WO2007096286A1 - A theft detection component - Google Patents

Info

Publication number
WO2007096286A1
Authority
WO
WIPO (PCT)
Prior art keywords
component
computer system
monitoring
theft
message
Prior art date
Application number
PCT/EP2007/051447
Other languages
French (fr)
Inventor
David William Shave-Wall
Original Assignee
International Business Machines Corporation
Priority date
Filing date
Publication date
Application filed by International Business Machines Corporation
Publication of WO2007096286A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04M TELEPHONIC COMMUNICATION
    • H04M11/00 Telephonic communication systems specially adapted for combination with other electrical systems
    • H04M11/04 Telephonic communication systems specially adapted for combination with other electrical systems with alarm systems, e.g. fire, police or burglar alarm systems
    • H04M11/045 Telephonic communication systems specially adapted for combination with other electrical systems with alarm systems, e.g. fire, police or burglar alarm systems using recorded signals, e.g. speech
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/88 Detecting or preventing theft or loss
    • G PHYSICS
    • G08 SIGNALLING
    • G08B SIGNALLING OR CALLING SYSTEMS; ORDER TELEGRAPHS; ALARM SYSTEMS
    • G08B13/00 Burglar, theft or intruder alarms
    • G08B13/02 Mechanical actuation
    • G08B13/14 Mechanical actuation by lifting or attempted removal of hand-portable articles
    • G08B13/1409 Mechanical actuation by lifting or attempted removal of hand-portable articles for removal detection of electrical appliances by detecting their physical disconnection from an electrical system, e.g. using a switch incorporated in the plug connector
    • G08B13/1445 Mechanical actuation by lifting or attempted removal of hand-portable articles with detection of interference with a cable tethering an article, e.g. alarm activated by detecting detachment of article, breaking or stretching of cable

Definitions

  • the invention relates to the field of the detection of theft of computer systems.
  • the invention relates to a method and system for detecting the theft of a computer system by an unauthorised entity and notifying an authorised entity about the theft even if the unauthorised entity has not connected to a network using the stolen computer system.
  • a conventional way for preventing the theft of portable computers has been to use a device, such as a Kensington lock system.
  • the Kensington lock system comprises a six foot cable with a lock at one end and a loop at the other end. By threading the lock-end through the loop, the cable can be secured to a desk leg, bed frame or other immovable object. The lock-end of the cable is then attached to the portable computer by a special slot built into the portable computer.
  • a drawback with the Kensington lock system is that thieves have been known to cut the cable with cable cutters and thus escape with the portable computer. It is also known for the immovable object to be not so immovable: a desk leg can be elevated enough to release the cable loop from the desk leg, thus allowing escape with the portable computer.
  • Computer Sentry Software provides a software application called Cyber Angel, which provides both monitoring and retrieval capabilities. Should any unauthorised person attempt to access the Internet using the personal computer, Cyber Angel will immediately alert the owner via fax or email.
  • Computer Sentry Software also provides an operations centre in which alerts to the owner are used to trace the portable computer's location. After the alert, the software locks the modem port to prevent access to a Corporate LAN and/or the Internet etc.
  • the present invention provides a theft detection component for detecting the theft of a computer system by an unauthorized entity, the theft detection component comprising: a monitoring component for monitoring at least one component of the computer system in order to identify an operating characteristic; a rules engine for determining whether a change has been detected in the operating characteristic and the detected change falling within a monitoring level; and a communication component for communicating with a server to send a message to an entity informing of the theft of the computer system, in response to the detected change falling within the monitoring level.
  • the present invention provides a theft detection component for a computer system which provides for the active monitoring of hardware and software components to determine operating characteristics which in combination indicate the theft of the computer system.
  • the theft detection component allows users to set up monitoring levels.
  • a monitoring level specifies the type of hardware and software component to be monitored and the type of operating characteristics to be detected, for example, the operating system shutting down because the computer's lid is being shut, or an accelerometer detecting motion, the combination of these events indicating that the computer is being stolen.
  • the theft detection component operates in either a passive mode or an active mode. In active mode the theft detection component monitors the hardware and software components specified in the monitoring level. The user places the theft detection component into active mode when the user is away from the computer by, for example, selecting CTRL, ALT, DEL from the computer system's keypad.
  • the theft detection component transmits a message to a server, requesting the server to send a message to an authorised entity informing of the theft of the computer.
  • this advantageously allows the thief to be located before they leave the building, for example, providing a much better chance of getting the computer system back.
  • the authorised entity may be security personnel, for example.
  • where the computer system is combined with an image processing device, such as a camera, the camera is configurable to take a picture or a frame of video footage when the rules engine detects that all the characteristics of the selected monitoring level have been met. The photo or video footage is appended to the message and transmitted to the server for sending to the authorised entity. This provides an advantage in that it will be possible to identify the thief.
  • the theft detection component can either send messages to the server via a LAN connection or, preferably, via a wireless LAN connection through which the computer system can communicate with a server.
  • a message can either be an SMS message or another type of multimedia message format.
  • the theft detection component also comprises software operable on a server.
  • the server side software receives messages from the client side theft detection component, informing the server a) to start receiving messages from the theft detection component and b) to start monitoring the presence of the client computer system on the network.
  • if the server detects that the computer system is not present on the network, the server automatically generates an alert and transmits a message to the authorised entity, informing of the theft of the computer system, hence providing the advantage of overcoming a total loss of network connectivity.
  • the present invention provides a theft detection component for sending a notification of the theft of a computer system, the theft detection component comprising: a receiving component receiving a message from a monitored computer system, the message being received in response to a change being detected in one or more operating characteristics, wherein the detected change falls within a monitoring level, and the message comprising a unique identifier of the computer system; and a lookup component identifying an address associated with the unique identifier to which to communicate a message informing an authorised entity of the theft of the computer system.
  • the present invention provides a method for detecting the theft of a computer system by an unauthorized entity, the method comprising the steps of: monitoring at least one component of the computer system in order to identify an operating characteristic; determining whether the identified operating characteristic falls within a monitoring level; and communicating with a server to send a message to an entity informing of the theft of the computer system, in response to the detected change falling within the monitoring level.
  • the present invention provides a computer program product loadable into the internal memory of a digital computer, comprising software code portions for performing, when said product is run on a computer, to carry out the invention as described above.
  • Figure 1 is a computer system in which the present invention may be embodied
  • Figure 2 is a client/server environment in which the present invention may be embodied
  • FIG. 3 is a block diagram showing a theft detection component of the present invention as residing on a client computer
  • Figure 4 illustrates the categorization of data as stored in the data store
  • FIG. 5 is a block diagram showing a server theft detection component of the present invention.
  • Figure 6 is a flow chart detailing the operational steps of the present invention
  • Figure 7 is a flow chart detailing the operational steps of the theft detection receiving component operable on a server.
  • the computer system 100 may be a lap-top computer, PDA or other personal computing system.
  • a computer system 100 has a central processing unit 101 with primary storage in the form of memory 102 (RAM and ROM).
  • the memory 102 stores program information and data acted on or created by applications.
  • the program information includes the operating system code 115 for the computer system 100 and application code 116 for applications running on the computer system 100.
  • Secondary storage includes optical disk storage 103 and magnetic disk storage 104. Data and program information can also be stored and accessed from the secondary storage.
  • the computer system 100 includes a network connection means 105 for interfacing the computer system 100 to a network such as a local area network (LAN) or the Internet.
  • the computer system 100 also has a wireless network connection means 117.
  • the computer system 100 may also have other external source communication means such as a fax modem or telephone connection.
  • the central processing unit 101 comprises inputs in the form of, as examples, a keyboard 106, a mouse 107, voice input 108, and a scanner 109 for inputting text, images, graphics or the like.
  • Outputs from the central processing unit 101 may include a display means 110, a printer 111, sound output 112 and video output 113, etc.
  • the computer system 100 also comprises a display 110 for displaying outputs from the central processing unit 101.
  • Other types of hardware located within or connected to the computer system 100 comprise a printer 111, a sound card 112 or a video card 113 etc.
  • a computer system 100 may also comprise an accelerometer 118.
  • An accelerometer 118 or a motion detector continually senses system orientation and movement of the computer system 100.
  • One such accelerometer 118 is included in IBM's Active Protection System.
  • the Active Protection System also comprises software for receiving and interpreting data from the accelerometer.
  • the software differentiates between potentially harmful movements and repetitive motion, and signals to the hard drive to stop when a potentially damaging event is predicted, for example, a computer system 100 being dropped from a desk.
  • a computer system 100 as shown in Figure 2 may be connected via a network connection 105, 117 to a server 215 on which applications 116 may be run remotely from the central processing unit 101 which is known in the art as a client/server system 200.
  • the client server system 200 allows client computers 100 to interact with servers 215 across a network 105, 117.
  • a server 215 may be a file server or a web server.
  • the client 100 requests resources from a server 215 and in return the server 215 fetches the requested resource and transmits the requested resource back to the client 100.
  • FIG. 3 shows the theft detection component 300 of the present invention.
  • the theft detection component 300 monitors particular characteristics of the computer system 100. Characteristics of a personal computing device 100 may include: a lid which, when shut, places the operating system 115 into suspend mode; a network cable that, when pulled out of the network socket, stops the computer system from communicating with a server 215; an accelerometer 118 which, on detecting motion based movement, suspends hard drive disk 104 access until a stable situation is detected, in which the hard drive 104 can safely continue its operation; or an on/off switch that, when placed in an off position, shuts down the operating system 115 etc. It will be appreciated by a person skilled in the art that many other operational characteristics may be monitored by the theft detection component and these characteristics are not limited to those described above.
  • the theft detection component 300 continually monitors the above and other characteristics of the computer system 100 in order to determine whether the computer system 100 is being stolen. Once certain characteristics have been detected, for example, the lid being closed and the operating system 115 being instructed to enter shut down mode, a notification is sent to a server 215 and the server 215 sends an authorized entity an SMS message informing the authorized entity of the theft of the computer system 100. It will be appreciated by a person skilled in the art that other types of messages may be sent to an authorised person from the server 215, for example, MMS, email or fax etc.
  • the theft detection component 300 is a module which may be preinstalled on a computer system 100 or can be installed as an add-on component. An additional software component is installed on a server 215 and communicates with the theft detection component 300 installed on the computer system 100.
  • the theft detection component 300 comprises a number of components which interface and interact with each other in order to detect the theft of a computer system 100 and to notify an authorized entity of its theft.
  • the theft detection component 300 comprises the following sub-components, namely, a user interface component 310, a monitoring component 305, a receiving component 315, a communication component 320 and a data store. Each of these components will now be explained in turn.
  • the user interface component 310 allows a user to view and select monitoring levels of the theft detection component 300.
  • a monitoring level 310 specifies one or more hardware 110, 103, 104, 105 or software components 116, 115 to be monitored. There may be many monitoring levels, for example, level 1, level 2, level 3 etc - however only one monitoring level is operable at any one time.
  • Each monitoring level specifies at least one hardware component 110, 103, 104, 105 or software component 116, 115 to be monitored. One example is shown below:
  • Level 1: monitoring the accelerometer 118 for movement.
  • Level 2: monitoring the accelerometer 118 and the operating system 115 for a shut down operation.
  • Level 3: monitoring the accelerometer 118, the operating system 115 and the LAN port for the network cable being unplugged.
  • Each monitoring level may be configured to meet a user's individual requirements or the monitoring levels may be preset.
  • a monitoring level details which components are to be monitored for certain characteristics before the server 215 is alerted to the theft of the computer system 100.
  • the fewer components monitored, the higher the security level.
  • the monitored level can be selected depending on the type of environment the computer system 100 is operable within. For example, in a secure environment, the monitoring level would be set at a lower level of monitoring as opposed to in an insecure environment where the monitoring level would be set at a higher level.
  • the user interface component 310 also requests information from the user (or this may be preset) concerning the TCP/IP address of the server 215 that the information regarding the theft of the computer system 100 should be sent to.
  • the user interface 310 component interfaces with the computer system's operating system 115 to obtain information about the type of computer system 100 that it is operating on and the hardware 110, 103, 104, 105 and software 116, 115 installed on the computer system 100. This allows the user interface component 310 to build a list of hardware 110, 103, 104, 105 and software components 115, 116 suitable for monitoring.
  • the user interface component 310 displays the list such that components from the list are selected to configure a monitoring level.
  • the theft detection component 300 can either be placed in a passive mode of operation or an active mode of operation. In a passive mode the theft detection component 300 does not monitor any of the components, but waits for further instructions.
  • the user interface component 310 transmits a message to the monitoring component 305 to request the monitoring of the components detailed in the selected monitoring level. For example, monitoring the accelerometer, the operating system and the LAN port etc.
  • the monitoring component 305 interfaces with the user interface component 310 and the communication component 320.
  • the monitoring component 305 receives instructions from the user interface component 310 and transmits instructions to a server via the communication component 320.
  • the monitoring component 305 on receipt of an instruction from the user interface component 310 monitors the components detailed in the instruction.
  • the monitoring component 305 is operable with each component's API in order to retrieve information about a component's current status. For example, if the monitoring component 305 is monitoring for a shut down or suspend operation, the monitoring component 305 will send requests to the operating system 115 requesting access to this data.
  • the monitoring component 305 on receipt of an instruction from the user interface component 310 also notifies the server 215 to start receiving messages from the theft detection component 300 i.e. messages requesting the sending of an SMS message to an authorized entity.
  • the monitoring component 305 also requests the server 215 to periodically 'ping' the computer system 100 to detect its presence on the network 105. Detecting the computer system's 100 presence on the network 115 allows the server 215 to send an SMS to an authorized entity even if a network connection no longer exists.
  • the server 215 initially receives a message from the monitoring component 305 stating that a) it is operating in active mode and thus monitoring for the theft of the computer system 100 will now commence, b) the server 215 should expect one or more messages and c) to start periodically checking whether the computer system 100 is connected to the network 115. Given this information, if the server 215 detects that the computer system 100 is not connected to the network 215, while the computer system 200 is in active mode - the server 215 will generate a level 1 alert and automatically send an SMS to an authorized entity.
  • the monitoring component 305 monitors the hardware devices 110, 103, 104, 105 and/or software application 115, 116 detailed in the received instruction every N number of seconds. On detecting a characteristic has occurred with regard to the monitored components, the detected characteristic is notified to a receiving component 315.
  • the receiving component 315 stores the detected characteristic in a data store 325.
  • the data store 325 stores the data in a tree-like structure.
  • the structure is categorized by the date and time.
  • the monitoring component 310 will send a request to the receiving component to add a date stamp to the data store 325.
  • the monitoring component 305 continues monitoring the selected hardware 110, 103, 104, 105 and software 115, 116 in order to detect further operational characteristics, i.e. monitoring the operating system to detect a lid closure event. Once a characteristic 410, 425 is detected, the characteristic 410, 425 is recorded in the data store 325 along with a time stamp 405, 420. The monitoring component 305 continues to monitor and record the detected events 405, 420 in the data store 325 via the receiving component. For example, it monitors the accelerometer detecting motion 415, or the operating system moving into shutdown mode because the lid is being shut 430, or no connection to the network 435.
  • a rules engine 330 is triggered on an event being recorded in the data store 325.
  • the rules engine 330 comprises a number of rules which are able to determine whether the combination of recorded events in the data store 325 is within a time frame which would indicate theft of the computer system 100. For example, if the combination of detected events were all recorded within a time frame of 60 seconds this may indicate the theft of the computer system 100.
  • the monitoring component 305 detects the accelerometer 118 has sensed movement and this event is written to the data store 325.
  • the monitoring component 305 detects the closure of the lid (because the closure of the lid has prompted the operating system 115 to enter 'shutdown mode'), and again this event is written to the data store 325.
  • the rules engine 330 knows which monitoring level the user has set and thus which hardware devices and applications are being monitored for certain characteristics.
  • the monitoring level is a level 2 monitoring level wherein it is the accelerometer and the operating system being monitored.
  • the rules engine 330 detects that the criteria have been met for a level 2 and it is within a sixty second time limit, for example.
  • the rules engine 330 proceeds to generate a message to the communication component 320 for sending to the server 215.
  • the computer system comprises a wireless connection and is not connected to the network via a LAN connection.
  • the user interface component 310 instructs the monitoring component 305 to monitor the accelerometer 118 for any significant movement, to monitor the operating system 115 for the computer system 100 shutting down because of the lid being shut and the power supply being disconnected.
  • the monitoring component 305 at 12:00:02 determines from the accelerometer 118 that movement has been detected.
  • the monitoring component 305 detects from the operating system 115 that the lid has been shut and the operating system 115 has been instructed to shut down.
  • the monitoring component 305 determines that the computer system has lost its main power supply. Each of these events is written to the data store 325 with the time the events were detected.
  • the rules engine 330 parses the data store 325 and determines that each of the events satisfies the requested monitoring level and also occurred within N number of seconds. Hence, the rules engine 330 proceeds to transmit a message to the communication component 320 for sending to the server 215, via a wireless connection 105 on the computer system 100.
  • Example 3
  • the user interface component 310 instructs the monitoring component 305 to monitor the accelerometer 118 for any significant movement, to monitor the operating system 115 for the computer system 100 shutting down because of the lid being shut and the LAN cable being disconnected from the LAN socket.
  • the monitoring component 305 at 12:00:02 determines from the accelerometer 118 that movement has been detected.
  • the monitoring component 305 detects from the operating system 115 the lid has been shut and the operating system 115 has been instructed to shut down.
  • the monitoring component 305 determines that the computer system 100 is no longer connected to the network 105.
  • Each of these events is written to the data store 325 with the time the events were detected.
  • the rules engine 330 parses the data store 325 and determines that the network connection 105 was disconnected at 12:10:05; this parameter is outside N number of seconds and therefore the rules engine 330 continues monitoring for recorded events.
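The rules-engine check described above (every characteristic required by the active monitoring level recorded, and all of them inside one time window) can be sketched as follows. This is an added example, not code from the patent; the event names, the `RulesEngine` class, the 60-second default and the timelines are assumptions modelled on the description's examples.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Characteristic names are assumptions made for this example.
ACCEL_MOTION = "accelerometer_motion"
OS_SHUTDOWN = "os_shutdown_lid_closed"
LAN_UNPLUGGED = "lan_cable_unplugged"

# Levels 1-3 as listed in the description.
MONITORING_LEVELS = {
    1: frozenset({ACCEL_MOTION}),
    2: frozenset({ACCEL_MOTION, OS_SHUTDOWN}),
    3: frozenset({ACCEL_MOTION, OS_SHUTDOWN, LAN_UNPLUGGED}),
}


@dataclass(frozen=True)
class Event:
    kind: str
    at: datetime


def at_time(hhmmss):
    """Build a timestamp on a constructed date from an HH:MM:SS string."""
    return datetime.strptime("2007-01-01 " + hhmmss, "%Y-%m-%d %H:%M:%S")


class RulesEngine:
    """Stand-in for rules engine 330 working over data store 325."""

    def __init__(self, level, window_seconds=60):
        self.required = MONITORING_LEVELS[level]
        self.window = timedelta(seconds=window_seconds)
        self.store = []  # recorded events, in arrival order

    def record(self, event):
        """Store the event, then report whether a theft message is due."""
        self.store.append(event)
        return self.level_met()

    def level_met(self):
        # The newest occurrence of each required characteristic is the
        # only one that can still share a window with the latest event.
        latest = {}
        for ev in self.store:
            if ev.kind in self.required:
                if ev.kind not in latest or ev.at > latest[ev.kind]:
                    latest[ev.kind] = ev.at
        if set(latest) != set(self.required):
            return False  # a required characteristic has not been seen
        spread = max(latest.values()) - min(latest.values())
        return spread <= self.window


def replay(level, events, window_seconds=60):
    """Feed (kind, 'HH:MM:SS') pairs through a fresh engine."""
    engine = RulesEngine(level, window_seconds)
    return [engine.record(Event(kind, at_time(ts))) for kind, ts in events]


# Constructed timelines: all three events within seconds of each other,
# and the case where the cable is unplugged ten minutes later.
IN_WINDOW = [
    (ACCEL_MOTION, "12:00:02"),
    (OS_SHUTDOWN, "12:00:05"),
    (LAN_UNPLUGGED, "12:00:06"),
]
LATE_UNPLUG = [
    (ACCEL_MOTION, "12:00:02"),
    (OS_SHUTDOWN, "12:00:05"),
    (LAN_UNPLUGGED, "12:10:05"),
]

if __name__ == "__main__":
    print("level 3, in window: ", replay(3, IN_WINDOW))
    print("level 3, late unplug:", replay(3, LATE_UNPLUG))
    print("level 2, late unplug:", replay(2, LATE_UNPLUG))
```

Running the same late-unplug timeline at level 2 shows why the level choice matters: the alert fires on the second event, because the LAN port is not part of that level.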
  • the user interface component 310 instructs the monitoring component 305 to monitor the accelerometer 118 for any significant movement, to monitor the operating system 115 for the computer system 100 shutting down because of the lid being shut and the LAN cable being disconnected from the LAN socket.
  • the monitoring component 305 instructs the server 215 to start receiving messages from the computer system 100 and to start detecting the computer system's 100 presence on the network 105.
  • the monitoring component 305 at 13:00:02 determines from the accelerometer 118 that movement has been detected and the hard drive 104 has been placed in a parked position. The event is recorded in the data store 325. At 12:00:05, the monitoring component 305 detects from the operating system 115 that the lid has been shut and the operating system 115 has been instructed to shut down. Again, the event is recorded in the data store 325. At 12:00:06, the monitoring component 305 determines the computer system 100 is no longer connected to the network 105. The event is once again written to the data store 325. The rules engine 330 parses the data store 325 and determines that the criteria for the monitoring level have been met.
  • the computer system 100 does not have a wireless connection 117 in which to transmit a message to the server 215.
  • however, because the server 215 has also been monitoring the computer system 100, the server 215 has detected that the computer system 100 is no longer connected to the network 105, 117. Thus, the server 215 proceeds to send an SMS to an authorized entity.
  • the rules engine 330 takes evasive action when detecting particular events occurring. For example, if the monitoring component 305, via the operating system 115, detects the portable computer's lid being closed, the rules engine 330 transmits a message back to the operating system 115 to instruct the operating system 115 not to move into suspend mode or shut down completely, thus enabling communication to occur between the computer system 100 and the server 215. At this point, via a wireless network connection 117, the receiving component 315 transmits a message to the communication component 320 for sending a message to the server 215 informing of the theft of the computer 100.
  • the message comprises a unique identifier of the computer system 100, for example, the serial number of the computer system 100.
  • the server component 500 comprises a receiving component 505, a look-up component 510, a data store 525, communication component 515 and a messaging component 520.
  • Each of these components interface and interact with each other in order to receive messages from one or more computer systems 100 and to send an SMS or other form of communication in which to notify an authorized entity of the theft of a computer system 100.
  • Each of these components will now be explained.
  • the receiving component 505 receives notifications from the communication component 320 (on the computer system 100) and interfaces with a look-up component 505 in order to determine, from a unique identifier contained within the notification, the number of the authorized person 530 to send an SMS to.
  • the lookup component 510 parses the notification to extract the unique identifier and, using the unique identifier, performs a look-up operation in a data store 525 to locate the number to which to send the SMS, i.e. the SMS number of the authorized person 530.
  • the number is sent to the communication component 515 for generating a notification and sending the notification via a messaging component 520 in the form of an SMS to the authorized entity 530.
  • the receiving component 505 also monitors the network 105 for the presence of one or more computer systems 100. Each computer system 100 registers with the server 215 on selection of active mode by the user.
  • the communication component 320 located on the computer system 100 sends the server 215 a message.
  • the message comprises a unique identifier of the computer system 100 and signifies to the receiving component 505 to start monitoring the computer system 100 for its presence on the network 105.
  • the receiving component 500 periodically 'pings' each registered computer system 100 to detect its presence. If the receiving component 505 'pings' a computer system 100 and no reply is received - the receiving component 505 assumes that the computer system 100 is no longer connected to the network 105. In response to this information the receiving component 505 sends a request to the look-up component.
  • the look-up component 510 using the computer system's 100 unique identifier locates the number to send an SMS message to. Once the authorized entity i.e. security staff, receives the message, the authorised entity can investigate the theft.
  • the computer system 100 comprises a camera 119.
  • the camera 119 takes a picture of the area within the camera's immediate viewpoint. The picture is appended to the message generated by the communication component 320. The message is transmitted to the server 215 for receiving by the receiving component 505.
  • the look-up component 510 performs a lookup in the data store 525 and locates the number to send an MMS message to.
  • the MMS message is generated by the messaging component 520 and the picture is appended to the message, thus providing visual identification of the person who has stolen the computer system 100.
  • the camera may also take video footage and append the video footage to the MMS message etc.
  • the user interface component 310 receives input from a user, such as the hardware 110, 103, 104, 105 and software components 115, 116 to be monitored, the IP address of the server 215 i.e. the server 215 which will send a message to an authorised entity and whether the theft detection component 300 is to operate in active mode or passive mode. If the theft detection component 300 is to operate in active mode, the user interface component 310 transmits a monitoring request to the monitoring component 305.
  • the monitoring component 305 receives the information from the user interface component 310 and sends a request to the server 215 to begin monitoring the computer system 100 on the network 105.
  • the monitoring component 305 begins to monitor the requested hardware 110, 103, 104, 105 and software components 115,116 for certain specified characteristics. As each characteristic is detected, the event is written to a data store 325 by the rules engine 330.
  • the rules engine 330 monitors the data store 325 for further stored events and determines if the characteristics match the requirements of the monitoring level assigned by the user, at step 620. If the stored events do match the monitoring level (and within a specified time limit), a wait action is performed by the rules engine 330, at step 625. Control moves to step 615 and the rules engine 330 waits for further events to be recorded in the data store 325.
  • the rules engine 330 determines that the events do match a monitoring level, the rules engine 330 sends a notification to the communication component 320 for sending to the server 215 at step 630.
  • Figure 7 shows the operational steps of the server 215 of the present invention.
  • the server 215 receives a message from the computer system 100, informing the server 215 that the computer system 100 is in active mode and to start receiving messages from the computer system 100 and to also start monitoring the computer system 100 for its presence on the network 105.
  • the server 215 begins to 'ping' the computer system 100 for its presence on the network 105.
  • the server 215 performs this operation every N number of seconds.
  • the server 215 performs a loop operation until the server 215 no longer detects the computer system's 100 presence on the network 105.
  • control moves to step 710 and the lookup component 510 performs a lookup in the data store 525 and using the computer system's 100 unique id (contained in the message sent to the server 215 at step 700) locates the number in which to send a message to, informing about the theft of the computer system 100.
  • the receiving component 505 receives a message from the computer system's communication component 320.
  • the message requests the receiving component 505 to send a message to the authorised entity.
  • Control moves back to step 710 wherein the lookup component 510 performs a lookup in the data store 525 and using the computer system's unique id (contained in the message sent to the server 215 at step 700) locates the number in which to send a message to, informing about the theft of the computer system 100.

Landscapes

  • Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Hardware Design (AREA)
  • Theoretical Computer Science (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Alarm Systems (AREA)
  • Burglar Alarm Systems (AREA)

Abstract

A theft detection component for detecting the theft of a computer system by an unauthorized entity, the theft detection component comprising: a monitoring component for monitoring at least one component of the computer system in order to identify an operating characteristic; a rules engine for determining whether a change has been detected in the operating characteristic and the detected change falling within a monitoring level; and a communication component for communicating with a server to send a message to an entity informing of the theft of the computer system, in response to the detected change falling within the monitoring level.

Description

A THEFT DETECTION COMPONENT
Field of the Invention
The invention relates to the field of the detection of theft of computer systems. In particular, the invention relates to a method and system for detecting the theft of a computer system by an unauthorised entity and notifying an authorised entity about the theft even if the unauthorised entity has not connected to a network using the stolen computer system.
Background of the Invention
Thefts of computers, particularly portable lap-top computers, are commonplace in many different environments. For example, theft occurs in industrial open plan 'hot desk' environments, where no one works at the same desk for more than a few days and hence no one knows who is sitting next to them, or when the portable computer is left locked in a hotel room etc. It is often not until the owner of the portable computer arrives back at their desk or hotel room etc that the theft is noticed and reported.
A conventional way for preventing the theft of portable computers has been to use a device, such as a Kensington lock system. The Kensington lock system comprises a six foot cable with a lock at one end and a loop at the other end. By threading the lock-end through the loop, the cable can be secured to a desk leg, bed frame or other immovable object. The lock-end of the cable is then attached to the portable computer by a special slot built into the portable computer. A drawback with the Kensington lock system is that it has been known for thieves to cut the cable with cable cutters and thus escape with the portable computer. It is also known for the immovable object to not be so immovable, for example the desk leg being elevated enough to release the cable loop from the desk leg, thus allowing escape with the portable computer.
Another type of system is provided by some software vendors in which theft detection software is installed on the portable computer. The software is designed to protect the data stored on the hard drive. For example, one such software vendor, Computer Sentry Software, provides a software application called Cyber Angel, which provides both monitoring and retrieval capabilities. Should any unauthorised person attempt to access the Internet using the personal computer, Cyber Angel will immediately alert the owner via fax or email. Computer Sentry Software also provides an operations centre in which alerts to the owner are used to trace the portable computer's location. After the alert, the software locks the modem port to prevent access to a Corporate LAN and/or the Internet etc.
A disadvantage with this approach is that if the thief does not connect to the Internet or simply removes the hard drive, the software cannot detect unauthorised use.
Thus there is a need to detect and report the theft of a portable computer to the owner without the need for the thief to access the Internet.
Disclosure of the Invention
Viewed from a first aspect the present invention provides a theft detection component for detecting the theft of a computer system by an unauthorized entity, the theft detection component comprising: a monitoring component for monitoring at least one component of the computer system in order to identify an operating characteristic; a rules engine for determining whether a change has been detected in the operating characteristic and the detected change falling within a monitoring level; and a communication component for communicating with a server to send a message to an entity informing of the theft of the computer system, in response to the detected change falling within the monitoring level.
Advantageously, the present invention provides a theft detection component for a computer system which provides for the active monitoring of hardware and software components to determine operating characteristics which in combination indicate the theft of the computer system. The theft detection component allows users to set up monitoring levels. A monitoring level specifies the type of hardware and software component to be monitored and the type of operating characteristics to be detected, for example, the operating system shutting down because the computer's lid is being shut or an accelerometer detecting motion, the combination of these events indicating that the computer is being stolen. The theft detection component operates in either a passive mode or an active mode. In active mode the theft detection component monitors the hardware and software components specified in the monitoring level. The user places the theft detection component into active mode when the user is away from the computer by, for example, selecting CTRL, ALT, DEL from the computer system's keypad. This advantageously provides active monitoring of certain hardware and software components when the user is not located with their computer system.
On detection of certain characteristics, the theft detection component transmits a message to a server, requesting the server to send a message to an authorised entity informing of the theft of the computer. This advantageously allows the thief to be located before they leave the building, for example, providing a much better chance of getting the computer system back. The authorised entity may be security personnel, for example. If the computer system is combined with an image processing device, such as a camera, the camera is configurable to take a picture or a frame of video footage when the rules engine detects that all the characteristics of the selected monitoring level have been met. The photo or video footage is appended to the message and transmitted to the server for sending to the authorised entity. This provides an advantage in that it will be possible to identify the thief.
The theft detection component can either send messages to the server via a LAN connection or, preferably, the computer system comprises a wireless LAN connection in which the computer system can communicate with a server. A message can either be an SMS message or another type of multimedia message format.
The theft detection component also comprises software operable on a server. The server side software receives messages from the client side theft detection component, informing the server to a) start receiving messages from the theft detection component and b) to start monitoring the presence of the client computer system on the network. In the event the server detects that the computer system is not present on the network, the server automatically generates an alert and transmits a message to the authorised entity, informing of the theft of the computer system, hence providing an advantage of overcoming a total loss of network connectivity.
Viewed from a second aspect, the present invention provides a theft detection component for sending a notification of the theft of a computer system, the theft detection component comprising: a receiving component receiving a message from a monitored computer system, the message being received in response to a change being detected in one or more operating characteristics, wherein the detected changes falls within a monitoring level, and the message comprising a unique identifier of the computer system; and a lookup component identifying an address associated with the unique identifier in which to communicate a message to, the authorised entity informing an entity of the theft of the computer system.
Viewed from a third aspect the present invention provides a method for detecting the theft of a computer system by an unauthorized entity, the method comprising the steps of: monitoring at least one component of the computer system in order to identify an operating characteristic; determining whether the identified operating characteristic falls within a monitoring level; and communicating with a server to send a message to an entity informing of the theft of the computer system, in response to the detected change falling within the monitoring level.
Viewed from a fourth aspect the present invention provides a computer program product loadable into the internal memory of a digital computer, comprising software code portions for performing, when said product is run on a computer, to carry out the invention as described above.
Brief Description of the Drawings
Embodiments of the invention are described below in detail, by way of example only, with reference to the accompanying drawings in which:
Figure 1 is a computer system in which the present invention may be embodied;
Figure 2 is a client/server environment in which the present invention may be embodied;
Figure 3 is a block diagram showing a theft detection component of the present invention as residing on a client computer;
Figure 4 illustrates the categorization of data as stored in the data store;
Figure 5 is a block diagram showing a server theft detection component of the present invention;
Figure 6 is a flow chart detailing the operational steps of the present invention; and
Figure 7 is a flow chart detailing the operational steps of the theft detection receiving component operable on a server.
Detailed Description of the Invention
Referring to Figure 1, a computer system 100 is shown in which a preferred embodiment of the present invention may be implemented. The computer system 100 may be a lap-top computer, PDA or other personal computing system.
A computer system 100 has a central processing unit 101 with primary storage in the form of memory 102 (RAM and ROM). The memory 102 stores program information and data acted on or created by applications. The program information includes the operating system code 115 for the computer system 100 and application code 116 for applications running on the computer system 100. Secondary storage includes optical disk storage 103 and magnetic disk storage 104. Data and program information can also be stored and accessed from the secondary storage.
The computer system 100 includes a network connection means 105 for interfacing the computer system 100 to a network such as a local area network (LAN) or the Internet. The computer system 100 also has a wireless network connection means 117. The computer system 100 may also have other external source communication means such as a fax modem or telephone connection.
The central processing unit 101 comprises inputs in the form of, as examples, a keyboard 106, a mouse 107, voice input 108, and a scanner 109 for inputting text, images, graphics or the like. Outputs from the central processing unit 101 may include a display means 110, a printer 111, sound output 112 and video output 113, etc.
The computer system 100 also comprises a display 110 for displaying outputs from the central processing unit 101. Other types of hardware located within or connected to the computer system 100 comprise a printer 111, a sound card 112 or a video card 113 etc.
A computer system 100 may also comprise an accelerometer 118. An accelerometer 118 or a motion detector continually senses system orientation and movement of the computer system 100. One such accelerometer 118 is included in IBM's Active Protection System. The Active Protection System also comprises software for receiving and interpreting data from the accelerometer. The software differentiates between potentially harmful movements and repetitive motion, and signals to the hard drive to stop when a potentially damaging event is predicted, for example, a computer system 100 being dropped from a desk.
In a distributed system 200 a computer system 100 as shown in Figure 2 may be connected via a network connection 105, 117 to a server 215 on which applications 116 may be run remotely from the central processing unit 101 which is known in the art as a client/server system 200. The client server system 200 allows client computers 100 to interact with servers 215 across a network 105,117. A server 215 may be a file server or a web server. The client 100 requests resources from a server 215 and in return the server 215 fetches the requested resource and transmits the requested resource back to the client 100.
Figure 3 shows the theft detection component 300 of the present invention. The theft detection component 300 monitors particular characteristics of the computer system 100. Characteristics of a personal computing device 100 may include, a lid - which when shut places the operating system 115 into suspend mode, a network cable that when pulled out of the network socket stops the computer system from communicating with a server 215, an accelerometer 118 which, on detecting motion based movement, suspends hard drive disk 104 access until a stable situation is detected, in which the hard drive 104 can safely continue its operation, or an on/off switch that when placed in a off position shuts down the operating system 115 etc. It will be appreciated by a person skilled in the art that many other operational characteristics may be monitored by the theft detection component and these characteristics are not limited to those described above.
The theft detection component 300 continually monitors the above and other characteristics of the computer system 100 in order to determine whether the computer system 100 is being stolen. Once certain characteristics have been detected, for example, the lid being closed and the operating system 115 being instructed to enter shut down mode, a notification is sent to a server 215 and the server 215 sends an authorized entity an SMS message informing the authorized entity of the theft of the computer system 100. It will be appreciated by a person skilled in the art that other types of messages may be sent to an authorised person from the server 215, for example, MMS, email or fax etc. The theft detection component 300 is a module which may be preinstalled on a computer system 100 or can be installed as an add-on component. An additional software component is installed on a server 215 and communicates with the theft detection component 300 installed on the computer system 100.
The theft detection component 300 comprises a number of components which interface and interact with each other in order to detect the theft of a computer system 100 and to notify an authorized entity of its theft.
The theft detection component 300 comprises the following sub-components, namely, a user interface component 310, a monitoring component 305, a receiving component 315, a communication component 320 and a data store. Each of these components will now be explained in turn.
The user interface component 310 allows a user to view and select monitoring levels of the theft detection component 300. A monitoring level 310 specifies one or more hardware 110, 103, 104, 105 or software components 116, 115 to be monitored. There may be many monitoring levels, for example, level 1, level 2, level 3 etc - however only one monitoring level is operable at any one time.
Each monitoring level specifies at least one hardware component 110, 103, 104, 105 or software component 116, 115 to be monitored. One example is shown below:
Level 1: monitoring the accelerometer 118 for movement
Level 2: monitoring the accelerometer 118 and the operating system 115 for a shut down operation.
Level 3: monitoring the accelerometer 118, the operating system 115 and the LAN port for the network cable being unplugged.
Each monitoring level may be configured to meet a user's individual requirements or the monitoring levels may be preset. A monitoring level details which components are to be monitored for certain characteristics before the server 215 is alerted to the theft of the computer system 100. Hence, the fewer components monitored, the higher the security level. Thus the monitoring level can be selected depending on the type of environment the computer system 100 is operable within. For example, in a secure environment, the monitoring level would be set at a lower level of monitoring as opposed to in an insecure environment where the monitoring level would be set at a higher level.
The user interface component 310 also requests information from the user (or this may be preset) concerning the TCP/IP address of the server 215 that the information regarding the theft of the computer system 100 should be sent to.
The user interface 310 component interfaces with the computer system's operating system 115 to obtain information about the type of computer system 100 that it is operating on and the hardware 110, 103, 104, 105 and software 116, 115 installed on the computer system 100. This allows the user interface component 310 to build a list of hardware 110, 103, 104, 105 and software components 115, 116 suitable for monitoring.
The user interface component 310 displays the list such that components from the list are selected to configure a monitoring level.
On the configuration of a monitoring level, the theft detection component 300 can either be placed in a passive mode of operation or an active mode of operation. In a passive mode the theft detection component 300 does not monitor any of the components, but waits for further instructions.
In active mode, the user interface component 310 transmits a message to the monitoring component 305 to request the monitoring of the components detailed in the selected monitoring level. For example, monitoring the accelerometer, the operating system and the LAN port etc.
The monitoring component 305 interfaces with the user interface component 310 and the communication component 320. The monitoring component 305 receives instructions from the user interface component 310 and transmits instructions to a server via the communication component 320.
The monitoring component 305 on receipt of an instruction from the user interface component 310 monitors the components detailed in the instruction. The monitoring component 305 is operable with each component's API in order to retrieve information about a component's current status. For example, if the monitoring component 305 is monitoring for a shut down or suspend operation - the monitoring component 305 will send requests to the operating system 115 requesting access to this data.
The monitoring component 305 on receipt of an instruction from the user interface component 310 also notifies the server 215 to start receiving messages from the theft detection component 300 i.e. messages requesting the sending of an SMS message to an authorized entity. The monitoring component 305 also requests the server 215 to periodically 'ping' the computer system 100 to detect its presence on the network 105. Detecting of the computer system's 100 presence on the network 115 allows the server 215 to send an SMS to an authorized entity even if a network connection no longer exists. This is because the server 215 initially receives a message from the monitoring component 305 stating that a) it is operating in active mode and thus monitoring for the theft of the computer system 100 will now commence, b) the server 215 should expect one or more messages and c) to start periodically checking whether the computer system 100 is connected to the network 115. Given this information, if the server 215 detects that the computer system 100 is not connected to the network 215, while the computer system 200 is in active mode - the server 215 will generate a level 1 alert and automatically send an SMS to an authorized entity.
The monitoring component 305 monitors the hardware devices 110, 103, 104, 105 and/or software application 115, 116 detailed in the received instruction every N number of seconds. On detecting a characteristic has occurred with regard to the monitored components, the detected characteristic is notified to a receiving component 315. The receiving component 315 stores the detected characteristic in a data store 325. The data store 325 stores the data in a tree-like structure.
With reference to Figure 4, an example structure is shown. The structure is categorized by the date and time. When the theft detection component 300 is placed into active mode the monitoring component 310 will send a request to the receiving component to add a date stamp to the data store 325.
The monitoring component 305 continues monitoring the selected hardware 110, 103, 104, 105 and software 115, 116 in order to detect further operational characteristics, i.e. monitoring the operating system to detect a lid closure event. Once a characteristic 410, 425 is detected the characteristic 410, 425 is recorded in the data store 325 along with a time stamp 405, 420. The monitoring component 305 continues to monitor and record the detected events 405, 420 in the data store 325 via the receiving component. For example, it monitors the accelerometer detecting motion 415, or the operating system moving into shutdown mode because the lid is being shut 430 or no connection to the network 435.
A rules engine 330 is triggered on an event being recorded in the data store 325. The rules engine 330 comprises a number of rules which are able to determine whether the combination of recorded events in the data store 325 is within a time frame which would indicate theft of the computer system 100. For example, if the combination of detected events were all recorded within a time frame of 60 seconds this may indicate the theft of the computer system 100. Some example scenarios are as follows:
Example 1
At 12:00 hours the monitoring component 305 detects the accelerometer 118 has sensed movement and this event is written to the data store 325. At 12:00:10, the monitoring component 305 detects the closure of the lid (because the closure of the lid has prompted the operating system 115 to enter 'shutdown mode'), and again this event is written to the data store 325. The rules engine 330 knows which monitoring level the user has set and thus which hardware devices and applications are being monitored for certain characteristics. In this example, the monitoring level is a level 2 monitoring level wherein it is the accelerometer and the operating system being monitored. Hence the rules engine 330 detects that the criteria have been met for a level 2 and it is within a sixty second time limit, for example. The rules engine 330 proceeds to generate a message to the communication component 320 for sending to the server 215.
Example 2
In this example, the computer system comprises a wireless connection and is not connected to the network via a LAN connection.
The user interface component 310 instructs the monitoring component 305 to monitor the accelerometer 118 for any significant movement, to monitor the operating system 115 for the computer system 100 shutting down because of the lid being shut and the power supply being disconnected. The monitoring component 305 at 12:00:02 determines from the accelerometer 118 that movement has been detected. At 12:00:05, the monitoring component 305 detects from the operating system 115 that the lid has been shut and the operating system 115 has been instructed to shut down. At 12:00:10, the monitoring component 305 determines that the computer system has lost its main power supply. Each of these events is written to the data store 325 with the time the events were detected. The rules engine 330 parses the data store 325 and determines that each of the events satisfies the requested monitoring level and also occurred within N number of seconds. Hence, the rules engine 330 proceeds to transmit a message to the communication component 320 for sending to the server 215, via a wireless connection 105 on the computer system 100.
Example 3
The user interface component 310 instructs the monitoring component 305 to monitor the accelerometer 118 for any significant movement, to monitor the operating system 115 for the computer system 100 shutting down because of the lid being shut and the LAN cable being disconnected from the LAN socket.
The monitoring component 305 at 12:00:02 determines from the accelerometer 118 that movement has been detected. At 12:00:05, the monitoring component 305 detects from the operating system 115 that the lid has been shut and the operating system 115 has been instructed to shut down. At 12:10:05, the monitoring component 305 determines that the computer system 100 is no longer connected to the network 105. Each of these events is written to the data store 325 with the time the events were detected. The rules engine 330 parses the data store 325 and determines that the network connection 105 was disconnected at 12:10:05 and thus this parameter is outside N number of seconds and therefore the rules engine 330 continues monitoring for recorded events.
Example 4
The user interface component 310 instructs the monitoring component 305 to monitor the accelerometer 118 for any significant movement, to monitor the operating system 115 for the computer system 100 shutting down because of the lid being shut and the LAN cable being disconnected from the LAN socket. The monitoring component 305 instructs the server 215 to start receiving messages from the computer system 100 and to start detecting the computer system's 100 presence on the network 105.
The monitoring component 305 at 13:00:02 determines from the accelerometer 118 that movement has been detected and the hard drive 104 has been placed in a parked position. The event is recorded in the data store 325. At 12:00:05, the monitoring component 305 detects from the operating system 115 that the lid has been shut and the operating system 115 has been instructed to shut down. Again, the event is recorded in the data store 325. At 12:00:06, the monitoring component 305 determines the computer system 100 is no longer connected to the network 105. The event is once again written to the data store 325. The rules engine 330 parses the data store 325 and determines that the criteria for the monitoring level have been met. However, in this instance, the computer system 100 does not have a wireless connection 117 in which to transmit a message to the server 215. However, because the server 215 has also been monitoring the computer system 100, the server 215 has detected that the computer system 100 is no longer connected to the network 105, 117. Thus, the server 215 continues to send an SMS to an authorized entity.
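The rules-engine check described above, replayed over the events of Examples 1 and 3, is sketched below as an added illustration; it is not code from the patent. The characteristic names, the `replay` helper, the calendar date and the sliding-window interpretation of "within a time frame" are assumptions; the three levels and the sixty second limit come from the description.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Monitoring levels as listed in the description (names are assumed labels).
MONITORING_LEVELS = {
    1: {"accelerometer_motion"},
    2: {"accelerometer_motion", "os_shutdown"},
    3: {"accelerometer_motion", "os_shutdown", "lan_unplugged"},
}


@dataclass(frozen=True)
class Event:
    timestamp: datetime
    characteristic: str


def ev(clock: str, characteristic: str) -> Event:
    """Build an event from an HH:MM:SS time on a constructed date."""
    stamp = datetime.strptime("2007-01-01 " + clock, "%Y-%m-%d %H:%M:%S")
    return Event(stamp, characteristic)


class RulesEngine:
    """Triggered on every recorded event, like rules engine 330."""

    def __init__(self, level: int, window_seconds: int = 60):
        self.required = MONITORING_LEVELS[level]
        self.window = timedelta(seconds=window_seconds)
        self.store: List[Event] = []  # stands in for data store 325

    def record(self, event: Event) -> bool:
        """Store the event; return True if the server should be notified."""
        self.store.append(event)
        return self.matches(event.timestamp)

    def matches(self, now: datetime) -> bool:
        # Only events inside the time window ending at `now` count.
        recent = {
            e.characteristic
            for e in self.store
            if timedelta(0) <= now - e.timestamp <= self.window
        }
        # Every characteristic of the selected level must be present.
        return self.required <= recent


def replay(level: int, events: List[Event]) -> Optional[datetime]:
    """Feed events in order; return when the notification fires, or None."""
    engine = RulesEngine(level)
    for event in events:
        if engine.record(event):
            return event.timestamp
    return None


# Constructed from Example 1: movement at 12:00, lid closure at 12:00:10.
EXAMPLE_1 = [ev("12:00:00", "accelerometer_motion"), ev("12:00:10", "os_shutdown")]

# Constructed from Example 3: the LAN disconnect arrives ten minutes late.
EXAMPLE_3 = [
    ev("12:00:02", "accelerometer_motion"),
    ev("12:00:05", "os_shutdown"),
    ev("12:10:05", "lan_unplugged"),
]

if __name__ == "__main__":
    for name, level, events in [
        ("Example 1, level 2", 2, EXAMPLE_1),
        ("Example 3, level 3", 3, EXAMPLE_3),
        ("Example 3, level 2", 2, EXAMPLE_3),
        ("Example 3, level 1", 1, EXAMPLE_3),
    ]:
        print(name, "->", replay(level, events))
```

Replaying Example 3 at levels 1 and 2 shows the trade-off stated for monitoring levels: with fewer components required, the same events raise the notification earlier.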
The rules engine 330 takes evasive action when detecting particular events occurring. For example, if the monitoring component 305, via the operating system 115, detects the portable computer's lid being closed, the rules engine 330 transmits a message back to the operating system 115 to instruct the operating system 115 to not move into suspend mode or shut down completely, thus enabling communication to occur between the computer system 100 and the server 215. At this point, via a wireless network connection 117, the receiving component 315 transmits a message to the communication component 320 for sending a message to the server 215 informing of the theft of the computer 100. The message comprises a unique identifier of the computer system 100, for example, the serial number of the computer system 100.
Moving on to Figure 5, the server component of the invention is shown.
The server component 500 comprises a receiving component 505, a look-up component 510, a data store 525, communication component 515 and a messaging component 520. Each of these components interface and interact with each other in order to receive messages from one or more computer systems 100 and to send an SMS or other form of communication in which to notify an authorized entity of the theft of a computer system 100. Each of these components will now be explained.
The receiving component 505 receives notifications from the communication component 320 (on the computer system 100) and interfaces with a look-up component 505 in order to determine, from a unique identifier contained within the notification, the number of the authorized person 530 to send an SMS to.
The lookup component 510 parses the notification to extract the unique identifier and using the unique identifier performs a look-up operation in a data store 525 to locate the number to which to send the SMS, i.e. the SMS number of the authorized person 530. The number is sent to the communication component 515 for generating a notification and sending the notification via a messaging component 520 in the form of an SMS to the authorized entity 530.
The receiving component 505 also monitors the network 105 for the presence of one or more computer systems 100. Each computer system 100 registers with the server 215 on selection of active mode by the user. The communication component 320 located on the computer system 100 sends the server 215 a message. The message comprises a unique identifier of the computer system 100 and signifies to the receiving component 505 to start monitoring the computer system 100 for its presence on the network 105. The receiving component 500 periodically 'pings' each registered computer system 100 to detect its presence. If the receiving component 505 'pings' a computer system 100 and no reply is received - the receiving component 505 assumes that the computer system 100 is no longer connected to the network 105. In response to this information the receiving component 505 sends a request to the look-up component. The look-up component 510, using the computer system's 100 unique identifier locates the number to send an SMS message to. Once the authorized entity i.e. security staff, receives the message, the authorised entity can investigate the theft.
In another embodiment the computer system 100 comprises a camera 119. When the theft detection component 300 operates in active mode, and the rules engine 330 detects characteristics as stipulated by a monitoring level, the camera 119 takes a picture of the area within the camera's immediate viewpoint. The picture is appended to the message generated by the communication component 320. The message is transmitted to the server 215 for receiving by the receiving component 505. The look-up component 510 performs a lookup in the data store 525 and locates the number to send an MMS message to. The MMS message is generated by the messaging component 520 and the picture is appended to the message - thus providing visual identification of the person who stole the computer system 100. The camera may also take video footage and append the video footage to the MMS message etc.
Referring to Figure 6, the operational steps of the invention are shown. At step 600, the user interface component 310 receives input from a user, such as the hardware 110, 103, 104, 105 and software components 115, 116 to be monitored, the IP address of the server 215, i.e. the server 215 which will send a message to an authorised entity, and whether the theft detection component 300 is to operate in active mode or passive mode. If the theft detection component 300 is to operate in active mode, the user interface component 310 transmits a monitoring request to the monitoring component 305. At step 605, the monitoring component 305 receives the information from the user interface component 310 and sends a request to the server 215 to begin monitoring the computer system 100 on the network 105. At step 610, the monitoring component 305 begins to monitor the requested hardware 110, 103, 104, 105 and software components 115, 116 for certain specified characteristics. As each characteristic is detected, the event is written to a data store 325 by the rules engine 330. The rules engine 330 monitors the data store 325 for further stored events and determines if the characteristics match the requirements of the monitoring level assigned by the user, at step 620. If the stored events do match the monitoring level (and within a specified time limit), a wait action is performed by the rules engine 330, at step 625. Control moves to step 615 and the rules engine 330 waits for further events to be recorded in the data store 325. When the rules engine 330 determines that the events do match a monitoring level, the rules engine 330 sends a notification to the communication component 320 for sending to the server 215 at step 630.
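The client-side evaluation of Figure 6 can be sketched as follows. This is an added example, not code from the patent: the monitoring-level table, the characteristic names other than the lid closing, the 30-second time limit, the message fields and the placeholder serial number are all assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Callable, List

# Hypothetical monitoring levels: the characteristics that must all be seen,
# and the time limit (seconds) within which they must occur together.
MONITORING_LEVELS = {
    "low": (frozenset({"lid_closed", "power_unplugged", "network_unplugged"}), 30.0),
    "high": (frozenset({"lid_closed"}), 30.0),
}


@dataclass(frozen=True)
class Event:
    timestamp: float      # seconds, assumed to arrive in time order
    characteristic: str   # e.g. "lid_closed", reported via the operating system


class RulesEngine:
    def __init__(self, serial: str, level: str, send: Callable[[dict], None]):
        self.serial = serial
        self.required, self.time_limit = MONITORING_LEVELS[level]
        self.store: List[Event] = []   # stands in for data store 325
        self.send = send               # stands in for communication component 320
        self.notified = False

    def record(self, event: Event) -> bool:
        """Store one event (step 610), then evaluate (steps 615-630).

        Returns True when this event completed the monitoring level and a
        notification was handed to the communication component.
        """
        self.store.append(event)
        # Drop events that have aged out of the time limit, so an old
        # lid-close cannot combine with an unrelated unplug much later.
        self.store = [e for e in self.store
                      if event.timestamp - e.timestamp <= self.time_limit]
        seen = {e.characteristic for e in self.store}
        if self.notified or not self.required <= seen:
            return False               # keep waiting for further events
        self.notified = True
        self.send({"type": "theft", "id": self.serial})
        return True


def run_constructed_trace(level: str = "low") -> List[dict]:
    """Replay a constructed event trace and return the messages sent."""
    sent: List[dict] = []
    engine = RulesEngine("SERIAL-PLACEHOLDER", level, sent.append)
    trace = [(0, "lid_closed"), (100, "power_unplugged"),
             (110, "network_unplugged"), (120, "lid_closed")]
    for ts, name in trace:
        engine.record(Event(float(ts), name))
    return sent
```

In the constructed trace the first lid-close has aged out by the time the cables are unplugged, so the "low" level only fires on the second lid-close at t=120.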
Figure 7 shows the operational steps of the server 215 of the present invention. At step 700, the server 215 receives a message from the computer system 100 informing the server 215 that the computer system 100 is in active mode, and requesting it to start receiving messages from the computer system 100 and to start monitoring the computer system 100 for its presence on the network 105.
At step 705, the server 215 begins to 'ping' the computer system 100 for its presence on the network 105. The server 215 performs this operation every N seconds. The server 215 performs a loop operation until the server 215 no longer detects the computer system's 100 presence on the network 105. At this point, control moves to step 710 and the lookup component 510 performs a lookup in the data store 525 and, using the computer system's 100 unique id (contained in the message sent to the server 215 at step 700), locates the number to send a message to, informing about the theft of the computer system 100.
At step 715 the receiving component 505 receives a message from the computer system's communication component 320. The message requests the receiving component 505 to send a message to the authorised entity. Control moves back to step 710 wherein the lookup component 510 performs a lookup in the data store 525 and, using the computer system's unique id (contained in the message sent to the server 215 at step 700), locates the number to send a message to, informing about the theft of the computer system 100.
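The server flow of Figure 7 (registration, the ping loop, the look-up and the notification) is shown below as an added example; it is not code from the patent. The message fields "type" and "id", the injected ping function, the identifiers and the phone numbers are constructed for illustration, and the SMS is queued in a list rather than sent.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple


@dataclass
class TheftServer:
    directory: Dict[str, str]          # data store 525: identifier -> number
    ping: Callable[[str], bool]        # True if the system replied; injected
    monitored: Set[str] = field(default_factory=set)
    outbox: List[Tuple[str, str]] = field(default_factory=list)  # (number, text)

    def lookup(self, system_id: str) -> str:
        """Step 710: look-up component 510 resolves the number to notify."""
        if system_id not in self.directory:
            raise LookupError(f"no authorised entity recorded for {system_id!r}")
        return self.directory[system_id]

    def notify(self, system_id: str, reason: str) -> None:
        """Components 515/520: build the notification and queue the SMS."""
        self.outbox.append((self.lookup(system_id),
                            f"Possible theft of {system_id}: {reason}"))

    def receive(self, message: dict) -> None:
        """Steps 700 and 715: handle a message from a computer system."""
        system_id = message["id"]
        if message["type"] == "register":      # active mode selected
            self.lookup(system_id)             # reject ids we cannot notify for
            self.monitored.add(system_id)
        elif message["type"] == "theft":       # rules engine matched
            self.notify(system_id, "reported by the computer system")
        else:
            raise ValueError(f"unknown message type {message['type']!r}")

    def poll_once(self) -> List[str]:
        """Step 705, one pass of the loop run every N seconds."""
        missing = [s for s in sorted(self.monitored) if not self.ping(s)]
        for system_id in missing:
            self.notify(system_id, "no reply to ping")
            self.monitored.discard(system_id)  # loop ends for this system
        return missing


def run_constructed_scenario() -> List[Tuple[str, str]]:
    online = {"SN-A", "SN-B"}                  # constructed identifiers
    server = TheftServer({"SN-A": "+10000000001", "SN-B": "+10000000002"},
                         ping=lambda s: s in online)
    server.receive({"type": "register", "id": "SN-A"})
    server.receive({"type": "register", "id": "SN-B"})
    server.poll_once()                         # both reply: nothing sent
    online.discard("SN-B")                     # SN-B leaves the network
    server.poll_once()                         # SMS queued for SN-B
    server.poll_once()                         # no duplicate SMS
    server.receive({"type": "theft", "id": "SN-A"})
    return server.outbox
```

Because a single missed ping is treated as loss of presence, as the description states, any ordinary network dropout produces the same notification as a theft.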

Claims

1. A theft detection component for detecting the theft of a computer system by an unauthorized entity, the theft detection component comprising:
a monitoring component for monitoring at least one component of the computer system in order to identify an operating characteristic;
a rules engine for determining whether a change has been detected in the operating characteristic and the detected change falling within a monitoring level; and
a communication component for communicating with a server to send a message to an entity informing of the theft of the computer system, in response to the detected change falling within the monitoring level.
2. A theft detection component as claimed in claim 1 wherein the monitoring of the at least one component comprises monitoring a hardware component.
3. A theft detection component as claimed in claim 1 or claim 2 wherein the monitoring of the at least one component comprises monitoring a software application.
4. A theft detection component as claimed in claim 1 wherein the rules engine determines whether the identified operational characteristic of the at least one monitored components occurred within a predetermined time period.
5. A theft detection component as claimed in claim 1 wherein the monitoring component interfaces with the computer system's operating system to determine if an operational characteristic has occurred.
6. A theft detection component as claimed in claim 2 wherein the hardware component is a camera and the camera is operable for taking a picture of the camera's immediate viewpoint on detection by the rules engine of the computer system being stolen.
7. A theft detection component as claimed in claim 6, wherein the picture is appended to the message and sent to the server for transmitting to an authorised entity.
8. A theft detection component as claimed in any preceding claim wherein the message is a SMS message.
9. A theft detection component as claimed in any preceding claim wherein the message is of a multimedia type message.
10. A theft detection component for sending a notification of the theft of a computer system, the theft detection component comprising:
a receiving component receiving a message from a monitored computer system, the message being received in response to a change being detected in one or more operating characteristics, wherein the detected changes falls within a monitoring level, and the message comprising a unique identifier of the computer system; and
a lookup component identifying an address associated with the unique identifier in which to communicate a message to, the authorised entity informing an entity of the theft of the computer system.
11. A theft detection component as claimed in claim 10 wherein the receiving component monitors a computer system in order to detect network connectivity.
12. A theft detection component as claimed in claim 10 wherein the receiving component on detection on no network connectivity by the computer system sends a notification to a messaging component for generating a message for sending to an authorised entity.
13. A method for detecting the theft of a computer system by an unauthorized entity, the method comprising the steps of:
monitoring at least one component of the computer system in order to identify an operating characteristic;
determining whether a change has been detected in the operating characteristic and the detected change falling within a monitoring level; and
communicating with a server to send a message to an entity informing of the theft of the computer system, in response to the detected change falling within the monitoring level.
14. A method as claimed in claim 13 wherein the monitoring step further comprises monitoring a hardware component.
15. A method as claimed in claim 13 or claim 14 wherein the monitoring step further comprises monitoring a software application.
16. A method as claimed in claim 13 wherein the determining step further comprises determining whether the operational characteristic of the at least one monitored components occurred within a predetermined time period.
17. A method as claimed in claim 13 wherein the monitoring step is operable with the computer system's operating system to determine if an operational characteristic has occurred.
18. A method as claimed in claim 13 wherein the hardware component is a camera and the camera is operable for taking a picture of the camera's immediate viewpoint on detection by the rules engine of the computer system is being stolen.
19. A method as claimed in claim 18, wherein the picture is appended to the message and sent to the server for transmitting to an authorised entity.
20. A computer program product loadable into the internal memory of a digital computer, comprising software code portions for performing, when said product is run on a computer, to carry out the invention as claimed in claims 13 to 19.
PCT/EP2007/051447 2006-02-25 2007-02-14 A theft detection component WO2007096286A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
GB0603836.8 2006-02-25
GB0603836A GB0603836D0 (en) 2006-02-25 2006-02-25 A theft detection component

Publications (1)

Publication Number Publication Date
WO2007096286A1 true WO2007096286A1 (en) 2007-08-30

Family

ID=36178794

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/EP2007/051447 WO2007096286A1 (en) 2006-02-25 2007-02-14 A theft detection component

Country Status (2)

Country Link
GB (1) GB0603836D0 (en)
WO (1) WO2007096286A1 (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO1998043151A1 (en) * 1997-03-24 1998-10-01 Absolute Software Corporation Method and apparatus to monitor and locate an electronic device using a secured intelligent agent via a global network
WO2000075756A1 (en) * 1999-06-02 2000-12-14 Gretech Co., Ltd. Antitheft apparatus and method for portable electronic device
WO2001037236A1 (en) * 1999-11-11 2001-05-25 Caveo Technology, Llc Theft detection system and method
WO2004042586A1 (en) * 2002-11-06 2004-05-21 Creative Software Solutions Pty Ltd A computer network monitoring method and device
DE10344276A1 (en) * 2003-09-24 2005-05-12 Siemens Ag Telecommunication terminal with room monitoring function e.g. for telecommunications network, has monitoring control unit for controlling MMS-generating unit

Cited By (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20100064379A1 (en) * 2008-09-10 2010-03-11 Tia Manning Cassett Remote Diagnosis of Unauthorized Hardware Change
EP2340523A1 (en) * 2008-09-10 2011-07-06 Absolute Software Corporation Management of communications from stolen devices
EP2340523A4 (en) * 2008-09-10 2012-02-15 Absolute Software Corp Management of communications from stolen devices
US8245315B2 (en) * 2008-09-10 2012-08-14 Qualcomm Incorporated Remote diagnosis of unauthorized hardware change
WO2011063559A1 (en) * 2009-11-24 2011-06-03 华为技术有限公司 Method, apparatus and system for controlling behaviors of machine type communication terminals
CN102449955A (en) * 2009-11-24 2012-05-09 华为技术有限公司 Method, apparatus and system for controlling behaviors of machine type communication MTC terminals
CN102779248A (en) * 2012-06-27 2012-11-14 联想(北京)有限公司 Electronic device and detection method
CN102779248B (en) * 2012-06-27 2015-03-25 联想(北京)有限公司 Electronic device and detection method
WO2014063240A1 (en) * 2012-10-26 2014-05-01 Absolute Software Corporation Device monitoring using multiple servers optimized for different types of communications
CN102932151A (en) * 2012-11-01 2013-02-13 华为技术有限公司 Digital communication device and anti-theft method thereof
EP2728919A1 (en) * 2012-11-01 2014-05-07 Huawei Technologies Co., Ltd. Digital communication device and anti-theft method thereof
EP3819834A1 (en) * 2019-11-05 2021-05-12 Ratiotec GmbH & Co. KG Service area interaction device

Also Published As

Publication number Publication date
GB0603836D0 (en) 2006-04-05

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application
NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 07704582

Country of ref document: EP

Kind code of ref document: A1