DETECTION OF COMPROMISED DEVICES VIA USER STATES
First Claim
1. A system for controlling device security, the system comprising:
at least one hardware device processor;
one or more supervised learning models; and
a controller that controls device security by:
obtaining a first set of device activity data indicating current device activity on a device;
obtaining a second set of user activity data indicating a current activity state of one or more legitimate users of the device;
determining whether the indicated current activity state of the one or more legitimate users indicates that at least one of the one or more legitimate users is in an active state on the device, or that none of the one or more legitimate users is in an active state on the device;
determining a statistical fit of the indicated current device activity on the device, with the indicated current activity state of the one or more legitimate users, by a comparison with at least one of the one or more supervised learning models, including:
determining a probability of occurrence of at least one device activity event that is indicated in the first set of device activity data, given the indicated current activity state of the one or more legitimate users, and
determining whether the determined probability is within a predetermined fitness threshold value; and
initiating a security alert action, based on a result of the determination of the statistical fit indicating a compromised state of the device.
Abstract
Controlling device security includes obtaining a set of device activity data indicating current device activity on a device and a set of user activity data indicating a current activity state of one or more legitimate users of the device. It is determined whether the indicated current activity state of the users indicates that a legitimate user is in an active state on the device, or that none of the legitimate users is in an active state on the device. A statistical fit of the indicated current device activity on the device, with the indicated current activity state of the one or more legitimate users, is determined, by a comparison with at least one of the models that are generated via supervised learning. A security alert action may be initiated, based on a result of the determination of the statistical fit indicating a compromised state of the device.
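The check the abstract describes can be sketched as follows. This is an added example, not code from the patent: the event names, the training counts, the additive smoothing and the threshold of 0.02 are all assumptions, and a probability below the threshold is treated here as "does not fit".

```python
from collections import Counter

# Constructed training data: (user_state, device_event) pairs recorded during
# known-legitimate operation. Event names are hypothetical.
TRAINING = (
    [("active", "browser_http")] * 40
    + [("active", "file_write")] * 30
    + [("active", "process_spawn")] * 25
    + [("active", "outbound_ssh")] * 5
    + [("inactive", "update_check")] * 60
    + [("inactive", "backup_upload")] * 35
    + [("inactive", "browser_http")] * 5
)

FITNESS_THRESHOLD = 0.02  # assumed value; less likely events do not fit


def train(samples, alpha=1.0):
    """Build one frequency model per user state from labelled samples."""
    vocab = {event for _, event in samples}
    counts = {}
    for state, event in samples:
        counts.setdefault(state, Counter())[event] += 1
    return {"vocab": vocab, "alpha": alpha, "counts": counts}


def probability(model, event, state):
    """P(event | state), additively smoothed; one extra slot covers unseen events."""
    seen = model["counts"][state]
    total = sum(seen.values())
    slots = len(model["vocab"]) + 1
    return (seen[event] + model["alpha"]) / (total + model["alpha"] * slots)


def check_device(model, events, user_active, threshold=FITNESS_THRESHOLD):
    """Compare current device events with the model for the current user state."""
    state = "active" if user_active else "inactive"
    misfits = [e for e in events if probability(model, e, state) < threshold]
    # A non-empty misfit list is what would trigger the security alert action.
    return {"state": state, "alert": bool(misfits), "misfits": misfits}


if __name__ == "__main__":
    model = train(TRAINING)
    current = ["process_spawn", "outbound_ssh"]
    print(check_device(model, current, user_active=True))
    print(check_device(model, current, user_active=False))
```

The same two events pass while a legitimate user is active and raise an alert when no user is active, which is the distinction the user-state signal is meant to provide.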
20 Claims
7. A method comprising:
controlling management of device security by:
generating one or more statistical models that include statistical probability information that is associated with determinations of compromised devices, the generating using automated supervised learning, the generating including:
generating at least one first model that includes data describing one or more legitimate activities of the device during one or more legitimate user-active states, and
generating at least one second model that includes data describing one or more legitimate activities of the device during one or more legitimate user-inactive states;
determining a security status of the device based on obtaining a first set of device current activity data indicating current device activity on the device, and checking the indicated current device activity against the one or more statistical models; and
initiating a security alert action, based on a result of the checking indicating a compromised state of the device.
12. A system comprising:
at least one hardware device processor;
one or more feature sets; and
a controller that controls device security by:
obtaining a plurality of signals indicating a current activity state of a user of a device and a current device activity on the device;
determining whether the indicated current activity state of the user indicates that the current user is in an active state on the device, or in an inactive state on the device;
determining a statistical fit of the indicated current device activity on the device, with the indicated current activity state of the user, by a comparison with at least one of the feature sets, including:
determining a probability of occurrence of at least one device activity event that is indicated in the obtained plurality of signals, given the indicated current activity state of the user, and
determining whether the determined probability is within a predetermined fitness threshold value; and
initiating a security alert action, based on a result of the determination of the statistical fit indicating a compromised state of the device.
Specification