Protecting network devices from suspicious communications

US 10,721,257 B2
Filed: 02/06/2019
Issued: 07/21/2020
Est. Priority Date: 02/11/2015
Status: Active Grant

First Claim

Patent Images

1. An apparatus comprising:

one or more processors; and

memory storing computer executable instructions that, when executed by the one or more processors, cause the apparatus to;

determine, based on monitored communication between a first device and a second device via a network, information associated with expected communication behavior for the first device;

determine, based on the expected communication behavior and based on monitored subsequent communication associated with the first device, a degree of communication deviation;

compare the degree of communication deviation with a first deviation range of a plurality of different deviation ranges, wherein each of the deviation ranges is associated with one or more corresponding communication parameters;

cause, based on the comparing, application of one or more communication parameters to communication of the first device; and

control, based on the application, network access associated with the first device.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

According to some aspects, disclosed methods and systems may comprise generating a profile that is based on monitoring a communication pattern associated with a device. Subsequent communications associated with the device may be monitored. Based on the profile and the subsequent communication, a security status may be associated with the device.

12 Citations

20 Claims

1. An apparatus comprising:
- one or more processors; and
  
  memory storing computer executable instructions that, when executed by the one or more processors, cause the apparatus to;
  
  determine, based on monitored communication between a first device and a second device via a network, information associated with expected communication behavior for the first device;
  
  determine, based on the expected communication behavior and based on monitored subsequent communication associated with the first device, a degree of communication deviation;
  
  compare the degree of communication deviation with a first deviation range of a plurality of different deviation ranges, wherein each of the deviation ranges is associated with one or more corresponding communication parameters;
  
  cause, based on the comparing, application of one or more communication parameters to communication of the first device; and
  
  control, based on the application, network access associated with the first device.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The apparatus of claim 1, wherein the applied one or more communication parameters comprises one or more of:
    - a restriction on a packet size transmitted from the first device;
      
      a restriction on a communication time for the first device;
      
      a restriction on a communication attempt from the first device to another device;
      
      ora restriction on a communication attempt from another device to the first device.
  - 3. The apparatus of claim 1, wherein the instructions, when executed by the one or more processors, cause the apparatus to compare the degree of communication deviation with the first deviation range by comparing the degree of communication deviation with a threshold.
  - 4. The apparatus of claim 1, wherein the instructions, when executed by the one or more processors, cause the apparatus to compare the degree of communication deviation with the first deviation range by comparing an expected size of data packets communicated by the first device with a current size of data packets communicated by the first device.
  - 5. The apparatus of claim 1, wherein the instructions, when executed by the one or more processors, cause the apparatus to compare the degree of communication deviation with the first deviation range by comparing an expected frequency of communications of the first device with a current frequency of communications of the first device.
  - 6. The apparatus of claim 1, wherein the instructions, when executed by the one or more processors, cause the apparatus to compare the degree of communication deviation with the first deviation range by comparing an expected type of communication protocol used by the first device with a current type of communication protocol used by the first device.

7. An apparatus comprising:
- one or more processors; and
  
  memory storing computer executable instructions that, when executed by the one or more processors, cause the apparatus to;
  
  generate, based on detected communication associated with a first device, a historical communication pattern for the first device, wherein the first device is associated with a first network;
  
  determine, based on detected communication associated with the first device, a current communication pattern associated with the first device; and
  
  cause, based on whether the current communication pattern differs from the historical communication pattern by a threshold level, application of one or more communication parameters to communication of the first device.
- View Dependent Claims (8, 9, 10, 11, 12, 13, 14, 15)
- - 8. The apparatus of claim 7, wherein the instructions, when executed by the one or more processors, further cause the apparatus to:
    - determine, from a plurality of communication parameters and based on a degree of deviation between the current communication pattern and the historical communication pattern being within a first deviation range, a first communication parameter,wherein the first communication parameter has fewer restrictions than a second communication parameter associated with a second deviation range.
  - 9. The apparatus of claim 7, wherein the instructions, when executed by the one or more processors, further cause the apparatus to:
    - determine, from a plurality of communication parameters and based on a degree of deviation between the current communication pattern and the historical communication pattern being within a first deviation range, a first communication parameter having fewer restrictions than a second communication parameter associated with a second deviation range;
      
      determine, based on another detected communication associated with the first device, a second degree of deviation between another current communication pattern and the historical communication pattern within the second deviation range; and
      
      cause, based on the second degree of deviation, application of the second communication parameter to further communication of the first device.
  - 10. The apparatus of claim 7, wherein the instructions, when executed by the one or more processors, further cause the apparatus to:
    - determine, from a plurality of parameters and based on a degree of deviation between the current communication pattern and the historical communication pattern being within a first deviation range, a first communication parameter having fewer restrictions than a second communication parameter associated with a second deviation range;
      
      determine, based on a second degree of deviation between the historical communication pattern and another detected communication associated with the first device, a different security status of the first device; and
      
      cause, based on the different security status, application of one or more different communication parameters to communication of the first device, blocking communication to or from the first device, or allowing communication to or from the first device.
  - 11. The apparatus of claim 7, wherein the instructions, when executed by the one or more processors, further cause the apparatus to:
    - determine a communication attempt from a second device to the first device;
      
      determine a security status associated with the second device; and
      
      restrict, based on the security status and on the applied one or more communication parameters, communication associated with the communication attempt.
  - 12. The apparatus of claim 7, wherein the instructions, when executed by the one or more processors, cause the apparatus to cause application of one or more communication parameters to communication of the first device by causing application of the one or more parameters based on whether:
    - a packet size associated with the current communication pattern differs from the historical communication pattern by a first threshold level;
      
      ora frequency of communication associated with the current communication pattern differs from the historical communication pattern by a second threshold level.
  - 13. The apparatus of claim 7, wherein the instructions, when executed by the one or more processors, cause the apparatus to determine a degree of communication deviation based on different weights for a plurality of communication deviation types associated with the first device.
  - 14. The apparatus of claim 7, wherein the instructions, when executed by the one or more processors, further cause the apparatus to:
    - set, based on determining that a sensor type of a second device corresponds to a sensor type of the first device, a security status of the second device by using expected communication behavior for the first device.
  - 15. The apparatus of claim 7, wherein the instructions, when executed by the one or more processors, further cause the apparatus to:
    - update, based on another detected communication associated with the first device, an expected communication behavior of the first device.

16. An apparatus comprising:
- one or more processors; and
  
  memory storing computer executable instructions that, when executed by the one or more processors, cause the apparatus to;
  
  determine, based on monitored communication of a first device and monitored communication of a second device, expected communication behavior of the first device and expected communication behavior of the second device;
  
  determine, based on the expected communication behavior of the first device and expected communication behavior of the second device, a first degree of communication deviation for the first device and a second degree of communication deviation for the second device;
  
  compare the first degree of communication deviation with a first deviation range of a plurality of different deviation ranges and compare the second degree of communication deviation with a second deviation range of the plurality of different deviation ranges, wherein each of the deviation ranges is associated with one or more corresponding communication parameters; and
  
  cause, based on the comparing, application of one or more communication parameters to communication of the first device and application of one or more communication parameters to communication of the second device.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The apparatus of claim 16, wherein a degree of communication deviation within the second deviation range is greater than a degree of communication deviation within the first deviation range.
  - 18. The apparatus of claim 16, wherein the instructions, when executed by the one or more processors, further cause the apparatus to:
    - determine, based on another monitored communication associated with the second device, a third degree of communication deviation within the first deviation range; and
      
      cause, based on the third degree of communication deviation within the first deviation range, application of one or more different communication parameters to communication between the first device and the second device.
  - 19. The apparatus of claim 16, wherein the instructions, when executed by the one or more processors, further cause the apparatus to:
    - determine a first communication attempt from the second device to the first device;
      
      block communication associated with the first communication attempt;
      
      determine, based on another monitored communication associated with the second device, a third degree of communication deviation within the first deviation range;
      
      determine a second communication attempt from the second device to the first device; and
      
      allow, based on a combination of the first degree of communication deviation and the third degree of communication deviation, communication associated with the second communication attempt.
  - 20. The apparatus of claim 16, wherein the instructions, when executed by the one or more processors, further cause the apparatus to:
    - determine the first degree of communication deviation by causing application of a first weight to a communication deviation type; and
      
      determine the second degree of communication deviation by causing application of a second weight, different from the first weight, to the communication deviation type, and wherein the communication deviation type comprises one or more of;
      
      a deviation of a communication packet size;
      
      a deviation of a communication time;
      
      a deviation of a communication frequency; and
      
      a deviation of a communication target device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Comcast Cable Communications LLC (Comcast Corporation)
Original Assignee
Comcast Cable Communications LLC (Comcast Corporation)
Inventors
Poder, James, Francisco, Mark D.
Primary Examiner(s)
Hirl, Joseph P
Assistant Examiner(s)
Gyorfi, Thomas A

Application Number

US16/269,233
Publication Number

US 20200014715A1
Time in Patent Office

531 Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

Protecting network devices from suspicious communications

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

12 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Protecting network devices from suspicious communications

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

12 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links