Coordinated and device-distributed detection of abnormal network device operation

US 9,384,075 B2
Filed: 04/02/2015
Issued: 07/05/2016
Est. Priority Date: 09/09/2014
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for detecting suspicious network device activity, the method comprising:

identifying, at an evaluating network device, a suspicious activity condition;

defining an initial ad hoc network to include an initial subset of a set of network devices, wherein each network device in the set of network devices is part of a network;

receiving, at the evaluating network device and from each network device in the initial subset, a communication that includes data characterizing a detection made by the network device, wherein the network is configured to facilitate reciprocal monitoring of network-device activity amongst network devices in the network;

determining, at the evaluating network device and for each of one or more network devices in the initial subset, that the suspicious activity condition is satisfied based on the data included in the communication received from the network device; and

identifying a characteristic of each network device in the one or more network devices, wherein the characteristics relates to a location, device type or connection of the network device;

defining a new ad hoc network to include a new subset of the set of network device based on the characteristic of the each network device in the one or more network devices and based on the determination that the suspicious activity condition was satisfied for each network device in the one or more network devices, wherein the new ad hoc network includes a newly included network device that is part of the network, and wherein the initial ad hoc network did not include the newly included network device;

receiving, at the evaluating network device and from each network device in the new subset, a communication that includes data characterizing a detection made by the network device;

identifying a source device as being a source associated with suspicious activity based on the data included in the communication received from each network device in the new subset; and

transmitting an alert communication that corresponds to an indication that the source device is associated with suspicious activity.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques for coordinated and device-distributed detection of abnormal network device operation are provided. In some embodiments, a method may include identifying a suspicious activity condition associated with a suspect network device. The suspicious activity condition may also be associated with the device itself. Activity of the network device may be detected and analyzed, including additional data corresponding to the activity from one or more other network devices in the same network. In response to determining that the suspicious activity condition is satisfied, an alert communication can be transmitted that identifies the suspect network device. When the activity is associated with the device itself, a local operation at the network device may be changed.

Citations

20 Claims

1. A computer-implemented method for detecting suspicious network device activity, the method comprising:
- identifying, at an evaluating network device, a suspicious activity condition;
  
  defining an initial ad hoc network to include an initial subset of a set of network devices, wherein each network device in the set of network devices is part of a network;
  
  receiving, at the evaluating network device and from each network device in the initial subset, a communication that includes data characterizing a detection made by the network device, wherein the network is configured to facilitate reciprocal monitoring of network-device activity amongst network devices in the network;
  
  determining, at the evaluating network device and for each of one or more network devices in the initial subset, that the suspicious activity condition is satisfied based on the data included in the communication received from the network device; and
  
  identifying a characteristic of each network device in the one or more network devices, wherein the characteristics relates to a location, device type or connection of the network device;
  
  defining a new ad hoc network to include a new subset of the set of network device based on the characteristic of the each network device in the one or more network devices and based on the determination that the suspicious activity condition was satisfied for each network device in the one or more network devices, wherein the new ad hoc network includes a newly included network device that is part of the network, and wherein the initial ad hoc network did not include the newly included network device;
  
  receiving, at the evaluating network device and from each network device in the new subset, a communication that includes data characterizing a detection made by the network device;
  
  identifying a source device as being a source associated with suspicious activity based on the data included in the communication received from each network device in the new subset; and
  
  transmitting an alert communication that corresponds to an indication that the source device is associated with suspicious activity.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The computer-implemented method as recited in claim 1, further comprising:
    - determining, at the evaluating network device and for each network device in the initial subset, whether the suspicious activity condition is satisfied based on the data included in the communication received from the network device; and
      
      identifying a characteristic of each network device in the initial subset, wherein the characteristics relates to a location, device type or connection of the network device;
      
      wherein the new ad hoc network is defined by comparing the characteristic of network devices in the initial subset for which it was determined that the suspicious activity condition was satisfied to the characteristic of network devices in the initial subset for which it was determined that the suspicious activity condition was not satisfied.
  - 3. The computer-implemented method as recited in claim 1, further comprising:
    - identifying a characteristic of the source device based on the identified characteristics of each network device in the initial subset, whether the suspicious activity condition is satisfied based on the data included in the communication received from the network device; and
      
      defining the new ad hoc network based on the characteristic of the source device.
  - 4. The computer-implemented method as recited in claim 1, further comprising:
    - identifying a common characteristic of each network device in the one or more network devices for which the suspicious activity condition was determined to be satisfied, wherein the new ad hoc network is defined based on the common characteristic.
  - 5. The computer-implemented method as recited in claim 1, wherein the data in the communication received from each of at least one network device in the initial subset and used to determine whether the suspicious activity condition was satisfied includes a locally detected sensor measurement or resource usage.
  - 6. The computer-implemented method as recited in claim 1, wherein the data in the communication received from each of at least one network device in the initial subset and used to determine whether the suspicious activity condition was satisfied includes a detection of activity of another network device.
  - 7. The computer-implemented method as recited in claim 1, wherein the initial subset includes an incomplete subset of the set of network devices.
  - 8. The computer-implemented method as recited in claim 1, wherein the each network device in the set of network devices located in a same building.
  - 9. The computer-implemented method as recited in claim 1, wherein the evaluating network device and the source network device are different devices.
  - 10. The computer-implemented method as recited in claim 1, wherein the alert communication facilitates a change in operation at a receiving network device that receives the alert communication.

11. A system, comprising:
- one or more data processors; and
  
  a non-transitory computer-readable storage medium containing instructions which when executed on the one or more data processors, cause the one or more processors to perform actions including;
  
  identifying a suspicious activity condition;
  
  defining an initial ad hoc network to include an initial subset of a set of network devices, wherein each network device in the set of network devices is part of a network;
  
  receiving, from each network device in the initial subset, a communication that includes data characterizing a detection made by the network device, wherein the network is configured to facilitate reciprocal monitoring of network-device activity amongst network devices in the network;
  
  determining, for each of one or more network devices in the initial subset, that the suspicious activity condition is satisfied based on the data included in the communication received from the network device; and
  
  identifying a characteristic of each network device in the one or more network devices, wherein the characteristics relates to a location, device type or connection of the network device;
  
  defining a new ad hoc network to include a new subset of the set of network device based on the characteristic of the each network device in the one or more network devices and based on the determination that the suspicious activity condition was satisfied for each network device in the one or more network devices, wherein the new ad hoc network includes a newly included network device that is part of the network, and wherein the initial ad hoc network did not include the newly included network device;
  
  receiving, from each network device in the new subset, a communication that includes data characterizing a detection made by the network device;
  
  identifying a source device as being a source associated with suspicious activity based on the data included in the communication received from each network device in the new subset; and
  
  transmitting an alert communication that corresponds to an indication that the source device is associated with suspicious activity.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19)
- - 12. The system as recited in claim 11, wherein the actions further include:
    - determining, for each network device in the initial subset, whether the suspicious activity condition is satisfied based on the data included in the communication received from the network device; and
      
      identifying a characteristic of each network device in the initial subset, wherein the characteristics relates to a location, device type or connection of the network device;
      
      wherein the new ad hoc network is defined by comparing the characteristic of network devices in the initial subset for which it was determined that the suspicious activity condition was satisfied to the characteristic of network devices in the initial subset for which it was determined that the suspicious activity condition was not satisfied.
  - 13. The system as recited in claim 11, wherein the actions further include:
    - identifying a characteristic of the source device based on the identified characteristics of each network device in the initial subset, whether the suspicious activity condition is satisfied based on the data included in the communication received from the network device; and
      
      defining the new ad hoc network based on the characteristic of the source device.
  - 14. The system as recited in claim 11, wherein the actions further include:
    - identifying a common characteristic of each network device in the one or more network devices for which the suspicious activity condition was determined to be satisfied, wherein the new ad hoc network is defined based on the common characteristic.
  - 15. The system as recited in claim 11, wherein the data in the communication received from each of at least one network device in the initial subset and used to determine whether the suspicious activity condition was satisfied includes a locally detected sensor measurement or resource usage.
  - 16. The system as recited in claim 11, wherein the data in the communication received from each of at least one network device in the initial subset and used to determine whether the suspicious activity condition was satisfied includes a detection of activity of another network device.
  - 17. The system as recited in claim 11, wherein the initial subset includes an incomplete subset of the set of network devices.
  - 18. The system as recited in claim 11, wherein the each network device in the set of network devices located in a same building.
  - 19. The system as recited in claim 11, wherein the alert communication facilitates a change in operation at a receiving network device that receives the alert communication.

20. A computer-program product tangibly embodied in a non-transitory machine-readable storage medium, including instructions configured to cause a data processing apparatus of a network device to perform actions including:
- identifying a suspicious activity condition;
  
  defining an initial ad hoc network to include an initial subset of a set of network devices, wherein each network device in the set of network devices is part of a network;
  
  receiving, from each network device in the initial subset, a communication that includes data characterizing a detection made by the network device, wherein the network is configured to facilitate reciprocal monitoring of network-device activity amongst network devices in the network;
  
  determining, for each of one or more network devices in the initial subset, that the suspicious activity condition is satisfied based on the data included in the communication received from the network device; and
  
  identifying a characteristic of each network device in the one or more network devices, wherein the characteristics relates to a location, device type or connection of the network device;
  
  defining a new ad hoc network to include a new subset of the set of network device based on the characteristic of the each network device in the one or more network devices and based on the determination that the suspicious activity condition was satisfied for each network device in the one or more network devices, wherein the new ad hoc network includes a newly included network device that is part of the network, and wherein the initial ad hoc network did not include the newly included network device;
  
  receiving, from each network device in the new subset, a communication that includes data characterizing a detection made by the network device;
  
  identifying a source device as being a source associated with suspicious activity based on the data included in the communication received from each network device in the new subset; and
  
  transmitting an alert communication that corresponds to an indication that the source device is associated with suspicious activity.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Belkin International Incorporated (Hon Hai Precision Industry Co., Ltd.)
Original Assignee
Belkin International Incorporated (Hon Hai Precision Industry Co., Ltd.)
Inventors
Kim, Ryan Yong
Primary Examiner(s)
MASKULINSKI, MICHAEL C

Application Number

US14/677,733
Publication Number

US 20160070611A1
Time in Patent Office

460 Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 1/26   Power supply means, e.g. re...

G06F 11/0709   in a distributed system con...

G06F 11/0784   Routing of error reports, e...

G06F 11/079   Root cause analysis, i.e. e...

G06F 11/30   Monitoring

G06F 11/3006   where the computing system ...

G06F 11/3055   Monitoring arrangements for...

G06F 21/552   involving long-term monitor...

H04L 12/2803   Home automation networks

H04L 2012/2841   Wireless

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1441   Countermeasures against mal...

H04W 12/08   Access security

H04W 12/12   Detection or prevention of ...

H04W 12/122   Counter-measures against at...

H04W 12/128   Anti-malware arrangements, ...

Coordinated and device-distributed detection of abnormal network device operation

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Coordinated and device-distributed detection of abnormal network device operation

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links