US 12,021,697 B2
IoT device grouping and labeling
Jun Du, Cupertino, CA (US); Gong Cheng, Sunnyvale, CA (US); Yilin Zhao, San Jose, CA (US); and Pui-Chuen Yip, Santa Clara, CA (US)
Assigned to Palo Alto Networks, Inc., Santa Clara, CA (US)
Filed by Palo Alto Networks, Inc., Santa Clara, CA (US)
Filed on Feb. 7, 2023, as Appl. No. 18/106,914.
Application 18/106,914 is a continuation of application No. 17/353,682, filed on Jun. 21, 2021, granted, now 11,671,327.
Application 17/353,682 is a continuation of application No. 15/894,861, filed on Feb. 12, 2018, granted, now 11,082,296, issued on Aug. 3, 2021.
Claims priority of provisional application 62/578,266, filed on Oct. 27, 2017.
Prior Publication US 2023/0188422 A1, Jun. 15, 2023
Int. Cl. H04L 41/0893 (2022.01); H04L 12/46 (2006.01); H04L 41/0631 (2022.01); H04L 41/069 (2022.01); H04L 41/0816 (2022.01); H04L 41/14 (2022.01); H04L 67/12 (2022.01); H04W 4/06 (2009.01); H04W 4/70 (2018.01)
CPC H04L 41/0893 (2013.01) [H04L 12/4641 (2013.01); H04L 41/065 (2013.01); H04L 41/069 (2013.01); H04L 41/0816 (2013.01); H04L 41/145 (2013.01); H04L 67/12 (2013.01); H04W 4/06 (2013.01); H04W 4/70 (2018.02)] 21 Claims
1. A method comprising:
identifying a first set of raw events associated with a first Internet of Things (IoT) device in operation, wherein at least one raw event included in the first set of raw events is a transmission made by the first IoT device;
determining, based at least in part on a communication manner of the first IoT device, a first time period, and generating one or more formatted events of the first IoT device in operation, at least in part by examining the first set of raw events over the first time period;
using the one or more formatted events of the first IoT device in operation to extract a set of features of the first IoT device in operation;
identifying a second set of raw events associated with a second IoT device in operation, wherein at least one raw event included in the second set of raw events is a transmission made by the second IoT device;
determining, based at least in part on a communication manner of the second IoT device, a second time period that is different from the first time period, and generating one or more formatted events of the second IoT device in operation, at least in part by examining the second set of raw events over the second time period;
using the one or more formatted events of the second IoT device in operation to extract a set of features of the second IoT device in operation;
generating a context-based IoT device grouping model based at least in part on at least one of: (1) the extracted set of features of the first IoT device in operation or (2) the extracted set of features of the second IoT device in operation;
applying the generated context-based IoT device grouping model to determine that a third IoT device belongs to a particular group; and
detecting, as an undesired behavior, a deviation by the third IoT device from group behavior, and generating an alert in response.
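The following Python sketch is an added illustration of the claimed sequence of steps and is not code from the patent or from Palo Alto Networks. It walks one pass through the method on constructed sample data: raw transmission events per device, a time period chosen from each device's communication manner, formatted (windowed) events, a feature vector, a grouping model built from the profiled devices, assignment of a third device to a group, and an alert when its later behaviour deviates from that group. Everything beyond the claim language is an assumption: the rule that a device with regular inter-event gaps is "periodic" and gets a window of five intervals while an irregular one gets a fixed 30 s window, the three features, the centroid model, the Euclidean distance, and the alert threshold.

```python
"""Added illustration of the claimed event-to-alert pipeline (hypothetical code,
not Palo Alto Networks'). All devices, ports and sizes are constructed sample data."""
from collections import defaultdict
from itertools import cycle
from math import log1p, sqrt
from statistics import mean, pstdev

# Assumed policy for "communication manner": regular inter-event gaps (low
# coefficient of variation) mean a periodic device, examined over five of its
# own intervals; an irregular/bursty device is examined over a fixed 30 s window.
PERIODIC_CV_MAX = 0.2
PERIODIC_WINDOW_MULTIPLIER = 5
BURSTY_WINDOW_SECONDS = 30.0
DEVIATION_THRESHOLD = 1.0  # assumed distance at which deviation from the group alerts


def make_events(device, start, intervals, n, ports, size):
    """Construct n raw transmission events for one device (sample data only)."""
    ts, events, gaps, port_iter = start, [], cycle(intervals), cycle(ports)
    for _ in range(n):
        events.append({"ts": ts, "device": device, "port": next(port_iter), "bytes": size})
        ts += next(gaps)
    return events


def window_for(events):
    """Choose the examination period from the device's communication manner."""
    stamps = sorted(e["ts"] for e in events)
    gaps = [b - a for a, b in zip(stamps, stamps[1:])]
    avg = mean(gaps)
    cv = pstdev(gaps) / avg if avg else float("inf")
    if cv <= PERIODIC_CV_MAX:
        return float(PERIODIC_WINDOW_MULTIPLIER * avg)
    return BURSTY_WINDOW_SECONDS


def format_events(events, window):
    """Fold raw events into one formatted event per time window."""
    t0 = min(e["ts"] for e in events)
    buckets = defaultdict(lambda: {"count": 0, "bytes": 0, "ports": set()})
    for e in events:
        b = buckets[int((e["ts"] - t0) // window)]
        b["count"] += 1
        b["bytes"] += e["bytes"]
        b["ports"].add(e["port"])
    return [buckets[k] for k in sorted(buckets)]


def extract_features(formatted):
    """Assumed features: mean log-events, mean log-bytes, mean distinct ports per window."""
    return (
        log1p(mean(f["count"] for f in formatted)),
        log1p(mean(f["bytes"] for f in formatted)),
        mean(len(f["ports"]) for f in formatted),
    )


def profile(events):
    """Per-device pipeline: raw events -> window -> formatted events -> features."""
    window = window_for(events)
    return {"window": window, "features": extract_features(format_events(events, window))}


def build_grouping_model(labeled_profiles):
    """Context-based grouping model: one feature centroid per labelled group."""
    members = defaultdict(list)
    for group, prof in labeled_profiles:
        members[group].append(prof["features"])
    return {g: tuple(mean(col) for col in zip(*vecs)) for g, vecs in members.items()}


def distance(a, b):
    return sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def assign_group(model, features):
    """Apply the model: the group whose centroid is nearest to the device."""
    return min(model, key=lambda g: distance(model[g], features))


def check_deviation(model, group, device, events, window, threshold=DEVIATION_THRESHOLD):
    """Re-profile later events with the device's own window; alert on drift from the group."""
    feats = extract_features(format_events(events, window))
    d = distance(model[group], feats)
    if d > threshold:
        return {"device": device, "group": group, "distance": round(d, 3), "severity": "high"}
    return None


# Constructed sample devices: a periodic sensor, a bursty video stream, and a
# newcomer that behaves like the sensor at first and later fans out across ports.
THERMOSTAT = make_events("thermostat-1", 0, [60], 20, [443], 200)
CAMERA = make_events("camera-1", 0, [1, 3, 2, 1], 40, [554, 554, 443], 20000)
NEW_DEVICE = make_events("unknown-7", 0, [60], 20, [443], 220)
NEW_DEVICE_LATER = make_events("unknown-7", 10000, [60], 20, [23, 80, 8080, 445, 21], 200)


def run_demo():
    model = build_grouping_model([("sensor", profile(THERMOSTAT)), ("video", profile(CAMERA))])
    new = profile(NEW_DEVICE)
    group = assign_group(model, new["features"])
    alert = check_deviation(model, group, "unknown-7", NEW_DEVICE_LATER, new["window"])
    return model, group, alert


if __name__ == "__main__":
    print(run_demo())
```

The two training devices end up with different time periods (300 s for the thermostat, 30 s for the camera) because the period is derived from how each device communicates, which is the distinction the first and second claim limitations draw. The newcomer is placed in the sensor group on its baseline traffic, and the later port fan-out raises its distinct-ports feature well past the group centroid, which produces the alert.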