CPC H04L 41/0893 (2013.01) [H04L 12/4641 (2013.01); H04L 41/065 (2013.01); H04L 41/069 (2013.01); H04L 41/0816 (2013.01); H04L 41/145 (2013.01); H04L 67/12 (2013.01); H04W 4/06 (2013.01); H04W 4/70 (2018.02)]
21 Claims
1. A method comprising:
identifying a first set of raw events associated with a first Internet of Things (IoT) device in operation, wherein at least one raw event included in the first set of raw events is a transmission made by the first IoT device;
determining, based at least in part on a communication manner of the first IoT device, a first time period, and generating one or more formatted events of the first IoT device in operation, at least in part by examining the first set of raw events over the first time period;
using the one or more formatted events of the first IoT device in operation to extract a set of features of the first IoT device in operation;
identifying a second set of raw events associated with a second IoT device in operation, wherein at least one raw event included in the second set of raw events is a transmission made by the second IoT device;
determining, based at least in part on a communication manner of the second IoT device, a second time period that is different from the first time period, and generating one or more formatted events of the second IoT device in operation, at least in part by examining the second set of raw events over the second time period;
using the one or more formatted events of the second IoT device in operation to extract a set of features of the second IoT device in operation;
generating a context-based IoT device grouping model based at least in part on at least one of: (1) the extracted set of features of the first IoT device in operation or (2) the extracted set of features of the second IoT device in operation;
applying the generated context-based IoT device grouping model to determine that a third IoT device belongs to a particular group; and
detecting, as an undesired behavior, a deviation by the third IoT device from group behavior, and generating an alert in response.
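The steps of claim 1 can be followed end to end in the sketch below, which is an added illustration and not code from the patent or its assignee. The window rule (a multiple of the median send gap), the three features, the leader-clustering grouping, the thresholds and the sample traffic are all assumptions made for the example.

```python
from statistics import mean, median

def window_for(events, scale=5):
    """Assumed rule: the device's time period is `scale` x its median send gap."""
    ts = sorted(e["t"] for e in events)
    return scale * median(b - a for a, b in zip(ts, ts[1:]))

def features(events):
    """Raw events -> per-window formatted events -> feature vector."""
    window, buckets = window_for(events), {}
    for e in events:  # one formatted event per time window
        b = buckets.setdefault(int(e["t"] // window), {"n": 0, "bytes": 0, "dsts": set()})
        b["n"] += 1
        b["bytes"] += e["bytes"]
        b["dsts"].add(e["dst"])
    fe = list(buckets.values())
    return (mean(f["bytes"] / f["n"] for f in fe),   # bytes per transmission
            mean(len(f["dsts"]) for f in fe),         # destinations per window
            60 * mean(f["n"] for f in fe) / window)   # transmissions per minute

def rel_dist(x, c):
    """Largest relative per-feature difference between vector x and centroid c."""
    return max(abs(a - b) / max(abs(b), 1e-9) for a, b in zip(x, c))

def build_model(vectors, join=0.5):
    """Leader clustering (an assumed choice): join a close group or start a new one."""
    groups = []
    for v in vectors:
        for g in groups:
            if rel_dist(v, tuple(map(mean, zip(*g)))) <= join:
                g.append(v)
                break
        else:
            groups.append([v])
    return [tuple(map(mean, zip(*g))) for g in groups]

def assign(model, v):
    """Index of the group whose centroid is nearest to feature vector v."""
    return min(range(len(model)), key=lambda i: rel_dist(v, model[i]))

def deviates(model, group, events, tol=0.5):
    """True when the device's current features stray from its group's centroid."""
    return rel_dist(features(events), model[group]) > tol

def synth(period, size, dsts, n=60):  # constructed sample traffic, not real captures
    return [{"t": i * period, "bytes": size, "dst": dsts[i % len(dsts)]} for i in range(n)]

camera = synth(2, 1200, ["nvr.example"])        # chatty first device: 10 s window
thermostat = synth(60, 80, ["cloud.example"])   # sparse second device: 300 s window
MODEL = build_model([features(camera), features(thermostat)])
GROUP = assign(MODEL, features(synth(2, 1180, ["nvr.example"])))  # third device
```

Calling `deviates(MODEL, GROUP, events)` on later traffic from the third device returns `True` when, for example, it starts contacting several destinations per window while the rest of its group contacts one; that result is the point at which an alert would be raised.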