Intrusion detection on computing devices

US 9,686,300 B1
Filed: 07/14/2015
Issued: 06/20/2017
Est. Priority Date: 07/14/2014
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

collecting, by a processing device, raw data corresponding to physical manipulations of a user interface device;

converting, by the processing device, the raw data to characteristic test data (CTD), wherein the CTD represents behavior characteristics of a current user, wherein the CTD comprises a first plurality of data sets, each of the first plurality of data sets identifies an individual behavioral characteristic corresponding to one of the physical manipulations of the user interface device by the current user;

identifying, by the processing device, a characteristic model corresponding to the behavior characteristics represented by the CTD, wherein the characteristic model comprises a second plurality of data sets, each of the second plurality of data sets identifies an expected behavioral characteristic corresponding to one of the physical manipulations of the user device by an authenticated user;

determining, by the processing device, a set of threat scores, wherein each of the set of threat scores is determined by comparing one of the first plurality of data sets against a corresponding one of the second plurality of data sets stored in the characteristic model; and

determining, by the processing device, that the current user is not the authenticated user when more than one of the individual behavioral characteristics of the current user deviates from the expected behavioral characteristics of the authenticated user as reflected in the set of threat scores;

performing, by the processing device, a corrective action when the current user is not the authenticated user; and

collecting, by the processing device, additional raw data corresponding to additional physical manipulations of the user interface device when none or one of the individual behavioral characteristics of the current user deviates from the expected behavioral characteristics of the authenticated user as reflected in the set of threat scores.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A non-transitory computer readable storage medium including instructions that, when executed by a computing system, cause the computing system to perform operations. The operations include collecting, by a processing device, raw data regarding a user action. The operations also include converting, by the processing device, the raw data to characteristic test data (CTD), wherein the CTD represents behavior characteristics of a current user. The operations also include identifying, by the processing device, a characteristic model corresponding to the behavior characteristics represented by the CTD. The operations also include generating, by the processing device, a predictor from a comparison of the CTD against the corresponding characteristic model, wherein the predictor comprises a score indicating a probability that the user action came from an authenticated user.

Citations

20 Claims

1. A method comprising:
- collecting, by a processing device, raw data corresponding to physical manipulations of a user interface device;
  
  converting, by the processing device, the raw data to characteristic test data (CTD), wherein the CTD represents behavior characteristics of a current user, wherein the CTD comprises a first plurality of data sets, each of the first plurality of data sets identifies an individual behavioral characteristic corresponding to one of the physical manipulations of the user interface device by the current user;
  
  identifying, by the processing device, a characteristic model corresponding to the behavior characteristics represented by the CTD, wherein the characteristic model comprises a second plurality of data sets, each of the second plurality of data sets identifies an expected behavioral characteristic corresponding to one of the physical manipulations of the user device by an authenticated user;
  
  determining, by the processing device, a set of threat scores, wherein each of the set of threat scores is determined by comparing one of the first plurality of data sets against a corresponding one of the second plurality of data sets stored in the characteristic model; and
  
  determining, by the processing device, that the current user is not the authenticated user when more than one of the individual behavioral characteristics of the current user deviates from the expected behavioral characteristics of the authenticated user as reflected in the set of threat scores;
  
  performing, by the processing device, a corrective action when the current user is not the authenticated user; and
  
  collecting, by the processing device, additional raw data corresponding to additional physical manipulations of the user interface device when none or one of the individual behavioral characteristics of the current user deviates from the expected behavioral characteristics of the authenticated user as reflected in the set of threat scores.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, further comprising training, by the processing device, the characteristic model from the collected raw data.
  - 3. The method of claim 1, wherein the raw data is continuously collected to maintain an authentication of the current user.
  - 4. The method of claim 1, wherein raw data comprises at least one of keyboard event data, mouse event data, touch event data, gyroscope event data, accelerometer event data, camera event data, or proximity sensor event data.
  - 5. The method of claim 1, wherein the raw data comprises data indicative of an access pathway followed by the current user.
  - 6. The method of claim 1, wherein the CTD comprises data relating to a current physical manipulation of the user interface device and a past physical manipulation of the user interface device.
  - 7. The method of claim 6, wherein the raw data comprises data collected from an application over a time period, wherein the method further comprises:
    - converting the data collected from the application over the time period into a plurality of CTD objects; and
      
      determining, by the processing device, a composite score corresponding to the plurality of CTD objects associated with the raw data collected from the application over the time period.
  - 8. The method of claim 1, wherein the raw data comprises data collected from a plurality of applications, wherein the method further comprises:
    - converting the data collected from the plurality of applications into a plurality of CTD objects; and
      
      determining, by the processing device, a composite score corresponding to the plurality of CTD objects associated with the raw data collected from the plurality of applications.

9. A non-transitory computer readable storage medium including instructions that, when executed by a computing system, cause the computing system to perform operations comprising:
- collecting, by a processing device, raw data corresponding to physical manipulations of a user interface device;
  
  converting, by the processing device, the raw data to characteristic test data (CTD), wherein the CTD represents behavior characteristics of a current user, wherein the CTD comprises a first plurality of data sets, each of the first plurality of data sets identifies an individual behavioral characteristic corresponding to one of the physical manipulations of the user interface device by the current user;
  
  identifying, by the processing device, a characteristic model corresponding to the behavior characteristics represented by the CTD, wherein the characteristic model comprises a second plurality of data sets, each of the second plurality of data sets identifies an expected behavioral characteristic corresponding to one of the physical manipulations of the user device by an authenticated user; and
  
  determining, by the processing device, a set of threat scores, wherein each of the set of threat scores is determined by comparing one of the first plurality of data sets against a corresponding one of the second plurality of data sets stored in the characteristic model; and
  
  determining, by the processing device, that the current user is not the authenticated user when more than one of the individual behavioral characteristics of the current user deviates from the expected behavioral characteristics of the authenticated user as reflected in the set of threat scores;
  
  performing, by the processing device, a corrective action when the current user is not the authenticated user; and
  
  collecting, by the processing device, additional raw data corresponding to additional physical manipulations of the user interface device when none or one of the individual behavioral characteristics of the current user deviates from the expected behavioral characteristics of the authenticated user as reflected in the set of threat scores.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The non-transitory computer readable storage medium of claim 9, wherein the operations further comprise training, by the processing device, the characteristic model from the collected raw data.
  - 11. The non-transitory computer readable storage medium of claim 9, wherein the raw data is continuously collected to maintain an authentication of the current user.
  - 12. The non-transitory computer readable storage medium of claim 9, wherein raw data comprises at least one of keyboard event data, mouse event data, touch event data, gyroscope event data, accelerometer event data, camera event data, or proximity sensor event data.
  - 13. The non-transitory computer readable storage medium of claim 9, wherein the raw data comprises data indicative of an access pathway followed by the current user.
  - 14. The non-transitory computer readable storage medium of claim 9, wherein the CTD comprises data relating to a current physical manipulation of the user interface device and a past physical manipulation of the user interface device.
  - 15. The non-transitory computer readable storage medium of claim 14, wherein the raw data comprises data collected from an application over a time period, wherein the computing system is further to:
    - convert the data collected from the application over the time period into a plurality of CTD objects; and
      
      determine a composite score corresponding to the plurality of CTD objects associated with the raw data collected from the application over the time period.
  - 16. The non-transitory computer readable storage medium of claim 9, wherein the raw data comprises data collected from a plurality of applications, wherein the computing system is further to:
    - convert the data collected from the plurality of applications into a plurality of CTD objects; and
      
      determine a composite score corresponding to the plurality of CTD objects associated with the raw data collected from the plurality of applications.

17. A computing system, comprising:
- a data storage device; and
  
  a processing device, operatively coupled to the data storage device, to;
  
  collect raw data corresponding to physical manipulations of a user interface device;
  
  convert the raw data to characteristic test data (CTD), wherein the CTD represents behavior characteristics of a current user, wherein the CTD comprises a first plurality of data sets, each of the first plurality of data sets identifies an individual behavioral characteristic corresponding to one of the physical manipulations of the user interface device by the current user;
  
  identify a characteristic model corresponding to the behavior characteristics represented by the CTD, wherein the characteristic model comprises a second plurality of data sets, each of the second plurality of data sets identifies an expected behavioral characteristic corresponding to one of the physical manipulations of the user device by an authenticated user; and
  
  determine a set of threat scores, wherein each of the set of threat scores is determined by comparing one of the first plurality of data sets against a corresponding one of the second plurality of data sets stored in the characteristic model; and
  
  determine that the current user is not the authenticated user when more than one of the individual behavioral characteristics of the current user deviates from the expected behavioral characteristics of the authenticated user as reflected in the set of threat scores;
  
  perform a corrective action when the current user is not the authenticated user; and
  
  collect additional raw data corresponding to additional physical manipulations of the user interface device when none or one of the individual behavioral characteristics of the current user deviates from the expected behavioral characteristics of the authenticated user as reflected in the set of threat scores.
- View Dependent Claims (18, 19, 20)
- - 18. The computing system of claim 17, wherein the raw data is continuously collected to maintain an authentication of the current user.
  - 19. The computing system of claim 17, wherein the CTD comprises data relating to a current physical manipulation of the user interface device and a past physical manipulation of the user interface device.
  - 20. The computing system of claim 17, wherein the raw data comprises data collected from a plurality of applications, wherein the processing device is further to:
    - convert the data collected from the plurality of applications into a plurality of CTD objects; and
      
      determine a composite score corresponding to the plurality of CTD objects associated with the raw data collected from the plurality of applications.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Akamai Technologies, Inc.
Original Assignee
Akamai Technologies, Inc.
Inventors
Kurupati, Sreenath
Primary Examiner(s)
HENNING, MATTHEW T

Application Number

US14/798,881
Time in Patent Office

707 Days
Field of Search

726 23
US Class Current
CPC Class Codes

G06F 21/316   by observing the pattern of...

G06F 2221/2139   Recurrent verification

H04L 63/08   for authentication of entit...

H04L 63/1425   Traffic logging, e.g. anoma...

Intrusion detection on computing devices

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Intrusion detection on computing devices

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links