Authenticating a device based on communication patterns in a group of devices

US 10,623,389 B2
Filed: 05/11/2017
Issued: 04/14/2020
Est. Priority Date: 05/11/2017
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for authentication, comprising operations for:

storing accepted communication patterns representing accepted modes of communication between devices in an internet of things network, wherein each of the accepted communication patterns includes one or more features, wherein each of the accepted communication patterns includes one or more features, and wherein each of the one or more features describes which of the devices are communicating, a type of a communication, when the devices are communicating, a duration of the communication, and a frequency of the communication;

in response to receiving a first communication from a requesting device of the devices,determining whether the first communication matches a communication pattern of the accepted communication patterns;

in response to determining that the first communication matches the communication pattern,generating an authentication score for the requesting device based on how closely the first communication matches with the communication pattern; and

responding to the first communication; and

in response to determining that the first communication does not match the communication pattern, flagging the first communication as an anomaly; and

in response to receiving a second communication from the requesting device,determining whether the authentication score of the requesting device exceeds a threshold; and

in response to determining that the requesting device has the authentication score that exceeds the threshold, responding to the second communication.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Provided are techniques for authenticating a device. Accepted communication patterns representing accepted modes of communication between devices in an internet of things network are stored. In response to receiving a new communication from a requesting device of the devices, it is determined whether the new communication matches at least one of the accepted communication patterns. In response to determining that the new communication matches, there is a response to the new communication. In response to determining that the new communication does not match, flagging the new communication as an anomaly and determining how to process the new communication based on the flagging.

Citations

20 Claims

1. A computer-implemented method for authentication, comprising operations for:
- storing accepted communication patterns representing accepted modes of communication between devices in an internet of things network, wherein each of the accepted communication patterns includes one or more features, wherein each of the accepted communication patterns includes one or more features, and wherein each of the one or more features describes which of the devices are communicating, a type of a communication, when the devices are communicating, a duration of the communication, and a frequency of the communication;
  
  in response to receiving a first communication from a requesting device of the devices,determining whether the first communication matches a communication pattern of the accepted communication patterns;
  
  in response to determining that the first communication matches the communication pattern,generating an authentication score for the requesting device based on how closely the first communication matches with the communication pattern; and
  
  responding to the first communication; and
  
  in response to determining that the first communication does not match the communication pattern, flagging the first communication as an anomaly; and
  
  in response to receiving a second communication from the requesting device,determining whether the authentication score of the requesting device exceeds a threshold; and
  
  in response to determining that the requesting device has the authentication score that exceeds the threshold, responding to the second communication.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The computer-implemented method of claim 1, further comprising operations for:
    - creating a connected communication graph to represent communications between authenticated clusters with a time dimension.
  - 3. The computer-implemented method of claim 1, further comprising operations for:
    - storing anti-communication communication patterns that indicate which devices are blocked from communicating with each other.
  - 4. The computer-implemented method of claim 1, further comprising operations for:
    - determining that a selected device from the devices has been compromised based on at least one of the selected device has changed a kind, a volume, and a frequency of data that the selected device sends.
  - 5. The computer-implemented method of claim 1, further comprising operations for:
    - determining that a selected device from the devices has been compromised based on receiving a same security token from the selected device and from another device.
  - 6. The computer-implemented method of claim 1, further comprising operations for:
    - identifying a new communication pattern of a device from the devices trying to continuously reconnect over a period of time, wherein the new communication pattern indicates that the device has gone rogue.
  - 7. The computer-implemented method of claim 1, further comprising operations for:
    - identifying an infected device from the devices based on a signature of the infected device that comprises an abnormal communication pattern.
  - 8. The computer-implemented method of claim 1, wherein a Software as a Service (SaaS) is configured to perform the operations of the computer-implemented method.

9. A computer program product, the computer program product comprising a computer readable storage medium having program code embodied therewith, the program code executable by at least one processor to perform operations for:
- storing accepted communication patterns representing accepted modes of communication between devices in an internet of things network, wherein each of the accepted communication patterns includes one or more features, wherein each of the accepted communication patterns includes one or more features, and wherein each of the one or more features describes which of the devices are communicating, a type of a communication, when the devices are communicating, a duration of the communication, and a frequency of the communication;
  
  in response to receiving a first communication from a requesting device of the devices,determining whether the first communication matches a communication pattern of the accepted communication patterns;
  
  in response to determining that the first communication matches the communication pattern,generating an authentication score for the requesting device based on how closely the first communication matches with the communication pattern; and
  
  responding to the first communication; and
  
  in response to determining that the first communication does not match the communication pattern, flagging the first communication as an anomaly; and
  
  in response to receiving a second communication from the requesting device,determining whether the authentication score of the requesting device exceeds a threshold; and
  
  in response to determining that the requesting device has the authentication score that exceeds the threshold, responding to the second communication.
- View Dependent Claims (10, 11, 12, 13, 14)
- - 10. The computer program product of claim 9, wherein the program code is executable by at least one processor to perform further operations for:
    - creating a connected communication graph to represent communications between authenticated clusters with a time dimension.
  - 11. The computer program product of claim 9, wherein a Software as a Service (SaaS) is configured to perform the operations of the computer program product.
  - 12. The computer program product of claim 9, wherein the program code is executable by at least one processor to perform further operations for:
    - storing anti-communication communication patterns that indicate which devices are blocked from communicating with each other.
  - 13. The computer program product of claim 9, wherein the program code is executable by at least one processor to perform further operations for:
    - determining that a selected device from the devices has been compromised based on at least one of the selected device has changed a kind, a volume, and a frequency of data that the selected device sends.
  - 14. The computer program product of claim 9, wherein the program code is executable by at least one processor to perform further operations for:
    - determining that a selected device from the devices has been compromised based on receiving a same security token from the selected device and from another device.

15. A computer system, comprising:
- one or more processors, one or more computer-readable memories and one or more computer-readable, tangible storage devices; and
  
  program instructions, stored on at least one of the one or more computer-readable, tangible storage devices for execution by at least one of the one or more processors via at least one of the one or more memories, to perform operations comprising;
  
  storing accepted communication patterns representing accepted modes of communication between devices in an internet of things network, wherein each of the accepted communication patterns includes one or more features, wherein each of the accepted communication patterns includes one or more features, and wherein each of the one or more features describes which of the devices are communicating, a type of a communication, when the devices are communicating, a duration of the communication, and a frequency of the communication;
  
  in response to receiving a first communication from a requesting device of the devices,determining whether the first communication matches a communication pattern of the accepted communication patterns;
  
  in response to determining that the first communication matches the communication pattern,generating an authentication score for the requesting device based on how closely the first communication matches with the communication pattern; and
  
  responding to the first communication; and
  
  in response to determining that the first communication does not match the communication pattern, flagging the first communication as an anomaly; and
  
  in response to receiving a second communication from the requesting device,determining whether the authentication score of the requesting device exceeds a threshold; and
  
  in response to determining that the requesting device has the authentication score that exceeds the threshold, responding to the second communication.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The computer system of claim 15, wherein the operations further comprise:
    - creating a connected communication graph to represent communications between authenticated clusters with a time dimension.
  - 17. The computer system of claim 15, wherein a Software as a Service (SaaS) is configured to perform the operations of the computer system.
  - 18. The computer system of claim 15, wherein the operations further comprise:
    - storing anti-communication communication patterns that indicate which devices are blocked from communicating with each other.
  - 19. The computer system of claim 15, wherein the operations further comprise:
    - determining that a selected device from the devices has been compromised based on at least one of the selected device has changed a kind, a volume, and a frequency of data that the selected device sends.
  - 20. The computer system of claim 15, wherein the operations further comprise:
    - determining that a selected device from the devices has been compromised based on receiving a same security token from the selected device and from another device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Childress, Rhonda L., Gupta, Rahul, Madduri, Hari H., Mukherjee, Maharaj, Ng, Joanna W.
Primary Examiner(s)
Waliullah, Mohammed

Application Number

US15/593,164
Publication Number

US 20180332017A1
Time in Patent Office

1,069 Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/08 for authentication of entit...

H04L 63/1425 Traffic logging, e.g. anoma...

Authenticating a device based on communication patterns in a group of devices

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Authenticating a device based on communication patterns in a group of devices

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links