MACHINE-LEARNING BEHAVIORAL ANALYSIS TO DETECT DEVICE THEFT AND UNAUTHORIZED DEVICE USAGE
First Claim
1. A method for detecting unauthorized electronic device usage, comprising:
- generating one or more training feature vectors that represent one or more user-specific behaviors observed on an electronic device over a predefined training period L;
generating a local user profile model from the one or more training feature vectors, wherein the local user profile model re-expresses the one or more user-specific behaviors observed over the predefined training period L according to K centroids that indicate a temporal context associated therewith;
transmitting, by the electronic device, the local user profile model to a server, wherein the server is configured to execute a clustering algorithm on the local user profile model transmitted from the electronic device and local user profile models transmitted from one or more other electronic devices to create plural baseline profile models;
receiving, from the server, the plural baseline profile models and information indicating one of the plural baseline profile models in which the electronic device has membership;
generating one or more feature vectors representing a temporal context associated with one or more user-specific behaviors observed on the electronic device, wherein the user-specific behaviors are observed from sensor data acquired on the electronic device;
generating a current user profile model from the one or more feature vectors, wherein the current user profile model comprises a centroid sequence that re-expresses the temporal context associated with the one or more user-specific behaviors and a data grammar that defines one or more rules to represent patterns in the centroid sequence;
comparing the current user profile model generated from the one or more feature vectors to the plural baseline profile models stored at the electronic device to identify one of the plural baseline profile models closest to the current user profile model; and
detecting an operator change at the electronic device in response to determining that the baseline profile model closest to the current user profile model differs from the baseline profile model in which the electronic device has membership.
1 Assignment
0 Petitions
Accused Products
Abstract
The disclosure relates to machine-learning behavioral analysis to detect device theft and unauthorized device usage. In particular, during a training phase, an electronic device may generate a local user profile that represents observed user-specific behaviors according to a centroid sequence, wherein the local user profile may be classified into a baseline profile model that represents aggregate behaviors associated with various users over time. Accordingly, during an authentication phase, the electronic device may generate a current user profile model comprising a centroid sequence re-expressing user-specific behaviors observed over an authentication interval, wherein the current user profile model may be compared to plural baseline profile models to identify the baseline profile model closest to the current user profile model. As such, an operator change may be detected where the baseline profile model closest to the current user profile model differs from the baseline profile model in which the electronic device has membership.
115 Citations
40 Claims
-
1. A method for detecting unauthorized electronic device usage, comprising:
-
generating one or more training feature vectors that represent one or more user-specific behaviors observed on an electronic device over a predefined training period L; generating a local user profile model from the one or more training feature vectors, wherein the local user profile model re-expresses the one or more user-specific behaviors observed over the predefined training period L according to K centroids that indicate a temporal context associated therewith; transmitting, by the electronic device, the local user profile model to a server, wherein the server is configured to execute a clustering algorithm on the local user profile model transmitted from the electronic device and local user profile models transmitted from one or more other electronic devices to create plural baseline profile models; receiving, from the server, the plural baseline profile models and information indicating one of the plural baseline profile models in which the electronic device has membership; generating one or more feature vectors representing a temporal context associated with one or more user-specific behaviors observed on the electronic device, wherein the user-specific behaviors are observed from sensor data acquired on the electronic device; generating a current user profile model from the one or more feature vectors, wherein the current user profile model comprises a centroid sequence that re-expresses the temporal context associated with the one or more user-specific behaviors and a data grammar that defines one or more rules to represent patterns in the centroid sequence; comparing the current user profile model generated from the one or more feature vectors to the plural baseline profile models stored at the electronic device to identify one of the plural baseline profile models closest to the current user profile model; and detecting an operator change at the electronic device in response to determining that the baseline profile model closest to the current user profile model differs from the baseline profile model in which the electronic device has membership. - View Dependent Claims (3, 4, 5, 6, 7, 8, 9, 10, 13, 14, 15)
-
-
2. (canceled)
-
11. A method for detecting unauthorized electronic device usage, comprising:
-
storing plural baseline profile models at an electronic device, wherein the electronic device has membership in one of the plural baseline profile models; generating one or more feature vectors representing a temporal context associated with one or more user-specific behaviors observed on the electronic device, wherein the one or more user-specific behaviors are observed from sensor data acquired on the electronic device; generating a current user profile model from the one or more feature vectors, wherein the current user profile model represents one or more patterns in the temporal context associated with the one or more user-specific behaviors; comparing the current user profile model generated from the one or more feature vectors to the plural baseline profile models stored at the electronic device to identify one of the plural baseline profile models closest to the current user profile model; detecting an operator change at the electronic device in response to determining that the baseline profile model closest to the current user profile model differs from the baseline profile model in which the electronic device has membership; comparing the current user profile model to one or more authorized user profile models stored on the electronic device in response to the detected operator change; and generating a notification indicating that a current operator is authorized to use the electronic device in response to determining that a distance from the current user profile model to at least one of the authorized user profile models is under a threshold value. - View Dependent Claims (12)
-
-
16. An electronic device, comprising:
-
means for generating one or more training feature vectors that represent one or more user-specific behaviors observed on the electronic device over a training period; means for generating a local user profile model from the one or more training feature vectors, wherein the local user profile model re-expresses the one or more user-specific behaviors observed over the training period according to one or more centroids that indicate a temporal context associated therewith; means for transmitting the local user profile model to a server, wherein the server is configured to execute a clustering algorithm on the local user profile model transmitted from the electronic device and local user profile models transmitted from one or more other electronic devices to create plural baseline profile models; means for receiving, from the server, the plural baseline profile models and information indicating one of the plural baseline profile models in which the electronic device has membership; means for generating one or more feature vectors representing a temporal context associated with one or more user-specific behaviors observed from sensor data acquired on the electronic device; means for generating a current user profile model from the one or more feature vectors, wherein the current user profile model comprises a centroid sequence that re-expresses the temporal context associated with the one or more user-specific behaviors and a data grammar that defines one or more rules to represent patterns in the centroid sequence; means for comparing the current user profile model generated from the one or more feature vectors to the plural baseline profile models to identify one of the plural baseline profile models closest to the current user profile model; and means for detecting an operator change at the electronic device according to whether the baseline profile model closest to the current user profile model differs from the baseline profile model in which the electronic device has membership. - View Dependent Claims (18, 19, 20, 23)
-
-
17. (canceled)
-
21. An electronic device, comprising:
-
means for storing plural baseline profile models, wherein the electronic device has membership in one of the plural baseline profile models; means for generating one or more feature vectors representing a temporal context associated with one or more user-specific behaviors observed from sensor data acquired on the electronic device; means for generating a current user profile model from the one or more feature vectors, wherein the current user profile model represents one or more patterns in the temporal context associated with the one or more user-specific behaviors; means for comparing the current user profile model generated from the one or more feature vectors to the plural baseline profile models to identify one of the plural baseline profile models closest to the current user profile model; means for detecting an operator change at the electronic device in response to the baseline profile model closest to the current user profile model differing from the baseline profile model in which the electronic device has membership; means for comparing the current user profile model to one or more authorized user profile models in response to the detected operator change; and means for generating a notification indicating that a current operator is authorized to use the electronic device in response to a distance from the current user profile model to at least one of the authorized user profile models being under a threshold value. - View Dependent Claims (22)
-
-
24. An electronic device, comprising:
-
a local repository configured to store plural baseline profile models, wherein the electronic device has membership in one of the plural baseline profile models; one or more sensors configured to acquire sensor data; one or more processors; a behavioral analysis platform configured to execute on the one or more processors, wherein the behavioral analysis platform is configured to generate one or more training feature vectors that represent one or more user-specific behaviors observed on the electronic device over a training period and to generate a local user profile model that re-expresses the one or more user-specific behaviors observed over the training period according to one or more centroids that indicate a temporal context associated therewith; a transmitter configured to transmit the local user profile model to a server, wherein the server is configured to execute a clustering algorithm on the local user profile model transmitted from the electronic device and local user profile models transmitted from one or more other electronic devices to create the plural baseline profile models; a receiver configured to receive, from the server, the plural baseline profile models and information indicating the one of the plural baseline profile models in which the electronic device has membership; and a user authentication platform configured to execute on the one or more processors, wherein the user authentication platform is configured to; generate one or more feature vectors representing a temporal context associated with one or more user-specific behaviors observed from the acquired sensor data; map the one or more feature vectors to a centroid sequence that re-expresses the temporal context associated with the one or more user-specific behaviors; generate a current user profile model, wherein the current user profile model comprises the centroid sequence mapped to the one or more feature vectors and a data grammar that defines one or more rules to represent patterns in the centroid sequence; and identify one of the plural baseline profile models closest to the current user profile model; and detect an operator change according to whether the baseline profile model closest to the current user profile model differs from the baseline profile model in which the electronic device has membership. - View Dependent Claims (27, 28, 29, 32)
-
-
25-26. -26. (canceled)
-
30. An electronic device, comprising:
-
a local repository configured to store plural baseline profile models, wherein the electronic device has membership in one of the plural baseline profile models; one or more sensors configured to acquire sensor data; one or more processors; and a behavioral analysis and user authentication platform configured to execute on the one or more processors, wherein the behavioral analysis and user authentication platform is configured to; generate one or more feature vectors representing a temporal context associated with one or more user-specific behaviors observed from the acquired sensor data; generate a current user profile model from the one or more feature vectors, wherein the current user profile model represents one or more patterns in the temporal context associated with the one or more user-specific behaviors; compare the current user profile model generated from the one or more feature vectors to the plural baseline profile models to identify one of the plural baseline profile models closest to the current user profile model; detect an operator change at the electronic device in response to the baseline profile model closest to the current user profile model differing from the baseline profile model in which the electronic device has membership; compare the current user profile model to one or more authorized user profile models in response to the detected operator change; and generate a notification indicating that a current operator is authorized to use the electronic device in response to a distance from the current user profile model to at least one of the authorized user profile models being under a threshold value. - View Dependent Claims (31)
-
-
33. A computer-readable storage medium having computer-executable instructions recorded thereon, wherein executing the computer-executable instructions on an electronic device having one or more processors causes the one or more processors to:
-
generate one or more training feature vectors that represent one or more user-specific behaviors observed on the electronic device over a training period; generate a local user profile model from the one or more training feature vectors, wherein the local user profile model re-expresses the one or more user-specific behaviors observed over the training period according to one or more centroids that indicate a temporal context associated therewith; transmit the local user profile model to a server, wherein the server is configured to execute a clustering algorithm on the local user profile model transmitted from the electronic device and local user profile models transmitted from one or more other electronic devices to create plural baseline profile models; receive, from the server, the plural baseline profile models and information indicating one of the plural baseline profile models in which the electronic device has membership; generate one or more feature vectors representing a temporal context associated with one or more user-specific behaviors observed from sensor data acquired on the electronic device; generate a current user profile model from the one or more feature vectors, wherein the current user profile model comprises a centroid sequence that re-expresses the temporal context associated with the one or more user-specific behaviors and a data grammar that defines one or more rules to represent patterns in the centroid sequence; compare the current user profile model generated from the one or more feature vectors to the plural baseline profile models to identify one of the plural baseline profile models closest to the current user profile model; and detect an operator change at the electronic device according to whether the baseline profile model closest to the current user profile model differs from the baseline profile model in which the electronic device has membership. - View Dependent Claims (35, 36, 37, 40)
-
-
34. (canceled)
-
38. A computer-readable storage medium having computer-executable instructions recorded thereon, wherein executing the computer-executable instructions on an electronic device having one or more processors causes the one or more processors to:
-
store plural baseline profile models, wherein the electronic device has membership in one of the plural baseline profile models; generate one or more feature vectors representing a temporal context associated with one or more user-specific behaviors observed from sensor data acquired on the electronic device; generate a current user profile model from the one or more feature vectors, wherein the current user profile model represents one or more patterns in the temporal context associated with the one or more user-specific behaviors; compare the current user profile model generated from the one or more feature vectors to the plural baseline profile models to identify one of the plural baseline profile models closest to the current user profile model; detect an operator change at the electronic device in response to the baseline profile model closest to the current user profile model differing from the baseline profile model in which the electronic device has membership; compare the current user profile model to one or more authorized user profile models in response to the detected operator change; and generate a notification indicating that a current operator is authorized to use the electronic device in response to a distance from the current user profile model to at least one of the authorized user profile models being under a threshold value. - View Dependent Claims (39)
-
Specification