DETECTION OF COMPROMISED DEVICES VIA USER STATES

US 20180096157A1
Filed: 10/05/2016
Published: 04/05/2018
Est. Priority Date: 10/05/2016
Status: Active Grant

First Claim

Patent Images

1. A system for controlling device security, the system comprising:

at least one hardware device processor;

one or more supervised learning models; and

a controller that controls device security by;

obtaining a first set of device activity data indicating current device activity on a device;

obtaining a second set of user activity data indicating a current activity state of one or more legitimate users of the device;

determining whether the indicated current activity state of the one or more legitimate users indicates that at least one of the one or more legitimate users is in an active state on the device, or that none of the one or more legitimate users is in an active state on the device;

determining a statistical fit of the indicated current device activity on the device, with the indicated current activity state of the one or more legitimate users, by a comparison with at least one of the one or more supervised learning models, including;

determining a probability of occurrence of at least one device activity event that is indicated in the first set of device activity data, given the indicted current activity state of the one or more legitimate users, anddetermining whether the determined probability is within a predetermined fitness threshold value; and

initiating a security alert action, based on a result of the determination of the statistical fit indicating a compromised state of the device.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Controlling device security includes obtaining a set of device activity data indicating current device activity on a device and a set of user activity data indicating a current activity state of one or more legitimate users of the device. It is determined whether the indicated current activity state of the users indicates that a legitimate user is in an active state on the device, or that none of the legitimate users is in an active state on the device. A statistical fit of the indicated current device activity on the device, with the indicated current activity state of the one or more legitimate users, is determined, by a comparison with at least one of the models that are generated via supervised learning. A security alert action may be initiated, based on a result of the determination of the statistical fit indicating a compromised state of the device.

Citations

20 Claims

1. A system for controlling device security, the system comprising:
- at least one hardware device processor;
  
  one or more supervised learning models; and
  
  a controller that controls device security by;
  
  obtaining a first set of device activity data indicating current device activity on a device;
  
  obtaining a second set of user activity data indicating a current activity state of one or more legitimate users of the device;
  
  determining whether the indicated current activity state of the one or more legitimate users indicates that at least one of the one or more legitimate users is in an active state on the device, or that none of the one or more legitimate users is in an active state on the device;
  
  determining a statistical fit of the indicated current device activity on the device, with the indicated current activity state of the one or more legitimate users, by a comparison with at least one of the one or more supervised learning models, including;
  
  determining a probability of occurrence of at least one device activity event that is indicated in the first set of device activity data, given the indicted current activity state of the one or more legitimate users, anddetermining whether the determined probability is within a predetermined fitness threshold value; and
  
  initiating a security alert action, based on a result of the determination of the statistical fit indicating a compromised state of the device.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The system of claim 1, wherein the controller further:
    - determines a first set of temporal intervals corresponding to times of user-active states and a second set of temporal intervals corresponding to times of user-inactive states.
  - 3. The system of claim 1, wherein the controller further:
    - determines a first set of temporal intervals corresponding to times of user-active states and a second set of temporal intervals corresponding to times of user-inactive states, based on obtaining operating system signals during operation of the device.
  - 4. The system of claim 1, further comprising:
    - an interface that obtains one or more user privacy permissions.
  - 5. The system of claim 4, wherein the one or more user privacy permissions include:
    - at least one user permission to analyze activity on the device that is initiated by one of the legitimate users while the device is in a user-active state.
  - 6. The system of claim 1, further comprising:
    - an interface that obtains one or more user selections indicating user privacy permissions.

7. A method comprising:
- controlling management of device security by;
  
  generating one or more statistical models that include statistical probability information that is associated with determinations of compromised devices, the generating using automated supervised learning, the generating including;
  
  generating at least one first model that includes data describing one or more legitimate activities of the device during one or more legitimate user-active states, andgenerating at least one second model that includes data describing one or more legitimate activities of the device during one or more legitimate user-inactive states;
  
  determining a security status of the device based on obtaining a first set of device current activity data indicating current device activity on the device, and checking the indicated current device activity against the one or more statistical models; and
  
  initiating a security alert action, based on a result of the checking indicating a compromised state of the device.
- View Dependent Claims (8, 9, 10, 11)
- - 8. The method of claim 7, wherein:
    - initiating the security alert action includes providing an alert message to a legitimate user of the device.
  - 9. The method of claim 7, wherein:
    - initiating the security alert action includes initiating a remedial action on the device.
  - 10. The method of claim 7, wherein:
    - the one or more statistical models include one or more artificial intelligence models.
  - 11. The method of claim 7, wherein:
    - determining the security status of the device includes;
      
      obtaining the first set of device current activity data indicating current device activity on the device; and
      
      obtaining a second set of user activity data indicating a current activity state of one or more legitimate users of the device.

12. A system comprising:
- at least one hardware device processor;
  
  one or more feature sets; and
  
  a controller that controls device security by;
  
  obtaining a plurality of signals indicating a current activity state of a user of a device and a current device activity on the device;
  
  determining whether the indicated current activity state of the user indicates that the current user is in an active state on the device, or in an inactive state on the device;
  
  determining a statistical fit of the indicated current device activity on the device, with the indicated current activity state of the user, by a comparison with at least one of the feature sets, including;
  
  determining a probability of occurrence of at least one device activity event that is indicated in the obtained plurality of signals, given the indicted current activity state of the user, anddetermining whether the determined probability is within a predetermined fitness threshold value; and
  
  initiating a security alert action, based on a result of the determination of the statistical fit indicating a compromised state of the device.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20)
- - 13. The system of claim 12, wherein the controller includes:
    - an updater that initiates an update of at least one of the feature sets, based on the plurality of signals indicating the current activity state of the user and the current device activity on the device.
  - 14. The system of claim 13, wherein:
    - the updater initiates the update of the at least one of the feature sets, if the result of the determination of the statistical fit does not indicate a compromised state of the device.
  - 15. The system of claim 12, wherein the controller includes:
    - an interval generator that determines a first set of temporal intervals corresponding to times of user-active states and a second set of temporal intervals corresponding to times of user-inactive states, based on obtaining operating system signals during operation of the device.
  - 16. The system of claim 15, wherein:
    - the interval generator determines the first set of temporal intervals corresponding to times of user logged-in states and the second set of temporal intervals corresponding to times of user logged-out states.
  - 17. The system of claim 15, wherein the controller includes:
    - a filter that determines a set of signals that indicate activity of the device within one of the temporal intervals, and associates the determined set of signals with the one of the temporal intervals.
  - 18. The system of claim 12, wherein the controller includes:
    - an interface that obtains one or more user selections indicating user privacy permissions.
  - 19. The system of claim 18, wherein:
    - the user privacy permissions include one or more of;
      
      user login times, oruser logout times.
  - 20. The system of claim 18, wherein:
    - the user privacy permissions include user browsing patterns.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Inventors
Israel, Moshe, Ronen, Royi, Alon, Daniel, Teller, Tomer, Shteingart, Hanan

Granted Patent

US 10,534,925 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/55   Detecting local intrusion o...

G06F 21/566   Dynamic detection, i.e. det...

G06F 21/6218   to a system of files or obj...

G06F 2221/034   Test or assess a computer o...

H04L 41/06   Management of faults, event...

H04L 43/16   Threshold monitoring

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1441   Countermeasures against mal...

H04L 67/306   User profiles

H04L 67/535   Tracking the activity of th...

DETECTION OF COMPROMISED DEVICES VIA USER STATES

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

DETECTION OF COMPROMISED DEVICES VIA USER STATES

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links