Network flow control of internet of things (IoT) devices

US 10,673,882 B2
Filed: 01/15/2018
Issued: 06/02/2020
Est. Priority Date: 01/15/2018
Status: Active Grant

First Claim

Patent Images

1. A method of controlling network behavior of an Internet of Things (IoT) device, comprising:

receiving a first data set defining a set of one or more network characteristics associated with the IoT device;

associating to each of the one or more of the network characteristics a second data set, wherein the second data set is a set of one or more risk values specified for a particular network characteristic, wherein at least one risk value represents a degree to which a variation from the network characteristic is considered a deviation from an anticipated behavior of the IoT device;

during a given time period, monitoring the IoT device based on the first and second data sets to learn a normal behavior of the IoT device with respect to a given operating environment;

responsive to the monitoring, generating a fingerprint that defines the normal behavior of the IoT device with respect to the given operating environment, wherein the fingerprint is based at least in part on the set of network characteristics and their associated risk values;

converting the fingerprint into a set of one or more network flow rules; and

instantiating the one or more network flow rules in a network boundary control system (NBCS) to thereafter monitor for anomalous behavior associated with the IoT device.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method, apparatus and computer program product for use in monitoring and controlling network behavior of Internet of Things (IoT) devices connected to a network. According to this approach, a set of network characteristics of an IoT device (e.g., as published by the device manufacturer) are assigned various risk values and then monitored over an initial time period to generate a “fingerprint” of the device'"'"'s network flow. This flow is then transformed into one or more flow control rules representing “normal” or abnormal behavior of the IoT device. Preferably, the rules are instantiated into a network boundary control system (NBCS), such as an enterprise router, gateway, or the like, and then enforced, e.g., to generate alerts or others actions when the rules are triggered. The approach enables dynamic and automated threat detection and prevention based on anomalous and/or known-bad behavior.

17 Citations

20 Claims

1. A method of controlling network behavior of an Internet of Things (IoT) device, comprising:
- receiving a first data set defining a set of one or more network characteristics associated with the IoT device;
  
  associating to each of the one or more of the network characteristics a second data set, wherein the second data set is a set of one or more risk values specified for a particular network characteristic, wherein at least one risk value represents a degree to which a variation from the network characteristic is considered a deviation from an anticipated behavior of the IoT device;
  
  during a given time period, monitoring the IoT device based on the first and second data sets to learn a normal behavior of the IoT device with respect to a given operating environment;
  
  responsive to the monitoring, generating a fingerprint that defines the normal behavior of the IoT device with respect to the given operating environment, wherein the fingerprint is based at least in part on the set of network characteristics and their associated risk values;
  
  converting the fingerprint into a set of one or more network flow rules; and
  
  instantiating the one or more network flow rules in a network boundary control system (NBCS) to thereafter monitor for anomalous behavior associated with the IoT device.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method as described in claim 1 wherein the fingerprint is generated by monitoring network flows associated with the IoT device against the set of network characteristics and their associated risk values.
  - 3. The method as described in claim 1 further including:
    - following instantiation in the NBCS system, monitoring network flows associated with the IoT device using the one or more network flow rules; and
      
      taking a given reporting or mitigation action upon triggering of a network flow rule.
  - 4. The method as described in claim 1 wherein the given time period is a period of time starting from an initial connection of the IoT device.
  - 5. The method as described in claim 1 wherein a given network characteristic is a communication pattern, and wherein the risk values for the communication pattern increase as a percentage deviation from a specified communication pattern increases.
  - 6. The method as described in claim 1 wherein the first data set is received from a source associated with the IoT device, and wherein the risk values in the second data set are specified by an entity associated with a network.
  - 7. The method as described in claim 1 further including publishing the one or more network flow rules.

8. An apparatus, comprising:
- a processor;
  
  computer memory holding computer program instructions executed by the processor to control network behavior of an Internet of Things (IoT) device, the computer program instructions operative to;
  
  receive a first data set defining a set of one or more network characteristics associated with the IoT device;
  
  associate to each of the one or more of the network characteristics a second data set, wherein the second data set is a set of one or more risk values specified for a particular network characteristic, wherein at least one risk value quantifies a degree to which a variation from the network characteristic deviates from an anticipated behavior of the IoT device;
  
  during a given time period, monitor the IoT device based on the first and second data sets to learn a normal behavior of the IoT device with respect to a given operating environment;
  
  responsive to the monitoring, generate a fingerprint that defines normal behavior of the IoT device with respect to the given operating environment, wherein the fingerprint is based at least in part on the set of network characteristics and their associated risk values;
  
  convert the fingerprint into a set of one or more network flow rules; and
  
  instantiate the one or more network flow rules in a network boundary control system (NBCS) to thereafter monitor for anomalous behavior associated with the IoT device.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The apparatus as described in claim 8 wherein the fingerprint is generated by computer program instructions that monitor network flows associated with the IoT device against the set of network characteristics and their associated risk values.
  - 10. The apparatus as described in claim 8 wherein the computer program instructions are further operative:
    - following instantiation in the NBCS system, to monitor network flows associated with the IoT device using the one or more network flow rules; and
      
      to take a given reporting or mitigation action upon triggering of a network flow rule.
  - 11. The apparatus as described in claim 8 wherein the given time period is a period of time starting from an initial connection of the IoT device.
  - 12. The apparatus as described in claim 8 wherein a given network characteristic is a communication pattern, and wherein the risk values for the communication pattern increase as a percentage deviation from a specified communication pattern increases.
  - 13. The apparatus described in claim 8 wherein the first data set is received from a source associated with the IoT device, and wherein the risk values in the second data set are specified by an entity associated with a network.
  - 14. The apparatus as described in claim 8 wherein the computer program instructions are further operative to deliver the one or more network flow rules for consumption by another entity.

15. A computer program product in a non-transitory computer readable medium for use in a data processing system to control network behavior of an Internet of Things (IoT) device, the computer program product holding computer program instructions that, when executed by the data processing system, are operative to:
- receive a first data set defining a set of one or more network characteristics associated with the IoT device;
  
  associate to each of the one or more of the network characteristics a second data set, wherein the second data set is a set of one or more risk values specified for a particular network characteristic, wherein at least one risk value represents a degree to which a variation from the network characteristic is considered a deviation from an anticipated behavior of the IoT device;
  
  during a given time period, monitor the IoT device based on the first and second data sets to learn a normal behavior of the IoT device with respect to a given operating environment;
  
  responsive to the monitoring, generate a fingerprint that defines the normal behavior of the IoT device with respect to the given operating environment, wherein the fingerprint is based at least in part on the set of network characteristics and their associated risk values;
  
  convert the fingerprint into a set of one or more network flow rules; and
  
  instantiate the one or more network flow rules in a network boundary control system (NBCS) to thereafter monitor for anomalous behavior associated with the IoT device.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The computer program product as described in claim 15 wherein the fingerprint is generated by computer program instructions that monitor network flows associated with the IoT device against the set of network characteristics and their associated risk values.
  - 17. The computer program product as described in claim 15 wherein the computer program instructions are further operative:
    - following instantiation in the NBCS system, to monitor network flows associated with the IoT device using the one or more network flow rules; and
      
      to take a given reporting or mitigation action upon triggering of a network flow rule.
  - 18. The computer program product as described in claim 15 wherein the given time period is a period of time starting from an initial connection of the IoT device.
  - 19. The computer program product as described in claim 15 wherein a given network characteristic is a communication pattern, and wherein the risk values for the communication pattern increase as a percentage deviation from a specified communication pattern increases.
  - 20. The computer program product described in claim 15 wherein the first data set is received from a source associated with the IoT device, and wherein the risk values in the second data set are specified by an entity associated with a network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Davis, III, Charles K., Dotson, Chris, Lingafelt, Steven
Primary Examiner(s)
Zand, Kambiz
Assistant Examiner(s)
Shams, Mohammad S

Application Number

US15/871,351
Publication Number

US 20190222594A1
Time in Patent Office

869 Days
Field of Search

726 22
US Class Current
CPC Class Codes

G06N 20/00   Machine learning

G06N 3/088   Non-supervised learning, e....

G06N 5/025   Extracting rules from data

H04L 41/0681   Configuration of triggering...

H04L 41/0816   the condition being an adap...

H04L 41/14   Network analysis or design

H04L 43/026   using flow identification

H04L 43/04   Processing captured monitor...

H04L 43/08   Monitoring or testing based...

H04L 47/10   Flow control; Congestion co...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1433   Vulnerability analysis

H04L 67/02   based on web technology, e....

H04L 67/10   in which an application is ...

H04L 67/12   specially adapted for propr...

Y02D 30/50   in wire-line communication ...

Network flow control of internet of things (IoT) devices

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

17 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

Network flow control of internet of things (IoT) devices

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

17 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others