Network threat detection and management system based on user behavior information
US-2016261621-A1 · Sep 8, 2016 · US
Behavioral analysis to automate direct and indirect local monitoring of internet of things device health
US9979606B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-9979606-B2 |
| Application number | US-201514638602-A |
| Country | US |
| Kind code | B2 |
| Filing date | Mar 4, 2015 |
| Priority date | Mar 4, 2015 |
| Publication date | May 22, 2018 |
| Grant date | May 22, 2018 |
How to read this patent
A practical reading order for non-experts. Skip the full description unless you need deep technical detail.
- Title
What the patent document calls the invention.
- Abstract
A short plain-language summary of the technical disclosure.
- Assignees and inventors
Who owns or filed the patent and who is credited as inventor.
- Key dates
Filing, priority, publication, and grant dates set the timeline.
- First independent claim
The legal scope of protection — read this for what is actually claimed.
- CPC / IPC classifications
Technology tags used to group this patent with similar filings.
- Citations and related patents
Prior art links and similar publications in this corpus.
Abstract
Official abstract text for this publication.
The disclosure generally relates to behavioral analysis to automate monitoring Internet of Things (IoT) device health in a direct and/or indirect manner. In particular, normal behavior associated with an IoT device in a local IoT network may be modeled such that behaviors observed at the IoT device may be compared to the modeled normal behavior to determine whether the behaviors observed at the IoT device are normal or anomalous. Accordingly, in a distributed IoT environment, more powerful “analyzer” devices can collect behaviors locally observed at other (e.g., simpler) “observer” devices and conduct behavioral analysis across the distributed IoT environment to detect anomalies potentially indicating malicious attacks, malfunctions, or other issues that require customer service and/or further attention. Furthermore, devices with sufficient capabilities may conduct (local) on-device behavioral analysis to detect anomalous conditions without sending locally observed behaviors to another aggregator device and/or analyzer device.
First claim
Opening claim text (preview).
What is claimed is: 1. A method for monitoring Internet of Things (IoT) device health, comprising: modeling, at an analyzer node in a local IoT network, normal behavior associated with an IoT device in the local IoT network, wherein the modeled normal behavior defines one or more threshold values for one or more local behaviors at the IoT device; receiving, at the analyzer node over the local IoT network, behavioral information observed at the IoT device, the behavioral information including actual values for the one or more local behaviors as observed at the IoT device; performing, at the analyzer node, a first comparison between the actual values for the one or more local behaviors as observed at the IoT device and the threshold values for the one or more local behaviors as defined in the modeled normal behavior associated with the IoT device; determining, at the analyzer node, whether the behavioral information observed at the IoT device is normal or indicative of an anomalous condition requiring remedial action based on the first comparison in combination with a second comparison based on an overall state model defining a current state and a normal state associated with the local IoT network; and triggering, by the analyzer node, the remedial action in response to determining that the behavioral information observed at the IoT device is indicative of the anomalous condition based on the first comparison in combination with the second comparison. 2. The method recited in claim 1 , wherein analyzing the behavioral information related to the one or more local behaviors observed at the IoT device further comprises: extracting one or more behavior vectors from the behavioral information, wherein the behavioral information represents n behavioral features and the one or more behavior vectors map the n behavioral features into an n-dimensional space. 3. The method recited in claim 1 , further comprising: modeling the local IoT network that includes the IoT device; and updating at least the current state associated with the local IoT network based on the behavioral information observed at the IoT device. 4. The method recited in claim 3 , wherein modeling the local IoT network comprises: aggregating attributes associated with each IoT device in the local IoT network; constructing a topology associated with the local IoT network; obtaining behavioral models associated with each IoT device in the local IoT network from a manufacturer associated with each IoT device or one or more repositories configured to store the behavioral models; and combining the aggregated attributes associated with each IoT device in the local IoT network, the topology associated with the local IoT network, and the behavioral models associated with each IoT device in the local IoT network to model the local IoT network. 5. The method recited in claim 1 , further comprising: reporting the one or more local behaviors observed at the IoT device to a customer service entity in response to determining that the one or more local behaviors observed at the IoT device are anomalous. 6. The method recited in claim 5 , wherein the one or more anomalous behaviors indicate a potential malicious attack against the IoT device or the local IoT network that includes the IoT device. 7. The method recited in claim 5 , wherein the one or more anomalous behaviors indicate a potential malfunction or abnormal operating condition at the IoT device. 8. The method recited in claim 1 , wherein the IoT device comprises one or more components instrumented to observe the one or more local behaviors. 9. The method recited in claim 8 , wherein the IoT device further comprises a transmitter configured to send one or more behavioral features representing the one or more local behaviors observed at the IoT device to one or more of the analyzer node or an aggregator node configured to receive the one or more behavioral features from the IoT device and to relay the one or more behavioral features to the analyzer node. 10. The method recited in claim 1 , wherein the local IoT network that includes the IoT device further includes one or more nodes configured to monitor messages that the IoT device transmits over the local IoT network and to observe the behavioral information at the IoT device according to the monitored messages transmitted over the local IoT network. 11. An apparatus for monitoring Internet of Things (IoT) device health, comprising: at least one storage device configured to store information modeling normal behavior associated with an IoT device in a local IoT network, wherein the modeled normal behavior defines one or more threshold values for one or more local behaviors at the IoT device; a transceiver configured to receive behavioral information observed at the IoT device, the behavioral information including actual values for the one or more local behaviors as observed at the IoT device over the local IoT network; and one or more processors configured to: perform a first comparison between the actual values for the one or more local behaviors as observed at the IoT device and the threshold values for the one or more local behaviors as defined in the modeled normal behavior associated with the IoT device; determine whether the behavioral information observed at the IoT device is normal or indicative an anomalous condition requiring remedial action based on the first comparison in combination with a second comparison based on an overall state model defining a current state and a normal state associated with the local IoT network; and trigger the remedial action in response to the behavioral information observed at the IoT device being indicative of the anomalous condition based on the first comparison in combination with the second comparison. 12. The apparatus recited in claim 11 , wherein the one or more processors are further configured to extract one or more behavior vectors from the behavioral information, wherein the behavioral information represents n behavioral features and the one or more behavior vectors map the n behavioral features into an n-dimensional space. 13. The apparatus recited in claim 11 , wherein: the at least one storage device is further configured to store information modeling the local IoT network that includes the IoT device; and the one or more processors are further configured to update at least the current state associated with the local IoT network based on the behavioral information observed at the IoT device. 14. The apparatus recited in claim 13 , wherein the one or more processors are further configured to: aggregate attributes associated with each IoT device in the local IoT network; construct a topology associated with the local IoT network; obtain behavioral models associated with each IoT device in the local IoT network from a manufacturer associated with each IoT device or one or more repositories configured to store the behavioral models; and combine the aggregated attributes associated with each IoT device in the local IoT network, the topology associated with the local IoT network, and the behavioral models associated with each IoT device in the local IoT network to model the local IoT network. 15. The apparatus recited in claim 11 , wherein the one or more processors are further configured to report the one or more local behaviors observed at the IoT device to a customer service entity in response to the one or more local behaviors observed at the IoT device indicating anomalous behavior. 16. The apparatus recited in claim 15 , wherein the anomalous behavior comprises one or
Assignees
Inventors
Classifications
Traffic logging, e.g. anomaly detection · CPC title
characterised by the interaction between service providers and their network customers, e.g. customer relationship management · CPC title
Home automation networks · CPC title
- H04L41/145Primary
involving simulating, designing, planning or modelling of a network · CPC title
using network fault recovery (ring fault isolation or reconfiguration in loop networks without recovery actions by a network management system H04L12/437) · CPC title
Patent family
Related publications grouped by family.
External sources
Frequently asked questions
Answers are generated from the same data shown on this page.
- What does patent US9979606B2 cover?
- The disclosure generally relates to behavioral analysis to automate monitoring Internet of Things (IoT) device health in a direct and/or indirect manner. In particular, normal behavior associated with an IoT device in a local IoT network may be modeled such that behaviors observed at the IoT device may be compared to the modeled normal behavior to determine whether the behaviors observed at the…
- Who is the assignee on this patent?
- Qualcomm Inc
- What technology area does this patent fall under?
- Primary CPC classification H04L41/145. Mapped technology areas include Electricity.
- When was this patent published?
- Publication date Tue May 22 2018 00:00:00 GMT+0000 (Coordinated Universal Time) (B2). Legal status and post-grant events are not shown on this page.
- What related patents are in patentsdb?
- We list 9 related publications on this page (citations in our corpus or others sharing the same primary CPC).