Protection system including machine learning snapshot evaluation

US 9,998,488 B2
Filed: 04/04/2017
Issued: 06/12/2018
Est. Priority Date: 12/19/2013
Status: Active Grant

First Claim

Patent Images

1. A system for snapshot evaluation and user behavior classification, comprising:

a processor;

memory circuitry to store at least one user profile;

communication circuitry to;

receive user data associated with a user of a device;

receive device information from the device and one or more other devices; and

receive a snapshot of operation of the device, the snapshot to identify at least one active operation in the device and at least one planned operation in the device at the time the snapshot was generated; and

a user behavior classification engine to;

determine whether the user is a new user;

determine whether the device is a new device;

responsive to a determination that the user is a new user;

generate a new user profile; and

associate the new user profile with the device;

responsive to a determination that the device is a new device;

determine expected device operations based, at least in part, on the received device information; and

generate a verification to indicate whether the device comprises a potential threat based, at least in part, on a comparison between the received snapshot and the expected device operations;

responsive to a determination that the device is not a new device and the user is not a new user;

determine whether a classification of user behavior has been developed;

responsive to a determination that a classification of user behavior has been developed;

identify the classification of user behavior based, at least in part, on the received snapshot and the received user data;

generate a model configuration based on the classification of user behavior; and

generate a threat analysis indicating whether the device comprises a potential threat based, at least in part, on a comparison between the model configuration and the received snapshot.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

This disclosure is directed to a protection system including machine learning snapshot evaluation. A device may comprise a machine learning engine (MLE) to generate snapshots of device operation. The MLE may use active or planned operations in the snapshot to learn user behavior. Once normal user behavior is established for the device, the MLE may be able to determine when snapshots include unusual behavior that may signify a threat to the device. Snapshots determined to include unusual behavior may be transmitted to a remote resource for evaluation. The remote resource may include at least a user behavior classification engine (UBCE) to classify the user behavior by characterizing it as at least one type of use. The snapshot may be analyzed by the UBCE to determine if potential threats exist in the device, and the threat analysis may be provided to the device for evaluation and/or corrective action.

12 Citations

18 Claims

1. A system for snapshot evaluation and user behavior classification, comprising:
- a processor;
  
  memory circuitry to store at least one user profile;
  
  communication circuitry to;
  
  receive user data associated with a user of a device;
  
  receive device information from the device and one or more other devices; and
  
  receive a snapshot of operation of the device, the snapshot to identify at least one active operation in the device and at least one planned operation in the device at the time the snapshot was generated; and
  
  a user behavior classification engine to;
  
  determine whether the user is a new user;
  
  determine whether the device is a new device;
  
  responsive to a determination that the user is a new user;
  
  generate a new user profile; and
  
  associate the new user profile with the device;
  
  responsive to a determination that the device is a new device;
  
  determine expected device operations based, at least in part, on the received device information; and
  
  generate a verification to indicate whether the device comprises a potential threat based, at least in part, on a comparison between the received snapshot and the expected device operations;
  
  responsive to a determination that the device is not a new device and the user is not a new user;
  
  determine whether a classification of user behavior has been developed;
  
  responsive to a determination that a classification of user behavior has been developed;
  
  identify the classification of user behavior based, at least in part, on the received snapshot and the received user data;
  
  generate a model configuration based on the classification of user behavior; and
  
  generate a threat analysis indicating whether the device comprises a potential threat based, at least in part, on a comparison between the model configuration and the received snapshot.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The system of claim 1, wherein, responsive to a determination that the device comprises a potential threat, the communication circuitry is further to transmit the threat analysis to the device.
  - 3. The system of claim 1, wherein, responsive to a determination that the device does not comprise a potential threat, the user behavior classification engine is further to update the classification of user behavior based, at least in part, on the received snapshot.
  - 4. The system of claim 1, wherein the communication circuitry is further to receive at least one device characteristic selected from the group consisting of:
    - a device type;
      
      a device make;
      
      a device model;
      
      a device build date; and
      
      a device operating system.
  - 5. The system of claim 1, wherein, responsive to a determination that the device is a new device:
    - the communication circuitry is further to transmit the verification to the device; and
      
      the user behavior classification engine is further to develop the classification of user behavior based, at least in part, on the received snapshot.
  - 6. The system of claim 1, wherein, responsive to a determination that a classification of user behavior has not been developed:
    - the communication circuitry is further to receive at least one additional snapshot of operations of the device; and
      
      the user behavior classification engine is further to develop the classification of user behavior based, at least in part, on the received snapshot and the received additional snapshot.

7. A method for snapshot evaluation and user behavior classification, comprising:
- receiving, via communication circuitry, user data associated with a user of a device;
  
  receiving, via the communication circuitry, device information from the device and one or more other devices;
  
  receiving, via the communication circuitry, a snapshot of operation of the device, the snapshot to identify at least one active operation in the device and at least one planned operation in the device at the time the snapshot was generated;
  
  determining, via a user behavior classification engine, whether the user is a new user;
  
  determining, via the user behavior classification engine, whether the device is a new device;
  
  responsive to a determination that the user is a new user;
  
  generating a new user profile; and
  
  associating the new user profile with the device;
  
  responsive to a determination that the device is a new device;
  
  determining expected device operations based, at least in part, on the received device information; and
  
  generating a verification to indicate whether the device comprises a potential threat based, at least in part, on a comparison between the received snapshot and the expected device operations;
  
  responsive to a determination that the device is not a new device and the user is not a new user;
  
  determining whether a classification of user behavior has been developed;
  
  responsive to a determination that a classification of user behavior has been developed;
  
  identifying, via a processor, a classification of user behavior based, at least in part, on the received snapshot and the received user data;
  
  generating, via the processor, a model configuration based on the classification of user behavior;
  
  comparing, via the processor, the model configuration and the received snapshot; and
  
  generating, via the processor, a threat analysis indicating whether the device comprises a potential threat based, at least in part, on the comparison.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The method of claim 7, further comprising transmitting, via the communication circuitry responsive to a determination that the device comprises a potential threat, the threat analysis to the device.
  - 9. The method of claim 7, further comprising updating, via the processor responsive to a determination that the device does not comprise a potential threat, the classification of user behavior based, at least in part, on the received snapshot.
  - 10. The method of claim 7, further comprising:
    - receiving, via the processor, at least one device characteristic selected from the group consisting of;
      
      a device type;
      
      a device make;
      
      a device model;
      
      a device build date; and
      
      a device operating system.
  - 11. The method of claim 7, further comprising, responsive to a determination that a classification of user behavior has not been developed:
    - receiving, via the communication circuitry, at least one additional snapshot of operation of the device; and
      
      developing, via the processor, the classification of user behavior based, at least in part, on the received snapshot and the received additional snapshot.
  - 12. The method of claim 7, further comprising, responsive to a determination that the device is a new device:
    - transmitting, via the communication circuitry, the verification to the device; and
      
      developing, via the user behavior classification engine, the classification of user behavior based, at least in part, on the received snapshot.

13. At least one non-transitory computer-readable storage medium having instructions stored thereon, which, when executed by at least one processor, cause the processor to perform operations for snapshot evaluation and user behavior classification, the operations comprising:
- cause communication circuitry to receive;
  
  user data associated with a user of a device;
  
  device information from the device and one or more other devices; and
  
  a snapshot of operation of the device, the snapshot to identify at least one active operation in the device and at least one planned operation in the device at the time the snapshot was generated;
  
  determine whether the user is a new user;
  
  determine whether the device is a new device;
  
  responsive to a determination that the user is a new user;
  
  generate a new user profile; and
  
  associate the new user profile with the device;
  
  responsive to a determination that the device is a new device;
  
  determine expected device operations based, at least in part, on the received device information; and
  
  generate a verification to indicate whether the device comprises a potential threat based, at least in part, on a comparison between the received snapshot and the expected device operations;
  
  responsive to a determination that the device is not a new device and the user is not a new user;
  
  determine whether a classification of user behavior has been developed;
  
  responsive to a determination that a classification of user behavior has been developed;
  
  identify a classification of user behavior based, at least in part, on the received snapshot and the received user data;
  
  generate a model configuration based on the classification of user behavior; and
  
  generate a threat analysis indicating whether the device comprises a potential threat based, at least in part, on a comparison between the model configuration and the received snapshot.
- View Dependent Claims (14, 15, 16, 17, 18)
- - 14. The at least one non-transitory computer-readable storage medium of claim 13, wherein the instructions, when executed by the at least one processor, cause the processor to perform operations comprising:
    - responsive to a determination that the device comprises a potential threat, cause the communication circuitry to transmit the threat analysis to the device.
  - 15. The at least one non-transitory computer-readable storage medium of claim 13, wherein the instructions, when executed by the at least one processor, cause the processor to perform operations comprising:
    - responsive to a determination that the device does not comprise a potential threat, update the classification of user behavior based, at least in part, on the received snapshot.
  - 16. The at least one non-transitory computer-readable storage medium of claim 13, wherein the instructions, when executed by the at least one processor, cause the processor to execute perform operations comprising:
    - cause the communication circuitry to receive at least one device characteristic selected from the group consisting of;
      
      a device type;
      
      a device make;
      
      a device model;
      
      a device build date; and
      
      a device operating system.
  - 17. The at least one non-transitory computer-readable storage medium of claim 13, wherein the instructions, when executed by the at least one processor, cause the processor to perform operations comprising:
    - responsive to a determination that a classification of user behavior has not been developed;
      
      cause the communication circuitry to receive at least one additional snapshot of operation of the device; and
      
      develop the classification of user behavior based, at least in part, on the received snapshot and the received additional snapshot.
  - 18. The at least one non-transitory computer-readable storage medium of claim 13, wherein the instructions, when executed by the at least one processor, cause the processor to perform operations comprising:
    - responsive to a determination that the device is a new device;
      
      cause the communication circuitry to transmit the verification to the device; and
      
      develop the classification of user behavior based, at least in part, on the received snapshot.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intel Corporation
Original Assignee
Intel Corporation
Inventors
Kohlenberg, Tobias, Tatourian, Igor
Primary Examiner(s)
Waliullah, Mohammed

Application Number

US15/479,160
Publication Number

US 20170230394A1
Time in Patent Office

434 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/316   by observing the pattern of...

G06F 21/552   involving long-term monitor...

G06F 21/566   Dynamic detection, i.e. det...

G06N 20/00   Machine learning

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1433   Vulnerability analysis

H04W 12/68   Gesture-dependent or behavi...

Protection system including machine learning snapshot evaluation

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

12 Citations

18 Claims

Specification

Use Cases

Quick Links

Others

Protection system including machine learning snapshot evaluation

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

12 Citations

18 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others