Coordinated and device-distributed detection of abnormal network device operation
Abstract
Techniques for coordinated and device-distributed detection of abnormal network device operation are provided. In some embodiments, a method may include identifying a suspicious activity condition associated with a suspect network device. The suspicious activity condition may also be associated with the device itself. Activity of the network device may be detected and analyzed, including additional data corresponding to the activity from one or more other network devices in the same network. In response to determining that the suspicious activity condition is satisfied, an alert communication can be transmitted that identifies the suspect network device. When the activity is associated with the device itself, a local operation at the network device may be changed.
70 Claims
1. A computer-implemented method for detecting suspicious network device activity, comprising:
identifying, at a network device, a suspicious activity condition, wherein evaluation of the condition includes evaluating data corresponding to the network device;
detecting, at the network device, activity of the network device, wherein detecting the activity includes detecting a power spike or above-threshold stimulus;
receiving, at the network device and from each of one or more other network devices, a communication that includes data corresponding to the activity of the network device that indicates that the other network device did not detect the power spike or above-threshold stimulus, wherein the network device and the one or more other network devices are part of a same network;
determining, at the network device, that the suspicious activity condition is satisfied based on the data corresponding to the network device received from each of the one or more other network devices and the detected activity; and
in response to the determining that the suspicious activity condition is satisfied, changing a local operation of the network device.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12
13. A system, comprising:
one or more data processors; and
a non-transitory computer-readable storage medium containing instructions which when executed on the one or more data processors, cause the one or more processors to perform actions including;
identifying a suspicious activity condition, wherein evaluation of the condition includes evaluating data corresponding to a network device of the system;
detecting activity of the network device of the system, wherein detecting the activity includes detecting a power spike or above-threshold stimulus;
receiving, from each of one or more other network devices, a communication that includes data corresponding to the activity of the network device that indicates that each of the one or more other network devices of the system did not detect the power spike or above-threshold stimulus, wherein the network device of the system and the one or more other network devices of the system are part of the same network;
determining that the suspicious activity condition is satisfied based on the data corresponding to the network device of the system received from each of the one or more network devices and the detected activity; and
in response to the determining that the suspicious activity condition is satisfied, changing a local operation of the network device of the system.
Dependent claims: 14, 15
16. A computer-program product tangibly embodied in a non-transitory machine-readable storage medium, including instructions configured to cause a data processing apparatus of a network device to perform actions including:
identifying a suspicious activity condition, wherein evaluation of the condition includes evaluating data corresponding to the network device;
detecting activity of the network device, wherein detecting the activity includes detecting a power spike or above-threshold stimulus;
receiving, from each of one or more other network devices, a communication that includes data corresponding to the activity of the network device that indicates that each of the one or more other network devices did not detect the power spike or above-threshold stimulus, wherein the network device and the one or more other network devices are part of the same network;
determining that the suspicious activity condition is satisfied based on the data corresponding to the network device received from each of the one or more other network devices and the detected activity; and
in response to the determining that the suspicious activity condition is satisfied, changing a local operation of the network device.
Dependent claims: 17, 18, 19
20. A computer-implemented method for detecting suspicious network device activity, comprising:
identifying, at a network device, a suspicious activity condition, wherein evaluation of the suspicious activity condition includes evaluating data corresponding to the network device;
detecting, at the network device, activity of the network device, wherein detecting the activity includes detecting a sensor reading;
receiving, at the network device and from each of one or more other network devices, a communication that includes a sensor reading detected at the other network device and corresponding to the activity of the network device, wherein the network device and the one or more other network devices are part of a same network;
determining, at the network device, that the suspicious activity condition is satisfied based on the sensor reading detected at each of the one or more other network devices and the detected activity of the network device; and
in response to the determining that the suspicious activity condition is satisfied, changing a local operation of the network device.
Dependent claims: 21, 22, 23, 24, 25, 26, 27, 28, 29, 30
31. A system, comprising:
one or more data processors; and
a non-transitory computer-readable storage medium containing instructions which when executed on the one or more data processors, cause the one or more processors to perform actions including;
identifying a suspicious activity condition, wherein evaluation of the suspicious activity condition includes evaluating data corresponding to a network device of the system;
detecting activity of the network device of the system, wherein detecting the activity includes detecting a sensor reading;
receiving from each of one or more network devices, a communication that includes a sensor reading detected at the other network devices corresponding to the activity of the network device, wherein the network device of the system and the one or more other network devices of the system are part of a same network;
determining that the suspicious activity condition is satisfied based on the sensor reading detected at each of the one or more network devices and the detected activity; and
in response to the determining that the suspicious activity condition is satisfied, changing a local operation of the network device of the system.
Dependent claims: 32, 33
34. A computer-program product tangibly embodied in a non-transitory machine-readable storage medium, including instructions configured to cause a data processing apparatus of a network device to perform actions including:
identifying a suspicious activity condition, wherein evaluation of the suspicious activity condition includes evaluating data corresponding to the network device;
detecting activity of the network device, wherein detecting the activity includes detecting a sensor reading;
receiving, from each of one or more other network devices, a communication that includes a sensor reading detected at the other network devices and corresponding to the activity of the network device, wherein the network device and the one or more other network devices are part of a same network;
determining that the suspicious activity condition is satisfied based on the sensor reading detected at each of the one or more other network devices and the detected activity of the network device; and
in response to the determining that the suspicious activity condition is satisfied, changing a local operation of the network device.
Dependent claims: 35, 36, 37
38. A computer-implemented method for detecting suspicious network device activity, comprising:
identifying, at a network device, a suspicious activity condition, wherein evaluation of the condition includes evaluating data corresponding to the network device;
detecting, at the network device, activity of the network device;
receiving, at the network device and from each of one or more other network devices, a communication that includes data corresponding to the activity of the network device, wherein the network device and the one or more other network devices are part of a same network;
determining, at the network device, that the suspicious activity condition is satisfied based on the data corresponding to the network device received from each of the one or more other network devices and the detected activity; and
in response to the determining that the suspicious activity condition is satisfied, triggering the network device to backup data stored at a location at the network device to a different location at the network device or to another network device on the same network.
Dependent claims: 39, 40, 41, 42, 43, 44, 45, 46, 47
48. A system, comprising:
one or more data processors; and
a non-transitory computer-readable storage medium containing instructions which when executed on the one or more data processors, cause the one or more processors to perform actions including;
identifying a suspicious activity condition, wherein evaluation of the condition includes evaluating data corresponding to a network device of the system;
detecting activity of the network device of the system;
receiving from each of one or more network devices, a communication that includes data corresponding to the activity of the network device, wherein the network device of the system and the one or more other network devices of the system are part of a same network;
determining that the suspicious activity condition is satisfied based on the data corresponding to the network device of the system received from each of the one or more network devices and the detected activity; and
in response to the determining that the suspicious activity condition is satisfied, triggering the network device of the system to backup data stored at a location at the network device to a different location at the network device or to another network device on the same network.
Dependent claims: 49, 50
51. A computer-program product tangibly embodied in a non-transitory machine-readable storage medium, including instructions configured to cause a data processing apparatus of a network device to perform actions including:
identifying a suspicious activity condition, wherein evaluation of the condition includes evaluating data corresponding to the network device;
detecting activity of the network device;
receiving from each of one or more other network devices, a communication that includes data corresponding to the activity of the network device, wherein the network device and the one or more other network devices are part of a same network;
determining that the suspicious activity condition is satisfied based on the data corresponding to the network device received from each of the one or more other network devices and the detected activity; and
in response to the determining that the suspicious activity condition is satisfied, triggering the network device to backup data stored at a location at the network device to a different location at the network device or to another network device on the same network.
Dependent claims: 52, 53, 54
55. A computer-implemented method for detecting suspicious network device activity, comprising:
identifying, at a network device, a suspicious activity condition, wherein evaluation of the condition includes evaluating data corresponding to the network device;
identifying a value corresponding to a transmission frequency or resource usage;
receiving, at the network device and from each of one or more other network devices, a communication that includes data corresponding to activity of the network device, wherein the network device and the one or more other network devices are part of a same network;
determining, at the network device, that the suspicious activity condition is satisfied based on the data corresponding to the network device received from each of the one or more other network devices and the identified value, wherein determining that the suspicious activity condition is satisfied includes determining that the value exceeds a threshold; and
in response to the determining that the suspicious activity condition is satisfied, changing a local operation of the network device.
Dependent claims: 56, 57, 58, 59, 60, 61, 62, 63
64. A system, comprising:
one or more data processors; and
a non-transitory computer-readable storage medium containing instructions which when executed on the one or more data processors, cause the one or more processors to perform actions including;
identifying a suspicious activity condition, wherein evaluation of the condition includes evaluating data corresponding to a network device of the system;
identifying a value corresponding to a transmission frequency or resource usage;
receiving, from each of one or more network devices, a communication that includes data corresponding to activity of network device, wherein the network device of the system and the one or more other network devices of the system are part of a same network;
determining that the suspicious activity condition is satisfied based on the data corresponding to the network device of the system received from each of the one or more network devices and the identified value, wherein determining that the suspicious activity condition is satisfied includes determining that the value exceeds a threshold; and
in response to the determining that the suspicious activity condition is satisfied, changing a local operation of the network device of the system.
Dependent claims: 65, 66
67. A computer-program product tangibly embodied in a non-transitory machine-readable storage medium, including instructions configured to cause a data processing apparatus of a network device to perform actions including:
identifying a suspicious activity condition, wherein evaluation of the condition includes evaluating data corresponding to the network device;
identifying a value corresponding to a transmission frequency or resource usage;
receiving, from each of one or more other network devices, a communication that includes data corresponding to activity of the network device, wherein the network device and the one or more other network devices are part of a same network;
determining that the suspicious activity condition is satisfied based on the data corresponding to the network device received from each of the one or more other network devices and the identified value, wherein determining that the suspicious activity condition is satisfied includes determining that the value exceeds a threshold; and
in response to the determining that the suspicious activity condition is satisfied, changing a local operation of the network device.
Dependent claims: 68, 69, 70
Specification