Systems and methods for detecting user activities to identify deceptive activity

US 8,898,777 B1
Filed: 10/14/2011
Issued: 11/25/2014
Est. Priority Date: 10/14/2011
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method to determine whether user interaction activities are indicative of deceptive actions, comprising:

detecting performance of at least one user interaction activity on a computing device in order to detect confidence scheme intrusions into the computing device, wherein the user interaction activity comprises a user receiving a request to grant a remote computing device access to the computing device;

logging the performance of the at least one user interaction activity;

analyzing a past history of the logged user interaction activities on the computing device to determine a frequency of occurrence of each user interaction activity;

assigning a score to the detected at least one user interaction activity, wherein the score is based on the frequency of occurrence in the past of the at least one user interaction activity;

determining whether the logged user interaction activity matches a signature, wherein the signature comprises a sequence of at least one user interaction activity; and

generating a notification message based on the determination that the logged user interaction activity matches the signature, wherein the notification message comprises a query to the user of whether the user is in communication with another user and whether the other user is requesting that the user grant remote access to the computing device.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computer-implemented method to determine whether user interaction activities are indicative of deceptive actions is described. Performance of at least one user interaction activity on a computing device is detected. The performance of the at least one user interaction activity is logged. A determination is made as to whether the logged user interaction activity matches a signature. A notification message is generated based on the determination that the logged user interaction activity matches the signature.

25 Citations

View as Search Results

11 Claims

1. A computer-implemented method to determine whether user interaction activities are indicative of deceptive actions, comprising:
- detecting performance of at least one user interaction activity on a computing device in order to detect confidence scheme intrusions into the computing device, wherein the user interaction activity comprises a user receiving a request to grant a remote computing device access to the computing device;
  
  logging the performance of the at least one user interaction activity;
  
  analyzing a past history of the logged user interaction activities on the computing device to determine a frequency of occurrence of each user interaction activity;
  
  assigning a score to the detected at least one user interaction activity, wherein the score is based on the frequency of occurrence in the past of the at least one user interaction activity;
  
  determining whether the logged user interaction activity matches a signature, wherein the signature comprises a sequence of at least one user interaction activity; and
  
  generating a notification message based on the determination that the logged user interaction activity matches the signature, wherein the notification message comprises a query to the user of whether the user is in communication with another user and whether the other user is requesting that the user grant remote access to the computing device.
- View Dependent Claims (2, 3, 4)
- - 2. The method of claim 1, further comprising determining whether the logged user interaction activity matches the signature when an end point is detected.
  - 3. The method of claim 2, wherein the end point comprises a file download, initialization of a remote access session, or accessing a website requesting sensitive data.
  - 4. The method of claim 1, further comprising preventing the performance of an end point until a determination is made as to whether the logged at least one user interaction activity matches the signature.

5. A computing device configured to determine whether user interaction activities are indicative of deceptive actions, comprising:
- a processor;
  
  memory in electronic communication with the processor;
  
  instructions stored in the memory, the instructions being executable by the processor to;
  
  detect performance of at least one user interaction activity on a computing device in order to detect confidence scheme intrusions into the computing device, wherein the user interaction activity comprises a user receiving a request to grant a remote computing device access to the computing device;
  
  log the performance of the at least one user interaction activity;
  
  analyze a past history of the logged user interaction activities on the computing device to determine a frequency of occurrence of each user interaction activity;
  
  assign a score to the detected at least one user interaction activity, wherein the score is based on the frequency of occurrence in the past of the at least one user interaction activity,determine whether the logged user interaction activity matches a signature wherein the signature comprises a sequence of at least one user interaction activity; and
  
  generate a notification message based on the determination that the logged user interaction activity matches the signature, wherein the notification message comprises a query to the user of whether the user is in communication with another user and whether the other user is requesting that the user grant remote access to the computing device.
- View Dependent Claims (6, 7, 8, 9)
- - 6. The computing device of claim 5, wherein the instructions being executable by the processor to:
    - determine whether the logged user interaction activity matches the signature when an end point is detected.
  - 7. The computing device of claim 6, wherein the end point comprises a file download, initialization of a remote access session, or accessing a website requesting sensitive data.
  - 8. The computing device of claim 5, wherein the user interaction activity comprises an interaction between a user and the computing device.
  - 9. The computing device of claim 5, wherein the instructions being executable by the processor to:
    - prevent the performance of an end point until a determination is made as to whether the logged at least one user interaction activity matches the signature.

10. A computer-program product to determine, via a processor, whether user interaction activities are indicative of deceptive actions, the computer-program product comprising a non-transitory computer-readable medium storing instructions thereon, the instructions being executable by the processor to:
- detect performance of at least one user interaction activity on a computing device in order to detect confidence scheme intrusions into the computing device, wherein the user interaction activity comprises a user receiving a request to grant a remote computing device access to the computing device;
  
  log the performance of the at least one user interaction activity;
  
  analyze a past history of the logged user interaction activities on the computing device to determine a frequency of occurrence of each user interaction activity;
  
  assign a score to the detected at least one user interaction activity, wherein the score is based on the frequency of occurrence in the past of the at least one user interaction activity,determine whether the logged user interaction activity matches a signature wherein the signature comprises a sequence of at least one user interaction activity; and
  
  generate a notification message based on the determination that the logged user interaction activity matches the signature, wherein the notification message comprises a query to the user of whether the user is in communication with another user and whether the other user is requesting that the user grant remote access to the computing device.
- View Dependent Claims (11)
- - 11. The computer-program product of claim 10, wherein the instructions are executable by the processor to:
    - determine whether the logged user interaction activity matches the signature when an end point is detected.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
NortonLifeLock Inc.
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Oliver, Ian
Primary Examiner(s)
Reza, Mohammad W

Application Number

US13/273,915
Time in Patent Office

1,138 Days
Field of Search

726/22
US Class Current

726/22
CPC Class Codes

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1433   Vulnerability analysis

H04L 63/1441   Countermeasures against mal...

Systems and methods for detecting user activities to identify deceptive activity

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

25 Citations

11 Claims

Specification

Use Cases

Quick Links

Others

Systems and methods for detecting user activities to identify deceptive activity

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

25 Citations

11 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others