METHODS AND SYSTEMS FOR DETECTING ANOMALOUS BEHAVIOR OF NETWORK-CONNECTED EMBEDDED DEVICES

US 20180115574A1
Filed: 10/24/2016
Published: 04/26/2018
Est. Priority Date: 10/24/2016
Status: Active Grant

First Claim

Patent Images

1. A method for monitoring one or more embedded devices communicatively coupled to a first network, the method comprising:

monitoring, by a first network sensor, network traffic on the first network;

inspecting, by the first network sensor, the network traffic so as to distinguish network traffic that is associated with the embedded devices from network traffic that is associated with devices other than the embedded devices;

transmitting, by the first network sensor, metadata from the network traffic associated with the embedded devices to a server;

storing, at the server, the metadata in a first queue associated with the first network sensor; and

for each of the embedded devices communicatively coupled to the first network,(i) building, by a machine learning module hosted on the server, a behavioral profile of the embedded device;

(ii) monitoring, by a behavioral analysis module hosted on the server, a behavior of the embedded device;

(iii) comparing, by the behavioral analysis module, the monitored behavior of the embedded device with a typical behavior of the embedded device as captured in the behavioral profile of the embedded device so as to determine whether the monitored behavior deviated from the typical behavior; and

(iv) if the monitored behavior deviates from the typical behavior, notifying, by a notification module hosted on the server, a user that the monitored behavior of the embedded device deviated from the typical behavior of the embedded device.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A network sensor, inserted into a mirror port of a network switch or router, may be configured to monitor the network traffic originating from an embedded device. Metadata in the network traffic may be passively extracted by the network sensor and transmitted to a server in order to monitor and analyze the behavior of the embedded device. The server may employ machine learning to distinguish typical behavior of the embedded device from atypical behavior. Further, code may be injected into the firmware of the embedded device, and the code may be programmed to broadcast a performance beacon whenever certain firmware functions are executed. A collection of the performance beacons may be analyzed at the server to reconstruct an execution path of the embedded device, and machine learning may be applied to determine whether the execution path is typical or atypical.

42 Citations

View as Search Results

20 Claims

1. A method for monitoring one or more embedded devices communicatively coupled to a first network, the method comprising:
- monitoring, by a first network sensor, network traffic on the first network;
  
  inspecting, by the first network sensor, the network traffic so as to distinguish network traffic that is associated with the embedded devices from network traffic that is associated with devices other than the embedded devices;
  
  transmitting, by the first network sensor, metadata from the network traffic associated with the embedded devices to a server;
  
  storing, at the server, the metadata in a first queue associated with the first network sensor; and
  
  for each of the embedded devices communicatively coupled to the first network,(i) building, by a machine learning module hosted on the server, a behavioral profile of the embedded device;
  
  (ii) monitoring, by a behavioral analysis module hosted on the server, a behavior of the embedded device;
  
  (iii) comparing, by the behavioral analysis module, the monitored behavior of the embedded device with a typical behavior of the embedded device as captured in the behavioral profile of the embedded device so as to determine whether the monitored behavior deviated from the typical behavior; and
  
  (iv) if the monitored behavior deviates from the typical behavior, notifying, by a notification module hosted on the server, a user that the monitored behavior of the embedded device deviated from the typical behavior of the embedded device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18)
- - 2. The method of claim 1, wherein the monitoring of the network traffic by the first network sensor comprises the first network sensor monitoring the network traffic on the first network without the first network sensor transmitting any data onto the first network.
  - 3. The method of claim 1, wherein the one or more embedded devices comprise one or more of a web-cam, point-of-sale devices, networked medical equipment, industrial control and supervisory control devices, networked embedded devices, or other Internet-of-Things (TOT) devices.
  - 4. The method of claim 1, wherein the devices other than the embedded devices comprise personal computers (PCs), laptops, and servers.
  - 5. The method of claim 1, wherein the network sensor is attached to a mirror port of a network switch or a router of the first network, wherein the mirror port comprises a switched port analyzer (SPAN) port, a remote switch port analyzer (RSPAN) or a roving analysis port (RAP).
  - 6. The method of claim 1, wherein the network sensor comprises software installed on a network switch or router of the first network.
  - 7. The method of claim 1, further comprising receiving feedback from the user that the monitored behavior that deviated from the typical behavior is actually normal, and retraining the behavioral profile based on the feedback from the user.
  - 8. The method of claim 1, wherein the network sensor distinguishes the network traffic associated with the one or more embedded devices from the network traffic associated with the devices other than the embedded devices based on one or more of Internet protocol (IP) addresses of the network traffic or media access control (MAC) addresses of the network traffic.
  - 9. The method of claim 1, wherein the network traffic comprises one or more transmission control protocol (TCP)/Internet protocol (IP) packets or user datagram protocol (UDP) packets, and wherein inspecting the network traffic comprises inspecting metadata of the TCP/IP data packets without inspecting a payload of the TCP/IP packets.
  - 10. The method of claim 9, wherein the metadata of the TCP/IP packets comprises one or more of IP addresses, TCP/IP packet length, time stamps, sequence numbers, flags, destination IP addresses, source IP addresses, or media access control (MAC) addresses.
  - 11. The method of claim 1, further comprising:
    - if the monitored behavior deviates from the typical behavior, reporting, by the notification module to the user, the monitored behavior that deviated from the typical behavior.
  - 12. The method of claim 1, wherein only metadata from the network traffic is transmitted from the network sensor to the server.
  - 13. The method of claim 1, further comprising:
    - transmitting performance beacons from a first one of the embedded devices to the server, wherein the transmission of the performance beacons is caused by an execution, by a processor of the first embedded device, of computer code that has been inserted into a plurality of functions that are present in firmware of the first embedded device.
  - 14. The method of claim 13, wherein the performance beacons are relayed from the first embedded device to the server via the first network sensor.
  - 15. The method of claim 13, wherein the performance beacons are transmitted from the first embedded device to the server without passing through the first network sensor.
  - 16. The method of claim 13, wherein the performance beacons are transmitted through a network interface of the first embedded device onto the first network via a first broadcast address of the first network.
  - 17. The method of claim 13, further comprising:
    - reconstructing, by the server, an execution path of the first embedded device based on the performance beacons transmitted by the first embedded device; and
      
      comparing the reconstructed execution path of the first embedded device with a typical execution path of the first embedded device, wherein the typical execution path of the first embedded device is learned over time by the machine learning module.
  - 18. The method of claim 13, wherein the performance beacons comprises one or more of a media access control (MAC) address of the first embedded device, a program counter value of the processor of the first embedded device, a tick count of the processor of the first embedded device, or a stack value of the processor of the first embedded device.

19. A system for monitoring one or more embedded devices communicatively coupled to a first network, the system comprising:
- a network switch;
  
  a network sensor communicatively coupled to the network switch, the network sensor configured to;
  
  monitor network traffic on the first network;
  
  inspect the network traffic so as to distinguish network traffic that is associated with the embedded devices from network traffic that is associated with devices other than the embedded devices; and
  
  transmit metadata from the network traffic associated with the embedded devices to a server; and
  
  a server communicatively coupled to the network sensor, the server configured to;
  
  store the metadata in a first queue associated with the first network sensor; and
  
  for each of the embedded devices communicatively coupled to the first network,(i) build a behavioral profile of the embedded device;
  
  (ii) monitor a behavior of the embedded device;
  
  (iii) compare the monitored behavior of the embedded device with a typical behavior of the embedded device as captured in the behavioral profile of the embedded device so as to determine whether the monitored behavior deviated from the typical behavior; and
  
  (iv) if the monitored behavior deviates from the typical behavior, notify a user that the monitored behavior of the embedded device deviated from the typical behavior of the embedded device.
- View Dependent Claims (20)
- - 20. The system of claim 19, wherein the network sensor is inserted into a mirror port of the network switch, and wherein the mirror port comprises a switched port analyzer (SPAN) port, a remote switch port analyzer (RSPAN) or a roving analysis port (RAP).

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Senrio Inc.
Original Assignee
Senrio Inc.
Inventors
Ridley, Stephen A.

Granted Patent

US 10,122,743 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/572   Secure firmware programming...

G06N 20/00   Machine learning

G06N 7/01   Probabilistic graphical mod...

H04L 2101/622   Layer-2 addresses, e.g. med...

H04L 41/16   using machine learning or a...

H04L 43/062   related to network traffic

H04L 43/0876   Network utilisation, e.g. v...

H04L 43/106   using time related informat...

H04L 43/50   Testing arrangements

H04L 61/35   involving non-standard use ...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 69/16   Implementation or adaptatio...

H04W 12/12   Detection or prevention of ...

METHODS AND SYSTEMS FOR DETECTING ANOMALOUS BEHAVIOR OF NETWORK-CONNECTED EMBEDDED DEVICES

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

42 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

METHODS AND SYSTEMS FOR DETECTING ANOMALOUS BEHAVIOR OF NETWORK-CONNECTED EMBEDDED DEVICES

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

42 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others