Coordinated and device-distributed detection of abnormal network device operation
First Claim
1. A computer-implemented method for detecting suspicious network device activity, the method comprising:
identifying, at an evaluating network device, a suspicious activity condition, wherein the suspicious activity condition relates to a normal activity parameter identified based on monitored activity of a monitored network device, and wherein evaluation of the condition includes evaluating network-device activity data;
receiving, at the evaluating network device and from each of one or more other network devices, a communication that includes data corresponding to activity of a suspect network device, wherein:
  the network device and each of the one or more other network devices are part of a same network;
  the monitored network device and the suspect network device are different devices; and
  the same network is configured to facilitate reciprocal monitoring of network-device activity amongst network devices in the same network;
determining, at the evaluating network device, that the suspicious activity condition is satisfied based on the data received from the one or more other network devices, wherein the determination indicates that a suspect network device in the same network is operating in a manner that does not conform with the normal activity parameter; and
in response to the determination that the suspicious activity condition is satisfied, facilitating a change in operation of at least one network device in the same network, wherein the change in operation includes triggering each network device of the at least one network device to backup data stored at a location at the network device to a different location at the network device or to another network device on the same network.
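A small simulation of the method claimed above, added here as an illustration and not code from the patent or its assignee. The device names, the outbound-connection-rate metric, the three-sigma threshold and the majority rule for combining peer reports are all assumptions; the claim only requires that the evaluator learn a normal activity parameter from a monitored device, judge a different suspect device from data reported by peers, and then trigger a backup on at least one device.

```python
from dataclasses import dataclass
from statistics import mean, pstdev

@dataclass(frozen=True)
class PeerReport:
    reporter: str      # device that observed the activity (reciprocal monitoring)
    suspect: str       # device whose activity was observed
    conn_rate: float   # outbound connections per minute seen by the reporter (assumed metric)

def learn_normal_parameter(samples, k=3.0):
    """Normal activity parameter: an upper bound derived from a monitored device's history."""
    return mean(samples) + k * pstdev(samples)

def condition_satisfied(threshold, reports, suspect, monitored, min_reports=2):
    """Evaluator decides from peer reports whether the suspect exceeds the learned parameter."""
    if suspect == monitored:   # the claim requires monitored and suspect to be different devices
        raise ValueError("suspect must differ from the monitored device")
    relevant = [r for r in reports if r.suspect == suspect and r.reporter != suspect]
    if len(relevant) < min_reports:
        return False           # one peer's view alone is not enough to act on (assumed policy)
    exceeding = sum(1 for r in relevant if r.conn_rate > threshold)
    return exceeding * 2 > len(relevant)   # majority of independent observers must agree

def facilitate_backup(network, devices, suspect):
    """Trigger each listed device to copy its data to a peer (or to itself if no peer exists)."""
    done = []
    for dev in devices:
        peers = [p for p in network if p not in (dev, suspect)]   # never back up onto the suspect
        dest = peers[0] if peers else dev
        network[dest].setdefault("backup", {})[dev] = dict(network[dev]["data"])
        done.append((dev, dest))
    return done

def run_example():
    # Constructed sample data: history of the monitored device, then peer reports about the suspect
    history = [10, 12, 11, 9, 13, 10, 12, 11]
    threshold = learn_normal_parameter(history)       # about 14.67 connections/min
    reports = [PeerReport("dev-a", "dev-x", 40.0), PeerReport("dev-b", "dev-x", 38.0),
               PeerReport("dev-c", "dev-x", 12.0), PeerReport("dev-x", "dev-x", 9.0)]  # self-report is ignored
    network = {d: {"data": {"cfg": f"{d}-config"}} for d in ["dev-a", "dev-b", "dev-c", "dev-x", "dev-m"]}
    hit = condition_satisfied(threshold, reports, suspect="dev-x", monitored="dev-m")
    backups = facilitate_backup(network, ["dev-a", "dev-b"], "dev-x") if hit else []
    return hit, backups, network

if __name__ == "__main__":
    print(run_example()[:2])
```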
Abstract
Techniques for coordinated and device-distributed detection of abnormal network device operation are provided. In some embodiments, a method may include identifying a suspicious activity condition associated with a suspect network device. The suspicious activity condition may also be associated with the device itself. Activity of the network device may be detected and analyzed, including additional data corresponding to the activity from one or more other network devices in the same network. In response to determining that the suspicious activity condition is satisfied, an alert communication can be transmitted that identifies the suspect network device. When the activity is associated with the device itself, a local operation at the network device may be changed.
29 Claims
1. A computer-implemented method for detecting suspicious network device activity (independent claim; reproduced in full under First Claim above). Claims 2 to 10 depend from claim 1.
11. A system, comprising:
one or more data processors; and
a non-transitory computer-readable storage medium containing instructions which when executed on the one or more data processors, cause the one or more processors to perform actions including:
  identifying a suspicious activity condition, wherein the suspicious activity condition relates to a normal activity parameter identified based on monitored activity of a monitored network device, and wherein evaluation of the condition includes evaluating network-device activity data;
  receiving, from each of one or more other network devices, a communication that includes data corresponding to activity of a suspect network device, wherein:
    the network device and each of the one or more other network devices are part of a same network;
    the monitored network device and the suspect network device are different devices; and
    the same network is configured to facilitate reciprocal monitoring of network-device activity amongst network devices in the same network;
  determining that the suspicious activity condition is satisfied based on the data received from the one or more other network devices, wherein the determination indicates that a suspect network device in the same network is operating in a manner that does not conform with the normal activity parameter; and
  in response to the determination that the suspicious activity condition is satisfied, facilitating a change in operation of at least one network device in the same network, wherein the change in operation includes triggering each network device of the at least one network device to backup data stored at a location at the network device to a different location at the network device or to another network device on the same network.
Claims 12 to 20 depend from claim 11.
21. A computer-program product tangibly embodied in a non-transitory machine-readable storage medium, including instructions configured to cause a data processing apparatus of a network device to perform actions including:
  identifying a suspicious activity condition, wherein the suspicious activity condition relates to a normal activity parameter identified based on monitored activity of a monitored network device, and wherein evaluation of the condition includes evaluating network-device activity data;
  receiving, from each of one or more other network devices, a communication that includes data corresponding to activity of a suspect network device, wherein:
    the network device and each of the one or more other network devices are part of a same network;
    the monitored network device and the suspect network device are different devices; and
    the same network is configured to facilitate reciprocal monitoring of network-device activity amongst network devices in the same network;
  determining that the suspicious activity condition is satisfied based on the data received from the one or more other network devices, wherein the determination indicates that a suspect network device in the same network is operating in a manner that does not conform with the normal activity parameter; and
  in response to the determination that the suspicious activity condition is satisfied, facilitating a change in operation of at least one network device in the same network, wherein the change in operation includes triggering each network device of the at least one network device to backup data stored at a location at the network device to a different location at the network device or to another network device on the same network.
Claims 22 to 29 depend from claim 21.