vectors representing a temporal context associated with one or more user-specific behaviors observed from sensor data acquired on the electronic device;
  
  means for generating a current user profile model from the one or more feature vectors, wherein the current user profile model comprises a centroid sequence that re-expresses the temporal context associated with the one or more user-specific behaviors and a data grammar that defines one or more rules to represent patterns in the centroid sequence;
  
  means for comparing the current user profile model generated from the one or more feature vectors to the plural baseline profile models to identify one of the plural baseline profile models closest to the current user profile model; and
  
  means for detecting an operator change at the electronic device according to whether the baseline profile model closest to the current user profile model differs from the baseline profile model in which the electronic device has membership.
- View Dependent Claims (18, 19, 20, 23)
- - 18. The electronic device recited in claim 16, wherein the means for comparing the current user profile model to the plural baseline profile models comprises:
    - means for calculating one or more metrics that define a distance from the current user profile model to each baseline profile model; and
      
      means for identifying one of the plural baseline profile models having a smallest distance from the current user profile model, wherein the identified baseline profile model corresponds to the baseline profile model closest to the current user profile model.
  - 19. The electronic device recited in claim 18, wherein the one or more calculated metrics comprise at least one metric that quantifies a similarity between the data grammar associated with the current user profile model and each baseline profile model according to one or more of a global comparison between the one or more rules defined in the data grammar associated with the current user profile model and each baseline profile model or a content-based comparison between one or more individual rules in the data grammar associated with the current user profile model and each baseline profile model.
  - 20. The electronic device recited in claim 16, further comprising:
    - means for authenticating a current operator in response to a determination that the baseline profile model closest to the current user profile model matches the baseline profile model in which the electronic device has membership.
  - 23. The electronic device recited in claim 16, further comprising:
    - means for triggering one or more of a recovery action or a protective action in response to the operator change.

17. (canceled)

21. An electronic device, comprising:
- means for storing plural baseline profile models, wherein the electronic device has membership in one of the plural baseline profile models;
  
  means for generating one or more feature vectors representing a temporal context associated with one or more user-specific behaviors observed from sensor data acquired on the electronic device;
  
  means for generating a current user profile model from the one or more feature vectors, wherein the current user profile model represents one or more patterns in the temporal context associated with the one or more user-specific behaviors;
  
  means for comparing the current user profile model generated from the one or more feature vectors to the plural baseline profile models to identify one of the plural baseline profile models closest to the current user profile model;
  
  means for detecting an operator change at the electronic device in response to the baseline profile model closest to the current user profile model differing from the baseline profile model in which the electronic device has membership;
  
  means for comparing the current user profile model to one or more authorized user profile models in response to the detected operator change; and
  
  means for generating a notification indicating that a current operator is authorized to use the electronic device in response to a distance from the current user profile model to at least one of the authorized user profile models being under a threshold value.
- View Dependent Claims (22)
- - 22. The electronic device recited in claim 21, further comprising:
    - means for triggering one or more of a recovery action or a protective action in response to the distance from the current user profile model to each authorized user profile being above the threshold value.

24. An electronic device, comprising:
- a local repository configured to store plural baseline profile models, wherein the electronic device has membership in one of the plural baseline profile models;
  
  one or more sensors configured to acquire sensor data;
  
  one or more processors;
  
  a behavioral analysis platform configured to execute on the one or more processors, wherein the behavioral analysis platform is configured to generate one or more training feature vectors that represent one or more user-specific behaviors observed on the electronic device over a training period and to generate a local user profile model that re-expresses the one or more user-specific behaviors observed over the training period according to one or more centroids that indicate a temporal context associated therewith;
  
  a transmitter configured to transmit the local user profile model to a server, wherein the server is configured to execute a clustering algorithm on the local user profile model transmitted from the electronic device and local user profile models transmitted from one or more other electronic devices to create the plural baseline profile models;
  
  a receiver configured to receive, from the server, the plural baseline profile models and information indicating the one of the plural baseline profile models in which the electronic device has membership; and
  
  a user authentication platform configured to execute on the one or more processors, wherein the user authentication platform is configured to;
  
  generate one or more feature vectors representing a temporal context associated with one or more user-specific behaviors observed from the acquired sensor data;
  
  map the one or more feature vectors to a centroid sequence that re-expresses the temporal context associated with the one or more user-specific behaviors;
  
  generate a current user profile model, wherein the current user profile model comprises the centroid sequence mapped to the one or more feature vectors and a data grammar that defines one or more rules to represent patterns in the centroid sequence; and
  
  identify one of the plural baseline profile models closest to the current user profile model; and
  
  detect an operator change according to whether the baseline profile model closest to the current user profile model differs from the baseline profile model in which the electronic device has membership.
- View Dependent Claims (27, 28, 29, 32)
- - 27. The electronic device recited in claim 24, wherein the user authentication platform is further configured to:
    - calculate one or more metrics that define a distance from the current user profile model to each baseline profile model; and
      
      identify one of the plural baseline profile models having a smallest distance from the current user profile model, wherein the identified baseline profile model corresponds to the baseline profile model closest to the current user profile model.
  - 28. The electronic device recited in claim 27, wherein the one or more calculated metrics comprise at least one metric that quantifies a similarity between the data grammar associated with the current user profile model and each baseline profile model according to one or more of a global comparison between the one or more rules defined in the data grammar associated with the current user profile model and each baseline profile model or a content-based comparison between one or more individual rules in the data grammar associated with the current user profile model and each baseline profile model.
  - 29. The electronic device recited in claim 24, wherein the user authentication platform is further configured to authenticate a current operator in response to a determination that the baseline profile model closest to the current user profile model matches the baseline profile model in which the electronic device has membership.
  - 32. The electronic device recited in claim 24, wherein the user authentication platform is further configured to trigger one or more of a recovery action or a protective action in response to the operator change.

25-26. -26. (canceled)

30. An electronic device, comprising:
- a local repository configured to store plural baseline profile models, wherein the electronic device has membership in one of the plural baseline profile models;
  
  one or more sensors configured to acquire sensor data;
  
  one or more processors; and
  
  a behavioral analysis and user authentication platform configured to execute on the one or more processors, wherein the behavioral analysis and user authentication platform is configured to;
  
  generate one or more feature vectors representing a temporal context associated with one or more user-specific behaviors observed from the acquired sensor data;
  
  generate a current user profile model from the one or more feature vectors, wherein the current user profile model represents one or more patterns in the temporal context associated with the one or more user-specific behaviors;
  
  compare the current user profile model generated from the one or more feature vectors to the plural baseline profile models to identify one of the plural baseline profile models closest to the current user profile model;
  
  detect an operator change at the electronic device in response to the baseline profile model closest to the current user profile model differing from the baseline profile model in which the electronic device has membership;
  
  compare the current user profile model to one or more authorized user profile models in response to the detected operator change; and
  
  generate a notification indicating that a current operator is authorized to use the electronic device in response to a distance from the current user profile model to at least one of the authorized user profile models being under a threshold value.
- View Dependent Claims (31)
- - 31. The electronic device recited in claim 30, wherein the comparison module is further configured to trigger one or more of a recovery action or a protective action in response to the distance from the current user profile model to each authorized user profile being above the threshold value.

33. A computer-readable storage medium having computer-executable instructions recorded thereon, wherein executing the computer-executable instructions on an electronic device having one or more processors causes the one or more processors to:
- generate one or more training feature vectors that represent one or more user-specific behaviors observed on the electronic device over a training period;
  
  generate a local user profile model from the one or more training feature vectors, wherein the local user profile model re-expresses the one or more user-specific behaviors observed over the training period according to one or more centroids that indicate a temporal context associated therewith;
  
  transmit the local user profile model to a server, wherein the server is configured to execute a clustering algorithm on the local user profile model transmitted from the electronic device and local user profile models transmitted from one or more other electronic devices to create plural baseline profile models;
  
  receive, from the server, the plural baseline profile models and information indicating one of the plural baseline profile models in which the electronic device has membership;
  
  generate one or more feature vectors representing a temporal context associated with one or more user-specific behaviors observed from sensor data acquired on the electronic device;
  
  generate a current user profile model from the one or more feature vectors, wherein the current user profile model comprises a centroid sequence that re-expresses the temporal context associated with the one or more user-specific behaviors and a data grammar that defines one or more rules to represent patterns in the centroid sequence;
  
  compare the current user profile model generated from the one or more feature vectors to the plural baseline profile models to identify one of the plural baseline profile models closest to the current user profile model; and
  
  detect an operator change at the electronic device according to whether the baseline profile model closest to the current user profile model differs from the baseline profile model in which the electronic device has membership.
- View Dependent Claims (35, 36, 37, 40)
- - 35. The computer-readable storage medium recited in claim 33, wherein executing the computer-executable instructions on the electronic device further causes the one or more processors to:
    - calculate one or more metrics that define a distance from the current user profile model to each baseline profile model; and
      
      identify one of the plural baseline profile models having a smallest distance from the current user profile model, wherein the identified baseline profile model corresponds to the baseline profile model closest to the current user profile model.
  - 36. The computer-readable storage medium recited in claim 35, wherein the one or more calculated metrics comprise at least one metric that quantifies a similarity between the data grammar associated with the current user profile model and each baseline profile model according to one or more of a global comparison between the one or more rules defined in the data grammar associated with the current user profile model and each baseline profile model or a content-based comparison between one or more individual rules in the data grammar associated with the current user profile model and each baseline profile model.
  - 37. The computer-readable storage medium recited in claim 33, wherein executing the computer-executable instructions on the electronic device further causes the one or more processors to:
    - authenticate a current operator in response to a determination that the baseline profile model closest to the current user profile model matches the baseline profile model in which the electronic device has membership.
  - 40. The computer-readable storage medium recited in claim 33, wherein executing the computer-executable instructions on the electronic device further causes the one or more processors to:
    - trigger one or more of a recovery action or a protective action in response to the operator change.

34. (canceled)

38. A computer-readable storage medium having computer-executable instructions recorded thereon, wherein executing the computer-executable instructions on an electronic device having one or more processors causes the one or more processors to:
- store plural baseline profile models, wherein the electronic device has membership in one of the plural baseline profile models;
  
  generate one or more feature vectors representing a temporal context associated with one or more user-specific behaviors observed from sensor data acquired on the electronic device;
  
  generate a current user profile model from the one or more feature vectors, wherein the current user profile model represents one or more patterns in the temporal context associated with the one or more user-specific behaviors;
  
  compare the current user profile model generated from the one or more feature vectors to the plural baseline profile models to identify one of the plural baseline profile models closest to the current user profile model;
  
  detect an operator change at the electronic device in response to the baseline profile model closest to the current user profile model differing from the baseline profile model in which the electronic device has membership;
  
  compare the current user profile model to one or more authorized user profile models in response to the detected operator change; and
  
  generate a notification indicating that a current operator is authorized to use the electronic device in response to a distance from the current user profile model to at least one of the authorized user profile models being under a threshold value.
- View Dependent Claims (39)
- - 39. The computer-readable storage medium recited in claim 38, wherein executing the computer-executable instructions on the electronic device further causes the one or more processors to:
    - trigger one or more of a recovery action or a protective action in response to the distance from the current user profile model to each authorized user profile being above the threshold value.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Qualcomm, Inc.
Original Assignee
Qualcomm, Inc.
Inventors
GUEDALIA, Isaac David, SCHWARTZ, Adam

Granted Patent

US 9,536,072 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 18/23213   with fixed number of cluste...

G06F 18/24137   Distances to cluster centroïds

G06F 21/316   by observing the pattern of...

G06F 21/88   Detecting or preventing the...

G06N 20/00   Machine learning

G06N 5/046   Forward inferencing; Produc...

G06N 5/047   Pattern matching networks; ...

G06V 10/424   Syntactic representation, e...

G06V 30/1985   Syntactic analysis, e.g. us...

G06V 40/20   Movements or behaviour, e.g...

MACHINE-LEARNING BEHAVIORAL ANALYSIS TO DETECT DEVICE THEFT AND UNAUTHORIZED DEVICE USAGE

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

115 Citations

40 Claims

Specification

Use Cases

Quick Links

Others

MACHINE-LEARNING BEHAVIORAL ANALYSIS TO DETECT DEVICE THEFT AND UNAUTHORIZED DEVICE USAGE

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

115 Citations

40 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others