Intrusion detection on computing devices
First Claim
1. A method comprising:
collecting, by a processing device, raw data corresponding to physical manipulations of a user interface device;
converting, by the processing device, the raw data to characteristic test data (CTD), wherein the CTD represents behavior characteristics of a current user, wherein the CTD comprises a first plurality of data sets, each of the first plurality of data sets identifies an individual behavioral characteristic corresponding to one of the physical manipulations of the user interface device by the current user;
identifying, by the processing device, a characteristic model corresponding to the behavior characteristics represented by the CTD, wherein the characteristic model comprises a second plurality of data sets, each of the second plurality of data sets identifies an expected behavioral characteristic corresponding to one of the physical manipulations of the user device by an authenticated user;
determining, by the processing device, a set of threat scores, wherein each of the set of threat scores is determined by comparing one of the first plurality of data sets against a corresponding one of the second plurality of data sets stored in the characteristic model; and
determining, by the processing device, that the current user is not the authenticated user when more than one of the individual behavioral characteristics of the current user deviates from the expected behavioral characteristics of the authenticated user as reflected in the set of threat scores;
performing, by the processing device, a corrective action when the current user is not the authenticated user; and
collecting, by the processing device, additional raw data corresponding to additional physical manipulations of the user interface device when none or one of the individual behavioral characteristics of the current user deviates from the expected behavioral characteristics of the authenticated user as reflected in the set of threat scores.
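The decision rule of claim 1, sketched as an added illustration that is not taken from the patent: each characteristic gets its own threat score, and the user is rejected only when more than one characteristic deviates. The characteristic names, the (mean, standard deviation) model layout, the z-score comparison, and the 3.0 threshold are all assumptions; the claim does not specify them.

```python
from statistics import mean

# Hypothetical characteristic model of the authenticated user: one data set
# (expected mean, standard deviation) per behavioral characteristic.
MODEL = {
    "key_dwell_ms": (95.0, 12.0),
    "key_flight_ms": (140.0, 25.0),
    "pointer_speed_px_s": (620.0, 90.0),
}
DEVIATION_THRESHOLD = 3.0  # assumed cut-off; the claim does not fix a value

# Constructed raw data: (characteristic, measured value) per manipulation.
OWNER = [("key_dwell_ms", 98), ("key_dwell_ms", 90),
         ("key_flight_ms", 150), ("pointer_speed_px_s", 600)]
ONE_ANOMALY = [("key_dwell_ms", 160), ("key_dwell_ms", 150),
               ("key_flight_ms", 145), ("pointer_speed_px_s", 640)]
INTRUDER = [("key_dwell_ms", 160), ("key_dwell_ms", 150),
            ("key_flight_ms", 260), ("key_flight_ms", 240),
            ("pointer_speed_px_s", 630)]


def to_ctd(raw_events):
    """Convert raw events to CTD: one data set per behavioral characteristic."""
    ctd = {}
    for name, value in raw_events:
        ctd.setdefault(name, []).append(float(value))
    return ctd


def threat_scores(ctd, model):
    """Compare each CTD data set with its counterpart in the model."""
    scores = {}
    for name, samples in ctd.items():
        if name not in model:
            continue  # no expected data set to compare against
        expected, spread = model[name]
        scores[name] = abs(mean(samples) - expected) / spread
    return scores


def evaluate(raw_events, model=MODEL, threshold=DEVIATION_THRESHOLD):
    """Return (next step, deviating characteristics, all threat scores)."""
    scores = threat_scores(to_ctd(raw_events), model)
    deviating = sorted(n for n, s in scores.items() if s > threshold)
    # More than one deviation: not the authenticated user. None or one: keep collecting.
    step = "corrective_action" if len(deviating) > 1 else "collect_more"
    return step, deviating, scores
```

The `ONE_ANOMALY` session shows the tolerance built into the claim: a single outlying characteristic returns `collect_more` rather than triggering the corrective action.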
Abstract
A non-transitory computer readable storage medium including instructions that, when executed by a computing system, cause the computing system to perform operations. The operations include collecting, by a processing device, raw data regarding a user action. The operations also include converting, by the processing device, the raw data to characteristic test data (CTD), wherein the CTD represents behavior characteristics of a current user. The operations also include identifying, by the processing device, a characteristic model corresponding to the behavior characteristics represented by the CTD. The operations also include generating, by the processing device, a predictor from a comparison of the CTD against the corresponding characteristic model, wherein the predictor comprises a score indicating a probability that the user action came from an authenticated user.
20 Claims
9. A non-transitory computer readable storage medium including instructions that, when executed by a computing system, cause the computing system to perform operations comprising:
collecting, by a processing device, raw data corresponding to physical manipulations of a user interface device;
converting, by the processing device, the raw data to characteristic test data (CTD), wherein the CTD represents behavior characteristics of a current user, wherein the CTD comprises a first plurality of data sets, each of the first plurality of data sets identifies an individual behavioral characteristic corresponding to one of the physical manipulations of the user interface device by the current user;
identifying, by the processing device, a characteristic model corresponding to the behavior characteristics represented by the CTD, wherein the characteristic model comprises a second plurality of data sets, each of the second plurality of data sets identifies an expected behavioral characteristic corresponding to one of the physical manipulations of the user device by an authenticated user; and
determining, by the processing device, a set of threat scores, wherein each of the set of threat scores is determined by comparing one of the first plurality of data sets against a corresponding one of the second plurality of data sets stored in the characteristic model; and
determining, by the processing device, that the current user is not the authenticated user when more than one of the individual behavioral characteristics of the current user deviates from the expected behavioral characteristics of the authenticated user as reflected in the set of threat scores;
performing, by the processing device, a corrective action when the current user is not the authenticated user; and
collecting, by the processing device, additional raw data corresponding to additional physical manipulations of the user interface device when none or one of the individual behavioral characteristics of the current user deviates from the expected behavioral characteristics of the authenticated user as reflected in the set of threat scores.
17. A computing system, comprising:
a data storage device; and
a processing device, operatively coupled to the data storage device, to:
collect raw data corresponding to physical manipulations of a user interface device;
convert the raw data to characteristic test data (CTD), wherein the CTD represents behavior characteristics of a current user, wherein the CTD comprises a first plurality of data sets, each of the first plurality of data sets identifies an individual behavioral characteristic corresponding to one of the physical manipulations of the user interface device by the current user;
identify a characteristic model corresponding to the behavior characteristics represented by the CTD, wherein the characteristic model comprises a second plurality of data sets, each of the second plurality of data sets identifies an expected behavioral characteristic corresponding to one of the physical manipulations of the user device by an authenticated user; and
determine a set of threat scores, wherein each of the set of threat scores is determined by comparing one of the first plurality of data sets against a corresponding one of the second plurality of data sets stored in the characteristic model; and
determine that the current user is not the authenticated user when more than one of the individual behavioral characteristics of the current user deviates from the expected behavioral characteristics of the authenticated user as reflected in the set of threat scores;
perform a corrective action when the current user is not the authenticated user; and
collect additional raw data corresponding to additional physical manipulations of the user interface device when none or one of the individual behavioral characteristics of the current user deviates from the expected behavioral characteristics of the authenticated user as reflected in the set of threat scores.
Specification