Distributed monitoring, evaluation, and response for multiple devices

US 9,753,796 B2
Filed: 12/06/2013
Issued: 09/05/2017
Est. Priority Date: 12/06/2013
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

at a server, collecting observation data based on a first data collection policy from a plurality of devices, the collected observation data including information associated with device configuration, device state, and device behavior with regard to (1) an execution of an application on at least one of the plurality of devices and at least one of (2) a hardware or a firmware component on the at least one of the plurality of devices and (3) access to a network resource by the at least one of the plurality of devices;

at the server, determining a normal pattern of activity occurring on the plurality of devices by processing the collected observation data, the normal pattern of activity being associated with at least one of the device configuration, the device state, and the device behavior of the plurality of devices;

at the server, deriving a second data collection policy from the determined normal pattern of activity occurring on the plurality of devices, the second data collection policy being different than the first data collection policy;

at the server, collecting first device data based on the derived second data collection policy from a first device of the plurality of devices;

at the server comparing the normal pattern of activity occurring on the plurality of devices with a first pattern of activity occurring on the first device, the first pattern of activity being identified by the first device data;

at the server determining that a deviation between the normal pattern of activity and the first pattern of activity associated with the first device is outside of a threshold deviation; and

upon the determination, generating alert information by the server, wherein the alert information when processed causes performance of a first action on the first device.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Data is collected from a set of devices. The data is associated with the devices, mobile application programs (apps), web applications, users, or combinations of these. A norm is established using the collected data. The norm is compared with data collected from a particular device. If there is a deviation outside of a threshold deviation between the norm and the data collected from the particular device, a response is initiated.

443 Citations

17 Claims

1. A method comprising:
- at a server, collecting observation data based on a first data collection policy from a plurality of devices, the collected observation data including information associated with device configuration, device state, and device behavior with regard to (1) an execution of an application on at least one of the plurality of devices and at least one of (2) a hardware or a firmware component on the at least one of the plurality of devices and (3) access to a network resource by the at least one of the plurality of devices;
  
  at the server, determining a normal pattern of activity occurring on the plurality of devices by processing the collected observation data, the normal pattern of activity being associated with at least one of the device configuration, the device state, and the device behavior of the plurality of devices;
  
  at the server, deriving a second data collection policy from the determined normal pattern of activity occurring on the plurality of devices, the second data collection policy being different than the first data collection policy;
  
  at the server, collecting first device data based on the derived second data collection policy from a first device of the plurality of devices;
  
  at the server comparing the normal pattern of activity occurring on the plurality of devices with a first pattern of activity occurring on the first device, the first pattern of activity being identified by the first device data;
  
  at the server determining that a deviation between the normal pattern of activity and the first pattern of activity associated with the first device is outside of a threshold deviation; and
  
  upon the determination, generating alert information by the server, wherein the alert information when processed causes performance of a first action on the first device.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method of claim 1 wherein the action on the first device comprises:
    - blocking the first device from accessing a service.
  - 3. The method of claim 1 wherein the action on the first device comprises:
    - transmitting to the first device instructions to uninstall an application program on the first device.
  - 4. The method of claim 1 wherein the step of generating an alert further comprises:
    - transmitting a message to an administrator.
  - 5. The method of claim 1 wherein the observation data collected comprisesa first set of observation data associated with an organization and collected from a first subset of the plurality of devices associated with the organization, anda second set of observation data collected from a second subset of the plurality of device not associated with the organization.

6. A method comprising:
- at a server, monitoring a plurality of devices for observation data based on a first data monitoring policy, the monitored observation data including information associated with device configuration, device state, and device behavior with regard to (1) an execution of an application on at least one of the plurality of devices and at least one of (2) a hardware or a firmware component on the at least one of the plurality of devices and (3) access to a network resource by the at least one of the plurality of devices;
  
  at the server, establishing a normal pattern of activity occurring on the plurality of devices based on the monitored observation data, the normal pattern of activity being associated with at least one of the device configuration, the device state, and the device behavior of the plurality of devices;
  
  at the server, deriving a second data monitoring policy from the determined normal pattern of activity occurring on the plurality of devices, the second data monitoring policy being different than the first data monitoring policy;
  
  at the server, monitoring a first device of the plurality of devices for first device data based on the derived second data monitoring policy;
  
  at the server, comparing the normal pattern of activity occurring on the plurality of devices with a first pattern of activity occurring on the first device, the first pattern of activity being identified by the monitored first device data;
  
  at the server, determining that the first pattern of activity associated with the first device of the plurality of devices is outside of a threshold deviation from the normal pattern of activity; and
  
  upon the determination, modifying the second data monitoring policy for monitoring of the first device by the server.
- View Dependent Claims (7, 8, 9, 10, 11, 12)
- - 7. The method of claim 6 wherein the step of modifying the second data monitoring policy comprises:
    - increasing the monitoring of the first device.
  - 8. The method of claim 6 wherein the step of modifying the second data monitoring policy comprises:
    - decreasing the monitoring of the first device.
  - 9. The method of claim 6 wherein the normal pattern of activity indicates that a first event occurs during a first context, and the step of determining that activity on the first device is outside the normal pattern of activity comprises:
    - determining that the first event occurred on the first device during a second context, different from the first context.
  - 10. The method of claim 6 wherein the step of determining that the first pattern of activity on the first device is outside the normal pattern of activity comprises:
    - receiving from the first device an indication that a shared library has been loaded on the first device from a memory card.
  - 11. The method of claim 6 comprising:
    - generating a model of characteristics for a specific application program on the plurality of device; and
      
      wherein the step of determining that the first pattern of activity on the first device is outside the normal pattern of activity comprises;
      
      determining that the application program, on the first device and identified as being the same as the specific application program, has a characteristic that is not included in the model of characteristics.
  - 12. The method of claim 6 wherein the step of monitoring the plurality of devices comprises:
    - monitoring a first subset of the plurality of devices for first events associated with the application program on the plurality of devices; and
      
      monitoring a second subset of the plurality of devices for second events associated with the application program,wherein the second subset of devices is not monitored for the first events, and the first subset of devices is not monitored for the second events.

13. A method comprising:
- at a server, distributing first policies to a plurality of devices, the plurality of devices includes a first device;
  
  at a server, receiving, from the plurality of devices, observation data responsive to the first policies for observation data, the received observation data including information associated with device configuration, device state, and device behavior with regard to (1) an execution of an application on at least one of the plurality of devices and at least one of (2) a hardware or a firmware component on the at least one of the plurality of devices and (3) access to a network resource by the at least one of the plurality of devices;
  
  at the server, determining a normal pattern of activity occurring on the plurality of devices using the received observation data, the normal pattern of activity being associated with at least one of the device configuration, the device state, and the device behavior of the plurality of devices;
  
  at the server, receiving first device data from a first device of the plurality of devices, the first device data being based on a second policy that has been derived from the normal pattern of activity occurring on the plurality of devices;
  
  at the server, determining a first pattern of activity occurring on the first device using the received first device data;
  
  at the server, comparing the normal pattern of activity with the first pattern of activity occurring on the first device;
  
  at the server, determining that the first pattern of activity deviates from the normal pattern of activity outside of a threshold value; and
  
  upon the determination, transmitting by the server, a second policy to the first device to replace the first policy distributed to the first device.
- View Dependent Claims (14, 15, 16, 17)
- - 14. The method of claim 13 wherein the first policy specifies collection of a first level of detail, and the second policy specifies collection of a second level of detail greater than the first level of detail.
  - 15. The method of claim 13 wherein the first policy specifies sampling data associated with the first device at a first frequency, and the second policy specifies sampling the data at a second frequency, greater than the first frequency.
  - 16. The method of claim 13 wherein the received observation data does not comprise personally identifiable information (PII).
  - 17. The method of claim 13 wherein a violation of the normal pattern of activity is detected when the normal pattern of activity specifies a first sequence of events, and the first pattern of activity specifies a second sequence of the events, different from the first sequence.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Lookout Incorporated
Original Assignee
Lookout Incorporated
Inventors
Mahaffey, Kevin Patrick, Wyatt, Timothy Micheal, Buck, Brian James, Hering, John Gunther, Gupta, Amit, Abey, Alex Cameron
Primary Examiner(s)
Hasan, Syed

Application Number

US14/099,737
Publication Number

US 20150163121A1
Time in Patent Office

1,369 Days
Field of Search
US Class Current
CPC Class Codes

G06F 11/0709   in a distributed system con...

G06F 11/0754   by exceeding limits

G06F 11/0766   Error or fault reporting or...

G06F 11/3006   where the computing system ...

G06F 11/3072   where the reporting involve...

G06F 11/3089   Monitoring arrangements det...

G06F 11/3409   for performance assessment

G06F 11/3447   Performance evaluation by m...

G06F 11/3452   Performance evaluation by s...

G06F 11/3466   Performance evaluation by t...

H04L 41/142   using statistical or mathem...

H04L 41/16   using machine learning or a...

H04L 63/1425   Traffic logging, e.g. anoma...

H04W 12/12   Detection or prevention of ...

H04W 12/128   Anti-malware arrangements, ...

Distributed monitoring, evaluation, and response for multiple devices

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

443 Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Distributed monitoring, evaluation, and response for multiple devices

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

443 Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links