Network flow control of internet of things (IoT) devices
First Claim
1. A method of controlling network behavior of an Internet of Things (IoT) device, comprising:
receiving a first data set defining a set of one or more network characteristics associated with the IoT device;
associating to each of the one or more of the network characteristics a second data set, wherein the second data set is a set of one or more risk values specified for a particular network characteristic, wherein at least one risk value represents a degree to which a variation from the network characteristic is considered a deviation from an anticipated behavior of the IoT device;
during a given time period, monitoring the IoT device based on the first and second data sets to learn a normal behavior of the IoT device with respect to a given operating environment;
responsive to the monitoring, generating a fingerprint that defines the normal behavior of the IoT device with respect to the given operating environment, wherein the fingerprint is based at least in part on the set of network characteristics and their associated risk values;
converting the fingerprint into a set of one or more network flow rules; and
instantiating the one or more network flow rules in a network boundary control system (NBCS) to thereafter monitor for anomalous behavior associated with the IoT device.
Abstract
A method, apparatus and computer program product for use in monitoring and controlling network behavior of Internet of Things (IoT) devices connected to a network. According to this approach, a set of network characteristics of an IoT device (e.g., as published by the device manufacturer) are assigned various risk values and then monitored over an initial time period to generate a “fingerprint” of the device's network flow. This flow fingerprint is then transformed into one or more flow control rules representing “normal” or abnormal behavior of the IoT device. Preferably, the rules are instantiated into a network boundary control system (NBCS), such as an enterprise router, gateway, or the like, and then enforced, e.g., to generate alerts or other actions when the rules are triggered. The approach enables dynamic and automated threat detection and prevention based on anomalous and/or known-bad behavior.
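The abstract and claim 1 describe a four-stage pipeline: take the device's published network characteristics (first data set), attach a risk value to each (second data set), learn a fingerprint over a baseline window, and convert the fingerprint into flow rules an NBCS can evaluate. The following is an added illustration of that pipeline in Python; it is not code from the patent or its assignee. The characteristic names, risk values, thresholds and `Flow` record layout are hypothetical choices made for the example, and the flow records are constructed (documentation-range addresses), standing in for what a gateway would export. The important operational caveat is visible in `learn_fingerprint`: whatever the device does during the baseline window becomes "normal", so the window must be known clean, and the fingerprint is specific to the device instance and its operating environment.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple


# A flow record as a boundary device (router/gateway) might export it.
@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str
    nbytes: int


# First data set: the characteristics tracked for the device (keyed by the Flow
# field they are read from). Second data set: the risk value per characteristic,
# i.e. how strongly a deviation from it counts as anomalous (hypothetical 0..1
# weights for an illustrative camera; a real deployment takes them from a
# vendor-published profile or policy).
CHARACTERISTICS = ("dst", "dport", "proto", "nbytes")
RISK: Dict[str, float] = {"dst": 0.9, "proto": 0.8, "dport": 0.6, "nbytes": 0.3}
NUMERIC_TOLERANCE = 1.5  # nbytes may exceed the learned maximum by this factor


@dataclass
class Fingerprint:
    device: str
    allowed: Dict[str, Set]   # categorical characteristic -> values seen in baseline
    max_bytes: int            # numeric characteristic -> learned upper bound
    risk: Dict[str, float]


def learn_fingerprint(device: str, baseline: Iterable[Flow]) -> Fingerprint:
    """Learn 'normal' from a baseline window. Assumes the window is clean:
    anything the device does while learning becomes permitted behaviour."""
    allowed: Dict[str, Set] = {c: set() for c in CHARACTERISTICS if c != "nbytes"}
    max_bytes = 0
    for f in baseline:
        if f.src != device:          # only this device's own traffic is learned
            continue
        for c in allowed:
            allowed[c].add(getattr(f, c))
        max_bytes = max(max_bytes, f.nbytes)
    return Fingerprint(device, allowed, max_bytes, dict(RISK))


@dataclass
class FlowRule:
    characteristic: str
    permitted: Set                   # values considered normal (categorical rules)
    risk: float
    numeric_max: Optional[int] = None  # set for the numeric (volume) rule

    def deviates(self, f: Flow) -> bool:
        value = getattr(f, self.characteristic)
        if self.numeric_max is not None:
            return value > self.numeric_max * NUMERIC_TOLERANCE
        return value not in self.permitted


def fingerprint_to_rules(fp: Fingerprint) -> List[FlowRule]:
    """Convert the fingerprint into one rule per characteristic, carrying its risk."""
    rules = [FlowRule(c, vals, fp.risk[c]) for c, vals in fp.allowed.items()]
    rules.append(FlowRule("nbytes", set(), fp.risk["nbytes"], numeric_max=fp.max_bytes))
    return rules


def evaluate(rules: List[FlowRule], f: Flow, alert_at: float = 0.3,
             block_at: float = 1.0) -> Tuple[float, str, List[str]]:
    """NBCS-side enforcement: sum the risk of every deviating characteristic and
    map the score to an action. Returns (score, action, deviating characteristics)."""
    hits = [r for r in rules if r.deviates(f)]
    score = sum(r.risk for r in hits)
    action = "block" if score >= block_at else "alert" if score >= alert_at else "allow"
    return score, action, [r.characteristic for r in hits]


# Constructed sample traffic for a hypothetical camera at 10.0.0.42.
CAMERA = "10.0.0.42"
BASELINE = [
    Flow(CAMERA, "203.0.113.10", 443, "tcp", 12_000),  # uploads to its cloud service
    Flow(CAMERA, "203.0.113.10", 443, "tcp", 15_000),
    Flow(CAMERA, "10.0.0.1", 123, "udp", 76),          # NTP via the local gateway
    Flow(CAMERA, "10.0.0.1", 53, "udp", 90),           # DNS via the local gateway
]
LIVE = [
    Flow(CAMERA, "203.0.113.10", 443, "tcp", 14_000),  # normal upload
    Flow(CAMERA, "203.0.113.10", 443, "tcp", 60_000),  # same endpoint, 4x the volume
    Flow(CAMERA, "198.51.100.7", 6667, "tcp", 500),    # new external host and port
    Flow(CAMERA, "10.0.0.99", 445, "tcp", 2_000),      # lateral movement on the LAN
]


def run_demo() -> List[Tuple[float, str, List[str]]]:
    rules = fingerprint_to_rules(learn_fingerprint(CAMERA, BASELINE))
    return [evaluate(rules, f) for f in LIVE]


if __name__ == "__main__":
    for f, (score, action, why) in zip(LIVE, run_demo()):
        print(f"{f.dst}:{f.dport}/{f.proto} {f.nbytes}B -> {action} (score {score:.1f}, {why})")
```

The risk values do the work the claims describe: a volume excursion alone (low risk) only raises an alert, while a new destination plus a new port (two high-risk deviations) crosses the block threshold. Tune `alert_at` and `block_at` per device class, and re-learn the fingerprint after firmware updates, since legitimate new endpoints would otherwise be blocked.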
17 Citations
20 Claims
1. A method of controlling network behavior of an Internet of Things (IoT) device, comprising:
receiving a first data set defining a set of one or more network characteristics associated with the IoT device;
associating to each of the one or more of the network characteristics a second data set, wherein the second data set is a set of one or more risk values specified for a particular network characteristic, wherein at least one risk value represents a degree to which a variation from the network characteristic is considered a deviation from an anticipated behavior of the IoT device;
during a given time period, monitoring the IoT device based on the first and second data sets to learn a normal behavior of the IoT device with respect to a given operating environment;
responsive to the monitoring, generating a fingerprint that defines the normal behavior of the IoT device with respect to the given operating environment, wherein the fingerprint is based at least in part on the set of network characteristics and their associated risk values;
converting the fingerprint into a set of one or more network flow rules; and
instantiating the one or more network flow rules in a network boundary control system (NBCS) to thereafter monitor for anomalous behavior associated with the IoT device.
Dependent claims 2, 3, 4, 5, 6, 7 (not shown).

8. An apparatus, comprising:
a processor;
computer memory holding computer program instructions executed by the processor to control network behavior of an Internet of Things (IoT) device, the computer program instructions operative to:
receive a first data set defining a set of one or more network characteristics associated with the IoT device;
associate to each of the one or more of the network characteristics a second data set, wherein the second data set is a set of one or more risk values specified for a particular network characteristic, wherein at least one risk value quantifies a degree to which a variation from the network characteristic deviates from an anticipated behavior of the IoT device;
during a given time period, monitor the IoT device based on the first and second data sets to learn a normal behavior of the IoT device with respect to a given operating environment;
responsive to the monitoring, generate a fingerprint that defines normal behavior of the IoT device with respect to the given operating environment, wherein the fingerprint is based at least in part on the set of network characteristics and their associated risk values;
convert the fingerprint into a set of one or more network flow rules; and
instantiate the one or more network flow rules in a network boundary control system (NBCS) to thereafter monitor for anomalous behavior associated with the IoT device.
Dependent claims 9, 10, 11, 12, 13, 14 (not shown).

15. A computer program product in a non-transitory computer readable medium for use in a data processing system to control network behavior of an Internet of Things (IoT) device, the computer program product holding computer program instructions that, when executed by the data processing system, are operative to:
receive a first data set defining a set of one or more network characteristics associated with the IoT device;
associate to each of the one or more of the network characteristics a second data set, wherein the second data set is a set of one or more risk values specified for a particular network characteristic, wherein at least one risk value represents a degree to which a variation from the network characteristic is considered a deviation from an anticipated behavior of the IoT device;
during a given time period, monitor the IoT device based on the first and second data sets to learn a normal behavior of the IoT device with respect to a given operating environment;
responsive to the monitoring, generate a fingerprint that defines the normal behavior of the IoT device with respect to the given operating environment, wherein the fingerprint is based at least in part on the set of network characteristics and their associated risk values;
convert the fingerprint into a set of one or more network flow rules; and
instantiate the one or more network flow rules in a network boundary control system (NBCS) to thereafter monitor for anomalous behavior associated with the IoT device.
Dependent claims 16, 17, 18, 19, 20 (not shown).
Specification