US 12,289,328 B2
Multi-dimensional periodicity detection of IOT device behavior
Jun Du, Cupertino, CA (US); and Mei Wang, Saratoga, CA (US)
Assigned to Palo Alto Networks, Inc., Santa Clara, CA (US)
Filed by Palo Alto Networks, Inc., Santa Clara, CA (US)
Filed on Oct. 15, 2019, as Appl. No. 16/653,898.
Claims priority of provisional application 62/745,757, filed on Oct. 15, 2018.
Prior Publication US 2020/0120122 A1, Apr. 16, 2020
Int. Cl. H04L 9/40 (2022.01)
CPC H04L 63/1425 (2013.01) [H04L 63/1416 (2013.01)] 16 Claims
OG exemplary drawing
 
1. A method comprising:
capturing, by an event capture engine configured to listen for communications, a plurality of IoT events associated with a first IoT device, at least in part by analyzing at least one packet associated with a first communication that involves the first IoT device;
generating a plurality of IoT signal features from the plurality of IoT events, wherein:
at least some of the plurality of IoT signal features are associated, collectively, with a first activity of the first IoT device and a second activity of the first IoT device;
the plurality of IoT signal features include: a start time value, an end time value, an interval value, and an interval fluctuation;
a set of the plurality of IoT signal features are usable as a signature of the first IoT device and a first IoT application;
the first activity of the first IoT device comprises a plurality of events and wherein the second activity of the first IoT device comprises a single event; and
at least some of the plurality of signal features are clustered, using machine learning, into a group that is labeled as the first activity of the first IoT device;
extracting background event context from first and second IoT events;
generating a set of periodic activity instance descriptors based on the plurality of IoT signal features and the background event context, wherein the set of periodic activity instance descriptors comprises data structures that describe an activity of the first IoT device using the start time value, the end time value, the interval value, and the interval fluctuation;
identifying a respective different first and second periodic activity of the first IoT device based on the set of periodic activity instance descriptors and external context;
determining that an expected periodicity of at least one of the first and second periodic activities of a second IoT device is an anomalous periodicity, at least in part by comparing an observed interval to a periodic activity instance descriptor included in the set of periodic activity instance descriptors of the first IoT device to a periodic activity instance descriptor included in a set of periodic activity instance descriptors of the second IoT device; and
taking a remedial action in response to detecting the anomalous periodicity, including by concluding, based at least in part on the anomalous periodicity, that the second IoT device is at least one of: (1) erroneously misclassified as sharing classification of the first IoT device, (2) has been moved or repurposed to do something other than expected, and (3) has not responded to patch or version changes, and enforcing a policy against the second IoT device based on the conclusion.
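The descriptor-and-comparison steps of claim 1 (start time, end time, interval, interval fluctuation; anomaly when a peer device's observed interval departs from the reference device's descriptor), as an added illustration that is not code from the patent or from Palo Alto Networks. It assumes the descriptor is a plain dataclass with the four claimed fields, that mean and population standard deviation of inter-event gaps stand in for "interval" and "interval fluctuation", and that a 3-sigma band is the tolerance; the event timestamps are constructed.

```python
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class PeriodicActivityDescriptor:
    """Constructed stand-in for the claim's descriptor: start, end, interval, fluctuation."""
    start_time: float            # first event of the activity (seconds)
    end_time: float              # last event of the activity (seconds)
    interval: float              # mean gap between consecutive events
    interval_fluctuation: float  # population std-dev of those gaps


def build_descriptor(event_times):
    """Summarise one observed periodic activity (at least two events) into a descriptor."""
    times = sorted(event_times)
    if len(times) < 2:
        raise ValueError("a periodic activity needs at least two events")
    gaps = [later - earlier for earlier, later in zip(times, times[1:])]
    return PeriodicActivityDescriptor(times[0], times[-1], mean(gaps), pstdev(gaps))


def is_anomalous_periodicity(reference, candidate, tolerance=3.0, min_slack=1.0):
    """True when the candidate device's interval lies outside the reference interval
    +/- tolerance * fluctuation. min_slack keeps a jitter-free reference from
    flagging every sub-second difference as anomalous (assumed heuristic)."""
    slack = max(tolerance * reference.interval_fluctuation, min_slack)
    return abs(candidate.interval - reference.interval) > slack


# Constructed sample data: event timestamps in seconds from three devices that
# share a classification. Device A is the reference profile.
DEVICE_A_EVENTS = [0, 60, 121, 179, 240, 301]   # ~60 s heartbeat with small jitter
DEVICE_B_EVENTS = [10, 70, 131, 190]            # same behaviour, healthy peer
DEVICE_C_EVENTS = [0, 30, 61, 90, 120]          # reporting twice as often: anomalous


def evaluate_peers(reference_events, peers):
    """Return {name: anomalous?} for each peer compared against the reference device."""
    reference = build_descriptor(reference_events)
    return {name: is_anomalous_periodicity(reference, build_descriptor(events))
            for name, events in peers.items()}


if __name__ == "__main__":
    verdicts = evaluate_peers(DEVICE_A_EVENTS, {"B": DEVICE_B_EVENTS, "C": DEVICE_C_EVENTS})
    for name, anomalous in verdicts.items():
        state = "anomalous periodicity" if anomalous else "expected periodicity"
        print(f"device {name}: {state}")
```

A device flagged here is only a candidate for the claim's conclusions (misclassified, repurposed, or unpatched); which of those applies still needs the external context the claim mentions.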