Coordinated and device-distributed detection of abnormal network device operation

US 9,342,391 B2
Filed: 04/02/2015
Issued: 05/17/2016
Est. Priority Date: 09/09/2014
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for detecting suspicious network device activity, the method comprising:

identifying, at an evaluating network device, a suspicious activity condition, wherein the suspicious activity condition relates to a normal activity parameter identified based on monitored activity of a monitored network device, and wherein evaluation of the condition includes evaluating network-device activity data;

receiving, at the evaluating network device and from each of one or more other network devices, a communication that includes data corresponding to activity of a suspect network device, wherein;

the network device and each of the one or more other network devices are part of a same network;

the monitored network device and the suspect network device are different devices; and

the same network is configured to facilitate reciprocal monitoring of network-device activity amongst network devices in the same network;

determining, at the evaluating network device, that the suspicious activity condition is satisfied based on the data received from the one or more other network devices, wherein the determination indicates that a suspect network device in the same network is operating in a manner that does not conform with the normal activity parameter; and

in response to the determination that the suspicious activity condition is satisfied, facilitating a change in operation of at least one network device in the same network, wherein the change in operation includes triggering each network device of the at least one network device to backup data stored at a location at the network device to a different location at the network device or to another network device on the same network.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques for coordinated and device-distributed detection of abnormal network device operation are provided. In some embodiments, a method may include identifying a suspicious activity condition associated with a suspect network device. The suspicious activity condition may also be associated with the device itself. Activity of the network device may be detected and analyzed, including additional data corresponding to the activity from one or more other network devices in the same network. In response to determining that the suspicious activity condition is satisfied, an alert communication can be transmitted that identifies the suspect network device. When the activity is associated with the device itself, a local operation at the network device may be changed.

Citations

29 Claims

1. A computer-implemented method for detecting suspicious network device activity, the method comprising:
- identifying, at an evaluating network device, a suspicious activity condition, wherein the suspicious activity condition relates to a normal activity parameter identified based on monitored activity of a monitored network device, and wherein evaluation of the condition includes evaluating network-device activity data;
  
  receiving, at the evaluating network device and from each of one or more other network devices, a communication that includes data corresponding to activity of a suspect network device, wherein;
  
  the network device and each of the one or more other network devices are part of a same network;
  
  the monitored network device and the suspect network device are different devices; and
  
  the same network is configured to facilitate reciprocal monitoring of network-device activity amongst network devices in the same network;
  
  determining, at the evaluating network device, that the suspicious activity condition is satisfied based on the data received from the one or more other network devices, wherein the determination indicates that a suspect network device in the same network is operating in a manner that does not conform with the normal activity parameter; and
  
  in response to the determination that the suspicious activity condition is satisfied, facilitating a change in operation of at least one network device in the same network, wherein the change in operation includes triggering each network device of the at least one network device to backup data stored at a location at the network device to a different location at the network device or to another network device on the same network.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The computer-implemented method as recited in claim 1, wherein the normal activity parameter corresponds to a transmission frequency or resource usage.
  - 3. The computer-implemented method as recited in claim 1, further comprising:
    - detecting, at the network device, activity of the network device, wherein the determining that the suspicious activity condition is satisfied is further based on the detected activity of the network device.
  - 4. The computer-implemented method as recited in claim 1, wherein the evaluating device is the suspect network device.
  - 5. The computer-implemented method as recited in claim 1, wherein the normal activity parameter relates to a device setting at the monitored network device, a communication received at the monitored network device or a sensor reading collected at the monitored device.
  - 6. The computer-implemented method as recited in claim 1, wherein the facilitating a change in operation of the at least one network device includes transmitting an alert communication.
  - 7. The computer-implemented method as recited in claim 1, wherein each the monitored activity and the data included in the received communications is of a same type of data.
  - 8. The computer-implemented method as recited in claim 1, wherein the normal activity parameter includes a threshold, and the determining that the suspicious activity condition is satisfied includes determining that a value in the data exceeds the threshold.
  - 9. The computer-implemented method as recited in claim 1, wherein changing the operation includes implementing a new operation, ceasing implementation of an existing operation or inhibiting transmission from the network device to another network device on the same network.
  - 10. The computer-implemented method as recited in claim 1, further comprising:
    - localizing a source part of the same network having operated in a manner to have caused the suspicious activity condition to have been determined to be satisfied.

11. A system, comprising:
- one or more data processors; and
  
  a non-transitory computer-readable storage medium containing instructions which when executed on the one or more data processors, cause the one or more processors to perform actions including;
  
  identifying a suspicious activity condition, wherein the suspicious activity condition relates to a normal activity parameter identified based on monitored activity of a monitored network device, and wherein evaluation of the condition includes evaluating network-device activity data;
  
  receiving, from each of one or more other network devices, a communication that includes data corresponding to activity of a suspect network device, wherein;
  
  the network device and each of the one or more other network devices are part of a same network;
  
  the monitored network device and the suspect network device are different devices; and
  
  the same network is configured to facilitate reciprocal monitoring of network-device activity amongst network devices in the same network;
  
  determining that the suspicious activity condition is satisfied based on the data received from the one or more other network devices, wherein the determination indicates that a suspect network device in the same network is operating in a manner that does not conform with the normal activity parameter; and
  
  in response to the determination that the suspicious activity condition is satisfied, facilitating a change in operation of at least one network device in the same network, wherein the change in operation includes triggering each network device of the at least one network device to backup data stored at a location at the network device to a different location at the network device or to another network device on the same network.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The system as recited in claim 11, wherein the normal activity parameter corresponds to a transmission frequency or resource usage.
  - 13. The system as recited in claim 11, wherein the actions further include:
    - detecting, at the network device, activity of the network device, wherein the determining that the suspicious activity condition is satisfied is further based on the detected activity of the network device.
  - 14. The system as recited in claim 11, wherein the system includes the suspect network device.
  - 15. The system as recited in claim 11, wherein the normal activity parameter relates to a device setting at the monitored network device, a communication received at the monitored network device or a sensor reading collected at the monitored device.
  - 16. The system as recited in claim 11, wherein the facilitating a change in operation of the at least one network device includes transmitting an alert communication.
  - 17. The system as recited in claim 11, wherein each the monitored activity and the data included in the received communications is of a same type of data.
  - 18. The system as recited in claim 11, wherein the normal activity parameter includes a threshold, and the determining that the suspicious activity condition is satisfied includes determining that a value in the data exceeds the threshold.
  - 19. The system as recited in claim 11, wherein changing the operation includes implementing a new operation, ceasing implementation of an existing operation or inhibiting transmission from the network device to another network device on the same network.
  - 20. The system as recited in claim 11, wherein the actions further include:
    - localizing a source part of the same network having operated in a manner to have caused the suspicious activity condition to have been determined to be satisfied.

21. A computer-program product tangibly embodied in a non-transitory machine-readable storage medium, including instructions configured to cause a data processing apparatus of a network device to perform actions including:
- identifying a suspicious activity condition, wherein the suspicious activity condition relates to a normal activity parameter identified based on monitored activity of a monitored network device, and wherein evaluation of the condition includes evaluating network-device activity data;
  
  receiving, from each of one or more other network devices, a communication that includes data corresponding to activity of a suspect network device, wherein;
  
  the network device and each of the one or more other network devices are part of a same network;
  
  the monitored network device and the suspect network device are different devices; and
  
  the same network is configured to facilitate reciprocal monitoring of network-device activity amongst network devices in the same network;
  
  determining that the suspicious activity condition is satisfied based on the data received from the one or more other network devices, wherein the determination indicates that a suspect network device in the same network is operating in a manner that does not conform with the normal activity parameter; and
  
  in response to the determination that the suspicious activity condition is satisfied, facilitating a change in operation of at least one network device in the same network, wherein the change in operation includes triggering each network device of the at least one network device to backup data stored at a location at the network device to a different location at the network device or to another network device on the same network.
- View Dependent Claims (22, 23, 24, 25, 26, 27, 28, 29)
- - 22. The computer-program product as recited in claim 21, wherein the normal activity parameter corresponds to a transmission frequency or resource usage.
  - 23. The computer-program product as recited in claim 21, wherein the actions further include:
    - detecting activity of the network device, wherein the determining that the suspicious activity condition is satisfied is further based on the detected activity of the network device.
  - 24. The computer-program product as recited in claim 21, wherein the normal activity parameter relates to a device setting at the monitored network device, a communication received at the monitored network device or a sensor reading collected at the monitored device.
  - 25. The computer-program product as recited in claim 21, wherein the facilitating a change in operation of the at least one network device includes transmitting an alert communication.
  - 26. The computer-program product as recited in claim 21, wherein each the monitored activity and the data included in the received communications is of a same type of data.
  - 27. The computer-program product as recited in claim 21, wherein the normal activity parameter includes a threshold, and the determining that the suspicious activity condition is satisfied includes determining that a value in the data exceeds the threshold.
  - 28. The computer-program product as recited in claim 21, wherein changing the operation includes implementing a new operation, ceasing implementation of an existing operation or inhibiting transmission from the network device to another network device on the same network.
  - 29. The computer-program product as recited in claim 21, further comprising:
    - localizing a source part of the same network having operated in a manner to have caused the suspicious activity condition to have been determined to be satisfied.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Belkin International Incorporated (Hon Hai Precision Industry Co., Ltd.)
Original Assignee
Belkin International Incorporated (Hon Hai Precision Industry Co., Ltd.)
Inventors
Kim, Ryan Yong
Primary Examiner(s)
MASKULINSKI, MICHAEL C

Application Number

US14/677,744
Publication Number

US 20160072832A1
Time in Patent Office

411 Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 1/26   Power supply means, e.g. re...

G06F 11/0709   in a distributed system con...

G06F 11/0784   Routing of error reports, e...

G06F 11/079   Root cause analysis, i.e. e...

G06F 11/30   Monitoring

G06F 11/3006   where the computing system ...

G06F 11/3055   Monitoring arrangements for...

G06F 21/552   involving long-term monitor...

H04L 12/2803   Home automation networks

H04L 2012/2841   Wireless

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1441   Countermeasures against mal...

H04W 12/08   Access security

H04W 12/12   Detection or prevention of ...

H04W 12/122   Counter-measures against at...

H04W 12/128   Anti-malware arrangements, ...

Coordinated and device-distributed detection of abnormal network device operation

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

29 Claims

Specification

Solutions

Use Cases

Quick Links

Coordinated and device-distributed detection of abnormal network device operation

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

29 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links