Automated identification of anomalous devices
US-2023275918-A1 · Aug 31, 2023 · US
US12418554B1 · US · B1
| Field | Value |
|---|---|
| Publication number | US-12418554-B1 |
| Application number | US-202418604768-A |
| Country | US |
| Kind code | B1 |
| Filing date | Mar 14, 2024 |
| Priority date | Mar 14, 2024 |
| Publication date | Sep 16, 2025 |
| Grant date | Sep 16, 2025 |
Official abstract text for this publication.
An embodiment establishes a network model based at least in part on network data received from a network, wherein the network data comprises device data and certificate data. The embodiment samples the network to receive a network data sample. The embodiment compares the network data sample to the network model to determine whether an anomalous amount of devices is present in the network. The embodiment compares the network data sample to the network model to determine whether an anomalous amount of certificates is present in the network. The embodiment identifies a device population anomaly upon a determination that an anomalous amount of devices and/or an anomalous amount of certificates is present in the network.
Claims.
What is claimed is:

1. A computer-implemented method comprising: establishing a network model based at least in part on network data received from a network, wherein the network data comprises device data and certificate data; sampling the network to receive a network data sample; comparing the network data sample to the network model to determine whether an anomalous amount of devices is present in the network; upon a determination that an anomalous amount of devices is present in the network, comparing the network data sample to the network model to determine whether an anomalous amount of certificates is present in the network; and upon a determination that an anomalous amount of certificates is present in the network, identifying a device population anomaly.
2. The computer-implemented method of claim 1, wherein the method further comprises executing a responsive action upon identification of the device population anomaly.
3. The computer-implemented method of claim 1, wherein the device data comprises at least one of a number of registered devices, a number of connected devices, a number of idle devices, a number of suspended devices, and a number of deprovisioned devices.
4. The computer-implemented method of claim 1, wherein the certificate data comprises at least one of a number of validated certificates, a number of revoked certificates, a number of created certificates, and a number of renewed certificates.
5. The computer-implemented method of claim 2, wherein the responsive action comprises generating and transmitting an alert related to the identification of the device population anomaly.
6. The computer-implemented method of claim 2, wherein the responsive action comprises identifying a set of suspicious devices connected to the network and removing the set of suspicious devices from the network.
7. The computer-implemented method of claim 2, wherein the responsive action comprises isolating a segment of the network.
8. A computer program product comprising one or more computer readable storage media, and program instructions collectively stored on the one or more computer readable storage media, the program instructions executable by a processor to cause the processor to perform operations comprising: establishing a network model based at least in part on network data received from a network, wherein the network data comprises device data and certificate data; sampling the network to receive a network data sample; comparing the network data sample to the network model to determine whether an anomalous amount of devices is present in the network; upon a determination that an anomalous amount of devices is present in the network, comparing the network data sample to the network model to determine whether an anomalous amount of certificates is present in the network; and upon a determination that an anomalous amount of certificates is present in the network, identifying a device population anomaly.
9. The computer program product of claim 8, wherein the program instructions are stored in a computer readable storage device in a data processing system, and wherein the program instructions are transferred over the network from a remote data processing system.
10. The computer program product of claim 8, wherein the program instructions are stored in a computer readable storage device in a server data processing system, and wherein the program instructions are downloaded in response to a request over the network to a remote data processing system for use in a computer readable storage device associated with the remote data processing system, the operations further comprising: metering a use of the program instructions associated with the request; and generating an invoice based on the metered use.
11. The computer program product of claim 8 further comprises executing a responsive action upon identification of the device population anomaly.
12. The computer program product of claim 11, wherein the responsive action comprises generating and transmitting an alert related to the identification of the device population anomaly.
13. The computer program product of claim 11, wherein the responsive action comprises identifying a set of suspicious devices connected to the network and removing the set of suspicious devices from the network.
14. The computer program product of claim 11, wherein the responsive action comprises isolating a segment of the network.
15. The computer program product of claim 8, wherein the certificate data comprises at least one of a number of validated certificates, a number of revoked certificates, a number of created certificates, and a number of renewed certificates.
16. The computer program product of claim 8, wherein the device data comprises at least one of a number of registered devices, a number of connected devices, a number of idle devices, a number of suspended devices, and a number of deprovisioned devices.
17. A computer system comprising a processor and one or more computer readable storage media, and program instructions collectively stored on the one or more computer readable storage media, the program instructions executable by the processor to cause the processor to perform operations comprising: establishing a network model based at least in part on network data received from a network, wherein the network data comprises device data and certificate data; sampling the network to receive a network data sample; comparing the network data sample to the network model to determine whether an anomalous amount of devices is present in the network; upon a determination that an anomalous amount of devices is present in the network, comparing the network data sample to the network model to determine whether an anomalous amount of certificates is present in the network; and upon a determination that an anomalous amount of certificates is present in the network, identifying a device population anomaly.
18. The computer system of claim 17, further comprises executing a responsive action upon identification of the device population anomaly.
19. The computer system of claim 18, wherein the responsive action comprises isolating a segment of the network.
20. The computer system of claim 18, wherein the responsive action comprises identifying a set of suspicious devices connected to the network and removing the set of suspicious devices from the network.
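The two-stage check of claim 1, fed with the device counts of claim 3 and the certificate counts of claim 4 and ending in the alert of claim 5, as an added Python example that is not the patent's own code. The patent does not say how the "network model" is built or what counts as "anomalous"; this example assumes a per-metric baseline of mean and standard deviation over past samples, a z-score threshold of 3, and a constructed 30-sample history, all of which are illustration choices rather than anything the filing specifies.

```python
"""Two-stage device-population anomaly check modelled on claim 1.

Added example, not the patent's own code. The baseline statistics (per-metric
mean and standard deviation), the z-score threshold and every sample number
are assumptions chosen for illustration.
"""
from dataclasses import dataclass
from statistics import mean, pstdev

# Metric names follow the device data (claim 3) and certificate data (claim 4).
DEVICE_METRICS = ("registered", "connected", "idle", "suspended", "deprovisioned")
CERT_METRICS = ("validated", "revoked", "created", "renewed")

# Constructed history of 30 past network samples with small day-to-day jitter.
HISTORY = [
    {"registered": 1000 + i % 3, "connected": 900 + i % 5, "idle": 80 + i % 4,
     "suspended": 10 + i % 2, "deprovisioned": 5 + i % 3,
     "validated": 950 + i % 6, "revoked": 2 + i % 2,
     "created": 12 + i % 4, "renewed": 30 + i % 5}
    for i in range(30)
]


@dataclass(frozen=True)
class MetricStats:
    mean: float
    stdev: float


def establish_model(history, threshold=3.0):
    """Establish the network model: a per-metric baseline from past samples.

    Returns the baseline statistics together with the z-score threshold that
    later comparisons use (the threshold is an assumption of this example).
    """
    stats = {}
    for metric in DEVICE_METRICS + CERT_METRICS:
        values = [sample[metric] for sample in history]
        # Floor the deviation at 1 so a perfectly flat history still gives a
        # usable (strict) baseline instead of a division by zero.
        stats[metric] = MetricStats(mean(values), max(pstdev(values), 1.0))
    return {"stats": stats, "threshold": threshold}


def anomalous_metrics(sample, model, metrics):
    """Compare a network data sample to the model for the given metrics.

    Returns {metric: z-score} for every metric whose deviation from the
    baseline exceeds the model threshold; an empty dict means nothing is off.
    """
    stats, threshold = model["stats"], model["threshold"]
    flagged = {}
    for metric in metrics:
        z = (sample[metric] - stats[metric].mean) / stats[metric].stdev
        if abs(z) > threshold:
            flagged[metric] = round(z, 2)
    return flagged


def identify_device_population_anomaly(sample, model):
    """Claim 1's ordering: certificates are only examined once devices look off.

    Returns an alert record (the responsive action of claims 2 and 5) when both
    the device counts and the certificate counts are anomalous, else None.
    """
    device_flags = anomalous_metrics(sample, model, DEVICE_METRICS)
    if not device_flags:
        return None
    cert_flags = anomalous_metrics(sample, model, CERT_METRICS)
    if not cert_flags:
        return None
    # Stronger responsive actions (removing suspicious devices, isolating a
    # segment) would hang off this same decision point.
    return {"alert": "device population anomaly",
            "devices": device_flags,
            "certificates": cert_flags}


if __name__ == "__main__":
    model = establish_model(HISTORY)
    # Constructed sample: a burst of new registrations paired with a burst of
    # newly created certificates, the pattern the claims are aimed at.
    sample = {"registered": 1500, "connected": 902, "idle": 81, "suspended": 10,
              "deprovisioned": 6, "validated": 952, "revoked": 2,
              "created": 600, "renewed": 32}
    print(identify_device_population_anomaly(sample, model))
```

Requiring both stages to fire is what keeps ordinary churn quiet: a device-count spike from a legitimate onboarding wave that does not also move the certificate counts returns None, while a spike in registered devices that arrives with a matching spike in created certificates produces the alert.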
- involving simulating, designing, planning or modelling of a network · CPC title
- Countermeasures against malicious traffic (countermeasures against attacks on cryptographic mechanisms H04L9/002) · CPC title
- using certificates (cryptographic mechanisms or cryptographic arrangements for entity authentication involving certificates H04L9/3263) · CPC title
- Traffic logging, e.g. anomaly detection · CPC title