Coordinated and device-distributed detection of abnormal network device operation

US 9,026,840 B1
Filed: 09/09/2014
Issued: 05/05/2015
Est. Priority Date: 09/09/2014
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for using corresponding detection data from multiple distributed network devices to detect suspicious network device activity, the method comprising:

identifying, at an evaluating network device, a suspicious activity condition, wherein evaluation of the condition includes evaluating data from each of a plurality of network devices that corresponds to a suspect network device;

detecting, at the evaluating network device, activity of the suspect network device, wherein the evaluating network device and suspect network device are part of a same network;

receiving, at the evaluating network device and from each of one or more other network devices, a communication that includes data corresponding to the suspect network device, wherein the evaluating network device and the one or more other network devices are part of the same network, and wherein the network is configured to facilitate reciprocal monitoring of network-device activity amongst network devices in the network;

determining, at the evaluating network device, that the suspicious activity condition is satisfied based on the data corresponding to the suspect network device from each of the one or more other network devices and the detected activity; and

transmitting, in response to the determining that the suspicious activity condition is satisfied, an alert communication that identifies the suspect network device and corresponds to an indication that the suspicious activity condition has been satisfied.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques for coordinated and device-distributed detection of abnormal network device operation are provided. In some embodiments, a method may include identifying a suspicious activity condition associated with a suspect network device. The suspicious activity condition may also be associated with the device itself. Activity of the network device may be detected and analyzed, including additional data corresponding to the activity from one or more other network devices in the same network. In response to determining that the suspicious activity condition is satisfied, an alert communication can be transmitted that identifies the suspect network device. When the activity is associated with the device itself, a local operation at the network device may be changed.

50 Citations

View as Search Results

21 Claims

1. A computer-implemented method for using corresponding detection data from multiple distributed network devices to detect suspicious network device activity, the method comprising:
- identifying, at an evaluating network device, a suspicious activity condition, wherein evaluation of the condition includes evaluating data from each of a plurality of network devices that corresponds to a suspect network device;
  
  detecting, at the evaluating network device, activity of the suspect network device, wherein the evaluating network device and suspect network device are part of a same network;
  
  receiving, at the evaluating network device and from each of one or more other network devices, a communication that includes data corresponding to the suspect network device, wherein the evaluating network device and the one or more other network devices are part of the same network, and wherein the network is configured to facilitate reciprocal monitoring of network-device activity amongst network devices in the network;
  
  determining, at the evaluating network device, that the suspicious activity condition is satisfied based on the data corresponding to the suspect network device from each of the one or more other network devices and the detected activity; and
  
  transmitting, in response to the determining that the suspicious activity condition is satisfied, an alert communication that identifies the suspect network device and corresponds to an indication that the suspicious activity condition has been satisfied.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The computer-implemented method as recited in claim 1, further comprising:
    - identifying, at the evaluating network device, a local suspicious activity condition;
      
      determining, at the evaluating network device, that the local suspicious activity condition is satisfied based on the detected activity;
      
      transmitting, in response to determining that the local suspicious activity condition is satisfied, a data-request communication to each of the one or more other network devices, wherein the communication identifies the suspect network device and corresponds to a request for data corresponding to the suspect network device.
  - 3. The computer-implemented method as recited in claim 1, wherein the evaluating data from each of the plurality of network devices identifies a suspicious activity of the suspect network device, wherein the suspicious activity involves one or more actions performed by the suspect network device during a time frame.
  - 4. The computer-implemented method as recited in claim 1, wherein the evaluating network device and the suspect network device are different devices.
  - 5. The computer-implemented method as recited in claim 1, wherein the alert communication is sent to an access device, wherein receipt of the alert communication causes the access device to present an indication that the suspicious activity condition has been satisfied.
  - 6. The computer-implemented method as recited in claim 1, wherein the alert communication is transmitted to the plurality of network devices that are part of the same network as the evaluating network device and the suspect network device.
  - 7. The computer-implemented method as recited in claim 1, further comprising:
    - localizing a source part of the same network having operated in a manner to have caused the suspicious activity condition to have been determined to be satisfied.
  - 8. The computer-implemented method as recited in claim 1, wherein transmitting the alert communication includes transmitting the alert communication over a local area network or transmitting the alert communication using a short-range communication channel.
  - 9. The computer-implemented method as recited in claim 1, wherein the network includes a set of network devices located in a same building, and wherein the method further comprises:
    - identifying an incomplete subset of the set of network devices, wherein the incomplete subset includes a plurality of network devices, and wherein each network device in the incomplete subset is configured to also detect activity of the suspect network device.
  - 10. The computer-implemented method as recited in claim 1, wherein the determining that the suspicious activity condition is satisfied includes determining that the detected activity of the suspect network device differs from an activity template generated using a learning technique and previously detected activity of the suspect network device.
  - 11. The computer-implemented method as recited in claim 1, wherein the determining that the suspicious activity condition is satisfied includes determining that the data corresponding to the suspect network device differs from an activity template generated using a learning technique and data included in a communication previously received from at least one of one or more other network devices.
  - 12. The computer-implemented method for using corresponding detection data from multiple distributed network devices to detect suspicious network device activity as recited in claim 1, wherein the evaluating network device and the suspect network device each join the same network through an accountless authentication process.

13. A system, comprising:
- one or more data processors; and
  
  a non-transitory computer-readable storage medium containing instructions which when executed on the one or more data processors, cause the one or more processors to perform actions including;
  
  identifying a suspicious activity condition, wherein evaluation of the condition includes evaluating data from each of a plurality of network devices that corresponds to a suspect network device;
  
  detecting activity of the suspect network device, wherein the evaluating network device and suspect network device are part of a same network;
  
  receiving, from each of one or more other network devices, a communication that includes data corresponding to the suspect network device, wherein the system and the one or more other network devices are part of the same network, and wherein the network is configured to facilitate reciprocal monitoring of network-device activity amongst network devices in the network;
  
  determining that the suspicious activity condition is satisfied based on the data corresponding to the suspect network device from each of the one or more other network devices and the detected activity; and
  
  transmitting, in response to the determining that the suspicious activity condition is satisfied, an alert communication that identifies the suspect network device and corresponds to an indication that the suspicious activity condition has been satisfied.
- View Dependent Claims (14, 15, 16, 17)
- - 14. The system of claim 13, wherein the actions further include:
    - identifying a local suspicious activity condition;
      
      determining that the local suspicious activity condition is satisfied based on the detected activity;
      
      transmitting, in response to determining that the local suspicious activity condition is satisfied, a data-request communication to each of the one or more other network devices, wherein the communication identifies the suspect network device and corresponds to a request for data corresponding to the suspect network device.
  - 15. The system of claim 13, wherein the evaluating data from each of the plurality of network devices identifies a suspicious activity of the suspect network device, wherein the suspicious activity involves one or more actions performed by the suspect network device during a time frame.
  - 16. The system of claim 13, wherein the alert communication is sent to an access device, and wherein receipt of the alert communication causes the access device to present an indication that the suspicious activity condition has been satisfied.
  - 17. The system of claim 13, wherein the alert communication is transmitted to the plurality of network devices that are part of the same network as the evaluating network device and the suspect network device.

18. A computer-program product tangibly embodied in a non-transitory machine-readable storage medium, including instructions configured to cause a data processing apparatus of an evaluating network device to perform actions including:
- identifying a suspicious activity condition, wherein evaluation of the condition includes evaluating data from each of a plurality of network devices that corresponds to a suspect network device;
  
  detecting activity of the suspect network device, wherein the evaluating network device and suspect network device are part of a same network;
  
  receiving, from each of one or more other network devices, a communication that includes data corresponding to the suspect network device, wherein the evaluating network device and the one or more other network devices are part of the same network, and wherein the network is configured to facilitate reciprocal monitoring of network-device activity amongst network devices in the network;
  
  determining that the suspicious activity condition is satisfied based on the data corresponding to the suspect network device from each of the one or more other network devices and the detected activity; and
  
  transmitting, in response to the determining that the suspicious activity condition is satisfied, an alert communication that identifies the suspect network device and corresponds to an indication that the suspicious activity condition has been satisfied.
- View Dependent Claims (19, 20, 21)
- - 19. The computer-program product of claim 18, wherein transmitting the alert communication includes transmitting the alert communication over a local area network or transmitting the alert communication using a short-range communication channel.
  - 20. The computer-program product of claim 18, wherein the determining that the suspicious activity condition is satisfied includes determining that the detected activity of the suspect network device differs from an activity template generated using a learning technique and previously detected activity of the suspect network device.
  - 21. The computer-program product of claim 18, wherein the actions further include:
    - localizing a source part of the same network having operated in a manner to have caused the suspicious activity condition to have been determined to be satisfied.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Belkin International Incorporated (Hon Hai Precision Industry Co., Ltd.)
Original Assignee
Belkin International Incorporated (Hon Hai Precision Industry Co., Ltd.)
Inventors
Kim, Ryan Yong
Primary Examiner(s)
MASKULINSKI, MICHAEL C

Application Number

US14/480,878
Time in Patent Office

238 Days
Field of Search
US Class Current

714/4.3
CPC Class Codes

G06F 1/26   Power supply means, e.g. re...

G06F 11/0709   in a distributed system con...

G06F 11/0784   Routing of error reports, e...

G06F 11/079   Root cause analysis, i.e. e...

G06F 11/30   Monitoring

G06F 11/3006   where the computing system ...

G06F 11/3055   Monitoring arrangements for...

G06F 21/552   involving long-term monitor...

H04L 12/2803   Home automation networks

H04L 2012/2841   Wireless

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1441   Countermeasures against mal...

H04W 12/08   Access security

H04W 12/12   Detection or prevention of ...

H04W 12/122   Counter-measures against at...

H04W 12/128   Anti-malware arrangements, ...

Coordinated and device-distributed detection of abnormal network device operation

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

50 Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Coordinated and device-distributed detection of abnormal network device operation

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

50 Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links