US2021248230A1PendingUtilityA1

Detecting Irregularities on a Device

67
Assignee: ELASTICSEARCH BVPriority: Sep 13, 2013Filed: Apr 30, 2021Published: Aug 12, 2021
Est. expirySep 13, 2033(~7.2 yrs left)· nominal 20-yr term from priority
Inventors:Stephen Dodson
G06F 21/50G06F 21/554G06F 21/552H04L 63/14G06F 21/56
67
PatentIndex Score
0
Cited by
0
References
0
Claims

Abstract

A system and method for the detection of irregularities, such as fraud or malware, running on a device, is disclosed. An example method includes receiving new ones of data items indicative of the device's current operation; determining whether the new ones of data items deviate from the device's typical operation by comparing the new ones of data items to a profile relating to the typical operation of the device, wherein the deviating includes either using an infrequently used one of incoming ports and outgoing ports or continually accessing a new website. The example method can further include based on the determining: updating the device baseline profile to create an updated device baseline profile with the new ones of data items if the new ones of data items do not deviate from the typical operation of the device; and generating an alert if the new ones of data items do deviate from the typical operation of the device.

Claims

exact text as granted — not AI-modified
What is claimed is: 
     
         1 . A method for detection of irregularities of a device in a network, the method comprising:
 receiving new ones of data items indicative of a current operation of a device;   determining whether the new ones of data items deviate from typical operation of the device by comparing the new ones of data items to a profile relating to the typical operation of the device, the profile comprising one or more: (i) incoming ports associated with processes, (ii) outgoing ports associated with processes; and (iii) Internet Protocol (IP) addresses associated with processes, wherein the deviating from the typical operation of the device includes either using an infrequently used one of the incoming ports or the outgoing ports or continually accessing a new website;   based on the determining, updating the device baseline profile to create an updated device baseline profile with the new ones of data items if the new ones of data items do not deviate from the typical operation of the device; and   based on the determining, generating an alert if the new ones of data items do deviate from the typical operation of the device.   
     
     
         2 . The method of  claim 1 , further comprising:
 detecting a plurality of the data items relating to the typical operation of the device; and   creating the device baseline profile including the plurality of the data items relating to the typical operation of the device, the plurality of the data items comprising one or more: (i) the incoming ports associated with processes, (ii) the outgoing ports associated with the processes, and (iii) the IP addresses associated with the processes.   
     
     
         3 . The method of  claim 1 , wherein the deviating from the typical operation of the device further includes transferring unusual amounts of data. 
     
     
         4 . The method of  claim 1 , wherein the deviating from the typical operation of the device further includes connecting to an unexpected one of the IP addresses. 
     
     
         5 . The method of  claim 1 , wherein the deviating from the typical operation of the device further includes using an infrequently used one of the incoming ports and the outgoing ports. 
     
     
         6 . The method of  claim 1 , wherein the deviating from the typical operation of the device further includes connecting to an unexpected one of the IP addresses. 
     
     
         7 . The method of  claim 1 , wherein the irregularities comprise malware. 
     
     
         8 . The method of  claim 1 , wherein the irregularities comprise fraud. 
     
     
         9 . The method of  claim 1 , further comprising analyzing headers in email messages sent through the network. 
     
     
         10 . The method of  claim 9 , wherein the headers in the email message include a time, a destination, a source, and an email size and the analyzing includes one or more of the time, destination, source, and email size. 
     
     
         11 . The method of  claim 1 , wherein data sources for the data items include proxy logs and NetFlow records which record the destination of data sent through the outgoing ports and record the source of data received through the incoming ports. 
     
     
         12 . A system for detection of irregularities of a device, the system comprising:
 a hardware processor; and   a memory communicatively coupled with the hardware processor, the memory storing instructions which when executed by the hardware processor performs a method, the method comprising:
 receiving new ones of data items indicative of a current operation of a device; 
 determining whether the new ones of data items deviate from typical operation of the device by comparing the new ones of data items to a profile relating to the typical operation of the device, the profile comprising one or more: (i) incoming ports associated with processes, (ii) outgoing ports associated with processes; and (iii) Internet Protocol (IP) addresses associated with processes, wherein the deviating from the typical operation of the device includes either using an infrequently used one of the incoming ports or the outgoing ports or continually accessing a new website; 
 based on the determining, updating the device baseline profile to create an updated device baseline profile with the new ones of data items if the new ones of data items do not deviate from the typical operation of the device; and 
 based on the determining, generating an alert if the new ones of data items do deviate from the typical operation of the device. 
   
     
     
         13 . The system of  claim 12 , wherein the deviating from the typical operation of the device further includes transferring unusual amounts of data. 
     
     
         14 . The system of  claim 12 , wherein the deviating from the typical operation of the device further includes connecting to an unexpected one of the IP addresses. 
     
     
         15 . The system of  claim 12 , wherein the deviating from the typical operation of the device further includes using an infrequently used one of the incoming ports or the outgoing ports. 
     
     
         16 . The system of  claim 12 , wherein the deviating from the typical operation of the device further includes connecting to an unexpected one of the IP addresses. 
     
     
         17 . The system of  claim 12 , wherein the method further comprises:
 detecting a plurality of the data items relating to the typical operation of the device; and   creating the device baseline profile including the plurality of the data items relating to the typical operation of the device, the plurality of the data items comprising one or more: (i) the incoming ports associated with processes, (ii) the outgoing ports associated with the processes, and (iii) the IP addresses associated with the processes.   
     
     
         18 . A method for detection of irregularities of a device, the method comprising:
 receiving new ones of data items indicative of a current operation of a device on a network;   determining whether the new ones of data items deviate from typical operation of the device by comparing the new ones of data items to a profile relating to the typical operation of the device, the profile comprising one or more: (i) incoming ports associated with processes, (ii) outgoing ports associated with processes; and (iii) Internet Protocol (IP) addresses associated with processes, wherein the deviating from the typical operation of the device includes using an infrequently used one of the incoming ports and the outgoing ports, continually accessing a new website and transferring unusual amounts of data, or connecting to an unexpected IP address and transferring unusual amounts of data;   based on the determining, updating the device baseline profile to create an updated device baseline profile with the new ones of data items if the new ones of data items do not deviate from the typical operation of the device; and   based on the determining, generating an alert if the new ones of data items do deviate from the typical operation of the device.   
     
     
         19 . The method of  claim 18 , wherein data sources for the data items include proxy logs and/or NetFlow records which record the destination of data sent through the outgoing ports and record the source of data received through the incoming ports. 
     
     
         20 . The method of  claim 18 , wherein the irregularities comprise malware or fraud.

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.