US11777965B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-11777965-B2 |
| Application number | US-201916445203-A |
| Country | US |
| Kind code | B2 |
| Filing date | Jun 18, 2019 |
| Priority date | Jun 18, 2018 |
| Publication date | Oct 3, 2023 |
| Grant date | Oct 3, 2023 |
Official abstract text for this publication.
Techniques for providing Internet of Things (IoT) security are disclosed. An applicable system includes profiling IoT devices to limit the number of network signatures applicable to the IoT devices and performing pattern matching using a pattern that is appropriate for the profile of a given IoT device.
Opening claim text (preview).
The invention claimed is:

1. A method of detecting undesirable behavior of an Internet-of-Things (IoT) device, the method comprising: associating a first subset of patterns of a superset of patterns with a first IoT device profile of a plurality of IoT device profiles; attributing the first IoT device profile to a first IoT device; detecting first IoT device events, the first IoT device events including one or more network sessions of the first IoT device; generating an activity data structure from the first IoT device events and from other events, including by abstracting at least one of the first IoT device events or the other events, wherein the abstracting of the at least one of the first IoT device events or the other events entails a loss of data associated with events in favor of a more useful characterization of activities associated with IoT devices, wherein the generated activity data structure comprises a labeled collection of events, and wherein at least one of the other events comprises a non-network event; determining an activity of the first IoT device based on the activity data structure; applying the first subset of patterns to the activity of the first IoT device; and generating an alert when an application of the first subset of patterns to the activity of the first IoT device is indicative of undesirable behavior for a device to which the first IoT device profile is attributed.
2. The method of claim 1, wherein the first IoT device profile is attributed to the first IoT device prior to deployment of the first IoT device.
3. The method of claim 1, wherein the first IoT device profile is attributed to the first IoT device after deployment of the first IoT device.
4. The method of claim 1, wherein the first IoT device profile is attributed to the first IoT device after deployment of the first IoT device, and the first IoT device profile is a default IoT device profile that is dynamically modified using available data.
5. The method of claim 1, wherein the first IoT device events are detected using passive monitoring.
6. The method of claim 1, wherein the first IoT device events are detected using packet headers in messages sent to or from the first IoT device.
7. The method of claim 1, wherein the first IoT device events are aggregated to form one or more composite first IoT device events using machine learning.
8. The method of claim 1, wherein the first IoT device events are aggregated to form one or more composite first IoT device events using a device implemented as part of a local area network (LAN) that includes the first IoT device.
9. The method of claim 1, wherein the first IoT device does not have a history of previously exhibited undesirable behavior, and the undesirable behavior includes anomalous behavior of the first IoT device.
10. The method of claim 1, wherein the first IoT device has a history of previously exhibited undesirable behavior, and the undesirable behavior includes normal behavior of the first IoT device.
11. A system comprising: a processor configured to: associate a first subset of patterns of a superset of patterns with a first IoT device profile of a plurality of IoT device profiles; attribute the first IoT device profile to a first IoT device; detect first IoT device events, the first IoT device events including one or more network sessions of the first IoT device; generate an activity data structure from the first IoT device events and from other events, including by abstracting at least one of the first IoT device events or the other events, wherein the abstracting of the at least one of the first IoT device events or the other events entails a loss of data associated with events in favor of a more useful characterization of activities associated with IoT devices, wherein the generated activity data structure comprises a labeled collection of events, and wherein at least one of the other events comprises a non-network event; determine an activity of the first IoT device based on the activity data structure; apply the first subset of patterns to the activity of the first IoT device; and generate an alert when an application of the first subset of patterns to the activity of the first IoT device is indicative of undesirable behavior for a device to which the first IoT device profile is attributed; and a memory coupled to the processor and configured to provide the processor with instructions.
12. The system of claim 11, wherein the first IoT device profile is attributed to the first IoT device prior to deployment of the first IoT device.
13. The system of claim 11, wherein the first IoT device profile is attributed to the first IoT device after deployment of the first IoT device.
14. The system of claim 11, wherein the first IoT device profile is attributed to the first IoT device after deployment of the first IoT device, and the first IoT device profile is a default IoT device profile that is dynamically modified using available data.
15. The system of claim 11, wherein the first IoT device events are detected using passive monitoring.
16. The system of claim 11, wherein the first IoT device events are detected using packet headers in messages sent to or from the first IoT device.
17. The system of claim 11, wherein the processor is further configured to aggregate the first IoT device events to form one or more composite first IoT device events using machine learning.
18. The system of claim 11, wherein the processor is further configured to aggregate the first IoT device events to form one or more composite first IoT device events using a device implemented as part of a local area network (LAN) that includes the first IoT device.
19. The system of claim 11, wherein the first IoT device does not have a history of previously exhibited undesirable behavior, and the undesirable behavior includes anomalous behavior of the first IoT device.
20. The system of claim 11, wherein the first IoT device has a history of previously exhibited undesirable behavior, and the undesirable behavior includes normal behavior of the first IoT device.
21. The method of claim 1, wherein a plurality of discrete events are aggregated to form one or more composite events using machine learning.
22. The method of claim 21, wherein the one or more composite events are formed using common factor aggregation.
23. The method of claim 22, wherein a common factor used in the common factor aggregation includes a device profile common to a plurality of devices.
24. The method of claim 22, wherein a common factor used in the common factor aggregation includes an operating system vendor common to a plurality of devices.
25. The method of claim 22, wherein a common factor used in the common factor aggregation includes an operating system version common to a plurality of devices.
26. The method of claim 22, wherein a common factor used in the common factor aggregation includes use of an application common to a plurality of devices.
27. The method of claim 22, wherein a common factor used in the common factor aggregation includes communication via a particular subnetwork common to a plurality of devices.
28. The method of claim 1, wherein the abstracting includes enriching at least one event.
29. The method of claim 28, wherein the enriching includes associating data with an event.
Traffic logging, e.g. anomaly detection · CPC title
Machine learning · CPC title
for managing network security; network security policies in general (filtering policies H04L63/0227) · CPC title
specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks · CPC title