Methods and systems for transmitting performance beacons from an embedded device

US 10,270,793 B2
Filed: 05/08/2017
Issued: 04/23/2019
Est. Priority Date: 10/24/2016
Status: Active Grant

First Claim

Patent Images

1. A method for monitoring an execution path of an embedded device, the embedded device including a processor, a network interface, and a data storage device storing firmware of the embedded device, the method comprising:

for each of a plurality of functions that are part of the firmware of the embedded device,(i) executing the function by the processor of the embedded device, wherein prior to the execution of the function, code is inserted into the function, the code configured to initiate a process during which a performance beacon is wirelessly transmitted from the embedded device, and(ii) in response to the function being executed, wirelessly transmitting, by the network interface, the performance beacon from the embedded device, wherein the performance beacon includes an identifier of the embedded device, an identifier of the function, and a time stamp recording a time at which the function was executed;

wirelessly transmitting a plurality of performance beacons from the embedded device to a server;

reconstructing, by the server, an execution path of the embedded device from the plurality of performance beacons;

learning, by a machine learning module hosted on the server, a typical execution path of the embedded device;

comparing, by the server, the reconstructed execution path to the typical execution path of the embedded device; and

if the reconstructed execution path deviates from the typical execution path, notifying, by a notification module hosted on the server, a user that the reconstructed execution path of the embedded device deviates from the typical execution path of the embedded device.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A network sensor, inserted into a mirror port of a network switch or router, may be configured to monitor the network traffic originating from an embedded device. Metadata in the network traffic may be passively extracted by the network sensor and transmitted to a server in order to monitor and analyze the behavior of the embedded device. The server may employ machine learning to distinguish typical behavior of the embedded device from atypical behavior. Further, code may be injected into the firmware of the embedded device, and the code may be programmed to broadcast a performance beacon whenever certain firmware functions are executed. A collection of the performance beacons may be analyzed at the server to reconstruct an execution path of the embedded device, and machine learning may be applied to determine whether the execution path is typical or atypical.

15 Citations

View as Search Results

14 Claims

1. A method for monitoring an execution path of an embedded device, the embedded device including a processor, a network interface, and a data storage device storing firmware of the embedded device, the method comprising:
- for each of a plurality of functions that are part of the firmware of the embedded device,(i) executing the function by the processor of the embedded device, wherein prior to the execution of the function, code is inserted into the function, the code configured to initiate a process during which a performance beacon is wirelessly transmitted from the embedded device, and(ii) in response to the function being executed, wirelessly transmitting, by the network interface, the performance beacon from the embedded device, wherein the performance beacon includes an identifier of the embedded device, an identifier of the function, and a time stamp recording a time at which the function was executed;
  
  wirelessly transmitting a plurality of performance beacons from the embedded device to a server;
  
  reconstructing, by the server, an execution path of the embedded device from the plurality of performance beacons;
  
  learning, by a machine learning module hosted on the server, a typical execution path of the embedded device;
  
  comparing, by the server, the reconstructed execution path to the typical execution path of the embedded device; and
  
  if the reconstructed execution path deviates from the typical execution path, notifying, by a notification module hosted on the server, a user that the reconstructed execution path of the embedded device deviates from the typical execution path of the embedded device.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein the inserted code comprises a code snippet, and execution of the inserted code causes a routine that is stored in a library to be invoked, the routine causing the performance beacon to be wirelessly transmitted.
  - 3. The method of claim 1, wherein the identifier of the embedded device includes a media access control (MAC) address of the embedded device.
  - 4. The method of claim 1, wherein the performance beacon further comprises a program counter value of the processor when the performance beacon was generated.
  - 5. The method of claim 1, wherein the performance beacon further comprises a stack value of the processor when the performance beacon was generated.
  - 6. The method of claim 1, wherein wirelessly transmitting the plurality of performance beacons from the embedded device comprises transmitting the performance beacons in an unencrypted form to a broadcast address of a network using a user datagram protocol (UDP).
  - 7. The method of claim 1, wherein the plurality of functions includes a function that is only executed during a boot process of the embedded device.

8. A system for monitoring an execution path of an embedded device, the system comprising:
- the embedded device including a processor, a network interface, and a data storage device configured to store firmware of the embedded device, the firmware including instructions which when executed by the processor causes the processor to;
  
  for each of a plurality of functions that are part of the firmware of the embedded device,(i) execute the function, wherein prior to the execution of the function, code is inserted into the function, the code configured to initiate a process during which a performance beacon is wirelessly transmitted from the embedded device, and(ii) in response to the function being executed, instruct the network interface to wirelessly transmit the performance beacon from the embedded device, wherein the performance beacon includes an identifier of the embedded device, an identifier of the function, and a time stamp recording a time at which the function was executed; and
  
  transmit a plurality of performance beacons from the embedded device to a server; and
  
  the server configured to;
  
  reconstruct an execution path of the embedded device from the plurality of performance beacons;
  
  learn a typical execution path of the embedded device;
  
  compare the reconstructed execution path to the typical execution path of the embedded device; and
  
  if the reconstructed execution path deviates from the typical execution path, notify a user that the reconstructed execution path of the embedded device deviates from the typical execution path of the embedded device.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The system of claim 8, wherein the inserted code comprises a code snippet, and the execution of the inserted code causes a routine that is stored in a library to be invoked, the routine causing the performance beacon to be wirelessly transmitted.
  - 10. The system of claim 8, wherein the identifier of the embedded device includes a media access control (MAC) address of the embedded device.
  - 11. The system of claim 8, wherein the performance beacon further comprises a program counter value of the processor when the performance beacon was generated.
  - 12. The system of claim 8, wherein the performance beacon further comprises a stack value of the processor when the performance beacon was generated.
  - 13. The system of claim 8, wherein wirelessly transmitting the plurality of performance beacons from the embedded device comprises transmitting the performance beacons in an unencrypted form to a broadcast address of a network using a user datagram protocol (UDP).
  - 14. The system of claim 8, wherein the plurality of functions includes a function that is only executed during a boot process of the embedded device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Senrio Inc.
Original Assignee
Senrio Inc.
Inventors
Ridley, Stephen A.
Primary Examiner(s)
To, Baotran N

Application Number

US15/588,957
Publication Number

US 20180115576A1
Time in Patent Office

715 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/572   Secure firmware programming...

G06N 20/00   Machine learning

G06N 7/01   Probabilistic graphical mod...

H04L 2101/622   Layer-2 addresses, e.g. med...

H04L 41/16   using machine learning or a...

H04L 43/062   related to network traffic

H04L 43/0876   Network utilisation, e.g. v...

H04L 43/106   using time related informat...

H04L 43/50   Testing arrangements

H04L 61/35   involving non-standard use ...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 69/16   Implementation or adaptatio...

H04W 12/12   Detection or prevention of ...

Methods and systems for transmitting performance beacons from an embedded device

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

15 Citations

14 Claims

Specification

Use Cases

Quick Links

Others

Methods and systems for transmitting performance beacons from an embedded device

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

15 Citations

14 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others