RU2480949C1 - Method of locating lost electronic devices - Google Patents

Abstract

FIELD: information technology.

SUBSTANCE: at least one identifier of the lost device is loaded into at least one remote client computer; the lost device is searched for in the network neighbourhood of the client based on the loaded identifier of the lost device using at least one client; and parameters of the location of at least one lost device found through the search are determined.

EFFECT: enabling location of a lost electronic device based on data of clients detecting said device in the network neighbourhood, as well as the possibility of finding an electronic device with a connected network adapter.

16 cl, 10 dwg

Description

Technical field

The present invention relates to means for searching electronic devices and, more particularly, to methods for locating missing electronic devices in a data network.

State of the art

Electronic devices are an integral part of the life of a modern person. Laptops, netbooks, tablet computers and other types of portable devices account for more than half of all released computers in the world. With the help of them people communicate, work, have fun and study. A lot of personal data is stored in the device’s memory, such as contacts, photos and videos, authorization data, and much more, while corporate computers also contain official correspondence and documentation that may constitute a commercial secret.

Such devices that a person carries or takes on a trip often become the subject of robbery and theft. The goals pursued by cybercriminals can be different: to gain access to the computer’s hard drives, to sell or, in rare cases, to leave for their own use. Portable devices are easily lost due to their size and constant movement.

The community is faced with an acute issue of finding and recovering missing devices. If cellular technology allows centralized identification of mobile devices by telecom operators, then the architecture of data networks based on Ethernet, Wi-Fi, Bluetooth, etc. makes finding the connected device more complicated.

There are technologies that allow finding missing devices connected to the Internet through a special software or hardware module installed on them. This module sends a message about the location to the owner the first time you connect to the Internet. These technologies are described in WO 2007069263 A2, US 2009589437 A and US 2005293223 A.

There are also technologies for monitoring equipment within the network to prevent theft and use of external devices. A similar approach is given in application EP 1999106466 A.

EP 2005708 A describes a system and method for remotely controlling a stolen device using wireless technology.

The given descriptions of technologies, as well as available technical implementations, have a clear client-server architecture and cease to function in the event of a malfunction in one of the components of the system: a client, server, or data transmission channel. Thus, in the case of reinstalling the operating system, changing the hard drive or memory card on the computer, it is impossible to find the missing device.

This invention eliminates the described disadvantages and allows you to search for devices by identifier at the expense of other customers. In the event that the device is stolen and work is done on it to block or remove the detection module necessary for feedback from the server, this device will be found by another client who finds it on the network, for example, at the time of connection with it.

SUMMARY OF THE INVENTION

The present invention is intended to detect missing electronic devices. The technical result of the present invention is to determine the location of the missing electronic device according to customers who discovered this device in a networked environment. Putting the invention into practice makes it possible to find electronic devices with a connected network adapter. The technical result is achieved through the use of a method for determining the location of missing electronic devices, comprising the steps of downloading the identifier of the missing device to the client from a remote computer, searching for the missing device in the network environment of the client using the loaded identifier of the missing device using at least one client, determining the parameters the location of at least one missing device that was detected by the search.

In various embodiments, there may be more than one customer. There can be more than one remote computer, and they can be distributed geographically and made in the form of a server, personal computer, mobile station, or portable device. Depending on the implementation of the system that implements the presented method, clients can load multiple identifiers of missing devices in one iteration.

The location parameters of a missing device are understood to mean at least the geographical coordinates or network connection parameters of the missing device.

In another embodiment, clients define their geographic coordinates as location parameters for the missing device.

The network environment in which the client searches for missing devices contains the network devices to which the client is connected, the network devices that the client has created, and devices about which information is contained in network packets registered with the client.

The method also allows you to track changes in location parameters and determine location parameters if they have been changed.

An electronic message containing information about the location parameters of the missing device is sent to the rightful owner who registered the identifier of the missing device.

In various embodiments, the client or central server sends the electronic message to the rightful owner.

The central server also collects data on the location parameters of missing devices. After that, the collected data can be combined and sorted by the identifier of the missing device, by the legitimate user, by the time of detection.

If at least two clients are connected to the central server, then the data received from them is correlated to clarify the location parameters of the missing device. In one embodiment, the correlation is a process of overlaying areas of geographical coordinates corresponding to missing devices found by one or more identifiers by two or more clients.

By fixing the location parameters of the missing device in chronological order, one of the implementation options allows you to plot the movement of the missing device by connecting successive points corresponding to the location parameters.

An additional step allows you to determine the speed of movement of the missing device. To do this, the amount of movement committed by the missing device over a period of time corresponding to the difference in time points of determining one location parameter by one client is divided by the value of this time period. In various embodiments, the calculation of speed can be carried out both on the central server and on the client that determined the location parameters.

Another way to determine the speed of movement of a missing device is to divide the amount of movement made by the missing device over a period of time corresponding to the difference in the times the two clients detected the missing device by the value of this time period.

An important step for the capture of a missing device is not only its detection, but also the prediction of its location at times following the moment of detection. In one embodiment, the central server evaluates the location parameters of the missing device at a specified point in time after the moment of detection. Evaluation can occur by identifying the frequency in the movement of the missing device, taking into account the latest location parameters and the speed of movement of the missing device.

Brief description of the attached drawings

The accompanying drawings, which are included to provide an additional understanding of the invention and form part of this description, show embodiments of the invention and together with the description serve to explain the principles of the invention.

The claimed invention is illustrated by the following drawings, in which:

Figure 1 shows an example of a local area network containing several segments;

Figure 2 shows the process of changing the headers of a network packet when passing through network devices;

Figa shows a functional diagram of a system for determining the location of missing electronic devices (prior art);

Fig.3b shows a functional diagram of a system for determining the location of missing electronic devices;

Figure 4 shows an example of an ARP table;

Fig. 5a shows a method for detecting missing electronic devices;

Fig.5b shows a method for tracking changes in the position of missing electronic devices;

6 is an example of a general purpose computer system;

7 shows a block diagram of a client;

Fig.8 shows a functional diagram of the system in the case of an active device search by the client.

Description of Preferred Embodiments

The objects and features of the present invention, methods for achieving these objects and features will become apparent by reference to exemplary embodiments. However, the present invention is not limited to the exemplary embodiments disclosed below, it can be embodied in various forms. The essence described in the description is nothing more than specific details to assist the specialist in the field of technology in a comprehensive understanding of the invention, and the present invention is defined only in the scope of the attached claims.

One of the main directions of development of information technology is to increase the coverage area of high-speed Internet access networks. With the growing popularity of mobile devices such as mobile phones, smartphones, laptops, tablets, communicators, there is an increasing need for universal access to the global network: e-mail, websites and other services. Access is via local computer networks (local area networks, LAN, LAN). There are many technologies for providing wired and wireless communications for network devices, the most popular of which are Ethernet, Wi-Fi, Wi-MAX, Bluetooth and others.

In terms of access control, local networks are divided into open or public (public) and private (private). Open networks allow all devices to connect to it, while private networks use access restriction systems.

Wired networks require a cable to be connected to the device and are used in most cases for laying corporate computer networks and large local networks. Wireless technologies are more often used in public places, such as restaurants, shopping centers, urban access points. Their popularity is growing every day and Wi-Fi access points (hotspots) with an open infrastructure are increasingly appearing.

Consider another classification of networks, which allows you to determine the device parameter used for identification in the network, and directly the ability to identify the device. The participation of a computer or mobile device in the network does not always mean that information on the network topology and its other participants will be available to this computer or device. The difference in networks in this parameter is determined by the different architecture of the network, including the use of different types of network devices. The technology in various implementations allows you to effectively detect devices in all types of networks. Discovery is carried out in a network environment, which includes all devices connected to the client in a common data network and all devices discovered by the client as a result of interception of network data packets. Thus, if the portable device is connected to a wired LAN and has an active wireless adapter, then the network environment of this device will include all devices on the local network and devices whose information is found in network packets intercepted by the wireless adapter. To increase the coverage of the network environment, local networks can be created by clients, for example, based on wireless adapters.

Figure 1 shows an example of a local network containing several segments 100. Computers 101, 102 and 103 from one segment are connected by network devices of the transport or data link layer of the OSI model, for example, by switches 105. Figure 1 shows three segments 100, which include computers marked in the figure under the numbers 101 (first segment), 102 (second segment) and 103 (third segment). The segments are connected and exchange information through two routers 111. According to the shown diagram, access to the external network 110 is via router 112. If we talk about identifying computers by the physical address of the network card, then computer devices located in one segment, for example, devices under numbers 103 will be able to find out each other's MAC addresses with standard network settings.

There are many ways to identify computer devices. You can determine the computer you need using authentication programs, application serial numbers, and accounts. This invention uses identifiers that are the most difficult to eliminate, hide and replace. These include the physical address of the network interface (MAC address), the BIOSa serial number, the serial number of the hard drive (Hard Drive Serial Number), and the hardware configuration of the computer. These parameters are more reliable because they do not change when formatting (deleting data) a hard disk, in which data is lost, including the operating system, accounts, specialized applications, etc.

The considered parameters cannot give a 100% probability of identifying a computer, since the hard disk can be replaced, thereby changing the configuration of the computer. The BIOSa serial number and MAC address can be changed using special utilities. However, statistics show that a very small percentage of users, including cybercriminals, resort to these changes, which retains a positive effect in identifying lost devices by the given identifiers.

A MAC address is a unique identifier assigned to each network interface. Most link layer network protocols use one of three IEEE managed MAC address spaces: MAC-48, EUI-48, and EUI-64. Addresses in each of the spaces should theoretically be globally unique. Not all protocols use MAC addresses, and not all protocols that use MAC addresses need such uniqueness of these addresses. In broadcast networks, the MAC address uniquely identifies each node in the network to deliver data only to that node. Thus, MAC addresses are fundamental parameters of networks at the data link layer, which use protocols of a higher (network) layer. MAC-48 addresses are the most common. They are used in technologies such as Ethernet, Token ring, FDDI, WiMAX, etc. They consist of 48 bits, so the MAC-48 address space has 2 ⁴⁸ (or 281474976710656) addresses.

The MAC address is changed programmatically, since the value specified by the driver has a higher priority than the one wired to the board. In Windows, changing the MAC address can be done using the built-in OS tools. However, there is still equipment in which it is impossible to change the MAC address otherwise than using the programmer. This is usually telecommunication equipment, such as set-top boxes for IP-TV.

The changed MAC address is chosen arbitrarily and may not contain information about the OUI (unique identifier of the organization) and the device code.

In one embodiment, the system for locating missing electronic devices identifies the computer at a physical address (MAC address). Information about the MAC address is available for computers located in the same network segment. Network segment - a part of the local network that is separated from the others by the IP packet routing device (3rd level in the OSI model). Inside one segment of the device (PCs, servers, printers) can be connected using hubs, bridges or switches. A segment is also called a subnet if the logical division of the network corresponds to the physical division. Computers located in different segments can exchange information. Transmission can be implemented through IP packets.

Figure 2 shows the process of changing the headers of a network packet when passing through network devices. The figure shows devices operating at different levels of the model OSI router 111 and switch 105. Each of them receives an IP packet 210, which contains the network address of the sender IP1, the physical address of the sender device MAC1, the network address of the receiver IP4, and the physical network address the device that will transmit the MAC2 packet. The pairs IP1-MAC1 and IP4-MAC4 form the address of the sender 211 and the address of the receiver 212, respectively. When a packet passes through a router, IP packet 220 replaces the physical address of the sender and the physical address of the recipient, since the transmission of packets occurs already in the next data channel between the router and the recipient's computer device. As a result, the IP packet 220 at the output will contain the following data: IP1, MAC3, IP4, MAC4. The network layer device transmits packets to IP addresses. The switch 105 has a simpler logic of operation, transmitting packets to physical addresses. Thus, IP packet 221 will not change when passing through a switch or other data link network device.

As you can see in the figure, information about the physical address of the computer becomes unavailable after passing through the router and remains after the switch, which indicates the possibility of searching for a device in the local network by the MAC address of the device connecting to this network.

The prevalence of a product (application or device) adds another factor to its characterization - this is the use of community capabilities. Several million users, united by the product, can use the unlimited resources of the rest of the community, making a small contribution from themselves. This direction is developing along with the spread of the Internet and an increase in the number of services uniting people, and is used in cloud technologies, distributed computing.

There are still not so many specialized services using community resources. Community resources are understood as the computing capabilities of computers connected to the same network, subscribing to one service or having the installed software product of one company.

The architecture of such systems may have a client-server or client-client structure. In the first case, synchronization and management of client computers is carried out by a special server, which, depending on the complexity and tasks of the system, collects, analyzes information collected from clients and sets new tasks. The second example of architecture is a client-client communication system in which clients exchange data with each other without intermediaries. There are also examples of a combination of two structures when clients are synchronized and connected using a server and then interact directly or when the server assigns tasks and clients join and interact without server intervention.

Information is exchanged using standard data transfer protocols. Clients can maintain a constant connection between themselves or with the server, and can also organize a short-term session.

The development of online communities is currently limited to collecting data from client computers and, in rare cases, is expanding by distributed computing and remote task execution. An integral component of the systems under consideration is the presence of a software or hardware module installed in the user's computer. It can be a USB device, an operating system with special services, a separate application, or an addition to an already installed software product, such as a browser or antivirus. By agreeing to participate in the community, the user connects the module to the main work of the computer, which can perform tasks to achieve the goals of the community, for example, it can run part of the program on the computer or work as a proxy server for other clients.

The set of user computer parameters, the serial number of the software product, information about the license and its expiration dates make up the user profile. Depending on the implemented system functions, various client parameters are saved in the profile. This profile can be stored on a dedicated server. One of the options for implementing this server can be a web server that provides and stores the necessary information about the user's computer. The user profile in conjunction with the user authorization system constitutes a user account, which may contain additional information, for example, about the user's contacts.

This profile in various types of communities performs a certain function: on social networks it directly introduces members of the community to the user, in other services it is used to determine resources available for general access and how to download them, and thirdly it is used to optimize calculations and test applications.

Another use of a customer account is to store device identifiers in conjunction with the contacts of its owner. The central server reads and stores the necessary information about the hardware configuration of the computer in the client’s personal account, which also indicates the email address for sending notifications.

In relation to the system for detecting missing electronic devices, the account is used to store information about the hardware and software configuration of the computer, including all kinds of identifiers: the serial number of the antivirus, physical addresses of network interfaces, the hardware configuration of the computer (type and model of processor, motherboard, video card, operational memory, adapters, etc.). The data is necessary in order to later be able to calculate this computer when it is connected to local and corporate networks.

An account can store information about several computer devices. If one of them is stolen or lost, the user will need to go to the web page of his account and mark it as missing. After that, this computer will be wanted by the community.

There are many ways to detect, block, and recover lost or stolen mobile devices. Some solutions are based on remote device management systems when a remote administration module is installed on it, which allows you to connect to a lost device when it is turned on and connected to the Internet. After that, you can perform the necessary actions: copy and delete important information, block access to the computer, if you wish, you can even disable the computer.

Another method of remote control is based on communication via mobile networks. In the event of loss or theft, a signal can be sent to the mobile device (call it from a specific number or send a CMC code), which will activate the security tool installed on it and perform predefined actions.

The most popular services implement a system in which a mobile device is active. This is a big plus compared to competitive solutions, since in this case the device itself initiates a remote connection at any opportunity. Considering that in case of theft, the device is turned off in most cases, and the SIM card is removed from the mobile device, the ability to send a message or other control signal is excluded. This type of system implies a client-server architecture. The owner of the device registers the device on the server and starts the service, after which each time the device connects to the Internet via a mobile network (for example, GPRS), a wired (Ethernet) or wireless (Wi-Fi) network, it requests its status on the server. The status can be updated via email, for example, if the device receives an email with the specified subject or content, the corresponding status is automatically set. The email may contain an activation code, a secret word, or be sent from a specific address, which indicates that the device has disappeared. If the status is set to “lost”, the device performs predefined actions and, if possible, reports its location and connection parameters. This data is available to the rightful owner (copyright holder) through the web interface on the server or by e-mail.

The described location systems of electronic devices are tuned for control actions. If the device cannot connect to the server for a certain period of time or if a secret action (for example, re-entering the password) has not been performed, the device will automatically lock or execute the configured command. However, such a complication of the device’s functionality can make everyday use difficult.

Figure 3a shows a functional diagram of a system for locating missing electronic devices (prior art). Client 301, shown in the form of a circle with a dotted border, is an electronic device on which a software module is installed connected to the central server 310. Connection is made automatically when the device enters the Internet 320. This client 301 checks the lists of identifiers of missing devices and compares them with their parameters. If a match is found, the client collects information about the connection and location and sends data to the server or directly to the user's contact. The user's contacts are stored in account 312 in the database of accounts 311. The identifiers of registered devices belonging to the user are also collected there. In the event of a device loss, the client 301 marks the corresponding entry in the account 312 and the black list is replenished, after which the user waits for his device to go online and send a location message. The blacklist contains entries for device identifiers marked as lost / stolen.

Such a system architecture has significant drawbacks. On figa, the numbers 303 indicate the devices that were registered in the central server, but after the theft, access to the Internet 320 was blocked or limited, the software was removed or a partial replacement of technical components was made, making it impossible to identify the device. Thus, devices with no or limited software module are not able to send location data to the user.

The location process depends on the configuration of the device. The easiest way to determine your location is to launch a satellite navigation system (GLONASS or GPS). If there is no satellite navigation module on the device, you can determine the location with a higher error. If the device has a mobile communication module (GSM), then the location is determined by measuring the signal level received from the 3 nearest signal relay stations. Thus, it is possible to determine the location of the mobile device in space relative to these stations.

The third known way to trace the location of the device is the network address when connected to the Internet 320. Only the external gateway address is available for tracing, while the local address of the computer remains unknown. This restriction imposes a large error in determining the location of the computer, however, if you know the local address of the computer, you can calculate the place of connection to the network by contacting the provider to which the external network address is registered (the address is accessible from outside the network when the device is connected to the Internet).

There are also other well-known services that allow you to determine the location of the connected device. They work as follows. First, the coordinates of the access points are collected, for example, using user devices with navigation - during connection to the access point, coordinates obtained using GPS or GLONASS are recorded. This information is stored on the server, and the location of all devices connected to this access point will be determined by the stored coordinates. The accuracy of determination in this case is less than using navigation tools, but significantly more than tracing an external network address.

Figure 3b shows a functional diagram of a location system for missing electronic devices using community resources. The system consists of a central server 310 and clients 302 connected to it. Clients 302 are computer devices with installed software modules and the ability to connect to the server via wired and wireless data channels via the Internet. This example implementation uses the TCP / IP stack as the connection standard.

The central server 310 stores information about user devices in the database of accounts 311. Access to a personal account is obtained, for example, through the web interface:

the user logs in to the server and indicates the identifiers of his device, the description of which is given earlier. Thus, the device is registered in the system for detecting missing electronic devices. In addition to identifiers, the database of accounts 311 contains information 312 about the user's contacts, for example, an email address, phone number or number for quick messaging. This information is stored in conjunction with devices, thereby determining the affiliation of a computer or mobile device and a user who can be contacted in this way.

When a user detects the loss or theft of a device that has been registered in an account, he marks it by re-authorizing on the service from any computer connected to the Internet 320. Immediately after that, the system is activated and begins to perform its basic functions of finding a device. Prior to this stage, the system is a standard solution of this kind, described earlier. A distinctive feature of the present invention is the interaction of clients 302 connected to the server with each other and other electronic devices 303 located with clients in a common local area network (LAN) 330.

All previous technologies allowed detecting the device only if the memory was not formatted or programs were not deleted and the operating system was reinstalled.

Consider the principle of the system for determining the location of missing electronic devices, which allows you to find a stolen device, even when the installed software module on it has been removed or blocked.

On figb shows six devices with identifiers ID1 and ID2 302, ID5-8 303. In this case, the devices ID1 and ID2 302 have installed software module that connects to the server. Suppose that the user of ID5 303 has marked it as lost and needs to be found. In this case, information containing lists of identifiers of stolen (registered) devices is downloaded from server 310 to connected clients 302. In this example, physical addresses of network interfaces (MAC addresses) are used as identifiers. After the clients 302 received black lists of MAC addresses, they search for these devices in the local network 330 and in the history of their connections.

Consider the search process in more detail: active and passive device searches are possible. In order to detect devices 303 with the specified MAC address in the network, the condition (for the considered embodiment) must be met - these devices must be in the same segment of the local network. Further, several solutions are possible for determining the MAC addresses on the network. The first option is to send an ARP request, which returns the value of the physical address corresponding to the network address. This option involves actively scanning the subnet by sorting network addresses by the network mask and sending a request to each address. It is also possible to search for connected IP addresses by broadcast request and then find out its MAC address at each address. The disadvantage of this method is that the desired computer at the time of the search may be turned off or not connected to the network. The elimination of this drawback is implemented by periodically scanning the network, but then the load on the switching network increases. That is why, before starting an active scan, it is necessary to search for existing connections. During data transmission within one segment, network packets contain information about MAC addresses, which is stored in the ARP table (Windows OS). Figure 4 shows an example of an ARP table. It shows the physical addresses of 402 devices that were connected to the computer or with which it was connected (the connection involves the transmission of data packets) through the network interface 401. This table is an embedded resource of the operating system, so the program module may additionally contain a logging facility in which physical addresses of connected devices and connection time. This log may contain more information, given the possibility of connecting the device to several local networks at once. Verification of the identifier upon the fact of connection with the device, without sending a special request, is called passive scanning and to a lesser extent loads communication tools. The optimal operation of the client when searching for a device combines both active and passive modes.

Client 302, shown in FIG. 3b as a circle with two borders, indicates a device that is registered on the server and connected to the server. Other devices 303 (circles with one border) are computers or mobile devices that are in the same segment with the client.

Consider an example in which device ID1 302 is connected to a LAN 330, in which it is in the same segment as computers ID5 and ID6 303. By connecting to a central server 310, client 302 downloads a blacklist of MAC addresses. First of all, the client checks to see if there are any entries in the blacklist 312 with its identifier. If such a record is found, the program module performs predefined actions, if possible determines the location and sends the collected information to its full user. The likelihood of such an outcome is very small, since it is possible if the attacker went online to the Internet 320 without changing the software and hardware configuration of the computer 302.

Suppose the blacklist contains record 312 with ID ID5. This indicates that this device was stolen or found and not returned, while an attacker connected to the local network 330 from this device. Since the ID5 client did not provide location information, it seems that the software module installed on it has been deleted or blocked or access to the Internet is restricted. This means that the ID5 303 device is no longer a client, since it cannot connect to the central server 310. Using previous technologies would not yield search results for this device. This invention allows you to find the device ID5 303 using the client ID1 302. The software module installed on the client 302, after detecting the lost device in the network segment, collects all kinds of information about this device, including local address, discovery time, gateway address, external network address of the network and other Additional information. After the information is received, it is sent to the rightful owner by contact information. In various embodiments, information can be sent from clients 302 directly or through a central server 310, which can thereby keep contact information private from other members of the community.

An external network address allows you to determine the provider, since all real IP addresses are registered, and their issuance is clearly regulated. By contacting the provider and specifying the time and local network address, you can absolutely accurately determine the user of the local network. For this, it is necessary to register in the log all connections on the network and the user's identity, or at least the location of the connection, and, as a rule, providers carry out this activity.

Fig. 5a shows a method for detecting missing electronic devices. Steps 500 to 580 make up the complete system operation cycle, which is repeated until the user marks the device as found or the service license expires, after which it will be excluded from the black list. The number of repetitions can be clearly limited by some predefined number (10-100 alerts). The method for detecting missing electronic devices begins at step 500, where device identifiers are recorded in a central server. Registration involves specifying or automatically reading identifiers and storing data in a user account. In the event of the loss of an electronic device, the user registers the fact of loss / theft of the device or automatically triggers a security rule that records the fact of loss / theft, for example, in case of incorrect password entry, at step 510. The user can interact with the central server through the web -interface. Registration actions for the user can be performed by an operator who knows the data for authorization in the account. After the missing device is marked, the central server at step 520 compiles and downloads a blacklist of identifiers to clients connected to the server. Then clients search for the device in the local network using the identifiers indicated in the list. The search for the given identifiers from the list continues until the device is found or until the blacklist of devices is updated. This step is reflected in step 530. When the missing device is found, the detection time and information necessary to determine the location of this device in step 550 are recorded. An example of this data can be a local address, detection time, and an external network address. If the client contains a GPS module, he can also optionally send his coordinates. The information collected in step 580 is sent to the rightful owner. The message can be sent to a central server, where the user can read it by logging in and logging into his account. Also, the message can be delivered to the user at the specified contacts, for example, an email address or a mobile phone number.

The method can be complicated if local addresses to computers are issued dynamically. In this case, the method is supplemented by step 560 and 570, which are shown in Fig.5b. In case of changes to the device’s connection parameters at step 560 (local network address, computer name on the network, subnet mask, external network address), new data is recorded at step 570 and sent to the user in the same way.

After receiving the message, the user can contact the police or other administrative authorities to carry out search measures based on the received data, which are sufficient to identify the current position of the missing device. After finding the device, the user removes the mark of his loss, and the record is removed from the black list and is no longer involved in searches.

7 is an example of a general purpose computer system, a personal computer or server 20 comprising a central processor 21, a system memory 22, and a system bus 23 that contains various system components, including memory associated with the central processor 21. The system bus 23 is implemented like any bus structure known in the art, which in turn contains a bus memory or a bus memory controller, a peripheral bus and a local bus that is capable of interacting with any other bus architecture. The system memory contains read-only memory (ROM) 24, random access memory (RAM) 25. The main input / output system (BIOS) 26, contains basic procedures that ensure the transfer of information between the elements of the personal computer 20, for example, at the time of loading the operating ROM systems 24.

The personal computer 20 in turn contains a hard disk 27 for reading and writing data, a magnetic disk drive 28 for reading and writing to removable magnetic disks 29, and an optical drive 30 for reading and writing to removable optical disks 31, such as a CD-ROM, DVD -ROM and other optical information carriers. The hard disk 27, the magnetic disk drive 28, the optical drive 30 are connected to the system bus 23 through the interface of the hard disk 32, the interface of the magnetic disks 33 and the interface of the optical drive 34, respectively. Drives and associated computer storage media are non-volatile means of storing computer instructions, data structures, software modules and other data of a personal computer 20.

The present description discloses an implementation of a system that uses a hard disk 27, a removable magnetic disk 29, and a removable optical disk 31, but it should be understood that other types of computer storage media 56 that can store data in a form readable by a computer (solid state drives, flash memory cards, digital disks, random access memory (RAM), etc.) that are connected to the system bus 23 through the controller 55.

Computer 20 has a file system 36 where the recorded operating system 35 is stored, as well as additional software applications 37, other program modules 38, and program data 39. The user is able to enter commands and information into personal computer 20 via input devices (keyboard 40, " the mouse "42). Other input devices (not displayed) can be used: microphone, joystick, game console, scanner, etc. Such input devices are, as usual, connected to the computer system 20 via a serial port 46, which in turn is connected to the system bus, but can be connected in another way, for example, using a parallel port, a game port, or a universal serial bus (USB). A monitor 47 or other type of display device is also connected to the system bus 23 through an interface such as a video adapter 48. In addition to the monitor 47, the personal computer may be equipped with other peripheral output devices (not displayed), such as speakers, a printer, and the like.

The personal computer 20 is capable of operating in a networked environment, using a network connection with another or several remote computers 49. The remote computer (or computers) 49 are the same personal computers or servers that have most or all of the elements mentioned earlier in the description of the creature personal computer 20 shown in Fig.7. Other devices, such as routers, network stations, peer-to-peer devices, or other network nodes may also be present on the computer network.

Network connections can form a local area network (LAN) 50 and a wide area network (WAN). Such networks are used in corporate computer networks, internal networks of companies and, as a rule, have access to the Internet. In LAN or WAN networks, the personal computer 20 is connected to the local area network 50 via a network adapter or network interface 51. When using the networks, the personal computer 20 may use a modem 54 or other means of providing communication with a global computer network such as the Internet. The modem 54, which is an internal or external device, is connected to the system bus 23 via the serial port 46. It should be clarified that the network connections are only exemplary and are not required to display the exact network configuration, i.e. in reality, there are other ways to establish a technical connection between one computer and another.

7 shows a block diagram of a client with one of the possible system configurations. A client feature is the presence of the 701 detection module, which can be made in the form of a hardware add-in built-in or connected to the system board via USB, PCI, COM or another interface. The module can be implemented as a separate user application, software add-in, or system service installed on the client. This module, regardless of its type of implementation, can control communications (Ethernet 711, Wi-Fi 712, WiMAX 713, DSL modem, Bluetooth 721, GSM 722) and navigation modules 731 (GLONASS, GPS).

The detection module stores the local list 702 of identifiers of missing devices, downloaded from the central server 310, and checks whether the entries from list 702 match the network environment of the client (devices available for data transmission using the installed communication tools), client parameters 302 (if client 302 was stolen). In the case when a match is recorded, the detection time and parameters that directly or indirectly determine the geographical location of the found device are recorded. After that, the client 302 sends the data to the central server or the rightful owner by e-mail and continues to track the location of the detected device and search the rest of the blacklist 702. Regardless of the search, the detection module keeps a connection log 703, in which the time fields and the physical addresses of the connected at the appropriate time of the devices and other additional parameters, for example, the number of transmitted network packets, the active connection time received from the device Data Properties. After updating the blacklist 702, the search is carried out primarily in the connection log 703, and only then the active connections are analyzed and the connected networks are scanned.

With the development of technology, more and more data transfer technologies are appearing, which are reflected in public electronic devices, such as smartphones, laptops, communicators. The modern device allows you to connect to various computer networks of several standards at once, thanks to the existing wired and wireless communication modules. More and more laptops and smartphones are equipped with WiMAX (IEEE 802.16) modules, while maintaining the ability to connect via a standard Wi-Fi adapter (IEEE 802.11). Some smartphones, tablets, and most computers are equipped with network cards for connecting to an Ethernet network (IEEE 802.3). This type of connection appeared before the other of the listed standards and has the largest distribution and reliability of the connection.

Given the development trends described, a modern device can go online using several different connections / interfaces at once. Clients can use inactive wireless interfaces to create open networks, in order to lure intruders.

The number of free wireless Internet access points is constantly growing, but at the same time most of them are closed (encrypted), which certainly increases their security, but at the same time reduces their attractiveness and accessibility. An open access point created by the client to scan connected devices for missing items will increase the likelihood of detection and capture of the criminal. At the same time, in order to detect a missing device, it is necessary that it is within the range of the access point. It is not necessary to connect to an open network to identify the device over a wireless network. Thus, in one embodiment, the access point may be closed (secure). Devices on which the Wi-Fi module is installed and it is active (on) can be detected without connecting these devices to any network due to periodic scanning by the wireless module of the wireless connection points within the range of the module. A similar mode of operation is configured in most devices and allows you to quickly get a list of available networks using a broadcast request that is intercepted by the client and allows you to detect the device.

On Fig shows a functional diagram of the client 302 connected to an external network 801 using one of the network interfaces. This network can be a dedicated Internet connection line, home or corporate network, satellite or mobile Internet. This connection 302 may not be active during the considered period of time, but must be restored later for the client to communicate with the central server 310 if a device is blacklisted. If one of the wireless network adapters is inactive during client operation, an open access point is automatically created. An open access point is a network node that allows you to create an unencrypted connection with all devices from which a connection request is received (without specifying a password). It is possible to determine the identifier of the network adapter that has connected over the network already at the connection request and at subsequent moments when exchanging network packets.

By creating an open access point, the client monitors devices 303 that are trying to connect to its network. Due to the fact that clients create new open networks, the coverage area of network environments increases, thereby increasing the number of computers that pass the test, and increasing the detection rate of missing devices. Among the studied devices can be not only computers, but also mobile phones, smartphones, communicators and other portable devices with an adapter for connecting to wireless networks. After the device is discovered from the black list, the client fixes the time and location, which it sends to the central server or the legal owner of the device found. The client can fix the connection parameters of the detected device or its connection parameters, as well as its coordinates, if the client is equipped with a navigation system. In addition, the client can also indicate the type of connection and the signal level received from the device, so that it is possible to assess the distance between them. You can determine the user's location using the methods described earlier, using satellite navigation, tracing a mobile signal or through the provider's address when connecting via the Internet. Depending on the method used, the accuracy of determining the location will vary from half a meter to several hundred meters. The accuracy of the location will be increased if the device is fixed in one period of time by several clients at once.

To detect a device, a client can create a private access point. The system will work, since devices with enabled network interfaces periodically scan networks to determine the list of available access points or available devices, for example, using Bluetooth and Wi-Fi. The broadcast request contains the identifier of the device that makes it. As a result, a client located in the range of the network adapter of the detected device, having received a broadcast request, will be able to determine whether this device is missing.

If the client does not create an access point, then he can listen to the network broadcast himself. In the case of wireless networks, the air channel is the data transmission channel, which allows fixing network traffic. Secure networks encrypt the transmitted data, but device identifiers remain available, which allows you to find missing network devices without having to directly connect a client to it.

In addition to storing accounts, downloading blacklists and collecting data about devices found, the central server also analyzes the data received. In one implementation option, the analysis of the central server is:

in correlation of events in time;

in laying the routes of movement of the device;

in determining the schedule for connecting the device to networks, etc.

The central processor collects data from events related to device identifiers from clients. An event is characterized by the time and location of the device at a specified point in time. Theoretically, the MAC addresses can be the same for several devices (as a result of changing some of them), there is a possibility that the device will be detected by several clients. However, several clients, having discovered a device by the same identifier, can also point to the same device. In the latter case, location accuracy will also increase. It is possible to determine the fact of a false positive or the fact of detecting a missing device in the event of receiving several notifications in one period of time according to logical rules. These rules, for example, can set a valid detection area for multiple devices. The rule may look like “if the devices that discovered the identifier from the blacklist are located within a radius of S kilometers from each other, and the difference in detection time does not exceed S / V hours (at speed V), then combine the device data into an incident related to one device, otherwise consider each event as a separate incident. "

When several device locations are detected at different points in time, it is possible to compose the device path by connecting the points on the coordinate plane in chronological order. Additionally, you can determine and indicate the direction of movement and speed, which will predict the location of the device at the next time.

Like any person, an attacker has a daily routine and can go to a certain network with a given frequency. If the central server detects the frequency of access to a specific network, it is also possible with a certain degree of probability to declare that the device will go to the network according to the calculated schedule. In this case, the central server analyzes the change in the network address, the type of network and other data affecting the accuracy of the forecast.

In conclusion, it should be noted that the information provided in the description are only examples that do not limit the scope of the present invention described by the formula. One skilled in the art will recognize that there may be other embodiments of the present invention consistent with the spirit and scope of the present invention.

Claims (16)

1. A method for determining the location of missing electronic devices, in which:
downloading at least one identifier of a missing device to at least one client from a remote computer;
search for the missing device in the network environment of the client by the loaded identifier of the missing device using at least one client;
determine the location parameters of at least one missing device that was detected by the search. 2. The method according to claim 1, in which the location parameters are at least the geographical coordinates of the missing device. 3. The method according to claim 1, wherein the location parameters are at least the network connection parameters of the missing device. 4. The method according to claim 1, in which the location parameters are at least the geographical coordinates of the client who discovered the missing device. 5. The method according to claim 1, in which the network environment contains at least a network device to which the client is connected. 6. The method according to claim 1, in which the network environment contains at least the network device that the client has created. 7. The method according to claim 1, in which the network environment contains at least devices, information about which is contained in network packets registered with the client. 8. The method according to claim 1, further comprising the step of determining the location parameters of the missing device if they were changed. 9. The method according to claim 1, additionally containing a stage in which the legal owner of the missing device is sent an electronic message containing information about the location of the missing device at the time of detection by the client. 10. The method according to claim 1, additionally containing a stage in which certain location parameters of the missing device are downloaded from the client to the central server. 11. The method according to claim 10, further comprising the step of using the central server to refine certain parameters of the location of the missing device downloaded from at least two clients. 12. The method of claim 10, further comprising the step of using a central server to route a missing device to the location parameters of the missing device as determined by clients. 13. The method according to claim 10, further comprising the step of using the central server to calculate the speed of movement of the missing device by dividing the amount of movement committed by the missing device over a period of time corresponding to the difference in the times the two clients detected this missing device by the value of this period of time. 14. The method according to claim 10, further comprising the step of using a central server to calculate the speed of movement of the missing device by dividing the amount of movement made by the missing device over a period of time corresponding to the difference in time moments of determining one location parameter by one client by the value of this period time. 15. The method of claim 10, further comprising the step of using the central server to evaluate the location parameters of the missing device at a specified point in time after the moment of detection. 16. The method according to claim 10, further comprising the step of sending an electronic message containing information about the location of the missing device at the time of detection using the central server to the rightful owner of the missing device.

Images