Coordinated and device-distributed detection of abnormal network device operation

US 9,026,841 B1
Filed: 09/09/2014
Issued: 05/05/2015
Est. Priority Date: 09/09/2014
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for detecting suspicious network device activity, comprising:

identifying, at a network device, a suspicious activity condition, wherein evaluation of the condition includes evaluating data corresponding to the network device;

detecting, at the network device, activity of the network device, wherein detecting the activity includes detecting a power spike or above-threshold stimulus;

receiving, at the network device and from each of one or more other network devices, a communication that includes data corresponding to the activity of the network device that indicates that the other network device did not detect the power spike or above-threshold stimulus, wherein the network device and the one or more other network devices are part of a same network;

determining, at the network device, that the suspicious activity condition is satisfied based on the data corresponding to the network device received from each of the one or more other network devices and the detected activity; and

in response to the determining that the suspicious activity condition is satisfied, changing a local operation of the network device.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques for coordinated and device-distributed detection of abnormal network device operation are provided. In some embodiments, a method may include identifying a suspicious activity condition associated with a suspect network device. The suspicious activity condition may also be associated with the device itself. Activity of the network device may be detected and analyzed, including additional data corresponding to the activity from one or more other network devices in the same network. In response to determining that the suspicious activity condition is satisfied, an alert communication can be transmitted that identifies the suspect network device. When the activity is associated with the device itself, a local operation at the network device may be changed.

11 Citations

View as Search Results

70 Claims

1. A computer-implemented method for detecting suspicious network device activity, comprising:
- identifying, at a network device, a suspicious activity condition, wherein evaluation of the condition includes evaluating data corresponding to the network device;
  
  detecting, at the network device, activity of the network device, wherein detecting the activity includes detecting a power spike or above-threshold stimulus;
  
  receiving, at the network device and from each of one or more other network devices, a communication that includes data corresponding to the activity of the network device that indicates that the other network device did not detect the power spike or above-threshold stimulus, wherein the network device and the one or more other network devices are part of a same network;
  
  determining, at the network device, that the suspicious activity condition is satisfied based on the data corresponding to the network device received from each of the one or more other network devices and the detected activity; and
  
  in response to the determining that the suspicious activity condition is satisfied, changing a local operation of the network device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The computer-implemented method as recited in claim 1, wherein changing the local operation includes implementing a new operation or ceasing implementation of an existing operation.
  - 3. The computer-implemented method as recited in claim 1, wherein:
    - detecting the activity of the network device includes detecting a sensor reading;
      
      the data corresponding to the network device includes a corresponding sensor reading detected at the other network device of the one or more other network devices; and
      
      determining that the suspicious activity condition is satisfied includes determining that the detected sensor reading is inconsistent with the sensor reading detected at the other network device.
  - 4. The computer-implemented method as recited in claim 1, wherein satisfaction of the suspicious activity condition is indicative of actual or potential malfunctioning of the network device.
  - 5. The computer-implemented method as recited in claim 1, wherein changing the local operation includes inhibiting transmission from the network device to another network device on the same network.
  - 6. The computer-implemented method as recited in claim 1, wherein changing the local operation includes causing the network device to store data from a location at the network device to a different location at the network device or at another network device on the same network.
  - 7. The computer-implemented method as recited in claim 1, wherein changing the local operation causes the network device to power off.
  - 8. The computer-implemented method as recited in claim 1, wherein changing the local operation includes transmitting a notification from the network device to another network device that is indicative that the suspicious activity condition has been satisfied.
  - 9. The computer-implemented method as recited in claim 1, further comprising:
    - localizing a source part of the same network having operated in a manner to have caused the suspicious activity condition to have been determined to be satisfied.
  - 10. The computer-implemented method as recited in claim 1, wherein the communication that includes data corresponding to the network device is received at the network device from at least one of the other network devices.
  - 11. The computer-implemented method as recited in claim 1, further comprising:
    - identifying, at the network device, a local suspicious activity condition;
      
      determining, at the network device, that the local suspicious activity condition is satisfied based on the detected activity; and
      
      transmitting, in response to determining that the local suspicious activity condition is satisfied, a data-request communication to each of the one or more other network devices, wherein the communication identifies the network device and corresponds to a request for data corresponding to the network device.
  - 12. The computer-implemented method as recited in claim 1, wherein detecting the activity of the network device includes identifying a value corresponding to a transmission frequency or resource usage, and wherein determining that the suspicious activity condition is satisfied includes determining that the value exceeds a threshold.

13. A system, comprising:
- one or more data processors; and
  
  a non-transitory computer-readable storage medium containing instructions which when executed on the one or more data processors, cause the one or more processors to perform actions including;
  
  identifying a suspicious activity condition, wherein evaluation of the condition includes evaluating data corresponding to a network device of the system;
  
  detecting activity of the network device of the system, wherein detecting the activity includes detecting a power spike or above-threshold stimulus;
  
  receiving, from each of one or more other network devices, a communication that includes data corresponding to the activity of the network device that indicates that each of the one or more other network devices of the system did not detect the power spike or above-threshold stimulus, wherein the network device of the system and the one or more other network devices of the system are part of the same network;
  
  determining that the suspicious activity condition is satisfied based on the data corresponding to the network device of the system received from each of the one or more network devices and the detected activity; and
  
  in response to the determining that the suspicious activity condition is satisfied, changing a local operation of the network device of the system.
- View Dependent Claims (14, 15)
- - 14. The system of claim 13, wherein changing the local operation includes inhibiting transmission from the system to another network device on the same network.
  - 15. The system of claim 13, wherein the communication that includes data corresponding to the network device is received at the network device from at least one of the other network devices.

16. A computer-program product tangibly embodied in a non-transitory machine-readable storage medium, including instructions configured to cause a data processing apparatus of a network device to perform actions including:
- identifying a suspicious activity condition, wherein evaluation of the condition includes evaluating data corresponding to the network device;
  
  detecting activity of the network device, wherein detecting the activity includes detecting a power spike or above-threshold stimulus;
  
  receiving, from each of one or more other network devices, a communication that includes data corresponding to the activity of the network device that indicates that each of the one or more other network devices did not detect the power spike or above-threshold stimulus, wherein the network device and the one or more other network devices are part of the same network;
  
  determining that the suspicious activity condition is satisfied based on the data corresponding to the network device received from each of the one or more other network devices and the detected activity; and
  
  in response to the determining that the suspicious activity condition is satisfied, changing a local operation of the network device.
- View Dependent Claims (17, 18, 19)
- - 17. The computer-program product of claim 16, wherein changing the local operation includes transmitting a notification from the network device to another network device that is indicative that the suspicious activity condition has been satisfied.
  - 18. The computer-program product of claim 16, wherein changing the local operation includes implementing a new operation or ceasing implementation of an existing operation.
  - 19. The computer-program product of claim 16, wherein to the actions further include:
    - localizing a source part of the same network having operated in a manner to have caused the suspicious activity condition to have been determined to be satisfied.

20. A computer-implemented method for detecting suspicious network device activity, comprising:
- identifying, at a network device, a suspicious activity condition, wherein evaluation of the suspicious activity condition includes evaluating data corresponding to the network device;
  
  detecting, at the network device, activity of the network device, wherein detecting the activity includes detecting a sensor reading;
  
  receiving, at the network device and from each of one or more other network devices, a communication that includes a sensor reading detected at the other network device and corresponding to the activity of the network device, wherein the network device and the one or more other network devices are part of a same network;
  
  determining, at the network device, that the suspicious activity condition is satisfied based on the sensor reading detected at each of the one or more other network devices and the detected activity of the network device; and
  
  in response to the determining that the suspicious activity condition is satisfied, changing a local operation of the network device.
- View Dependent Claims (21, 22, 23, 24, 25, 26, 27, 28, 29, 30)
- - 21. The computer-implemented method as recited in claim 20, wherein changing the local operation includes implementing a new operation or ceasing implementation of an existing operation.
  - 22. The computer-implemented method as recited in claim 20, wherein satisfaction of the suspicious activity condition is indicative of actual or potential malfunctioning of the network device.
  - 23. The computer-implemented method as recited in claim 20, wherein changing the local operation includes inhibiting transmission from the network device to another network device on the same network.
  - 24. The computer-implemented method as recited in claim 20, wherein changing the local operation includes causing the network device to store data from a location at the network device to a different location at the network device or at another network device on the same network.
  - 25. The computer-implemented method as recited in claim 20, wherein changing the local operation causes the network device to power off.
  - 26. The computer-implemented method as recited in claim 20, wherein changing the local operation includes transmitting a notification from the network device to another network device that is indicative that the suspicious activity condition has been satisfied.
  - 27. The computer-implemented method as recited in claim 20, further comprising:
    - localizing a source part of the same network having operated in a manner to have caused the suspicious activity condition to have been determined to be satisfied.
  - 28. The computer-implemented method as recited in claim 20, wherein the communication that includes data corresponding to the network device is received at the network device from at least one of the other network devices.
  - 29. The computer-implemented method as recited in claim 20, further comprising:
    - identifying, at the network device, a local suspicious activity condition;
      
      determining, at the network device, that the local suspicious activity condition is satisfied based on the detected activity; and
      
      transmitting, in response to determining that the local suspicious activity condition is satisfied, a data-request communication to each of the one or more other network devices, wherein the communication identifies the network device and corresponds to a request for data corresponding to the network device.
  - 30. The computer-implemented method as recited in claim 20, wherein detecting the activity of the network device includes identifying a value corresponding to a transmission frequency or resource usage, and wherein determining that the suspicious activity condition is satisfied includes determining that the value exceeds a threshold.

31. A system, comprising:
- one or more data processors; and
  
  a non-transitory computer-readable storage medium containing instructions which when executed on the one or more data processors, cause the one or more processors to perform actions including;
  
  identifying a suspicious activity condition, wherein evaluation of the suspicious activity condition includes evaluating data corresponding to a network device of the system;
  
  detecting activity of the network device of the system, wherein detecting the activity includes detecting a sensor reading;
  
  receiving from each of one or more network devices, a communication that includes a sensor reading detected at the other network devices corresponding to the activity of the network device, wherein the network device of the system and the one or more other network devices of the system are part of a same network;
  
  determining that the suspicious activity condition is satisfied based on the sensor reading detected at each of the one or more network devices and the detected activity; and
  
  in response to the determining that the suspicious activity condition is satisfied, changing a local operation of the network device of the system.
- View Dependent Claims (32, 33)
- - 32. The system of claim 31, wherein changing the local operation includes inhibiting transmission from the system to another network device on the same network.
  - 33. The system of claim 31, wherein the communication that includes data corresponding to the network device is received at the network device from at least one of the other network devices.

34. A computer-program product tangibly embodied in a non-transitory machine-readable storage medium, including instructions configured to cause a data processing apparatus of a network device to perform actions including:
- identifying a suspicious activity condition, wherein evaluation of the suspicious activity condition includes evaluating data corresponding to the network device;
  
  detecting activity of the network device, wherein detecting the activity includes detecting a sensor reading;
  
  receiving, from each of one or more other network devices, a communication that includes a sensor reading detected at the other network devices and corresponding to the activity of the network device, wherein the network device and the one or more other network devices are part of a same network;
  
  determining that the suspicious activity condition is satisfied based on the sensor reading detected at each of the one or more other network devices and the detected activity of the network device; and
  
  in response to the determining that the suspicious activity condition is satisfied, changing a local operation of the network device.
- View Dependent Claims (35, 36, 37)
- - 35. The computer-program product of claim 34, wherein changing the local operation includes transmitting a notification from the network device to another network device that is indicative that the suspicious activity condition has been satisfied.
  - 36. The computer-program product of claim 34, wherein changing the local operation includes implementing a new operation or ceasing implementation of an existing operation.
  - 37. The computer-program product of claim 34, wherein to the actions further include:
    - localizing a source part of the same network having operated in a manner to have caused the suspicious activity condition to have been determined to be satisfied.

38. A computer-implemented method for detecting suspicious network device activity, comprising:
- identifying, at a network device, a suspicious activity condition, wherein evaluation of the condition includes evaluating data corresponding to the network device;
  
  detecting, at the network device, activity of the network device;
  
  receiving, at the network device and from each of one or more other network devices, a communication that includes data corresponding to the activity of the network device, wherein the network device and the one or more other network devices are part of a same network;
  
  determining, at the network device, that the suspicious activity condition is satisfied based on the data corresponding to the network device received from each of the one or more other network devices and the detected activity; and
  
  in response to the determining that the suspicious activity condition is satisfied, triggering the network device to backup data stored at a location at the network device to a different location at the network device or to another network device on the same network.
- View Dependent Claims (39, 40, 41, 42, 43, 44, 45, 46, 47)
- - 39. The computer-implemented method as recited in claim 38, further comprising:
    - implementing a new operation or ceasing implementation of an existing operation.
  - 40. The computer-implemented method as recited in claim 38, wherein satisfaction of the suspicious activity condition is indicative of actual or potential malfunctioning of the network device.
  - 41. The computer-implemented method as recited in claim 38, further comprising:
    - changing a local operation at the network device including inhibiting transmission from the network device to another network device on the same network.
  - 42. The computer-implemented method as recited in claim 38, wherein in response to the determining that the suspicious activity condition is satisfied, changing a local operation at the network device causing the network device to power off.
  - 43. The computer-implemented method as recited in claim 38, further comprising:
    - transmitting a notification from the network device to another network device that is indicative that the suspicious activity condition has been satisfied.
  - 44. The computer-implemented method as recited in claim 38, further comprising:
    - localizing a source part of the same network having operated in a manner to have caused the suspicious activity condition to have been determined to be satisfied.
  - 45. The computer-implemented method as recited in claim 38, wherein the communication that includes data corresponding to the network device is received at the network device from at least one of the other network devices.
  - 46. The computer-implemented method as recited in claim 38, further comprising:
    - identifying, at the network device, a local suspicious activity condition;
      
      determining, at the network device, that the local suspicious activity condition is satisfied based on the detected activity; and
      
      transmitting, in response to determining that the local suspicious activity condition is satisfied, a data-request communication to each of the one or more other network devices, wherein the communication identifies the network device and corresponds to a request for data corresponding to the network device.
  - 47. The computer-implemented method as recited in claim 38, wherein detecting the activity of the network device includes identifying a value corresponding to a transmission frequency or resource usage, and wherein determining that the suspicious activity condition is satisfied includes determining that the value exceeds a threshold.

48. A system, comprising:
- one or more data processors; and
  
  a non-transitory computer-readable storage medium containing instructions which when executed on the one or more data processors, cause the one or more processors to perform actions including;
  
  identifying a suspicious activity condition, wherein evaluation of the condition includes evaluating data corresponding to a network device of the system;
  
  detecting activity of the network device of the system;
  
  receiving from each of one or more network devices, a communication that includes data corresponding to the activity of the network device, wherein the network device of the system and the one or more other network devices of the system are part of a same network;
  
  determining that the suspicious activity condition is satisfied based on the data corresponding to the network device of the system received from each of the one or more network devices and the detected activity; and
  
  in response to the determining that the suspicious activity condition is satisfied, triggering the network device of the system to backup data stored at a location at the network device to a different location at the network device or to another network device on the same network.
- View Dependent Claims (49, 50)
- - 49. The system of claim 48, wherein in response to the determining that the suspicious activity condition is satisfied, changing a local operation at the network device including inhibiting transmission from the system to another network device on the same network.
  - 50. The system of claim 48, wherein the communication that includes data corresponding to the network device is received at the network device from at least one of the other network devices.

51. A computer-program product tangibly embodied in a non-transitory machine-readable storage medium, including instructions configured to cause a data processing apparatus of a network device to perform actions including:
- identifying a suspicious activity condition, wherein evaluation of the condition includes evaluating data corresponding to the network device;
  
  detecting activity of the network device;
  
  receiving from each of one or more other network devices, a communication that includes data corresponding to the activity of the network device, wherein the network device and the one or more other network devices are part of a same network;
  
  determining that the suspicious activity condition is satisfied based on the data corresponding to the network device received from each of the one or more other network devices and the detected activity; and
  
  in response to the determining that the suspicious activity condition is satisfied, triggering the network device to backup data stored at a location at the network device to a different location at the network device or to another network device on the same network.
- View Dependent Claims (52, 53, 54)
- - 52. The computer-program product of claim 51, wherein the actions further include:
    - transmitting a notification from the network device to another network device that is indicative that the suspicious activity condition has been satisfied.
  - 53. The computer-program product of claim 51, wherein the actions further include:
    - implementing a new operation or ceasing implementation of an existing operation.
  - 54. The computer-program product of claim 51, wherein the actions further include:
    - localizing a source part of the same network having operated in a manner to have caused the suspicious activity condition to have been determined to be satisfied.

55. A computer-implemented method for detecting suspicious network device activity, comprising:
- identifying, at a network device, a suspicious activity condition, wherein evaluation of the condition includes evaluating data corresponding to the network device;
  
  identifying a value corresponding to a transmission frequency or resource usage;
  
  receiving, at the network device and from each of one or more other network devices, a communication that includes data corresponding to activity of the network device, wherein the network device and the one or more other network devices are part of a same network;
  
  determining, at the network device, that the suspicious activity condition is satisfied based on the data corresponding to the network device received from each of the one or more other network devices and the identified value, wherein determining that the suspicious activity condition is satisfied includes determining that the value exceeds a threshold; and
  
  in response to the determining that the suspicious activity condition is satisfied, changing a local operation of the network device.
- View Dependent Claims (56, 57, 58, 59, 60, 61, 62, 63)
- - 56. The computer-implemented method as recited in claim 55, wherein changing the local operation includes implementing a new operation or ceasing implementation of an existing operation.
  - 57. The computer-implemented method as recited in claim 55, wherein satisfaction of the suspicious activity condition is indicative of actual or potential malfunctioning of the network device.
  - 58. The computer-implemented method as recited in claim 55, wherein changing the local operation includes inhibiting transmission from the network device to another network device on the same network.
  - 59. The computer-implemented method as recited in claim 55, wherein changing the local operation causes the network device to power off.
  - 60. The computer-implemented method as recited in claim 55, wherein changing the local operation includes transmitting a notification from the network device to another network device that is indicative that the suspicious activity condition has been satisfied.
  - 61. The computer-implemented method as recited in claim 55, further comprising:
    - localizing a source part of the same network having operated in a manner to have caused the suspicious activity condition to have been determined to be satisfied.
  - 62. The computer-implemented method as recited in claim 55, wherein the communication that includes data corresponding to the network device is received at the network device from at least one of the other network devices.
  - 63. The computer-implemented method as recited in claim 55, further comprising:
    - identifying, at the network device, a local suspicious activity condition;
      
      determining, at the network device, that the local suspicious activity condition is satisfied based on the detected activity; and
      
      transmitting, in response to determining that the local suspicious activity condition is satisfied, a data-request communication to each of the one or more other network devices, wherein the communication identifies the network device and corresponds to a request for data corresponding to the network device.

64. A system, comprising:
- one or more data processors; and
  
  a non-transitory computer-readable storage medium containing instructions which when executed on the one or more data processors, cause the one or more processors to perform actions including;
  
  identifying a suspicious activity condition, wherein evaluation of the condition includes evaluating data corresponding to a network device of the system;
  
  identifying a value corresponding to a transmission frequency or resource usage;
  
  receiving, from each of one or more network devices, a communication that includes data corresponding to activity of network device, wherein the network device of the system and the one or more other network devices of the system are part of a same network;
  
  determining that the suspicious activity condition is satisfied based on the data corresponding to the network device of the system received from each of the one or more network devices and the identified value, wherein determining that the suspicious activity condition is satisfied includes determining that the value exceeds a threshold; and
  
  in response to the determining that the suspicious activity condition is satisfied, changing a local operation of the network device of the system.
- View Dependent Claims (65, 66)
- - 65. The system of claim 64, wherein changing the local operation includes inhibiting transmission from the system to another network device on the same network.
  - 66. The system of claim 64, wherein the communication that includes data corresponding to the network device is received at the network device from at least one of the other network devices.

67. A computer-program product tangibly embodied in a non-transitory machine-readable storage medium, including instructions configured to cause a data processing apparatus of a network device to perform actions including:
- identifying a suspicious activity condition, wherein evaluation of the condition includes evaluating data corresponding to the network device;
  
  identifying a value corresponding to a transmission frequency or resource usage;
  
  receiving, from each of one or more other network devices, a communication that includes data corresponding to activity of the network device, wherein the network device and the one or more other network devices are part of a same network;
  
  determining that the suspicious activity condition is satisfied based on the data corresponding to the network device received from each of the one or more other network devices and the identified value, wherein determining that the suspicious activity condition is satisfied includes determining that the value exceeds a threshold; and
  
  in response to the determining that the suspicious activity condition is satisfied, changing a local operation of the network device.
- View Dependent Claims (68, 69, 70)
- - 68. The computer-program product of claim 67, wherein changing the local operation includes transmitting a notification from the network device to another network device that is indicative that the suspicious activity condition has been satisfied.
  - 69. The computer-program product of claim 67, wherein changing the local operation includes implementing a new operation or ceasing implementation of an existing operation.
  - 70. The computer-program product of claim 67, wherein to the actions further include:
    - localizing a source part of the same network having operated in a manner to have caused the suspicious activity condition to have been determined to be satisfied.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Belkin International Incorporated (Hon Hai Precision Industry Co., Ltd.)
Original Assignee
Belkin International Incorporated (Hon Hai Precision Industry Co., Ltd.)
Inventors
Kim, Ryan Yong
Primary Examiner(s)
MASKULINSKI, MICHAEL C

Application Number

US14/481,617
Time in Patent Office

238 Days
Field of Search
US Class Current

714/4.3
CPC Class Codes

G06F 1/26   Power supply means, e.g. re...

G06F 11/0709   in a distributed system con...

G06F 11/0784   Routing of error reports, e...

G06F 11/079   Root cause analysis, i.e. e...

G06F 11/30   Monitoring

G06F 11/3006   where the computing system ...

G06F 11/3055   Monitoring arrangements for...

G06F 21/552   involving long-term monitor...

H04L 12/2803   Home automation networks

H04L 2012/2841   Wireless

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1441   Countermeasures against mal...

H04W 12/08   Access security

H04W 12/12   Detection or prevention of ...

H04W 12/122   Counter-measures against at...

H04W 12/128   Anti-malware arrangements, ...

Coordinated and device-distributed detection of abnormal network device operation

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

11 Citations

70 Claims

Specification

Solutions

Use Cases

Quick Links

Coordinated and device-distributed detection of abnormal network device operation

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

11 Citations

70 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links