US-12625927-B2 - System and method for analyzing a device

US12625927B2

Abstract

A system and method for analyzing a device are disclosed. In an aspect, a method can comprise determining a parameter of a device at a kernel level of a software stack associated with the device, analyzing the parameter to determine an event state, comparing the event state to a white list to determine a state of an alert trigger, and generating an alert in response to the determined state of the alert trigger.

Inventors

  • Bahar Limaye
  • Atif Ghauri
  • Sean Wechter

Assignees

  • COMCAST CABLE COMMUNICATIONS, LLC

Dates

Publication Date
2026-05-12
Application Date
2020-02-06

Claims (20)

  1. An apparatus comprising: one or more processors; and memory storing processor executable instructions that, when executed by the one or more processors, cause the apparatus to: monitor one or more of logical access to embedded software of a user device or physical access to hardware ports and sockets of the user device; determine, based on the monitoring of the one or more of the logical access to embedded software of the user device or the physical access to hardware ports and sockets of the user device, a physical pattern of operation associated with the user device; determine, based on one or more acceptable patterns of operation of the user device, that the physical pattern of operation associated with the user device is associated with a pattern of operation corresponding to a security issue; and cause, based on the physical pattern of operation associated with the user device being associated with the pattern of operation corresponding to the security issue, the user device to be prevented from accessing hardware ports and sockets of the apparatus and an adjustment of a monitoring protocol of data traffic associated with the user device.
  2. The apparatus of claim 1, wherein the processor executable instructions, when executed by the one or more processors, further cause the apparatus to send, based on the physical pattern of operation associated with the user device being associated with the pattern of operation corresponding to the security issue, a notification to the user device indicating that an account is suspended.
  3. The apparatus of claim 1, wherein the physical pattern of operation corresponding to the security issue comprises one or more of an unauthorized interaction with a hardware interface associated with the user device, one or more unauthorized secure shell (SSH) commands, or one or more unauthorized Telnet commands.
  4. The apparatus of claim 1, wherein the processor executable instructions that, when executed by the one or more processors, cause the apparatus to determine the physical pattern of operation associated with the user device, further cause the apparatus to determine a change to an operational process of the user device.
  5. The apparatus of claim 1, wherein the processor executable instructions, when executed by the one or more processors, further cause the apparatus to change, based on the physical pattern of operation associated with the user device being associated with the pattern of operation corresponding to the security issue, one or more services associated with the user device.
  6. The apparatus of claim 1, wherein the processor executable instructions, when executed by the one or more processors, further cause the apparatus to suspend, based on the physical pattern of operation associated with the user device being associated with the pattern of operation corresponding to the security issue, one or more services associated with the user device.
  7. The apparatus of claim 1, wherein the pattern of operation corresponding to the security issue comprises a pattern of physical events.
  8. The apparatus of claim 1, wherein the processor executable instructions that, when executed by the one or more processors, cause the apparatus to determine the physical pattern of operation associated with the user device further cause the apparatus to receive the physical pattern of operation from the user device.
  9. One or more non-transitory computer-readable media storing processor-executable instructions that, when executed by at least one processor, cause the at least one processor to: monitor, by a computing device, one or more of logical access to embedded software of a user device or physical access to hardware ports and sockets of the user device; determine, based on the monitoring of the one or more of the logical access to embedded software of the user device or the physical access to hardware ports and sockets of the user device, a physical pattern of operation associated with the user device; determine, based on one or more acceptable patterns of operation of the user device, that the physical pattern of operation associated with the user device is associated with a pattern of operation corresponding to a security issue; and cause, based on the physical pattern of operation associated with the user device being associated with the pattern of operation corresponding to the security issue, the user device to be prevented from accessing hardware ports and sockets of the computing device and an adjustment of a monitoring protocol of data traffic associated with the user device.
  10. The non-transitory computer-readable media of claim 9, wherein the processor-executable instructions, when executed by the at least one processor, further cause the at least one processor to send, based on the physical pattern of operation associated with the user device being associated with the pattern of operation corresponding to the security issue, a notification to the user device indicating that an account is suspended.
  11. The non-transitory computer-readable media of claim 9, wherein the physical pattern of operation corresponding to the security issue comprises one or more of an unauthorized interaction with a hardware interface associated with the user device, one or more unauthorized secure shell (SSH) commands, or one or more unauthorized Telnet commands.
  12. The non-transitory computer-readable media of claim 9, wherein the processor-executable instructions that, when executed by the at least one processor, cause the at least one processor to determine the physical pattern of operation associated with the user device, further cause the at least one processor to determine a change to an operational process of the user device.
  13. The non-transitory computer-readable media of claim 9, wherein the processor-executable instructions, when executed by the at least one processor, further cause the at least one processor to change, based on the physical pattern of operation associated with the user device being associated with the pattern of operation corresponding to the security issue, one or more services associated with the user device.
  14. The non-transitory computer-readable media of claim 9, wherein the processor-executable instructions, when executed by the at least one processor, further cause the at least one processor to suspend, based on the physical pattern of operation associated with the user device being associated with the pattern of operation corresponding to the security issue, one or more services associated with the user device.
  15. The non-transitory computer-readable media of claim 9, wherein the pattern of operation corresponding to the security issue comprises a pattern of physical events.
  16. The non-transitory computer-readable media of claim 9, wherein the processor-executable instructions that, when executed by the at least one processor, cause the at least one processor to determine the physical pattern of operation associated with the user device, further cause the at least one processor to receive the physical pattern of operation from the user device.
  17. A system comprising: a user device configured to: send telemetry data; and a computing device configured to: monitor one or more of logical access to embedded software of the user device or physical access to hardware ports and sockets of the user device; determine, based on the telemetry data and based on the monitoring of the one or more of the logical access to embedded software of the user device or the physical access to hardware ports and sockets of the user device, a physical pattern of operation; determine, based on one or more acceptable patterns of operation of the user device, that the physical pattern of operation is associated with a pattern of operation corresponding to a security issue; and cause, based on the physical pattern of operation being associated with the pattern of operation corresponding to the security issue, the user device to be prevented from accessing hardware ports and sockets of the computing device and an adjustment of a monitoring protocol of data traffic associated with the user device.
  18. The system of claim 17, wherein the physical pattern of operation corresponding to the security issue comprises one or more of an unauthorized interaction with a hardware interface associated with the user device, one or more unauthorized secure shell (SSH) commands, or one or more unauthorized Telnet commands.
  19. The system of claim 17, wherein the computing device is further configured to determine a change to an operational process of the user device.
  20. The system of claim 17, wherein the computing device is further configured to change, based on the physical pattern of operation being associated with the pattern of operation corresponding to the security issue, one or more services associated with the user device.

Description

CROSS REFERENCE TO RELATED PATENT APPLICATION

This application is a continuation of U.S. application Ser. No. 15/722,950, filed on Oct. 2, 2017, which is a continuation of U.S. application Ser. No. 13/441,397, filed on Apr. 6, 2012 and issued as U.S. Pat. No. 9,817,951, which are herein incorporated by reference in their entirety.

BACKGROUND

Electronic device compromise can result in substantial business and personal loss. Historically, information technology systems have been monitored to detect compromised devices from a server-side perspective, rather than from a client. However, conventional server-side security monitoring does not provide sufficient protection against the broad range of new security threats. New threats exploit modern open communication protocols and leverage state-of-the-art processing power on advanced and non-proprietary operating systems. Existing protection methods are limited and include: network controls on distribution servers that aggregate and transport content, embedded controls in outdated protocols such as simple network management protocol (e.g., SNMPv1, SNMPv2), and protection of video assets through digital rights management (DRM) cryptographic keys. Next-generation video delivery devices enable unprecedented capabilities in comparison to legacy devices. Conventional server-side controls are not configured to detect compromise of a video delivery endpoint. In the age of the advanced persistent security threat, a proactive response is needed to provide a comprehensive security solution.

SUMMARY

It is to be understood that both the following general description and the following detailed description are exemplary and explanatory only and are not restrictive, as claimed. Provided are methods and systems for analyzing and/or monitoring a device. The system and methods of the present disclosure can be used to monitor physical and/or logical parameters of devices for potential security threats.

The systems and methods of the present disclosure can be used to monitor operational patterns of a device to identify potential security threats. In an aspect, the systems and methods can be implemented as a client-side monitoring resource. In an aspect, the systems and methods of the present disclosure can utilize anomic motion detection (AMD) to proactively monitor the security disposition of a device (e.g., video delivery device, content consuming device), resulting in risk reduction and cost avoidance related to security breaches. The AMD technology can leverage pattern recognition from logical access to embedded software and physical access to ports or sockets associated with a particular device. In an aspect, an endpoint device should only be modified using prescribed patterns and events. Thus, any movement (e.g., changes, detected events or patterns) deviating from such an established "white list" can result in a notable event (e.g., alert trigger event) to be investigated. For example, if a hard drive is connected to a universal serial bus (USB) port and mounted as a read/write resource, an unauthorized action may be forthcoming.

In an aspect, a method for analyzing a device can comprise determining a parameter of a device at a kernel level of a software stack associated with the device and analyzing the parameter to determine an event state. As an example, the event state can be compared to a white list to determine a state of an alert trigger, and an alert can be generated in response to the determined state of the alert trigger.

In an aspect, a method for analyzing a device can comprise determining a plurality of parameters of a device, detecting a change in one or more of the plurality of parameters of the device, and defining a pattern of operation of the device based upon one or more of the plurality of parameters and the detected change in the one or more of the plurality of parameters. As an example, the pattern of operation of the device can be compared to a comparator pattern to determine an event state, and an alert can be generated in response to the determined event state.

In an aspect, a system can comprise a memory for storing a detection element and a processor in communication with the memory. The processor can be configured to determine a parameter of a device at a kernel level of a software stack associated with the device using the detection element, to analyze the parameter to determine an event, to compare the event to a white list to determine a state of an alert trigger, and to generate an alert in response to the determined alert trigger state.

Additional advantages will be set forth in part in the description which follows or may be learned by practice. The advantages will be realized and attained by means of the elements and combinations particularly pointed out in the appended claims. It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive, as cla
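As an added example, not code from the patent or from the assignee's implementation: a small Python monitor that applies the two methods summarized above, comparing each kernel-level event state against a white list and comparing the recent pattern of operation against a comparator pattern that stands for a security issue. The event names, the white list, the comparator pattern and the sample event stream are all constructed for illustration.

```python
from collections import deque

# Constructed sample of kernel-level events observed on one device (not from
# the patent). Each event is a (kind, detail) pair, used here as the "event state".
SAMPLE_EVENTS = [
    ("usb_mount", "ro"),       # media mounted read-only: a prescribed pattern
    ("shell_cmd", "status"),   # prescribed maintenance command over SSH
    ("usb_mount", "rw"),       # drive mounted read/write: not on the white list
    ("shell_cmd", "chmod"),    # unauthorized command following that mount
    ("port_open", "8080"),     # an expected service port
]

# White list of acceptable event states (hypothetical policy for this example).
WHITE_LIST = {("usb_mount", "ro"), ("shell_cmd", "status"), ("port_open", "8080")}

# Comparator pattern: an ordered sequence of event states that, taken together,
# is treated as a pattern of operation corresponding to a security issue.
COMPARATOR_PATTERN = (("usb_mount", "rw"), ("shell_cmd", "chmod"))


def alert_trigger_state(event_state, white_list=WHITE_LIST):
    """Return True when the event state deviates from the white list."""
    return event_state not in white_list


def pattern_matches(window, comparator):
    """Return True when the recent pattern of operation equals the comparator."""
    return tuple(window) == tuple(comparator)


def analyze_device(events, white_list=WHITE_LIST, comparator=COMPARATOR_PATTERN):
    """Walk the event stream in order. Emit one ("event", state) alert for each
    state outside the white list, and one ("pattern", window) alert whenever the
    sliding window of recent states equals the comparator pattern."""
    alerts = []
    window = deque(maxlen=len(comparator))
    for state in events:
        window.append(state)
        if alert_trigger_state(state, white_list):
            alerts.append(("event", state))
        if pattern_matches(window, comparator):
            alerts.append(("pattern", tuple(window)))
    return alerts


if __name__ == "__main__":
    for alert in analyze_device(SAMPLE_EVENTS):
        print(alert)
```

On the sample stream this produces two event alerts (the read/write mount and the command that follows it) and one pattern alert once both have been seen in order, while a stream of white-listed states alone produces none.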