Coordinated and device-distributed detection of abnormal network device operation
First Claim
1. A computer-implemented method for using corresponding detection data from multiple distributed network devices to detect suspicious network device activity, the method comprising:
identifying, at an evaluating network device, a suspicious activity condition, wherein evaluation of the condition includes evaluating data from each of a plurality of network devices that corresponds to a suspect network device;
detecting, at the evaluating network device, activity of the suspect network device, wherein the evaluating network device and suspect network device are part of a same network;
receiving, at the evaluating network device and from each of one or more other network devices, a communication that includes data corresponding to the suspect network device, wherein the evaluating network device and the one or more other network devices are part of the same network, and wherein the network is configured to facilitate reciprocal monitoring of network-device activity amongst network devices in the network;
determining, at the evaluating network device, that the suspicious activity condition is satisfied based on the data corresponding to the suspect network device from each of the one or more other network devices and the detected activity; and
transmitting, in response to the determining that the suspicious activity condition is satisfied, an alert communication that identifies the suspect network device and corresponds to an indication that the suspicious activity condition has been satisfied.
Abstract
Techniques for coordinated and device-distributed detection of abnormal network device operation are provided. In some embodiments, a method may include identifying a suspicious activity condition associated with a suspect network device; the suspect may also be the evaluating device itself. Activity of the suspect network device is detected and analyzed together with additional data about that activity received from one or more other network devices in the same network. In response to determining that the suspicious activity condition is satisfied, an alert communication can be transmitted that identifies the suspect network device. When the activity is associated with the evaluating device itself, a local operation at that device may be changed.
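The evaluation step described in the first claim and the abstract (an evaluating device combines its own detection of a suspect device with reports from other devices on the same network, alerts when a condition over that combined data is satisfied, and changes a local operation when the suspect is itself) is shown below as an added, illustrative Python example. It is not code from the patent or its assignee. Device names, the thresholds in the condition, the "at least N independent reporters" rule, the local action name and all observations are constructed for the example.

```python
"""Added example: reciprocal peer monitoring on one network. An evaluating
device merges its own observation of a suspect device with peer reports
about that suspect, then alerts when enough devices independently saw
abnormal behaviour. All names, thresholds and data are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Observation:
    """What one device saw a suspect device do during a monitoring window."""
    observer: str        # device that made the observation
    suspect: str         # device being reported on
    conn_attempts: int   # connection attempts from the suspect to the observer
    distinct_ports: int  # distinct ports on the observer probed by the suspect


@dataclass
class SuspiciousActivityCondition:
    """Condition evaluated over local plus peer data (assumed thresholds)."""
    min_reporters: int = 2   # devices that must independently flag the suspect
    max_attempts: int = 50   # per-observer attempts still considered normal
    max_ports: int = 10      # per-observer distinct ports still considered normal

    def flags(self, obs: Observation) -> bool:
        return obs.conn_attempts > self.max_attempts or obs.distinct_ports > self.max_ports


@dataclass
class Alert:
    suspect: str
    evaluator: str
    corroborating: List[str]          # peers whose report flagged the suspect
    local_action: Optional[str] = None  # set only when the evaluator is the suspect


def evaluate(evaluator: str, local: Observation, peer_reports: List[Observation],
             condition: SuspiciousActivityCondition) -> Optional[Alert]:
    """Evaluating-device logic: decide from own detection plus peer reports.

    Reports about a different suspect are ignored, and several reports from
    the same peer count once, so one chatty peer cannot satisfy the quorum.
    """
    suspect = local.suspect
    latest_per_peer: Dict[str, Observation] = {}
    for report in peer_reports:
        if report.suspect != suspect or report.observer == evaluator:
            continue
        latest_per_peer[report.observer] = report
    corroborating = sorted(p for p, r in latest_per_peer.items() if condition.flags(r))
    reporters = len(corroborating) + (1 if condition.flags(local) else 0)
    if reporters < condition.min_reporters:
        return None
    # The evaluating device is itself the suspect: change a local operation
    # (the action name is an assumption for the example).
    action = "restrict_outbound" if suspect == evaluator else None
    return Alert(suspect, evaluator, corroborating, action)


def demo() -> Dict[str, Optional[Alert]]:
    """Run the evaluation over constructed sample observations."""
    cond = SuspiciousActivityCondition()
    # Case 1: dev-07 is probing several devices; evaluator gw-01 plus two peers flag it.
    local = Observation("gw-01", "dev-07", conn_attempts=120, distinct_ports=35)
    peers = [
        Observation("dev-02", "dev-07", 80, 20),
        Observation("dev-03", "dev-07", 3, 1),      # this peer saw nothing unusual
        Observation("dev-04", "dev-07", 95, 40),
        Observation("dev-04", "dev-07", 96, 41),    # same peer again, counted once
        Observation("dev-05", "dev-09", 500, 60),   # about another device, ignored
    ]
    # Case 2: only the evaluator sees something; no peer corroborates.
    local2 = Observation("gw-01", "dev-08", conn_attempts=70, distinct_ports=2)
    peers2 = [Observation("dev-02", "dev-08", 1, 1)]
    # Case 3: peers report the evaluator itself; it must act on itself.
    local3 = Observation("gw-01", "gw-01", conn_attempts=0, distinct_ports=0)
    peers3 = [Observation("dev-02", "gw-01", 200, 50),
              Observation("dev-03", "gw-01", 150, 45)]
    return {
        "scanning_peer": evaluate("gw-01", local, peers, cond),
        "uncorroborated": evaluate("gw-01", local2, peers2, cond),
        "self": evaluate("gw-01", local3, peers3, cond),
    }


if __name__ == "__main__":
    for name, alert in demo().items():
        print(f"{name}: {alert}")
```

Two practitioner caveats the claims do not address: peer reports must be authenticated and bound to the reporting device (otherwise one compromised device can frame a neighbour by sending reports under several observer names, which the per-peer de-duplication above cannot detect), and the quorum threshold has to be chosen against the number of devices that can actually observe a given suspect, since a device on a quiet segment may have only one or two potential reporters.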
21 Claims
1. As set out under First Claim above. Dependent claims: 2 to 12.
13. A system, comprising:
one or more data processors; and
a non-transitory computer-readable storage medium containing instructions which when executed on the one or more data processors, cause the one or more processors to perform actions including:
identifying a suspicious activity condition, wherein evaluation of the condition includes evaluating data from each of a plurality of network devices that corresponds to a suspect network device;
detecting activity of the suspect network device, wherein the evaluating network device and suspect network device are part of a same network;
receiving, from each of one or more other network devices, a communication that includes data corresponding to the suspect network device, wherein the system and the one or more other network devices are part of the same network, and wherein the network is configured to facilitate reciprocal monitoring of network-device activity amongst network devices in the network;
determining that the suspicious activity condition is satisfied based on the data corresponding to the suspect network device from each of the one or more other network devices and the detected activity; and
transmitting, in response to the determining that the suspicious activity condition is satisfied, an alert communication that identifies the suspect network device and corresponds to an indication that the suspicious activity condition has been satisfied.
Dependent claims: 14 to 17.

18. A computer-program product tangibly embodied in a non-transitory machine-readable storage medium, including instructions configured to cause a data processing apparatus of an evaluating network device to perform actions including:
identifying a suspicious activity condition, wherein evaluation of the condition includes evaluating data from each of a plurality of network devices that corresponds to a suspect network device;
detecting activity of the suspect network device, wherein the evaluating network device and suspect network device are part of a same network;
receiving, from each of one or more other network devices, a communication that includes data corresponding to the suspect network device, wherein the evaluating network device and the one or more other network devices are part of the same network, and wherein the network is configured to facilitate reciprocal monitoring of network-device activity amongst network devices in the network;
determining that the suspicious activity condition is satisfied based on the data corresponding to the suspect network device from each of the one or more other network devices and the detected activity; and
transmitting, in response to the determining that the suspicious activity condition is satisfied, an alert communication that identifies the suspect network device and corresponds to an indication that the suspicious activity condition has been satisfied.
Dependent claims: 19 to 21.
Specification