Coordinated and device-distributed detection of abnormal network device operation
First Claim
1. A computer-implemented method for detecting suspicious network device activity, the method comprising:
- identifying, at an evaluating network device, a suspicious activity condition;
defining an initial ad hoc network to include an initial subset of a set of network devices, wherein each network device in the set of network devices is part of a network;
receiving, at the evaluating network device and from each network device in the initial subset, a communication that includes data characterizing a detection made by the network device, wherein the network is configured to facilitate reciprocal monitoring of network-device activity amongst network devices in the network;
determining, at the evaluating network device and for each of one or more network devices in the initial subset, that the suspicious activity condition is satisfied based on the data included in the communication received from the network device; and
identifying a characteristic of each network device in the one or more network devices, wherein the characteristics relates to a location, device type or connection of the network device;
defining a new ad hoc network to include a new subset of the set of network device based on the characteristic of the each network device in the one or more network devices and based on the determination that the suspicious activity condition was satisfied for each network device in the one or more network devices, wherein the new ad hoc network includes a newly included network device that is part of the network, and wherein the initial ad hoc network did not include the newly included network device;
receiving, at the evaluating network device and from each network device in the new subset, a communication that includes data characterizing a detection made by the network device;
identifying a source device as being a source associated with suspicious activity based on the data included in the communication received from each network device in the new subset; and
transmitting an alert communication that corresponds to an indication that the source device is associated with suspicious activity.
2 Assignments
0 Petitions
Accused Products
Abstract
Techniques for coordinated and device-distributed detection of abnormal network device operation are provided. In some embodiments, a method may include identifying a suspicious activity condition associated with a suspect network device. The suspicious activity condition may also be associated with the device itself. Activity of the network device may be detected and analyzed, including additional data corresponding to the activity from one or more other network devices in the same network. In response to determining that the suspicious activity condition is satisfied, an alert communication can be transmitted that identifies the suspect network device. When the activity is associated with the device itself, a local operation at the network device may be changed.
-
Citations
20 Claims
-
1. A computer-implemented method for detecting suspicious network device activity, the method comprising:
-
identifying, at an evaluating network device, a suspicious activity condition; defining an initial ad hoc network to include an initial subset of a set of network devices, wherein each network device in the set of network devices is part of a network; receiving, at the evaluating network device and from each network device in the initial subset, a communication that includes data characterizing a detection made by the network device, wherein the network is configured to facilitate reciprocal monitoring of network-device activity amongst network devices in the network; determining, at the evaluating network device and for each of one or more network devices in the initial subset, that the suspicious activity condition is satisfied based on the data included in the communication received from the network device; and identifying a characteristic of each network device in the one or more network devices, wherein the characteristics relates to a location, device type or connection of the network device; defining a new ad hoc network to include a new subset of the set of network device based on the characteristic of the each network device in the one or more network devices and based on the determination that the suspicious activity condition was satisfied for each network device in the one or more network devices, wherein the new ad hoc network includes a newly included network device that is part of the network, and wherein the initial ad hoc network did not include the newly included network device; receiving, at the evaluating network device and from each network device in the new subset, a communication that includes data characterizing a detection made by the network device; identifying a source device as being a source associated with suspicious activity based on the data included in the communication received from each network device in the new subset; and transmitting an alert communication that corresponds to an indication that the source device is associated with suspicious activity. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
-
-
11. A system, comprising:
-
one or more data processors; and a non-transitory computer-readable storage medium containing instructions which when executed on the one or more data processors, cause the one or more processors to perform actions including; identifying a suspicious activity condition; defining an initial ad hoc network to include an initial subset of a set of network devices, wherein each network device in the set of network devices is part of a network; receiving, from each network device in the initial subset, a communication that includes data characterizing a detection made by the network device, wherein the network is configured to facilitate reciprocal monitoring of network-device activity amongst network devices in the network; determining, for each of one or more network devices in the initial subset, that the suspicious activity condition is satisfied based on the data included in the communication received from the network device; and identifying a characteristic of each network device in the one or more network devices, wherein the characteristics relates to a location, device type or connection of the network device; defining a new ad hoc network to include a new subset of the set of network device based on the characteristic of the each network device in the one or more network devices and based on the determination that the suspicious activity condition was satisfied for each network device in the one or more network devices, wherein the new ad hoc network includes a newly included network device that is part of the network, and wherein the initial ad hoc network did not include the newly included network device; receiving, from each network device in the new subset, a communication that includes data characterizing a detection made by the network device; identifying a source device as being a source associated with suspicious activity based on the data included in the communication received from each network device in the new subset; and transmitting an alert communication that corresponds to an indication that the source device is associated with suspicious activity. - View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19)
-
-
20. A computer-program product tangibly embodied in a non-transitory machine-readable storage medium, including instructions configured to cause a data processing apparatus of a network device to perform actions including:
-
identifying a suspicious activity condition; defining an initial ad hoc network to include an initial subset of a set of network devices, wherein each network device in the set of network devices is part of a network; receiving, from each network device in the initial subset, a communication that includes data characterizing a detection made by the network device, wherein the network is configured to facilitate reciprocal monitoring of network-device activity amongst network devices in the network; determining, for each of one or more network devices in the initial subset, that the suspicious activity condition is satisfied based on the data included in the communication received from the network device; and identifying a characteristic of each network device in the one or more network devices, wherein the characteristics relates to a location, device type or connection of the network device; defining a new ad hoc network to include a new subset of the set of network device based on the characteristic of the each network device in the one or more network devices and based on the determination that the suspicious activity condition was satisfied for each network device in the one or more network devices, wherein the new ad hoc network includes a newly included network device that is part of the network, and wherein the initial ad hoc network did not include the newly included network device; receiving, from each network device in the new subset, a communication that includes data characterizing a detection made by the network device; identifying a source device as being a source associated with suspicious activity based on the data included in the communication received from each network device in the new subset; and transmitting an alert communication that corresponds to an indication that the source device is associated with suspicious activity.
-
Specification