Crowd based detection of device compromise in enterprise setting

US 9,888,021 B2
Filed: 09/29/2015
Issued: 02/06/2018
Est. Priority Date: 09/29/2015
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for detecting anomalous behavior of mobile computing devices, the method comprising:

establishing, by a plurality of mobile computing devices, a mobile ad hoc network (MANET) among the plurality of mobile computing devices, wherein each of the plurality of mobile computing devices communicates with all others of the plurality of computing devices over the MANET, and each of the plurality of mobile computing devices also communicates with a server over a network;

receiving, by one or more of the plurality of mobile computing devices from each of the plurality of mobile computing devices, device status information and environmental status information over the MANET;

detecting, by one of the one or more of the plurality of mobile computing devices, anomalous behavior of a mobile computing device of the plurality of mobile computing devices, based on the received information;

in response to detecting the anomalous behavior;

communicating, by the one of the one or more of the plurality of mobile computing devices to each of the plurality of mobile computing devices not having the anomalous device behavior, an alert relating to the detected anomalous device behavior;

receiving, by the server from each of the plurality of mobile computing devices over the network, the device status information and environmental status information;

generating, by the computing system, a predictive behavioral model of each of the plurality of mobile computing devices, based on the received device status information and environmental status information;

comparing, by the server, device status information and environmental status information being received from each of the plurality of mobile computing devices to the generated predictive behavioral model of each of the plurality of mobile computing devices to determine if anomalous behavior has occurred; and

in response to determining, by the server, that anomalous behavior has occurred;

communicating, by the server to each of the plurality of mobile computing devices not having the anomalous device behavior, an alert relating to the detected anomalous device behavior.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computer-implemented method, computer program product, and system for detecting anomalous behavior of computing devices are provided. The computer-implemented method for detecting anomalous behavior of computing devices may include establishing a network of computing devices; receiving shared data from the networked devices; determining device behavior; predicting future device behavior, detecting anomalous device behavior, and sending an alert in response to a detection of anomalous device behavior.

Citations

17 Claims

1. A computer-implemented method for detecting anomalous behavior of mobile computing devices, the method comprising:
- establishing, by a plurality of mobile computing devices, a mobile ad hoc network (MANET) among the plurality of mobile computing devices, wherein each of the plurality of mobile computing devices communicates with all others of the plurality of computing devices over the MANET, and each of the plurality of mobile computing devices also communicates with a server over a network;
  
  receiving, by one or more of the plurality of mobile computing devices from each of the plurality of mobile computing devices, device status information and environmental status information over the MANET;
  
  detecting, by one of the one or more of the plurality of mobile computing devices, anomalous behavior of a mobile computing device of the plurality of mobile computing devices, based on the received information;
  
  in response to detecting the anomalous behavior;
  
  communicating, by the one of the one or more of the plurality of mobile computing devices to each of the plurality of mobile computing devices not having the anomalous device behavior, an alert relating to the detected anomalous device behavior;
  
  receiving, by the server from each of the plurality of mobile computing devices over the network, the device status information and environmental status information;
  
  generating, by the computing system, a predictive behavioral model of each of the plurality of mobile computing devices, based on the received device status information and environmental status information;
  
  comparing, by the server, device status information and environmental status information being received from each of the plurality of mobile computing devices to the generated predictive behavioral model of each of the plurality of mobile computing devices to determine if anomalous behavior has occurred; and
  
  in response to determining, by the server, that anomalous behavior has occurred;
  
  communicating, by the server to each of the plurality of mobile computing devices not having the anomalous device behavior, an alert relating to the detected anomalous device behavior.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The computer-implemented method of claim 1, wherein the established MANET includes a circle of trust that is formed between trusted networked mobile computing devices located within proximity of one another in a given area.
  - 3. The computer-implemented method of claim 1, wherein the device status information includes one or more device attributes selected from the group consisting of:
    - power state, power consumption, CPU usage, password attempts, and updates to other devices or a central server.
  - 4. The computer-implemented method of claim 1, wherein the detected anomalous behavior is detected by using each of the device status information, the environmental status information, a device profile derived from the detected behavior, mobile movement patterns, and repetitive actions based on time and location.
  - 5. The computer-implemented method of claim 1, wherein the mobile computing device having anomalous device behavior is denied access to the MANET by the one or more of the plurality of mobile computing devices.
  - 6. The computer-implemented method of claim 1, wherein the environmental status information includes one or more device attributes selected from the group consisting of:
    - connectivity patterns, signal strength, data throughput, location, common WiFi networks, common Bluetooth devices, and proximity sensor information.

7. A computer program product for detecting anomalous behavior of mobile computing devices, the computer program product comprising:
- one or more non-transitory computer-readable storage media and program instructions stored on one or more of the non-transitory computer-readable storage media, the program instructions comprising;
  
  program instructions to establish, by a plurality of mobile computing devices, a mobile ad hoc network (MANET) among the plurality of mobile computing devices, wherein each of the plurality of mobile computing devices communicates with all others of the plurality of computing devices over the MANET, and each of the plurality of mobile computing devices also communicates with a server over a network;
  
  program instructions to receive, by one or more of the plurality of mobile computing devices from each of the plurality of mobile computing devices, device status information and environmental status information over the MANET;
  
  program instructions to detect, by one of the one or more of the plurality of mobile computing devices, anomalous behavior of a mobile computing device of the plurality of mobile computing devices, based on the received information; and
  
  in response to detecting the anomalous behavior;
  
  program instructions to communicate, by the one of the one or more of the plurality of mobile computing devices to each of the plurality of mobile computing devices not having the anomalous device behavior, an alert relating to the detected anomalous device behavior;
  
  program instructions to receive, by the server from each of the plurality of mobile computing devices over the network, the device status information and environmental status information;
  
  program instructions to generate, by the computing system, a predictive behavioral model of each of the plurality of mobile computing devices, based on the received device status information and environmental status information;
  
  program instructions to compare, by the server, device status information and environmental status information being received from each of the plurality of mobile computing devices to the generated predictive behavioral model of each of the plurality of mobile computing devices to determine if anomalous behavior has occurred; and
  
  in response to determining, by the server, that anomalous behavior has occurred;
  
  program instructions to communicate, by the server to each of the plurality of mobile computing devices not having the anomalous device behavior, an alert relating to the detected anomalous device behavior.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The computer program product of claim 7, wherein the established MANET includes a circle of trust that is formed between trusted networked mobile computing devices located within proximity of one another in a given area.
  - 9. The computer program product of claim 7, wherein the device status information includes one or more device attributes selected from the group consisting of:
    - power state, power consumption, CPU usage, password attempts, and updates to other devices or a central server.
  - 10. The computer program product of claim 7, wherein the detected anomalous behavior is detected by using each of the device status information, the environmental status information, a device profile derived from the detected behavior, mobile movement patterns, and repetitive actions based on time and location.
  - 11. The computer program product of claim 7, wherein the mobile computing device having anomalous device behavior is denied access to the MANET by the one or more of the plurality of mobile computing devices.
  - 12. The computer program product of claim 7, wherein the environmental status information includes one or more device attributes selected from the group consisting of:
    - connectivity patterns, signal strength, data throughput, location, common WiFi networks, common Bluetooth devices, and proximity sensor information.

13. A computer system for detecting anomalous behavior of mobile computing devices, the computer system comprising:
- one or more computer processors, one or more non-transitory computer-readable storage media, and program instructions stored on one or more of the non-transitory computer-readable storage media for execution by at least one of the one or more processors, the program instructions, when executed by the at least one of the one or more processors, causing the computer system to perform a method comprising;
  
  establishing, by a plurality of mobile computing devices, a mobile ad hoc network (MANET) among the plurality of mobile computing devices, wherein each of the plurality of mobile computing devices communicates with all others of the plurality of computing devices over the MANET, and each of the plurality of mobile computing devices also communicates with a server over a network;
  
  receiving, by one or more of the plurality of mobile computing devices from each of the plurality of mobile computing devices, device status information and environmental status information over the MANET;
  
  detecting, by one of the one or more of the plurality of mobile computing devices, anomalous behavior of a mobile computing device of the plurality of mobile computing devices, based on the received information; and
  
  in response to detecting the anomalous behavior;
  
  communicating, by the one of the one or more of the plurality of mobile computing devices to each of the plurality of mobile computing devices not having the anomalous device behavior, an alert relating to the detected anomalous device behavior;
  
  receiving, by the server from each of the plurality of mobile computing devices over the network, the device status information and environmental status information;
  
  generating, by the computing system, a predictive behavioral model of each of the plurality of mobile computing devices, based on the received device status information and environmental status information;
  
  comparing, by the server, device status information and environmental status information being received from each of the plurality of mobile computing devices to the generated predictive behavioral model of each of the plurality of mobile computing devices to determine if anomalous behavior has occurred; and
  
  in response to determining, by the server, that anomalous behavior has occurred;
  
  communicating, by the server to each of the plurality of mobile computing devices not having the anomalous device behavior, an alert relating to the detected anomalous device behavior.
- View Dependent Claims (14, 15, 16, 17)
- - 14. The computer system of claim 13, wherein the established MANET includes a circle of trust that is formed between trusted networked mobile computing devices located within proximity of one another in a given area.
  - 15. The computer system of claim 13, wherein the device status information includes one or more device attributes selected from the group consisting of:
    - power state, power consumption, CPU usage, password attempts, and updates to other devices or a central server.
  - 16. The computer system of claim 13, wherein the detected anomalous behavior is detected by using each of the device status information, the environmental status information, a device profile derived from the detected behavior, mobile movement patterns, and repetitive actions based on time and location.
  - 17. The computer system of claim 13, wherein the environmental status information includes one or more device attributes selected from the group consisting of:
    - connectivity patterns, signal strength, data throughput, location, common WiFi networks, common Bluetooth devices, and proximity sensor information.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Horesh, Lior, Horesh, Raya, Pistoia, Marco, Tripp, Omer
Primary Examiner(s)
Armouche, Hadi
Assistant Examiner(s)
Khan, Sher A

Application Number

US14/868,510
Publication Number

US 20170093899A1
Time in Patent Office

861 Days
Field of Search
US Class Current
CPC Class Codes

G06N 20/00   Machine learning

G06N 5/04   Inference or reasoning models

H04L 63/1425   Traffic logging, e.g. anoma...

Crowd based detection of device compromise in enterprise setting

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Crowd based detection of device compromise in enterprise setting

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links