Detecting irregularities on a device
US-10558799-B2 · Feb 11, 2020 · US
US11068588B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-11068588-B2 |
| Application number | US-202016779164-A |
| Country | US |
| Kind code | B2 |
| Filing date | Jan 31, 2020 |
| Priority date | Sep 13, 2013 |
| Publication date | Jul 20, 2021 |
| Grant date | Jul 20, 2021 |
Official abstract text for this publication.
A system and method for the detection of irregularities, such as fraud or malware, running on a device, is disclosed. An example method includes receiving new ones of data items indicative of the device's current operation; determining whether the new ones of data items deviate from the device's typical operation by comparing the new ones of data items to a profile relating to the typical operation of the device, wherein the deviating includes either using an infrequently used one of incoming ports and outgoing ports or continually accessing a new website. The example method can further include based on the determining: updating the device baseline profile to create an updated device baseline profile with the new ones of data items if the new ones of data items do not deviate from the typical operation of the device; and generating an alert if the new ones of data items do deviate from the typical operation of the device.
Opening claim text (preview).
What is claimed is:

1. A method for detection of irregularities of a device in a network, the method comprising: receiving new ones of data items indicative of a current operation of a device; determining whether the new ones of data items deviate from typical operation of the device by comparing the new ones of data items to a profile relating to the typical operation of the device, the profile comprising: (i) incoming ports associated with processes, (ii) outgoing ports associated with processes; and (iii) Internet Protocol (IP) addresses associated with processes, wherein the deviating from the typical operation of the device includes either using an infrequently used one of the incoming ports and the outgoing ports or continually accessing a new website; based on the determining, updating the device baseline profile to create an updated device baseline profile with the new ones of data items if the new ones of data items do not deviate from the typical operation of the device; and based on the determining, generating an alert if the new ones of data items do deviate from the typical operation of the device.
2. The method of claim 1, further comprising: detecting a plurality of the data items relating to the typical operation of the device; and creating the device baseline profile including the plurality of the data items relating to the typical operation of the device, the plurality of the data items comprising: (i) the incoming ports associated with processes, (ii) the outgoing ports associated with the processes, and (iii) the IP addresses associated with the processes.
3. The method of claim 1, wherein the deviating from the typical operation of the device further includes transferring unusual amounts of data.
4. The method of claim 1, wherein the deviating from the typical operation of the device further includes connecting to an unexpected one of the IP addresses.
5. The method of claim 1, wherein the deviating from the typical operation of the device further includes using an infrequently used one of the incoming ports and the outgoing ports.
6. The method of claim 1, wherein the irregularities comprise malware.
7. The method of claim 1, wherein the irregularities comprise fraud.
8. The method of claim 1, further comprising analyzing headers in the data items and headers in email messages sent through the network.
9. The method of claim 1, wherein data sources for the data items are based on network flow traffic statistics through the network.
10. The method of claim 1, wherein data sources for the data items include proxy logs and NetFlow records which record a destination of data sent through the outgoing ports and record a source of data received through the incoming ports.
11. A system for detection of irregularities of a device, the system comprising: a hardware processor; and a memory communicatively coupled with the hardware processor, the memory storing instructions which when executed by the hardware processor performs a method, the method comprising: receiving new ones of data items indicative of a current operation of a device; determining whether the new ones of data items deviate from typical operation of the device by comparing the new ones of data items to a profile relating to the typical operation of the device, the profile comprising: (i) incoming ports associated with processes, (ii) outgoing ports associated with processes; and (iii) Internet Protocol (IP) addresses associated with processes, wherein the deviating from the typical operation of the device includes either using an infrequently used one of the incoming ports and the outgoing ports or continually accessing a new website; based on the determining, updating the device baseline profile to create an updated device baseline profile with the new ones of data items if the new ones of data items do not deviate from the typical operation of the device; and based on the determining, generating an alert if the new ones of data items do deviate from the typical operation of the device.
12. The system of claim 11, wherein the deviating from the typical operation of the device further includes transferring unusual amounts of data.
13. The system of claim 11, wherein the deviating from the typical operation of the device further includes connecting to an unexpected one of the IP addresses.
14. The system of claim 11, wherein the deviating from the typical operation of the device further includes using an infrequently used one of the incoming ports and the outgoing ports.
15. The system of claim 11, wherein the method further comprises: detecting a plurality of the data items relating to the typical operation of the device; and creating the device baseline profile including the plurality of the data items relating to the typical operation of the device, the plurality of the data items comprising: (i) the incoming ports associated with processes, (ii) the outgoing ports associated with the processes, and (iii) the IP addresses associated with the processes.
16. A method for detection of irregularities of a device, the method comprising: receiving new ones of data items indicative of a current operation of a device on a network; determining whether the new ones of data items deviate from typical operation of the device by comparing the new ones of data items to a profile relating to the typical operation of the device, the profile comprising: (i) incoming ports associated with processes, (ii) outgoing ports associated with processes; and (iii) Internet Protocol (IP) addresses associated with processes, wherein the deviating from the typical operation of the device includes using an infrequently used one of the incoming ports and the outgoing ports, continually accessing a new website and transferring unusual amounts of data, or connecting to an unexpected IP address and transferring unusual amounts of data; based on the determining, updating the device baseline profile to create an updated device baseline profile with the new ones of data items if the new ones of data items do not deviate from the typical operation of the device; and based on the determining, generating an alert if the new ones of data items do deviate from the typical operation of the device.
17. The method of claim 16, wherein data sources for the data items include proxy logs and/or NetFlow records which record a destination of data sent through the outgoing ports and record a source of data received through the incoming ports.
18. The method of claim 16, wherein the irregularities comprise malware or fraud.
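A Python sketch of the decision loop the claims describe, added here as an illustration and not code from the patent or its assignee: a per-process baseline of incoming ports, outgoing ports and IP addresses (claim 1 (i)-(iii), built as in claim 2), a deviation check for an infrequently used port and a run of never-seen websites (claim 1) plus an unexpected IP address (claim 4), and the update-or-alert step. The class and function names, the two thresholds and the sample traffic are constructed assumptions; the patent fixes no numeric thresholds.

```python
from collections import Counter, defaultdict, namedtuple

DataItem = namedtuple("DataItem", "process direction port ip host", defaults=[""])  # a NetFlow record or proxy log line (claim 10)

RARE_PORT_SHARE = 0.05  # assumption: a port carrying under 5% of a process's flows is "infrequently used"
NEW_SITE_STREAK = 3     # assumption: this many consecutive never-seen hosts is "continually accessing a new website"

class BaselineProfile:
    """Typical operation per process: incoming ports, outgoing ports, IP addresses (claim 1 (i)-(iii))."""
    def __init__(self):
        self.ports = defaultdict(Counter)  # (process, direction) -> Counter of ports used
        self.ips = defaultdict(set)        # process -> IP addresses contacted
        self.hosts = set()                 # websites seen in proxy logs
        self.new_host_streak = 0
    def learn(self, item):
        """Fold a data item reflecting typical operation into the baseline (claim 2)."""
        self.ports[item.process, item.direction][item.port] += 1
        self.ips[item.process].add(item.ip)
        self.hosts.add(item.host)
    def observe(self, item):
        """Claim 1: return alert reasons if the item deviates; otherwise update the baseline and return []."""
        reasons = []
        counts = self.ports[item.process, item.direction]
        total = sum(counts.values())
        # Rarely (or never) used port for a process with a baseline; a process never seen before is not judged.
        if total and counts[item.port] / total < RARE_PORT_SHARE:
            reasons.append(f"{item.process}: infrequent {item.direction} port {item.port}")
        if total and item.ip not in self.ips[item.process]:  # claim 4: unexpected IP address
            reasons.append(f"{item.process}: unexpected IP address {item.ip}")
        if item.host and item.host not in self.hosts:
            self.new_host_streak += 1
            if self.new_host_streak >= NEW_SITE_STREAK:
                reasons.append(f"{item.process}: continually accessing new websites ({item.host})")
        else:
            self.new_host_streak = 0
        if not reasons:
            self.learn(item)
        return reasons

def demo():
    # Constructed sample: baseline 40 HTTPS flows and one HTTP flow, then score a stream of new items.
    profile = BaselineProfile()
    for _ in range(40):
        profile.learn(DataItem("browser", "out", 443, "203.0.113.10", "intranet.example"))
    profile.learn(DataItem("browser", "out", 80, "203.0.113.11", "news.example"))
    stream = [DataItem("browser", "out", 443, "203.0.113.10", "intranet.example"),  # typical
              DataItem("browser", "out", 80, "203.0.113.11", "news.example"),       # known but rarely used port
              DataItem("browser", "out", 443, "203.0.113.10", "a.example"),         # 1st new website
              DataItem("browser", "out", 443, "203.0.113.10", "b.example"),         # 2nd new website
              DataItem("browser", "out", 443, "203.0.113.10", "c.example")]         # 3rd in a row -> alert
    return [profile.observe(item) for item in stream]
```

Items that pass are folded into the baseline, so a port stays "infrequent" until it is seen often enough through non-deviating items, and a new website only stops being new once a non-alerting item carried it.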
CPC classification titles:

- Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- involving event detection and direct action
- Computer malware detection or handling, e.g. anti-virus arrangements
- involving long-term monitoring or reporting
- for detecting or protecting against malicious traffic