Adaptive security network, sensor node and method for detecting anomalous events in a security network

US 8,779,921 B1
Filed: 05/14/2010
Issued: 07/15/2014
Est. Priority Date: 05/14/2010
Status: Active Grant

First Claim

Patent Images

1. A sensor node configured for detecting anomalous events in a security network, the sensor node comprising:

at least one sensor coupled for acquiring sensor data pertaining to the security network;

a storage medium coupled for storing;

a plurality of event signatures corresponding to previously identified anomalous events, wherein the previously identified anomalous events comprise threat-events and non-threat events;

a set of event property filters specified for each of the stored event signatures, wherein each set of event property filters defines a plurality of parameters that the sensor data must meet in order to detect an anomalous event in the sensor data, and wherein the set of event property filters comprise a minimum threshold value filter, a minimum time filter, and an event count filter; and

a set of program instructions, which uses the plurality of event signatures and the sets of event property filters for detecting an anomalous event within the sensor data and, once the anomalous event is detected, the set of program instructions are configured for classifying the detected event as a threat-event, a non-threat event, or an unidentified event; and

a processor coupled for executing the set of program instructions to detect and classify the anomalous event.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An adaptive security network, sensor node and methods for detecting and responding to anomalous events in a security network are provided herein. In general, the adaptive security network comprises a plurality of sensor nodes interconnected to form a communication network, wherein each sensor node is configured for detecting an anomalous event occurring within a vicinity of the sensor node and for identifying the detected anomalous event as a specific threat-event, a specific non-threat event or an unidentified event. In addition, the adaptive security network comprises a central processing and control system coupled to the plurality of sensor nodes for receiving an event notification message from at least one of the sensor nodes indicating an identity of an anomalous event detected by the at least one sensor node. Upon receiving the event notification message, the central processing and control system is configured for confirming the identity of the anomalous event provided by the at least one sensor node and for responding to the anomalous event once the identity is confirmed.

150 Citations

27 Claims

1. A sensor node configured for detecting anomalous events in a security network, the sensor node comprising:
- at least one sensor coupled for acquiring sensor data pertaining to the security network;
  
  a storage medium coupled for storing;
  
  a plurality of event signatures corresponding to previously identified anomalous events, wherein the previously identified anomalous events comprise threat-events and non-threat events;
  
  a set of event property filters specified for each of the stored event signatures, wherein each set of event property filters defines a plurality of parameters that the sensor data must meet in order to detect an anomalous event in the sensor data, and wherein the set of event property filters comprise a minimum threshold value filter, a minimum time filter, and an event count filter; and
  
  a set of program instructions, which uses the plurality of event signatures and the sets of event property filters for detecting an anomalous event within the sensor data and, once the anomalous event is detected, the set of program instructions are configured for classifying the detected event as a threat-event, a non-threat event, or an unidentified event; and
  
  a processor coupled for executing the set of program instructions to detect and classify the anomalous event.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The sensor node as recited in claim 1, wherein the set of program instructions comprise:
    - first program instructions for comparing the sensor data to the plurality of event signatures, wherein if the first program instructions determine that the sensor data substantially matches one or more of the event signatures, the set of program instructions further comprise;
      
      second program instructions for applying an appropriate set of event property filters corresponding to the one or more matching event signatures to the sensor data;
      
      third program instructions for detecting an anomalous event only if the sensor data meets the parameters defined within the appropriate set of event property filters;
      
      fourth program instructions for classifying the detected event as one of the previously identified anomalous events, wherein said classifying identifies the threat-event or the non-threat event corresponding to the one or more matching event signatures; and
      
      fifth program instructions for generating an event notification message including the identified event, wherein the event notification message is transmitted from the sensor node to the central processing and control system.
  - 3. The sensor node as recited in claim 2, wherein if the first program instructions determine that the sensor data does not match any of the event signatures, the set of program instructions further comprise:
    - sixth program instructions for determining if the sensor data contains any suspicious attributes, wherein if suspicious attributes are detected, the set of program instructions further comprises;
      
      seventh program instructions for detecting an unidentified event; and
      
      eighth program instructions for generating an unidentified event notification message, which is transmitted from the sensor node to the central processing and control system.
  - 4. The sensor node as recited in claim 1, further comprising at least one transceiver coupled for communicating with the central processing and control system.
  - 5. The sensor node as recited in claim 1, further comprising a power cell for providing power to the sensor node and an energy harvesting device for recharging the power cell.
  - 6. The sensor node as recited in claim 1, wherein the at least one sensor comprises a plurality of sensors, at least some of which comprise a different sensor technology.
  - 7. The sensor node as recited in claim 1, wherein if an anomalous event is detected and classified as a non-threat event, the processor is further coupled for receiving instructions for responding to the detected non-threat event from a central processing and control system of the security network.
  - 8. The sensor node as recited in claim 1, wherein the set of event property filters further comprise one or more of a maximum threshold value filter, an event window filter and a post alarm time filter.
  - 9. The sensor node as recited in claim 7, wherein the instructions received by the processor for responding to a detected non-threat event include modifying at least one parameter within the sets of event property filters, so as to effectively tune out the detected non-threat event, while the sensor node continues to monitor the security network for other anomalous events.
  - 10. The sensor node as recited in claim 7, wherein the instructions received by the processor for responding to the detected non-threat event include at least one of the following instructions:
    - modify at least one parameter within the sets of event property filters, so as to effectively tune out the detected non-threat event, while the sensor node continues to monitor the security network for other anomalous events; and
      
      cease transmission of the event notification message identifying the detected non-threat event.

11. A method for detecting anomalous events at a sensor node arranged within a security network comprising a plurality of sensor nodes controlled by a central processing and control system, the method performed at the sensor node comprising:
- acquiring sensor data pertaining to the security network;
  
  detecting an anomalous event within the sensor data by;
  
  comparing the sensor data to event signatures stored within the sensor node, wherein the event signatures correspond to previously identified anomalous events, including threat events and non-threat events, and wherein if the sensor data substantially matches one or more of the stored event signatures, the method further comprises;
  
  applying a set of event property filters corresponding to the one or more matching event signatures to the sensor data, wherein the set of event property filters specify parameters that must be met in order to detect an anomalous event within the sensor data, and wherein the set of event property filters comprise a minimum threshold value filter, a minimum time filter, and an event count filter; and
  
  detecting an anomalous event only if the sensor data satisfies the parameters within the set of event property filters; and
  
  classifying the detected anomalous event as a threat-event or a non-threat event, wherein the classifying step identifies the threat-event or the non-threat event corresponding to the one or more matching event signatures.
- View Dependent Claims (12, 13, 14, 15, 16, 17)
- - 12. The method as recited in claim 11, wherein after said classifying, the method further comprises:
    - generating an event notification message including the identified threat-event or non-threat event; and
      
      transmitting the event notification message to the central processing and control system.
  - 13. The method as recited in claim 12, wherein if the event notification message identifies a non-threat event, the method further comprises at least one of the following:
    - changing a sensitivity level of at least one of the event property filters, so as to effectively tune out the detected non-threat event, while continuing to monitor the security network for other anomalous events; and
      
      ceasing transmission of the event notification message identifying the detected non-threat event.
  - 14. The method as recited in claim 12, wherein if the event notification message identifies a threat event, the method further comprises receiving a request from the central processing and control system for transmitting additional data from the sensor node to the central processing and control system.
  - 15. The method as recited in claim 11, wherein if the sensor data does not match any of the event signatures, the method further comprise:
    - determining if the sensor data contains any suspicious attributes, wherein if suspicious attributes are detected, the method further comprises;
      
      detecting an unidentified event;
      
      generating an unidentified event notification message; and
      
      transmitting the unidentified event notification message to the central processing and control system.
  - 16. The method as recited in claim 11, wherein if the detected anomalous event is classified as a non-threat event, the method further comprises receiving instructions from the central processing and control system for responding to the non-threat.
  - 17. The method as recited in claim 11, wherein the set of event property filters further comprise one or more of a maximum threshold value filter, an event window filter and a post alarm time filter.

18. A security network, comprising:
- a plurality of sensor nodes interconnected to form a communication network, wherein each sensor node is configured for detecting an anomalous event occurring within a vicinity of the sensor node and for identifying the detected anomalous event as a specific threat-event, a specific non-threat event or an unidentified event; and
  
  a central processing and control system coupled to the plurality of sensor nodes for receiving an event notification message from at least one of the sensor nodes indicating an identity of an anomalous event detected by the at least one sensor node, wherein upon receiving the event notification message, the central processing and control system is configured for confirming the identity of the anomalous event provided by the at least one sensor node by applying a set of event property filters to the event notification message and for responding to the anomalous event once confirmation is made, wherein the set of event property filters comprise a minimum threshold value filter, a minimum time filter, and an event count filter.
- View Dependent Claims (19, 20, 21, 22, 23, 24, 25, 26, 27)
- - 19. The security network as recited in claim 18, wherein the central processing and control system is further configured for confirming the identity of the anomalous event provided by the at least one sensor node by comparing the event notification message to other event notification messages received from other sensor nodes.
  - 20. The security network as recited in claim 18, wherein if the central processing and control system confirms the identity of an anomalous event as a specific threat event, the central processing system is further configured for:
    - generating an alarm signal attributed to the at least one sensor node;
      
      forwarding the alarm signal to a user interface system of the security network for displaying and alerting a user to the specific threat event at the at least one sensor node;
      
      responding to the alarm signal based on a priority setting specified for the specific threat event; and
      
      storing details of the specific threat event within an event log.
  - 21. The security network as recited in claim 18, wherein if the central processing and control system confirms the identity of an anomalous event as a specific non-threat event, the central processing system is further configured for:
    - generating a warning signal attributed to the at least one sensor node;
      
      forwarding the warning signal to a user interface system of the security network for displaying and alerting a user to the specific non-threat event at the at least one sensor node;
      
      sending instructions to the at least one sensor node for responding to the specific non-threat event; and
      
      storing details of the specific non-threat event within an event log.
  - 22. The security network as recited in claim 21, wherein the instructions sent to the at least one sensor node for responding to the specific non-threat event comprise at least one of the following:
    - changing a sensitivity level of at least one parameter used by the at least one sensor node for detecting and identifying the specific non-threat event, so that the at least one sensor node can ignore the specific non-threat event, while continuing to monitor the security network for other anomalous events; and
      
      ceasing transmission of the event notification message identifying the specific non-threat event.
  - 23. The security network as recited in claim 18, wherein if the central processing and control system confirms the identity of an anomalous event as an unidentified event, the central processing system is further configured for storing details of the unidentified event within an event log.
  - 24. The security network as recited in claim 23, wherein the central processing and control system is further configured for analyzing the details of the unidentified event stored within the event log in order to identify the unidentified event.
  - 25. The security network as recited in claim 23, wherein the central processing and control system is further configured for predicting the occurrence of a future threat event by analyzing details of unidentified events stored within the event log over time.
  - 26. The security network as recited in claim 18, further comprising a user interface system in communication with the central processing and control system, wherein the user interface system comprises a graphical user interface (GUI) including a user-interactive map of the security network for displaying the location and status of each of the sensor nodes.
  - 27. The security network as recited in claim 26, wherein the GUI comprises graphical and textual means for:
    - displaying a status of one or more of the sensor nodes;
      
      displaying details of a specific threat-event, a specific non-threat event or an unidentified event detected by one or more of the sensor nodes;
      
      displaying a historical log of events associated with one or more of the sensor nodes; and
      
      selecting operational settings of one or more of the sensor nodes, wherein said selecting comprises setting sensitivity levels of parameters used by the sensor nodes for detecting and identifying the specific threat events and the specific non-threat events, and assigning priority settings for responding to the specific threat events.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
ReconaSense, Inc. (Tranquility Ventures, Inc.)
Original Assignee
Solio Security, Inc.
Inventors
Curtiss, David
Primary Examiner(s)
Wu, Daniel
Assistant Examiner(s)
Barakat, Mohamed

Application Number

US12/780,655
Time in Patent Office

1,523 Days
Field of Search

340/541, 340/524, 340/525, 340521-522, 248152-155
US Class Current

340/541
CPC Class Codes

G08B 25/009 Signalling of the alarm con...

Adaptive security network, sensor node and method for detecting anomalous events in a security network

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

150 Citations

27 Claims

Specification

Solutions

Use Cases

Quick Links

Adaptive security network, sensor node and method for detecting anomalous events in a security network

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

150 Citations

27 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links