US2019149568A1PendingUtilityA1
Device activity and data traffic signature-based detection of mobile device health
Est. expirySep 8, 2034(~8.1 yrs left)· nominal 20-yr term from priority
Inventors:Ross Bott
H04L 63/1416H04L 63/145H04L 63/1425
57
PatentIndex Score
0
Cited by
0
References
0
Claims
Abstract
The subject matter described herein includes methods, systems, and computer program products for data traffic signature-based detection and protection against malware. According to one method, data traffic and behavior associated with a computing device is monitored and a device activity signature is created that includes an abstraction of the data traffic. A classification of the device activity signature is determined and a policy decision for the computing device is applied based on the determined classification.
Claims
exact text as granted — not AI-modifiedWhat is claimed is:
1 . A method comprising:
monitoring data traffic and other activity associated with a computing device; creating a device activity signature of the data traffic and other device behavior that includes an abstraction of the activity and data traffic; determining a classification of the device activity signature; and applying a policy decision for the computing device based on the determined classification.
2 . The method of claim 1 , wherein monitoring the device activity includes collecting device and application activity data recorded by an operating system associated with the device and stored in counters, logs, or system files, or collecting activity directly from hardware device or mobile application.
3 . The method of claim 1 , wherein monitoring the device activity includes utilizing data collection software installed on the computing device.
4 . The method of claim 1 , wherein creating the device activity signature includes characterizing at least one of: all traffic from the computing device or traffic associated with individual applications executed by the computing device.
5 . The method of claim 1 , wherein creating the device activity signature includes at least one of: a byte volume of traffic, a connection volume, a number of application errors, a type of application error, network destination, network protocol, application protocol, IP port, patterns in the content of the transmission, device location, network technology in use, application transmitting or receiving the data, and an indication whether the screen is on or off and/or whether the user is engaging in other activity on the device such as typing or talking.
6 . The method of claim 1 , wherein determining a classification of the device activity signature includes classifying the device activity signature as either normal or anomalous.
7 . The method of claim 1 , wherein determining a classification of the device activity signature includes determining one of a degree of similarity or a degree of difference between the device activity signature and a reference device activity signature.
8 . The method of claim 7 , wherein the reference device activity signature includes one of: a device behavior or traffic signature based on a population of devices similar to the computing device or a signature associated with the computing device at a previous time.
9 . The method of claim 1 , further comprising updating the device activity signature to incorporate an expected signature based on user-initiated changes to applications installed on the computing device.
10 . The method of claim 9 , wherein the expected signature is associated with installing and executing a new application on the computing device.Cited by (0)
No later patents cite this yet.
References (0)
No backward citations on record.