Invention for Machine learning behavioral analysis to detect device misuse and theft

Invented by Isaac David Guedalia, Adam Schwartz, Qualcomm Inc

The rise of technology has brought about a new era of convenience and efficiency, but it has also opened up new avenues for criminal activity. One such area is device misuse and theft, which can lead to significant financial losses for businesses and individuals alike. However, with the advent of machine learning behavioral analysis, there is now a powerful tool available to detect and prevent such activities.

Machine learning behavioral analysis is a form of artificial intelligence that uses algorithms to analyze patterns of behavior. This technology can be used to monitor the behavior of users on devices such as smartphones, laptops, and tablets. By analyzing the data generated by these devices, machine learning algorithms can detect anomalies and identify potential instances of misuse or theft.

The market for machine learning behavioral analysis is rapidly growing, as more and more businesses and individuals seek to protect their devices and data. According to a report by MarketsandMarkets, the global market for behavioral biometrics is expected to reach $3.9 billion by 2024, with a compound annual growth rate of 23.7%.

One of the key advantages of machine learning behavioral analysis is its ability to detect subtle changes in behavior that may indicate misuse or theft. For example, if a user suddenly starts accessing sensitive data at unusual times or from unusual locations, this could be a sign of unauthorized access. Machine learning algorithms can detect these changes and alert the relevant parties, allowing them to take action before any damage is done.

Another advantage of machine learning behavioral analysis is its ability to adapt to changing circumstances. As criminals become more sophisticated in their methods, machine learning algorithms can learn from these new patterns of behavior and adjust their detection methods accordingly. This means that the technology is always evolving and improving, making it an effective tool for long-term protection against device misuse and theft.

In conclusion, the market for machine learning behavioral analysis to detect device misuse and theft is growing rapidly, as businesses and individuals seek to protect their devices and data from criminal activity. With its ability to detect subtle changes in behavior and adapt to changing circumstances, machine learning behavioral analysis is a powerful tool for preventing and detecting device misuse and theft. As technology continues to evolve, it is likely that this technology will become even more sophisticated and effective, making it an essential tool for anyone looking to protect their devices and data.

The Qualcomm Inc invention works as follows

The disclosure is a machine-learning behavior analysis for detecting device theft and unauthorized usage. During a training stage, an electronic device can generate a local profile of observed user-specific behavior according to a centrroid sequence. The local profile is then classified into a base profile model which represents aggregate behaviors over time associated with different users. In an authentication phase, an electronic device can generate a user profile that includes a centroid model re-expressing observed user-specific behavior over an authentication period. The current user model is then compared with multiple baseline profiles to determine the one closest to the user profile. In this way, an operator’s change can be detected when the baseline model closest to the user profile model is different from the baseline model that the electronic device belongs to.

Background for Machine learning behavioral analysis to detect device misuse and theft

Today, electronic devices have become widespread. These electronic devices allow users to access the Internet, perform online transactions, such as shopping or banking online, and more. As well as many other applications, such as finding directions to a specific location. Many modern electronic devices are equipped with wireless communication and almost all the Internet features of non-mobile computer systems. These electronic devices can include mobile phones, cellular telephones, portable computers and desktop computers, as well as personal digital assistants. They also have all the Internet features of non-mobile computer systems.

Accordingly, electronic devices are widely available and can improve the quality of life and productivity of users. Electronic devices, and especially mobile devices, are vulnerable to theft, loss or unauthorized usage. Electronic devices can contain private, confidential and/or hard-to-replace information. The loss of this data will compound the loss of an electronic device. Even though an electronic device can be replaced physically, the data on it is often confidential or irreplaceable. The authorized user may also have to deal with the ramifications of losing or stealing an electronic device, such as information being misused or another person gaining access. In many cases, the authorized user will not discover the loss of an electronic device for hours or days. During this time, an unauthorized person may have accessed sensitive data or misappropriated information, made national and international calls, or charged the authorized user’s account with goods and services through online purchases and transactions. Moreover, electronic devices can be used to run a variety of applications from different sources. This can lead to users installing malicious applications (e.g. malware) on electronic devices without their knowledge. Unwanted malware can, for example, impersonate an authorized user, send unauthorised short message service (SMS), conduct transmissions to debit the telecommunications account associated with the device (usually in an effort to generate revenue for attackers), steal personal information, or engage in malicious and/or illegal activity.

The ubiquity and potential theft of electronic devices, as well as the possibility that they may be used unauthorizedly or stolen, makes it necessary to develop better techniques for detecting electronic device theft.

The following is a simplified overview of one or more aspects disclosed in this document. The following summary is not intended to be an exhaustive overview of all aspects and/or implementations contemplated, nor to define the scope of any aspect or embodiment. The following summary is intended to simplify certain concepts related to one or more embodiments and/or aspects of the mechanisms described herein.

Machine-learning behavioral analyses may be used in various ways to detect device theft or unauthorized usage. In particular, an electronic device can generate a local profile of observed user-specific behavior according to a centrroid sequence. The local profile is then classified into a base profile model which represents aggregate behaviors over time associated with different users. In an authentication phase, an electronic device can generate a user profile that includes a centroid model re-expressing observed user-specific behavior over an authentication period. The current user model is then compared with multiple baseline profiles to determine the one closest to the user profile. In this way, an operator’s change can be detected when the baseline model closest to the user profile model is different from the baseline model that the electronic device belongs to.

The method of detecting unauthorized use of electronic devices may include storing multiple baseline profiles at an electronic unit that is a member of one of those models, creating one or several feature vectors that represent a temporal environment associated with one user-specific behavior observed on the device, and then generating a user profile from these feature vectors. This user profile includes a centroid model that re-expresses a context that is associated with that one user-specific behavior, as well as a data grammar which defines rules for representing patterns in the a

The method can also include a phase of training that includes generating one- or more training features vectors that represent user-specific behavior observed on the device over a defined training period. This is followed by generating a locally user profile from these training feature vectors.

The method can include comparing the user profile of a current device to the multiple baseline profiles during the authentication phase. This may involve calculating metrics to define the distance between the user profile and the baseline model. The current operator of the electronic device can be authenticated by determining whether the baseline model that is closest to the user profile model corresponds to the baseline model to which the electronic devices belongs. In other embodiments, the change in operator may trigger a recovery and/or protective action. In other embodiments, a comparison may be made between the current profile and one or more authorized profiles stored on the device. A notification may then be generated to inform the user that they are authorized to use the device if the distance between the profile and at least one authorized profile is below a threshold.

The electronic device can include a plurality of baseline profiles, in which it is a member, means to generate one or multiple feature vectors that represent a temporal contextual context that is associated with one user-specific behavior observed in sensor data acquired by the device, means to create a current profile from one or several feature vectors. This current profile includes a centroid model that re-expresses a temporal environment associated with these behaviors, and a datagram that defines rules for representing patterns in that centroid,

The electronic device can include a local repository that stores multiple baseline profiles, and the device is a member of one of those models. It may also have one, two, or three sensors that acquire sensor data. A behavioral analysis platform and user authentication module may be installed on one, two, or three processors.

The computer-readable medium can have computer-executable instruction recorded on it. Executing the computer-executable instruction on an electronic devices with one- or multiple-processors will cause the processors to: store plural baseline profiles, where the electronic device is a member of one of the plurality baseline models; generate one- or-more feature vectors that represent a temporal contextual context associated with one- or-more user-specific behavior observed in sensor data acquired by the electronic system; generate a current profile from the feature vectors and generates, using the feature vectors and generates, one-specific behavioral data, which based on-specific behaviors, from sensor data, from a-based a-specific behaviors, from the feature vectors based on-specific behavior based on-specific behaviors based on-specific behaviors, or-specific from the feature vectors; a feature vectors and the feature vectors and the feature vectors and the feature vectors, the feature vectors and the feature vectors.

The accompanying drawings and detailed descriptions will make it clear to those in the know that there are other objects and benefits associated with the embodiments and aspects disclosed herein.

The following description and drawings show examples of exemplary embodiments. Those skilled in the relevant art will recognize alternative embodiments after reading this disclosure. They may be constructed or practiced without deviating from the scope of the disclosure. “Well-known elements may also be left out or not described at all to avoid obscuring the details of the embodiments and aspects disclosed herein.

The word “exemplary” is used here to mean “serving as an example, instance, or illustration.” “The word ‘exemplary’ is used in this document to mean a’serving as an illustration, example or example. Any embodiment described herein as ?exemplary? It is not necessary to construe any embodiment as superior or more advantageous than other embodiments. The term “embodiments” is also not to be construed as preferable or advantageous over other embodiments. “Embodiments” does not require all embodiments to include the feature, benefit or mode of operation discussed.

The terminology used in this document describes only certain embodiments and should not limit the disclosures made herein. The singular forms ‘a,’ and?an,? are used in this document. ?an,? The plural forms of?an,? The plural form is also intended, unless it’s clear from the context. The terms “comprises” will also be understood. ?comprising,? ?includes,? and/or ?including,? When used herein to specify the presence, they indicate the presence of specified features, integers or steps, or components. However, it does not exclude the addition or presence of other features, or integers or steps, or components or groups thereof.

Furthermore, many aspects of the invention are described as sequences of actions that can be performed, for example by elements of a computer device. You will recognize that the various actions described in this document can be performed either by specific circuits such as an application-specific integrated circuit (ASIC), or by program instructions executed by one or multiple processors. These sequences of actions can also be considered as being embodied in any computer-readable storage medium that contains a set of computer instructions which, upon execution, would cause an associated processing to perform the functionality described. The disclosure can be implemented in many different ways, and all forms are within the scope. For each aspect described in this document, the form of that aspect may also be described as, for instance, “logic configured to?” “Logic configured to perform the described action” is one example of a description for each aspect.

The terms “client device” and “user equipment” are used in this document. ?user equipment? (or ?UE? ), ?user terminal,? ?user device,? ?communication device,? ?wireless device,? ?wireless communications device,? ?handheld device,? ?mobile device,? ?mobile terminal,? ?mobile station,? ?handset,? ?access terminal,? ?subscriber device,? ?subscriber terminal,? ?subscriber station,? ?terminal,? The terms?terminal’ and?variants thereof’ are interchangeable to refer to any mobile or stationary device which can operate, communicate over a wireless network, via a wired connection, with a radio network (RAN), that implements an e.g. IEEE 802.11, over a Wired network. “, and/or other devices via direct device-to device (D2D), or peer-to peers (P2P) connections.

The term “Internet of Things Device” is used in this document. (or ?IoT device?) Any object can be considered an IoT device (e.g. a sensor or appliance). It is an object that can be addressed (e.g. an Internet protocol (IP), Bluetooth identifier, near-field communications (NFC) ID). It can send information via a wireless or wired connection to other devices. An IoT device may have an active communication interface, such as a modem, a transceiver, a transmitter-receiver, or the like, a passive interface (e.g., a quick response (QR) code, a radio-frequency identification (RFID) tag, an NFC tag, etc. The IoT device can have a particular set of attributes (e.g., a device state or status such as whether the IoT device is on or off, open or closed, idle/active/available for task execution/busy etc.), and/or combining them. A device that is part of the IoT can be characterized by a specific set of attributes. These include a device status (e.g. a device’s state, whether it is open or closed, active or idle, ready to execute tasks or not, etc.), a cooling function or heating function as well as environmental monitoring and recording functions, light-emitting or sound-emitting functions, etc. The IoT device can have a set of attributes (e.g., a device state or status, such as whether the IoT device is on or off, open or closed, idle or active, available for task execution or busy, etc., a cooling or heating function, an environmental monitoring or recording function, a light-emitting or sound-emitting feature, etc.) that are embedded into and/or monitored by a central processor unit (CPU), ASIC, microprocessor or IoT devices can include, for example, but not be limited to, refrigerators and toasters, ovens and microwaves. They may also include dishwashers or clothes dryers. IoT devices can also include mobile phones, desktops, laptops, tablets, PDAs, etc. The personal network can be made up of a mixture of legacy devices. Internet-accessible devices (e.g., laptop or desktop computers, cell phones, etc.) in addition to devices that do not typically have Internet-connectivity (e.g., dishwashers, etc.).

According to different aspects, grammars have become an increasingly important tool for analyzing data streams. Specifically, generative grammars treat data streams naturally as narratives, which can reveal inherent structures. This may have practical applications, including device security, unsupervised classifying, taxonomy creation, nearest neighbor search, scientific discovery and navigation. Grammars usually group data into clusters, and thus offer some compression. They are measured and compared based on the compression ratios. The grammar can provide more information than the space-saving percentage. Grammars can be measured in both a syntactic and semantic way, based on the content and form of the grammar. In this sense, the different grammars may be compared using appropriate metrics in order to draw conclusions about the relative similarity and/or difference between the sources that are associated with the data streams. This can lead to a deeper understanding of the data unsupervised. Grammars that are similar in syntactic structure may indicate one relationship while grammars with similar semantic structure may suggest a different relationship. Many electronic devices include sensors, instrumentation and other monitoring features. As such, various aspects and embodiments of the present invention may take advantage of these capabilities to observe local behavior in order to create datagrammars that model behavior associated to an authorized user. These grammars can then be compared with a grammar which models subsequent behavior to detect theft or unauthorized use using various distance metrics.

As used in this document, the term “device” is generic. The term “device” can refer to a device that is part of the Internet of Things, such as a client, subscriber, terminal or station. In the various embodiments and aspects described herein the clusters may represent proxy data that re-expresses the data items that were originally sequenced into the clusters.

Click here to view the patent on Google Patents.


Comments

Leave a Reply

Your email address will not be published. Required fields are marked *