Malicious object detection in a runtime environment
US-10552609-B2 · Feb 4, 2020 · US
US11201882B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-11201882-B2 |
| Application number | US-201816203681-A |
| Country | US |
| Kind code | B2 |
| Filing date | Nov 29, 2018 |
| Priority date | Nov 30, 2017 |
| Publication date | Dec 14, 2021 |
| Grant date | Dec 14, 2021 |
Official abstract text for this publication.
A method of monitoring network traffic in a communication network with a sentinel module to detect malicious activity is described. A gateway sentinel module receives network traffic directed through a gateway installed for a local distribution of the network, the gateway connecting the local distribution of the network to a core of the network. Malicious activity in the local distribution is detected based on a combination of: a local machine-learning model for identifying malicious activity in the local distribution, the local machine-learning model modelling network traffic from the local distribution; and a global machine-learning model. The global machine-learning model models network traffic from a plurality of local distributions of the network based on training data from a plurality of local sentinel modules executed on a respective plurality of computing nodes. The computing nodes respectively receive network traffic from the plurality of local distributions. A corresponding device and system are also described.
Opening claim text (preview).
What is claimed is:

1. A method of monitoring network traffic in a communication network with a sentinel module to detect malicious activity, the method comprising: using a gateway sentinel module to receive network traffic directed through a gateway installed for a local distribution of the network, the gateway connecting the local distribution of the network to a core of the network; and detecting malicious activity in the local distribution based on a combination of: a local machine-learning model for identifying malicious activity in the local distribution, the local machine-learning model modelling network traffic from the local distribution; and a global machine-learning model, the global machine-learning model modelling network traffic from a plurality of local distributions of the network based on training data from a plurality of local sentinel modules executed on a respective plurality of computing nodes, the computing nodes respectively receiving network traffic from the plurality of local distributions; wherein said detecting malicious activity based on said combination of the local machine-learning model and the global machine-learning model comprises one of: (i) determining a first correlation score based on a correlation between received traffic and the local model, in an event that the first correlation score satisfies a first predefined criterion, determining a second correlation score, the second correlation score being based on a correlation between received traffic and at least the global model, and in an event that the second correlation score satisfies a second predefined criterion, deciding that the traffic is at least potentially malicious; and (ii) determining a first correlation score based on a correlation between received traffic and the local model, determining a second correlation score based on a correlation between received traffic and the global model, combining the first correlation score and the second correlation score, and in an event that the combined correlation score satisfies a predefined criterion, deciding that the traffic is at least potentially malicious.
2. The method according to claim 1, wherein the method further comprises training the local machine-learning model based on received network traffic directed through a gateway.
3. The method according to claim 2, wherein training the local machine-learning model comprises at least one of: deriving the local machine-learning model based on training data extracted from network traffic directed through a gateway; and updating the local machine-learning model based on training data extracted from network traffic directed through a gateway.
4. The method according to claim 1, wherein the local machine-learning model models network traffic from the local distribution by mapping, for at least one type of device connected to the gateway, a characteristic of traffic from the device.
5. The method according to claim 1, wherein the second correlation score is additionally based on a correlation between received traffic and the local model.
6. A method according to claim 1, wherein the method comprises: receiving the global machine-learning model from a remote computing node connected to a Wide Area Network, the remote computing node using a remote sentinel module to manage the global machine-learning model, the remote computing node being outside the local distribution.
7. A method according to claim 6, wherein the method comprises maintaining the global machine-learning model in the remote computing node, wherein maintaining the global machine-learning model comprises updating the machine-learning model based on the training data.
8. A method according to claim 6, wherein the method comprises: receiving, at the remote computing node, network traffic from each of the plurality of computing nodes; and, based on the global machine-learning model, detecting malicious activity in the received network traffic from any one of the local distributions.
9. A method according to claim 6, wherein the method further comprises: based on at least the local machine-learning model, detecting unusual network activity in network traffic received by the gateway sentinel module; and instructing transmission of data relating to the unusual network activity to the remote computing node.
10. A method according to claim 1, wherein the method comprises: extracting a parameter set from network traffic received by the gateway sentinel module; and, based on a relationship between the parameter set and at least the local machine-learning model, deciding whether the network traffic from which the parameter set was extracted is malicious.
11. A method according to claim 10, wherein the decision is based on an estimated probability of the parameter set occurring from non-malicious network activity.
12. A method according to claim 10, wherein the extracted parameter set comprises at least one of: packet-rate; data-rate; and a highest frequency component of a frequency spectrum of the received data.
13. A method according to claim 10, wherein the parameter set consists of packet-rate.
14. A method according to claim 1, wherein the training data for maintaining the local machine-learning model comprises data from at least one device communicating with an Internet-of-Things (IoT) service.
15. A method according to claim 1, wherein the received network traffic is Internet-of-Things (IoT) traffic.
16. A communications device for monitoring network traffic in a communication network to detect malicious activity, the device comprising: a communications module for receiving network traffic between a core of the network and devices in a local distribution of the network; a memory for storing computer-readable instructions; and a processor for executing the instructions, wherein upon executing the instructions, the processor is configured to: detect malicious activity in the local distribution based on a combination of: a local machine-learning model for identifying malicious activity in the local distribution, the local machine-learning model modelling network traffic from the local distribution; and a global machine-learning model, the global machine-learning model modelling network traffic from a plurality of local distributions of the network based on training data from a plurality of local sentinel modules executed on a respective plurality of computing nodes, the computing nodes respectively receiving network traffic from the plurality of local distributions; wherein detecting said malicious activity based on said combination of the local machine-learning model and the global machine-learning model comprises one of: i) determining a first correlation score based on a correlation between received traffic and the local model, in an event that the first correlation score satisfies a first predefined criterion, determining a second correlation score, the second correlation score being based on a correlation between received traffic and at least the global model, and in an event that the second correlation score satisfies a second predefined criterion, deciding that the traffic is at least potentially malicious; and ii) determining a first correlation score based on a correlation between received traffic and the local model, determining a second correlation score based on a correlation between received traffic and the global model, combining the first correlation score and the second correlation score, and in an event that the combined correlation score satisfies a predefined criterion, deciding that the traffic is at lea
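The two detection modes of claim 1, mode (i) with the local model gating a second check against the global model and mode (ii) with both scores combined against one threshold, worked through on constructed traffic windows. This is an added example, not code from the patent or its assignee. The claims name neither the machine-learning models nor the correlation score, so every specific here is an assumption: each model is a per-feature Gaussian baseline of benign parameter sets, the correlation score is the largest absolute z-score (larger means less like the model's benign traffic), the 3.0 thresholds and the 0.5 weight are arbitrary, and `extract_parameters` covers only the packet-rate and data-rate features of claim 12. The third window, unusual for this local distribution but ordinary across the fleet, is included because it is where the two modes disagree.

```python
"""Claim 1 detection logic in mode (i) (sequential gate) and mode (ii) (combined score).

Added example, not code from the patent. The claims do not name the models or the
correlation score, so each model is a per-feature Gaussian baseline of benign
parameter sets and the score is the largest absolute z-score (higher = less like
the model's benign traffic). Thresholds, weights and all traffic data are constructed.
"""
from statistics import mean, pstdev


def extract_parameters(packets, window_s):
    """Parameter set of claim 12 (packet-rate, data-rate) from one window of
    (timestamp_s, size_bytes) records; the spectral feature is omitted here."""
    return {
        "packet_rate": len(packets) / window_s,                     # packets per second
        "data_rate": sum(size for _, size in packets) / window_s,   # bytes per second
    }


class BaselineModel:
    """Per-feature Gaussian baseline of benign parameter sets; stands in for the
    local model (fitted at the gateway) and the global model (fitted remotely)."""

    def __init__(self, samples):
        keys = samples[0].keys()
        self.mean = {k: mean(s[k] for s in samples) for k in keys}
        # floor the spread so a constant feature cannot produce a division by zero
        self.stdev = {k: max(pstdev(s[k] for s in samples), 1e-9) for k in keys}

    def score(self, params):
        """Correlation score as assumed here: largest |z| over the modelled features."""
        return max(abs(params[k] - self.mean[k]) / self.stdev[k] for k in self.mean)


def detect_sequential(params, local, glob, first_threshold=3.0, second_threshold=3.0):
    """Mode (i): the local model gates; only locally unusual traffic is scored
    against the global model, and both must exceed their thresholds to flag.
    Returns (flag, local_score, global_score_or_None)."""
    first = local.score(params)
    if first <= first_threshold:
        return False, first, None
    second = glob.score(params)
    return second > second_threshold, first, second


def detect_combined(params, local, glob, weight_local=0.5, threshold=3.0):
    """Mode (ii): weighted mean of the two scores against a single threshold.
    Returns (flag, combined_score)."""
    combined = weight_local * local.score(params) + (1 - weight_local) * glob.score(params)
    return combined > threshold, combined


# Constructed training data: per-window parameter sets of benign traffic.
LOCAL_BENIGN = [  # one local distribution of small, chatty IoT devices
    {"packet_rate": 8, "data_rate": 1600}, {"packet_rate": 10, "data_rate": 2000},
    {"packet_rate": 12, "data_rate": 2400}, {"packet_rate": 10, "data_rate": 2000},
]
GLOBAL_BENIGN = [  # as reported by local sentinels in four other distributions
    {"packet_rate": 10, "data_rate": 2000}, {"packet_rate": 20, "data_rate": 4000},
    {"packet_rate": 30, "data_rate": 6000}, {"packet_rate": 40, "data_rate": 8000},
]

# Constructed one-second windows of (timestamp_s, size_bytes) seen at the gateway.
WINDOWS = {
    "benign": [(i * 0.09, 190) for i in range(10)] + [(0.95, 200)],   # 11 pkt, 2100 B
    "local_only_anomaly": [(i / 30, 200) for i in range(30)],          # 30 pkt, 6000 B
    "flood": [(i / 500, 120) for i in range(500)],                     # 500 pkt, 60000 B
}


def run_demo(window_s=1.0):
    """Score every window under both modes; returns a dict keyed by window name."""
    local, glob = BaselineModel(LOCAL_BENIGN), BaselineModel(GLOBAL_BENIGN)
    results = {}
    for name, packets in WINDOWS.items():
        params = extract_parameters(packets, window_s)
        seq_flag, local_score, gated_global = detect_sequential(params, local, glob)
        comb_flag, combined = detect_combined(params, local, glob)
        results[name] = {
            "params": params,
            "local_score": local_score,
            "global_score": glob.score(params),
            "global_checked": gated_global is not None,  # did mode (i) reach stage two?
            "sequential": seq_flag,
            "combined_score": combined,
            "combined": comb_flag,
        }
    return results


if __name__ == "__main__":
    for name, r in run_demo().items():
        print(f"{name:20s} local={r['local_score']:7.2f} global={r['global_score']:6.2f} "
              f"mode(i)={r['sequential']!s:5s} mode(ii)={r['combined']!s:5s}")
```

Running the file prints one line per window. The flood is flagged in both modes and the benign window in neither. The locally unusual window passes the mode (i) gate (local z of about 14) but is cleared by the global model (z below 0.5), whereas the weighted sum of mode (ii) still exceeds the threshold; which behaviour is wanted is exactly the choice the claim leaves to the implementer, and in a deployment it would be tuned against the false-positive rate the local operator can tolerate.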
CPC classifications:

- Dynamic search techniques; Heuristics; Dynamic trees; Branch-and-bound
- Probabilistic graphical models, e.g. probabilistic networks
- Combinations of networks
- Distributed learning, e.g. federated learning
- Supervised learning