Multi-dimensional periodicity detection of IOT device behavior

US12289328B2 · US · B2

Patent metadata
Publication number: US-12289328-B2
Application number: US-201916653898-A
Country: US
Kind code: B2
Filing date: Oct 15, 2019
Priority date: Oct 15, 2018
Publication date: Apr 29, 2025
Grant date: Apr 29, 2025

How to read this patent

A practical reading order for non-experts. Skip the full description unless you need deep technical detail.

  1. Title

    What the patent document calls the invention.

  2. Abstract

    A short plain-language summary of the technical disclosure.

  3. Assignees and inventors

    Who owns or filed the patent and who is credited as inventor.

  4. Key dates

    Filing, priority, publication, and grant dates set the timeline.

  5. First independent claim

    The legal scope of protection — read this for what is actually claimed.

  6. CPC / IPC classifications

    Technology tags used to group this patent with similar filings.

  7. Citations and related patents

    Prior art links and similar publications in this corpus.

Abstract

Official abstract text for this publication.

Techniques for detecting anomalous behavior of an Internet-of-Things (IoT) device in an IoT network. IoT events of an IoT device are captured and analyzed to identify periodic activities of the IoT device. The periodic activities of the IoT device are tracked over time, and variations in the periodic activities are analyzed to assess potential threats to the IoT network.

First claim

Opening claim text (preview).

The invention claimed is:

1. A method comprising: capturing, by an event capture engine configured to listen for communications, a plurality of IoT events associated with a first IoT device, at least in part by analyzing at least one packet associated with a first communication that involves the first IoT device; generating a plurality of IoT signal features from the plurality of IoT events, wherein: at least some of the plurality of IoT signal features are associated, collectively, with a first activity of the first IoT device and a second activity of the first IoT device; the plurality of IoT signal features include: a start time value, an end time value, an interval value, and an interval fluctuation; a set of the plurality of IoT signal features are usable as a signature of the first IoT device and a first IoT application; the first activity of the first IoT device comprises a plurality of events and wherein the second activity of the first IoT device comprises a single event; and at least some of the plurality of signal features are clustered, using machine learning, into a group that is labeled as the first activity of the first IoT device; extracting background event context from first and second IoT events; generating a set of periodic activity instance descriptors based on the plurality of IoT signal features and the background event context, wherein the set of periodic activity instance descriptors comprises data structures that describe an activity of the first IoT device using the start time value, the end time value, the interval value, and the interval fluctuation; identifying a respective different first and second periodic activity of the first IoT device based on the set of periodic activity instance descriptors and external context; determining that an expected periodicity of at least one of the first and second periodic activities of a second IoT device is an anomalous periodicity, at least in part by comparing an observed interval to a periodic activity instance descriptor included in the set of periodic activity instance descriptors of the first IoT device to a periodic activity instance descriptor included in a set of periodic activity instance descriptors of the second IoT device; and taking a remedial action in response to detecting the anomalous periodicity, including by concluding, based at least in part on the anomalous periodicity, that the second IoT device is at least one of: (1) erroneously misclassified as sharing classification of the first IoT device, (2) has been moved or repurposed to do something other than expected, and (3) has not responded to patch or version changes, and enforcing a policy against the second IoT device based on the conclusion.

2. The method of claim 1, wherein taking the remedial action further includes generating an alert that indicates that a periodicity of a detected activity of the first IoT device cannot be matched to an expected periodicity.

3. The method of claim 1, wherein taking the remedial action further includes generating an alert that indicates that a periodicity of a detected activity of the first IoT device matches an expected periodicity of a periodic activity known to be malicious.

4. The method of claim 1, wherein taking the remedial action further includes generating an alert that indicates that an expected periodic activity of the first IoT device fails to occur.

5. The method of claim 1, wherein the expected periodicity is determined using a Fourier transform algorithm, a p-score based algorithm, or an exponential distribution algorithm.

6. The method of claim 1, wherein the expected periodicity is determined using time series correlation.

7. The method of claim 1, wherein the set of periodic activity instance descriptors are generated using normalization techniques.

8. The method of claim 1, wherein the set of periodic activity instance descriptors includes one or more of an activity ID, a periodic activity ID, multi-dimensional consolidated feature values, feature value ranges, device ID, application ID, user ID, sampling intervals, feature class, feature group, feature priorities, algorithm used to classify activity, timestamp, interval value, and interval fluctuation value.

9. A system comprising: a processor configured to: capture a plurality of IoT events associated with a first IoT device, at least in part by analyzing at least one packet associated with a first communication that involves the first IoT device; generate a plurality of IoT signal features from the plurality of IoT events, wherein: at least some of the plurality of IoT signal features are associated, collectively, with a first activity of the first IoT device and a second activity of the first IoT device; the plurality of IoT signal features include: a start time value, an end time value, an interval value, and an interval fluctuation; a set of the plurality of IoT signal features are usable as a signature of the first IoT device and a first IoT application; the first activity of the first IoT device comprises a plurality of events and wherein the second activity of the first IoT device comprises a single event; and at least some of the plurality of IoT signal features are clustered, using machine learning, into a group that is labeled as the first activity of the first IoT device; extract background event context from first and second IoT events; generate a set of periodic activity instance descriptors based on the plurality of IoT signal features and the background event context, wherein the set of periodic activity instance descriptors comprises data structures that describe an activity of the first IoT device using the start time value, the end time value, the interval value, and the interval fluctuation; identify a respective different first and second periodic activity of the first IoT device based on the set of periodic activity instance descriptors and external context; determine that an expected periodicity of at least one of the first and second periodic activities of a second IoT device is an anomalous periodicity, at least in part by comparing an observed interval to a periodic activity instance descriptor included in the set of periodic activity instance descriptors of the first IoT device to a periodic activity instance descriptor included in a set of periodic activity instance descriptors of the second IoT device; and take a remedial action in response to detecting the anomalous periodicity, including by concluding, based at least in part on the anomalous periodicity, that the second IoT device is at least one of: (1) erroneously misclassified as sharing classification of the first IoT device, (2) has been moved or repurposed to do something other than expected, and (3) has not responded to patch or version changes, and enforcing a policy against the second device based on the conclusion; and a memory coupled to the processor and configured to provide the processor with instructions.

10. The system of claim 9, wherein taking the remedial action further includes generating an alert that indicates that a periodicity of a detected activity of the first IoT device cannot be matched to an expected periodicity.

11. The system of claim 9, wherein taking the remedial action further includes generating an alert that indicates that a periodicity of a detected activity of the first IoT device matches an expected periodicity of a periodic activity known to be malicious.

12. The system of claim 9, wherein taking the remedial action further includes generating an alert that indicates that an expected periodic activity of the first IoT device fails to occur.

13. The syste
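The claims describe a pipeline that is easier to see in code than in claim language: group a device's events into activities, summarise each activity with the four claimed features (start time, end time, interval, interval fluctuation), then compare a second device of the same class against that baseline and raise the three alert kinds of claims 2 to 4 (interval cannot be matched, interval matches a known-malicious periodicity, expected activity fails to occur). The example below is added here for illustration and is not code from the patent or its assignee. The period estimator is the mean and population standard deviation of inter-arrival gaps, chosen as the simplest stand-in for the Fourier, p-score, exponential-distribution and time-series-correlation methods the claims list; the device names, activity labels, the "known malicious" interval table, the thresholds and all timestamps are constructed assumptions.

```python
"""Baseline the periodic activities of an IoT device and flag deviations.

Added illustration, not code from the patent or its assignee. The feature
set (start, end, interval, interval fluctuation) follows the claims; the
period estimator (mean and standard deviation of inter-arrival gaps) and all
device names, activity labels, thresholds and timestamps are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class PeriodicActivityDescriptor:
    """One periodic activity of one device, carrying the claimed features."""
    device_id: str
    activity: str        # constructed label, e.g. "tcp/443"
    start: float         # first observed event, epoch seconds
    end: float           # last observed event, epoch seconds
    interval: float      # estimated period in seconds
    fluctuation: float   # spread of the inter-arrival gaps, seconds
    count: int


def build_descriptors(events, min_events=3):
    """Group (timestamp, device, activity) events and summarise each group.

    Returns {device_id: {activity: PeriodicActivityDescriptor}}. Groups with
    fewer than min_events events cannot yield a period and are skipped, so a
    single-event activity shows up only through its absence downstream.
    """
    groups = defaultdict(list)
    for ts, device, activity in events:
        groups[(device, activity)].append(ts)
    out = defaultdict(dict)
    for (device, activity), stamps in groups.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        out[device][activity] = PeriodicActivityDescriptor(
            device, activity, stamps[0], stamps[-1],
            mean(gaps), pstdev(gaps), len(stamps))
    return dict(out)


def assess(baseline, observed, window_end, known_malicious, k=3.0, floor=0.05):
    """Compare one device's descriptors against a baseline device's.

    Returns sorted (activity, verdict) pairs for the three alert kinds:
    'unmatched'       observed interval outside baseline +/- k*fluctuation
                      (with a floor of floor*interval for very stable baselines)
    'missing'         expected activity absent, or silent for more than k
                      baseline periods before window_end
    'known_malicious' observed interval within a constructed known-bad range
    """
    findings = []
    for activity, base in baseline.items():
        obs = observed.get(activity)
        if obs is None or window_end - obs.end > k * base.interval:
            findings.append((activity, "missing"))
            continue
        tolerance = max(k * base.fluctuation, floor * base.interval)
        if abs(obs.interval - base.interval) > tolerance:
            findings.append((activity, "unmatched"))
    for activity, obs in observed.items():
        bad = known_malicious.get(activity)
        if bad and abs(obs.interval - bad[0]) <= bad[1]:
            findings.append((activity, "known_malicious"))
    return sorted(findings)


def _series(start, interval, count, jitter):
    """Constructed timestamps: a fixed period plus a repeating jitter pattern."""
    return [start + i * interval + jitter[i % len(jitter)] for i in range(count)]


# Constructed sample input: two cameras of the same nominal class. cam-01 is
# the baseline (a 300 s beacon to tcp/443 and a 1024 s sync to udp/123);
# cam-02 beacons every 60 s instead and has only a single udp/123 event.
EVENTS = (
    [(t, "cam-01", "tcp/443") for t in _series(0, 300, 11, [0, 1, -1, 2, -2])]
    + [(t, "cam-01", "udp/123") for t in _series(5, 1024, 4, [0])]
    + [(t, "cam-02", "tcp/443") for t in _series(0, 60, 51, [0, 1])]
    + [(t, "cam-02", "udp/123") for t in _series(5, 1024, 1, [0])]
)
WINDOW_END = 3100.0
# Constructed "known malicious" periodicity table: activity -> (interval, tolerance).
KNOWN_MALICIOUS = {"tcp/443": (60.0, 5.0)}


def run_example():
    descriptors = build_descriptors(EVENTS)
    return assess(descriptors["cam-01"], descriptors.get("cam-02", {}),
                  WINDOW_END, KNOWN_MALICIOUS)


if __name__ == "__main__":
    for activity, verdict in run_example():
        print(f"cam-02 {activity}: {verdict}")
```

Against the constructed input, cam-02's tcp/443 beacon is reported both as unmatched (60 s against a 300 s baseline) and as matching the constructed known-malicious interval, and its udp/123 sync is reported missing because a single event yields no period. Comparing cam-01 against itself yields no findings, which is the check to run before trusting any threshold on real traffic.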

Assignees

Palo Alto Networks Inc

Inventors
Classifications

  • Event detection, e.g. attack signature detection · CPC title

  • Services for machine-to-machine communication [M2M] or machine type communication [MTC] · CPC title

  • Traffic logging, e.g. anomaly detection · CPC title

Patent family

Related publications grouped by family.

External sources

Frequently asked questions

What does patent US12289328B2 cover?
Detecting anomalous behavior of an IoT device: IoT events are captured and analyzed to identify the device's periodic activities, those activities are tracked over time, and variations in them are analyzed to assess potential threats to the IoT network (see the abstract above).
Who is the assignee on this patent?
Palo Alto Networks Inc
What technology area does this patent fall under?
Primary CPC classification H04L63/1425 (traffic logging, e.g. anomaly detection). Mapped technology areas include Electricity.
When was this patent published?
Apr 29, 2025 (kind code B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
12 related publications are listed (citations in this corpus or publications sharing the same primary CPC).