Joint anomaly detection across IOT devices
First Claim
1. A method, comprising:
monitoring, at a gateway device, network communications between a plurality of computing devices connected to a network associated with the gateway device;
creating, at the gateway device, a graph, wherein each vertex of the graph represents one of the computing devices connected to the network and each edge of the graph represents network communication that has occurred between the computing devices connected by that edge during a time window;
receiving, from each of the computing devices, a collection of one or more performance metrics observed by that computing device during the time window;
determining, based on the graph and the collections of one or more performance metrics, a respective measure of risk for each of the computing devices for the time window;
determining, from the graph, a clique of computing devices that are linked by edges in the graph;
adjusting the respective measure of risk for the time window for one of the computing devices in the clique based on the measures of risk for the remaining computing devices in the clique; and
in response to determining that a given computing device in the clique is infected with malware based on the respective measure of risk exceeding a threshold, setting an alert flag at the gateway device indicating that the given computing device is infected.
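The claim steps above, carried through end to end as an added Python example; this is illustrative code written for this page, not the patent holder's implementation. The flow records and per-device metrics are constructed, the weighted scoring in `base_risk`, the neighbour-blending rule in `adjust_risk` (a simple stand-in for the CRF inference the abstract describes), the blend factor `alpha` and the threshold `0.6` are all assumptions; the clique step uses a plain Bron-Kerbosch enumeration of maximal cliques, which is only one way to realise "determining, from the graph, a clique".

```python
"""Gateway-side model of the claimed method (added example, not the patent's
own code).  Scoring weights, the clique-blending rule and the threshold are
assumptions standing in for the CRF model named in the abstract."""
from typing import Dict, FrozenSet, Iterable, List, Set, Tuple

# Constructed sample input: (timestamp_s, src, dst) flows observed at the gateway.
FLOWS: List[Tuple[int, str, str]] = [
    (100, "cam-1", "nas-1"),
    (120, "cam-2", "nas-1"),
    (130, "cam-1", "cam-2"),
    (140, "tv-1", "nas-1"),
    (900, "thermostat-1", "tv-1"),  # outside the window used below; must be ignored
]

# Constructed per-device self-reports ("performance metrics") for the same window.
METRICS: Dict[str, Dict[str, float]] = {
    "cam-1":        {"cpu": 0.9, "new_outbound_peers": 12, "dns_qps": 60},
    "cam-2":        {"cpu": 0.8, "new_outbound_peers": 8,  "dns_qps": 40},
    "nas-1":        {"cpu": 0.3, "new_outbound_peers": 1,  "dns_qps": 5},
    "tv-1":         {"cpu": 0.2, "new_outbound_peers": 0,  "dns_qps": 2},
    "thermostat-1": {"cpu": 0.1, "new_outbound_peers": 0,  "dns_qps": 1},
}


def build_graph(flows: Iterable[Tuple[int, str, str]], devices: Iterable[str],
                window: Tuple[int, int]) -> Dict[str, Set[str]]:
    """Vertices: every known device.  Undirected edge: any flow inside [start, end)."""
    start, end = window
    adj: Dict[str, Set[str]] = {d: set() for d in devices}
    for ts, src, dst in flows:
        if not (start <= ts < end) or src == dst:
            continue
        adj.setdefault(src, set()).add(dst)
        adj.setdefault(dst, set()).add(src)
    return adj


def base_risk(m: Dict[str, float]) -> float:
    """Assumed weighted score in [0, 1] from a device's own report."""
    cpu = min(max(m.get("cpu", 0.0), 0.0), 1.0)
    peers = min(m.get("new_outbound_peers", 0) / 10.0, 1.0)
    dns = min(m.get("dns_qps", 0) / 50.0, 1.0)
    return 0.4 * cpu + 0.4 * peers + 0.2 * dns


def maximal_cliques(adj: Dict[str, Set[str]]) -> List[FrozenSet[str]]:
    """Bron-Kerbosch enumeration of maximal cliques (isolated vertices come out as singletons)."""
    found: List[FrozenSet[str]] = []

    def bk(r: Set[str], p: Set[str], x: Set[str]) -> None:
        if not p and not x:
            found.append(frozenset(r))
            return
        for v in list(p):
            bk(r | {v}, p & adj[v], x & adj[v])
            p = p - {v}
            x = x | {v}

    bk(set(), set(adj), set())
    return found


def adjust_risk(risks: Dict[str, float], cliques: List[FrozenSet[str]],
                alpha: float = 0.3) -> Dict[str, float]:
    """Blend each device's own risk with the mean risk of the other members of the
    largest clique it belongs to.  Single pass: neighbours contribute their base risk."""
    adjusted = dict(risks)
    for dev in risks:
        candidates = [c for c in cliques if dev in c and len(c) >= 2]
        if not candidates:
            continue  # no peers in this window, nothing to adjust against
        clique = max(candidates, key=lambda c: (len(c), sorted(c)))
        others = [risks[o] for o in clique if o != dev]
        adjusted[dev] = (1 - alpha) * risks[dev] + alpha * sum(others) / len(others)
    return adjusted


def flag_infected(adjusted: Dict[str, float], threshold: float = 0.6) -> Set[str]:
    """Alert flags the gateway would raise for this window."""
    return {d for d, r in adjusted.items() if r > threshold}


def run_window(flows, metrics, window):
    """Full pipeline for one time window; returns (base, adjusted, flags)."""
    adj = build_graph(flows, metrics.keys(), window)
    base = {d: base_risk(metrics.get(d, {})) for d in adj}
    adjusted = adjust_risk(base, maximal_cliques(adj))
    return base, adjusted, flag_infected(adjusted)


if __name__ == "__main__":
    base, adjusted, flags = run_window(FLOWS, METRICS, (0, 600))
    for d in sorted(adjusted):
        print(f"{d:14s} base={base[d]:.3f} adjusted={adjusted[d]:.3f}")
    print("alert flags:", sorted(flags))
```

With the constructed data the two cameras form a triangle with the NAS; their high own-risk raises the NAS's adjusted score (0.18 to 0.39) without pushing it over the threshold, the thermostat is isolated in the window and keeps its base score, and only the cameras are flagged. The one-pass blend is deliberate: iterating the adjustment would let two already-high peers keep reinforcing each other, which is the kind of feedback a real CRF formulation controls through its potentials rather than a fixed `alpha`.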
1 Assignment
0 Petitions
Accused Products
Abstract
Systems and methods of the present disclosure provide technology to identify when network-connected devices are likely infected with malware. Network communications are monitored during a specific time window and a graph is created for a conditional random field (CRF) model. Vertices of the graph represent devices connected to the network and an edge between two vertices indicates that one or more network communications occurred between the two devices represented by those vertices during the time window. Network devices can report observations about network behavior during the time window and the observations can be used as input for the CRF model. The CRF model can then be used to determine infection-status values for the network devices.
Citations
21 Claims
1. A method, comprising:
monitoring, at a gateway device, network communications between a plurality of computing devices connected to a network associated with the gateway device;
creating, at the gateway device, a graph, wherein each vertex of the graph represents one of the computing devices connected to the network and each edge of the graph represents network communication that has occurred between the computing devices connected by that edge during a time window;
receiving, from each of the computing devices, a collection of one or more performance metrics observed by that computing device during the time window;
determining, based on the graph and the collections of one or more performance metrics, a respective measure of risk for each of the computing devices for the time window;
determining, from the graph, a clique of computing devices that are linked by edges in the graph;
adjusting the respective measure of risk for the time window for one of the computing devices in the clique based on the measures of risk for the remaining computing devices in the clique; and
in response to determining that a given computing device in the clique is infected with malware based on the respective measure of risk exceeding a threshold, setting an alert flag at the gateway device indicating that the given computing device is infected.
Dependent claims: 2, 3, 4, 5, 6, 7
8. A system comprising:
one or more processors; and
a memory storing one or more applications that, when executed on the one or more processors, perform an operation, the operation comprising:
monitoring, at a gateway device, network communications between a plurality of computing devices connected to a network associated with the gateway device,
creating, at the gateway device, a graph, wherein each vertex of the graph represents one of the computing devices connected to the network and each edge of the graph represents network communication that has occurred during a time window between the computing devices connected by that edge,
receiving, from each of the computing devices, a collection of one or more performance metrics observed by that computing device during the time window,
determining, based on the graph and the collections of one or more performance metrics, a respective measure of risk for each of the computing devices for the time window;
determining, from the graph, a clique of computing devices that are linked by edges in the graph;
adjusting the respective measure of risk for the time window for one of the computing devices in the clique based on the measures of risk for remaining computing devices in the clique; and
in response to determining that a given computing device in the clique is infected with malware based on the respective measure of risk exceeding a threshold, setting an alert flag at the gateway device that the given computing device is infected.
Dependent claims: 9, 10, 11, 12, 13, 14
15. One or more non-transitory computer readable storage media encoded with software comprising computer executable instructions and when the software is executed is operable to:
monitor, at a gateway device, network communications between a plurality of computing devices connected to a network associated with the gateway device;
create, at the gateway device, a graph, wherein each vertex of the graph represents one of the computing devices connected to the network and each edge of the graph represents network communication that has occurred during a time window between the computing devices connected by that edge;
receive, from each of the computing devices, a collection of one or more performance metrics observed by that computing device during the time window;
determine, based on the graph and the collections of one or more performance metrics, a respective measure of risk for each of the computing devices for the time window;
determine, from the graph, a clique of computing devices that are linked by edges in the graph;
adjust the respective measure of risk for the time window for one computing device in the clique based on measures of risk for remaining computing devices in the clique; and
in response to determining that a given computing device of the clique is infected with malware based on the respective measure of risk exceeding a threshold, set an alert flag at the gateway device that the given computing device is infected.
Dependent claims: 16, 17, 18, 19, 20, 21
Specification