Protection system including machine learning snapshot evaluation
First Claim
1. A system for snapshot evaluation and user behavior classification, comprising:
- a processor;
- memory circuitry to store at least one user profile;
- communication circuitry to:
  - receive user data associated with a user of a device;
  - receive device information from the device and one or more other devices; and
  - receive a snapshot of operation of the device, the snapshot to identify at least one active operation in the device and at least one planned operation in the device at the time the snapshot was generated; and
- a user behavior classification engine to:
  - determine whether the user is a new user;
  - determine whether the device is a new device;
  - responsive to a determination that the user is a new user:
    - generate a new user profile; and
    - associate the new user profile with the device;
  - responsive to a determination that the device is a new device:
    - determine expected device operations based, at least in part, on the received device information; and
    - generate a verification to indicate whether the device comprises a potential threat based, at least in part, on a comparison between the received snapshot and the expected device operations;
  - responsive to a determination that the device is not a new device and the user is not a new user:
    - determine whether a classification of user behavior has been developed;
    - responsive to a determination that a classification of user behavior has been developed:
      - identify the classification of user behavior based, at least in part, on the received snapshot and the received user data;
      - generate a model configuration based on the classification of user behavior; and
      - generate a threat analysis indicating whether the device comprises a potential threat based, at least in part, on a comparison between the model configuration and the received snapshot.
Abstract
This disclosure is directed to a protection system including machine learning snapshot evaluation. A device may comprise a machine learning engine (MLE) to generate snapshots of device operation. The MLE may use active or planned operations in the snapshot to learn user behavior. Once normal user behavior is established for the device, the MLE may be able to determine when snapshots include unusual behavior that may signify a threat to the device. Snapshots determined to include unusual behavior may be transmitted to a remote resource for evaluation. The remote resource may include at least a user behavior classification engine (UBCE) to classify the user behavior by characterizing it as at least one type of use. The snapshot may be analyzed by the UBCE to determine if potential threats exist in the device, and the threat analysis may be provided to the device for evaluation and/or corrective action.
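The decision flow described in the abstract and first claim, sketched as an added example that is not code from the patent. The use types, the `declared_use` field, the `MIN_HISTORY` threshold, the shape of `device_info` and the set-difference comparison are all assumptions made for illustration.

```python
# Added illustration; names, data shapes and the comparison method are assumptions.
USE_TYPES = {  # constructed "types of use" and the operations typical of each
    "office": {"mail_client", "browser", "doc_editor", "backup_job"},
    "gaming": {"game_launcher", "voice_chat", "browser", "gpu_driver_update"},
}
MIN_HISTORY = 2  # snapshots needed before a classification counts as "developed"


def report(kind, unexpected):
    return {"kind": kind, "potential_threat": bool(unexpected),
            "unexpected": sorted(unexpected)}


class UBCE:
    def __init__(self):
        self.profiles = {}  # user id -> list of operation sets seen so far
        self.devices = {}   # device id -> set of user ids associated with it

    def classify(self, ops, user_data):
        hint = user_data.get("declared_use")  # assumed user-data field

        def score(name):  # Jaccard overlap with the use type, nudged by the hint
            typical = USE_TYPES[name]
            return len(ops & typical) / len(ops | typical) + (0.25 if name == hint else 0)
        return max(USE_TYPES, key=score)

    def evaluate(self, user, device, device_info, snapshot, user_data):
        # A snapshot carries both active and planned operations.
        ops = set(snapshot["active"]) | set(snapshot["planned"])
        new_user, new_device = user not in self.profiles, device not in self.devices
        if new_user:  # generate a new user profile
            self.profiles[user] = []
        self.devices.setdefault(device, set()).add(user)  # associate profile and device
        if new_device:  # verify against operations expected from device information
            expected = set().union(*device_info.values())
            return report("verification", ops - expected)
        seen = self.profiles[user]
        if new_user or len(seen) < MIN_HISTORY:  # classification not yet developed
            seen.append(ops)
            return report("learning", set())
        use_type = self.classify(ops, user_data)
        model = USE_TYPES[use_type].union(*seen)  # model configuration for this user
        return report("threat_analysis", ops - model)
```

The learning branch here accepts every snapshot into the profile, so a deployment following this sketch would need to decide which snapshots are trusted enough to train on.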
18 Claims
7. A method for snapshot evaluation and user behavior classification, comprising:
- receiving, via communication circuitry, user data associated with a user of a device;
- receiving, via the communication circuitry, device information from the device and one or more other devices;
- receiving, via the communication circuitry, a snapshot of operation of the device, the snapshot to identify at least one active operation in the device and at least one planned operation in the device at the time the snapshot was generated;
- determining, via a user behavior classification engine, whether the user is a new user;
- determining, via the user behavior classification engine, whether the device is a new device;
- responsive to a determination that the user is a new user:
  - generating a new user profile; and
  - associating the new user profile with the device;
- responsive to a determination that the device is a new device:
  - determining expected device operations based, at least in part, on the received device information; and
  - generating a verification to indicate whether the device comprises a potential threat based, at least in part, on a comparison between the received snapshot and the expected device operations;
- responsive to a determination that the device is not a new device and the user is not a new user:
  - determining whether a classification of user behavior has been developed;
  - responsive to a determination that a classification of user behavior has been developed:
    - identifying, via a processor, a classification of user behavior based, at least in part, on the received snapshot and the received user data;
    - generating, via the processor, a model configuration based on the classification of user behavior;
    - comparing, via the processor, the model configuration and the received snapshot; and
    - generating, via the processor, a threat analysis indicating whether the device comprises a potential threat based, at least in part, on the comparison.
13. At least one non-transitory computer-readable storage medium having instructions stored thereon, which, when executed by at least one processor, cause the processor to perform operations for snapshot evaluation and user behavior classification, the operations comprising:
- cause communication circuitry to receive:
  - user data associated with a user of a device;
  - device information from the device and one or more other devices; and
  - a snapshot of operation of the device, the snapshot to identify at least one active operation in the device and at least one planned operation in the device at the time the snapshot was generated;
- determine whether the user is a new user;
- determine whether the device is a new device;
- responsive to a determination that the user is a new user:
  - generate a new user profile; and
  - associate the new user profile with the device;
- responsive to a determination that the device is a new device:
  - determine expected device operations based, at least in part, on the received device information; and
  - generate a verification to indicate whether the device comprises a potential threat based, at least in part, on a comparison between the received snapshot and the expected device operations;
- responsive to a determination that the device is not a new device and the user is not a new user:
  - determine whether a classification of user behavior has been developed;
  - responsive to a determination that a classification of user behavior has been developed:
    - identify a classification of user behavior based, at least in part, on the received snapshot and the received user data;
    - generate a model configuration based on the classification of user behavior; and
    - generate a threat analysis indicating whether the device comprises a potential threat based, at least in part, on a comparison between the model configuration and the received snapshot.
Specification