Malware and anomaly detection via activity recognition based on sensor data

US 9,319,423 B2
Filed: 11/04/2013
Issued: 04/19/2016
Est. Priority Date: 11/04/2013
Status: Active Grant

First Claim

Patent Images

1. A system for providing malware and anomaly detection via activity recognition based on sensor data, the system comprising:

a memory that stores instructions;

a processor that executes the instructions to perform operations, the operations comprising;

analyzing sensor data collected during a selected time period from at least one sensor associated with a device;

determining a context of the device when the device is in a connected state, wherein the context of the device is determined based on the sensor data collected during the selected time period, wherein the context of the device comprises an indication as to a physical orientation of the device and a position of the device;

determining if traffic received or transmitted by the device during the connected state is in a white list; and

transmitting an alert if the traffic is not in the white list and if the context determined for the device indicates that the context does not correlate with the traffic.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system for malware and anomaly detection via activity recognition based on sensor is disclosed. The system may analyze sensor data collected during a selected time period from one or more sensors that are associated with a device. Once the sensor data is analyzed, the system may determine a context of the device when the device is in a connected state. The system may determine the context of the device based on the sensor data collected during the selected time period. The system may also determine if traffic received or transmitted by the device during the connected state is in a white list. Furthermore, the system may transmit an alert if the traffic is determined to not be in the white list or if the context determined for the device indicates that the context does not correlate with the traffic.

40 Citations

View as Search Results

20 Claims

1. A system for providing malware and anomaly detection via activity recognition based on sensor data, the system comprising:
- a memory that stores instructions;
  
  a processor that executes the instructions to perform operations, the operations comprising;
  
  analyzing sensor data collected during a selected time period from at least one sensor associated with a device;
  
  determining a context of the device when the device is in a connected state, wherein the context of the device is determined based on the sensor data collected during the selected time period, wherein the context of the device comprises an indication as to a physical orientation of the device and a position of the device;
  
  determining if traffic received or transmitted by the device during the connected state is in a white list; and
  
  transmitting an alert if the traffic is not in the white list and if the context determined for the device indicates that the context does not correlate with the traffic.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The system of claim 1, wherein the operations further comprise activating the at least one sensor associated with the device when the device is in the connected state.
  - 3. The system of claim 2, wherein the operations further comprise deactivating the at least one sensor when the selected time period has expired.
  - 4. The system of claim 1, wherein the operations further comprise assigning the traffic to a black list if the traffic received or transmitted by the device during the connected state is determined to not be in the white list.
  - 5. The system of claim 1, wherein the operations further comprise providing, with the alert, an option to block an application associated with the traffic.
  - 6. The system of claim 1, wherein the operations further comprise assigning a score to the context determined for the device.
  - 7. The system of claim 6, wherein the operations further comprise determining that the context does not correlate with the traffic if the score for the context is greater than a threshold level.
  - 8. The system of claim 1, wherein the operations further comprise assigning the traffic to the white list if the context is determined to correlate with the traffic.
  - 9. The system of claim 1, wherein the context of the device further comprises an indication of a proximity of the device to an object, an indication of a speed at which the device is moving, an indication of ambient light around the device, or an indication of an acceleration of the device.

10. A method for providing malware and anomaly detection via activity recognition based on sensor data, the method comprising:
- analyzing sensor data collected during a selected time period from at least one sensor associated with a device;
  
  determining, by utilizing instructions from memory that are executed by a processor, a context of the device when the device is in a connected state, wherein the context of the device is determined based on the sensor data collected during the selected time period, wherein the context of the device comprises an indication as to a physical orientation of the device and a position of the device;
  
  determining if traffic received or transmitted by the device during the connected state is in a white list; and
  
  transmitting an alert if the traffic is not in the white list and if the context determined for the device indicates that the context does not correlate with the traffic.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17)
- - 11. The method of claim 10, further comprising transmitting an option to the device to accept the traffic even if the traffic is not in the whitelist and the context indicates that the context does not correlate with the traffic.
  - 12. The method of claim 11, further comprising deactivating the at least one sensor when the selected time period has expired.
  - 13. The method of claim 10, further comprising assigning the traffic to a black list if the traffic is being transmitted to a destination that is not in a contact list associated with the device.
  - 14. The method of claim 10, further comprising activating the at least one sensor associated with the device when the device is in the connected state.
  - 15. The method of claim 10, further comprising assigning a score to the context determined for the device.
  - 16. The method of claim 15, further comprising determining that the context does not correlate with the traffic if the score for the context is greater than a threshold level.
  - 17. The method of claim 10, further comprising updating the context of the device based on different sensor data collected during a different selected time period.

18. A computer-readable device comprising instructions, which when executed by a processor, cause the processor to perform operations comprising:
- analyzing sensor data collected during a selected time period from at least one sensor associated with a device;
  
  determining a context of the device when the device is in a connected state, wherein the context of the device is determined based on the sensor data collected during the selected time period, wherein the context of the device comprises an indication as to a physical orientation of the device and a position of the device;
  
  determining if traffic received or transmitted by the device during the connected state is in a white list; and
  
  transmitting an alert if the traffic is not in the white list and if the context determined for the device indicates that the context does not correlate with the traffic.
- View Dependent Claims (19, 20)
- - 19. The computer-readable device of claim 18, wherein the operations further comprise assigning a score to the context determined for the device.
  - 20. The computer-readable device of claim 19, wherein the operations further comprise determining that the context does not correlate with the traffic if the score for the context is greater than a threshold level.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
AT&T Intellectual Property I LP (AT&T, Inc.)
Original Assignee
AT&T Intellectual Property I LP (AT&T, Inc.)
Inventors
Jover, Roger P., Murynets, Ilona
Primary Examiner(s)
Gergiso, Techane

Application Number

US14/070,875
Publication Number

US 20150128265A1
Time in Patent Office

897 Days
Field of Search
US Class Current

1/1
CPC Class Codes

H04L 2463/144   Detection or countermeasure...

H04L 63/14   for detecting or protecting...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1441   Countermeasures against mal...

H04L 63/145   the attack involving the pr...

H04W 12/12   Detection or prevention of ...

H04W 12/128   Anti-malware arrangements, ...

H04W 12/65   Environment-dependent, e.g....

H04W 12/68   Gesture-dependent or behavi...

Malware and anomaly detection via activity recognition based on sensor data

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

40 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

Malware and anomaly detection via activity recognition based on sensor data

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

40 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others