Authenticating a device based on communication patterns in a group of devices

1 - 20 . (canceled) 21 . A computer-implemented method of a receiving device for authentication, comprising operations for: receiving a first communication from a requesting device of a plurality of devices in an internet of things network that includes the receiving device; determining whether the first communication matches an accepted communication pattern; in response to determining that the first communication matches the accepted communication pattern, generating an authentication score for the requesting device based on how closely the first communication matches with the accepted communication pattern; authenticating the receiving device and the requesting device as an authenticated cluster; and responding to the first communication; in response to determining that the first communication does not match the accepted communication pattern, flagging the first communication as an anomaly; receiving a second communication from the requesting device; based on whether the receiving device and the requesting device are in the authenticated cluster and based on the authentication score of the requesting device, determining whether to respond to the second communication. 22 . The computer-implemented method of claim 21 , further comprising operations for: creating a connected communication graph to represent communications between authenticated clusters with a time dimension. 23 . The computer-implemented method of claim 21 , further comprising operations for: determining that a selected device from the plurality of devices has been compromised based on at least one of the selected device has changed a kind, a volume, and a frequency of data that the selected device sends. 24 . The computer-implemented method of claim 21 , further comprising operations for: determining that a selected device from the plurality of devices has been compromised based on receiving a same security token from the selected device and from another device. 25 . The computer-implemented method of claim 21 , further comprising operations for: identifying a new communication pattern of a device from the plurality of devices trying to continuously reconnect over a period of time, wherein the new communication pattern indicates that the device has gone rogue. 26 . The computer-implemented method of claim 21 , further comprising operations for: identifying an infected device from the plurality of devices based on a signature of the infected device that comprises an abnormal communication pattern. 27 . The computer-implemented method of claim 21 , wherein a Software as a Service (SaaS) is configured to perform the operations of the computer-implemented method. 28 . A computer program product, the computer program product comprising a computer readable storage medium having program code embodied therewith, the program code executable by at least one processor of a receiving device, to perform operations for: receiving a first communication from a requesting device of a plurality of devices in an internet of things network that includes the receiving device; determining whether the first communication matches an accepted communication pattern; in response to determining that the first communication matches the accepted communication pattern, generating an authentication score for the requesting device based on how closely the first communication matches with the accepted communication pattern; authenticating the receiving device and the requesting device as an authenticated cluster; and responding to the first communication; in response to determining that the first communication does not match the accepted communication pattern, flagging the first communication as an anomaly; receiving a second communication from the requesting device; based on whether the receiving device and the requesting device are in the authenticated cluster and based on the authentication score of the requesting device, determining whether to respond to the second communication. 29 . The computer program product of claim 28 , wherein the program code is executable by at least one processor to perform further operations for: creating a connected communication graph to represent communications between authenticated clusters with a time dimension. 30 . The computer program product of claim 28 , wherein the program code is executable by at least one processor to perform further operations for: determining that a selected device from the plurality of devices has been compromised based on at least one of the selected device has changed a kind, a volume, and a frequency of data that the selected device sends. 31 . The computer program product of claim 28 , wherein the program code is executable by at least one processor to perform further operations for: determining that a selected device from the plurality of devices has been compromised based on receiving a same security token from the selected device and from another device. 32 . The computer program product of claim 28 , further comprising operations for: identifying a new communication pattern of a device from the plurality of devices trying to continuously reconnect over a period of time, wherein the new communication pattern indicates that the device has gone rogue. 33 . The computer program product of claim 28 , further comprising operations for: identifying an infected device from the plurality of devices based on a signature of the infected device that comprises an abnormal communication pattern. 34 . The computer program product of claim 28 , wherein a Software as a Service (SaaS) is configured to perform the operations of the computer program product. 35 . A receiving device, comprising: one or more processors, one or more computer-readable memories and one or more computer-readable, tangible storage devices; and program instructions, stored on at least one of the one or more computer-readable, tangible storage devices for execution by at least one of the one or more processors via at least one of the one or more memories to perform operations comprising: receiving a first communication from a requesting device of a plurality of devices in an internet of things network that includes the receiving device; determining whether the first communication matches an accepted communication pattern; in response to determining that the first communication matches the accepted communication pattern, generating an authentication score for the requesting device based on how closely the first communication matches with the accepted communication pattern; authenticating the receiving device and the requesting device as an authenticated cluster; and responding to the first communication; in response to determining that the first communication does not match the accepted communication pattern, flagging the first communication as an anomaly; receiving a second communication from the requesting device; based on whether the receiving device and the requesting device are in the authenticated cluster and based on the authentication score of the requesting device, determining whether to respond to the second communication. 36 . The receiving device of claim 35 , wherein the operations further comprise: creating a connected communication graph to represent communications between authenticated clusters with a time dimension. 37 . The receiving device of claim 35 , wherein the operations further comprise: determining that a selected device from the plurality of devices has been compromised based on at le