The computer-readable medium 102 and other computer readable mediums discussed in this paper are intended to include all mediums that are statutory (e.g., in the United States, under 35 U.S.C. 101), and to specifically exclude all mediums that are non-statutory in nature to the extent that the exclusion is necessary for a claim that includes the computer-readable medium to be valid. Known statutory computer-readable mediums include hardware (e.g., registers, random access memory (RAM), non-volatile (NV) storage, to name a few), but may or may not be limited to hardware.
The computer-readable medium 102 and other computer readable mediums discussed in this paper are intended to represent a variety of potentially applicable technologies. For example, the computer-readable medium 102 can be used to form a network or part of a network. Where two components are co-located on a device, the computer-readable medium 102 can include a bus or other data conduit or plane. Where a first component is co-located on one device and a second component is located on a different device, the computer-readable medium 102 can include a wireless or wired back-end network or LAN. The computer-readable medium 102 can also encompass a relevant portion of a WAN or other network, if applicable.
The devices, systems, and computer-readable mediums described in this paper can be implemented as a computer system or parts of a computer system or a plurality of computer systems. In general, a computer system will include a processor, memory, non-volatile storage, and an interface. A typical computer system will usually include at least a processor, memory, and a device (e.g., a bus) coupling the memory to the processor. The processor can be, for example, a general-purpose central processing unit (CPU), such as a microprocessor, or a special-purpose processor, such as a microcontroller.
The memory can include, by way of example but not limitation, random access memory (RAM), such as dynamic RAM (DRAM) and static RAM (SRAM). The memory can be local, remote, or distributed. The bus can also couple the processor to non-volatile storage. The non-volatile storage is often a magnetic floppy or hard disk, a magnetic-optical disk, an optical disk, a read-only memory (ROM), such as a CD-ROM, EPROM, or EEPROM, a magnetic or optical card, or another form of storage for large amounts of data. Some of this data is often written, by a direct memory access process, into memory during execution of software on the computer system. The non-volatile storage can be local, remote, or distributed. The non-volatile storage is optional because systems can be created with all applicable data available in memory.
Software is typically stored in the non-volatile storage. Indeed, for large programs, it may not even be possible to store the entire program in the memory. Nevertheless, it should be understood that for software to run, if necessary, it is moved to a computer-readable location appropriate for processing, and for illustrative purposes, that location is referred to as the memory in this paper. Even when software is moved to the memory for execution, the processor will typically make use of hardware registers to store values associated with the software, and local cache that, ideally, serves to speed up execution. As used herein, a software program is assumed to be stored at an applicable known or convenient location (from non-volatile storage to hardware registers) when the software program is referred to as “implemented in a computer-readable storage medium.” A processor is considered to be “configured to execute a program” when at least one value associated with the program is stored in a register readable by the processor.
In one example of operation, a computer system can be controlled by operating system software, which is a software program that includes a file management system, such as a disk operating system. One example of operating system software with associated file management system software is the family of operating systems known as Windows® from Microsoft Corporation of Redmond, Wash., and their associated file management systems. Another example of operating system software with its associated file management system software is the Linux operating system and its associated file management system. The file management system is typically stored in the non-volatile storage and causes the processor to execute the various acts required by the operating system to input and output data and to store data in the memory, including storing files on the non-volatile storage.
The bus can also couple the processor to the interface. The interface can include one or more input and/or output (I/O) devices. Depending upon implementation-specific or other considerations, the I/O devices can include, by way of example but not limitation, a keyboard, a mouse or other pointing device, disk drives, printers, a scanner, and other I/O devices, including a display device. The display device can include, by way of example but not limitation, a cathode ray tube (CRT), liquid crystal display (LCD), or some other applicable known or convenient display device. The interface can include one or more of a modem or network interface. It will be appreciated that a modem or network interface can be considered to be part of the computer system. The interface can include an analog modem, ISDN modem, cable modem, token ring interface, satellite transmission interface (e.g. “direct PC”), or other interfaces for coupling a computer system to other computer systems. Interfaces enable computer systems and other devices to be coupled together in a network.
The computer systems can be compatible with or implemented as part of or through a cloud-based computing system. As used in this paper, a cloud-based computing system is a system that provides virtualized computing resources, software and/or information to end user devices. The computing resources, software and/or information can be virtualized by maintaining centralized services and resources that the edge devices can access over a communication interface, such as a network. “Cloud” may be a marketing term and for the purposes of this paper can include any of the networks described herein. The cloud-based computing system can involve a subscription for services or use a utility pricing model. Users can access the protocols of the cloud-based computing system through a web browser or other container application located on their end user device.
A computer system can be implemented as an engine, as part of an engine or through multiple engines. As used in this paper, an engine includes one or more processors or a portion thereof. A portion of one or more processors can include some portion of hardware less than all of the hardware comprising any given one or more processors, such as a subset of registers, the portion of the processor dedicated to one or more threads of a multi-threaded processor, a time slice during which the processor is wholly or partially dedicated to carrying out part of the engine's functionality, or the like. As such, a first engine and a second engine can have one or more dedicated processors or a first engine and a second engine can share one or more processors with one another or other engines. Depending upon implementation-specific or other considerations, an engine can be centralized or its functionality distributed. An engine can include hardware, firmware, or software embodied in a computer-readable medium for execution by the processor. The processor transforms data into new data using implemented data structures and methods, such as is described with reference to the figures in this paper.
The engines described in this paper, or the engines through which the systems and devices described in this paper can be implemented, can be cloud-based engines. As used in this paper, a cloud-based engine is an engine that can run applications and/or functionalities using a cloud-based computing system. All or portions of the applications and/or functionalities can be distributed across multiple computing devices, and need not be restricted to only one computing device. In some embodiments, the cloud-based engines can execute functionalities and/or modules that end users access through a web browser or container application without having the functionalities and/or modules installed locally on the end-users' computing devices.
As used in this paper, datastores are intended to include repositories having any applicable organization of data, including tables, comma-separated values (CSV) files, traditional databases (e.g., SQL), or other applicable known or convenient organizational formats. Datastores can be implemented, for example, as software embodied in a physical computer-readable medium on a specific-purpose machine, in firmware, in hardware, in a combination thereof, or in an applicable known or convenient device or system. Datastore-associated components, such as database interfaces, can be considered “part of” a datastore, part of some other system component, or a combination thereof, though the physical location and other characteristics of datastore-associated components is not critical for an understanding of the techniques described in this paper.
Datastores can include data structures. As used in this paper, a data structure is associated with a particular way of storing and organizing data in a computer so that it can be used efficiently within a given context. Data structures are generally based on the ability of a computer to fetch and store data at any place in its memory, specified by an address, a bit string that can be itself stored in memory and manipulated by the program. Thus, some data structures are based on computing the addresses of data items with arithmetic operations; while other data structures are based on storing addresses of data items within the structure itself. Many data structures use both principles, sometimes combined in non-trivial ways. The implementation of a data structure usually entails writing a set of procedures that create and manipulate instances of that structure. The datastores, described in this paper, can be cloud-based datastores. A cloud-based datastore is a datastore that is compatible with cloud-based computing systems and engines.
Returning to the example of
In a specific implementation, the IoT devices 104 act as stations. A station, as used in this paper, can be referred to as a device with a media access control (MAC) address and a physical layer (PHY) interface to a wireless medium that complies with the IEEE 802.11 standard. Thus, for example, the network devices can be referred to as stations, if applicable. IEEE 802.11a-1999, IEEE 802.11b-1999, IEEE 802.11g-2003, IEEE 802.11-2007, and IEEE 802.11n TGn Draft 8.0 (2009) are incorporated by reference. As used in this paper, a system that is 802.11 standards-compatible or 802.11 standards-compliant complies with at least some of one or more of the incorporated documents' requirements and/or recommendations, or requirements and/or recommendations from earlier drafts of the documents, and includes Wi-Fi systems. Wi-Fi is a non-technical description that is generally correlated with the IEEE 802.11 standards, as well as Wi-Fi Protected Access (WPA) and WPA2 security standards, and the Extensible Authentication Protocol (EAP) standard. In alternative embodiments, a station may comply with a different standard than Wi-Fi or IEEE 802.11, may be referred to as something other than a “station,” and may have different interfaces to a wireless or other medium.
In a specific implementation, the IoT devices 104 are configured to access network services in compliance with IEEE 802.3. IEEE 802.3 is a working group and a collection of IEEE standards produced by the working group defining the physical layer and data link layer's MAC of wired Ethernet. This is generally a local area network technology with some wide area network applications. Physical connections are typically made between nodes and/or infrastructure devices (hubs, switches, routers) by various types of copper or fiber cable. IEEE 802.3 is a technology that supports the IEEE 802.1 network architecture. As is well-known in the relevant art, IEEE 802.11 is a working group and collection of standards for implementing wireless local area network (WLAN) computer communication in the 2.4, 3.6 and 5 GHz frequency bands. The base version of the standard IEEE 802.11-2007 has had subsequent amendments. These standards provide the basis for wireless network products using the Wi-Fi brand. IEEE 802.1 and 802.3 are incorporated by reference.
In a specific implementation, the IoT devices 104 are purposefully built or configured IoT devices. In being purposely built IoT devices, the IoT devices 104 are built to have specific operational parameters. For example, a thermometer may be built to provide signals from a temperature sensor. In being purposely configured IoT devices, the IoT devices 104 can be configured to operate according to specific operational parameters in accordance with input from a human or artificial agent. For example, an IoT device of the IoT devices 104 can be a thermostat configured to control an air conditioner to cool a room to a configurable temperature at a configurable time. As another example, an agent can specify an IoT device should not communicate with a specific data source, and the IoT device can be configured to refrain from communicating with the specific data source as part of purposeful configuration.
In the example of
The example system shown in
The example system shown in
The personality aware enrichment engine 202 is intended to represent an engine that functions to enrich raw event metadata received based on operation of an IoT device. The personality aware enrichment engine 202 can receive raw metadata in the form of data packets or portions of data packets transmitted to and from an IoT device in operation of the IoT device. In enriching raw event metadata, the personality aware enrichment engine 202 can identify an IoT device and assign a context to the IoT device.
The IoT device demographics generation engine 204 is intended to represent an engine that receives enriched metadata to maintain demographics of IoT devices including the IoT device. The IoT device demographics generation engine 204 receives the enriched metadata from the personality aware enrichment engine 202. In maintaining demographics of IoT devices based on enriched metadata, the IoT device demographics generation engine 204 can establish profiles of groups of IoT devices. For example, the IoT device demographics generation engine 204 can group together IoT devices that share a common context together to form a profile of a group of the IoT devices. Additionally, in maintaining demographics of IoT devices, the IoT device demographics generation engine 204 can aggregate and create permutations of the enriched metadata to generate aggregated metadata permutations. For example, the IoT device demographics generation engine 204 can group together all enriched metadata related to streaming events at the IoT device together to generate aggregated metadata permutations.
The IoT personality definition engine 206 is intended to represent an engine that functions to define a personality of the IoT device. The IoT personality definition engine 206 can define a personality of the IoT device by generating and updating IoT personality data stored in the IoT personality datastore 208. Additionally, the IoT personality definition engine 206 can define a personality of the IoT device using aggregated metadata permutations received from the IoT device demographics generation engine 204. More specifically, the IoT personality definition engine 206 can identify feature values indicating behaviors of the IoT device in operation based on aggregated metadata permutations received from the IoT device demographics generation engine 204.
The offline modeling engine 210 is intended to represent an engine that functions to build a context-based undesired behavior detection model for use in detecting undesired behavior in the operation of the IoT device. The offline modeling engine 210 can build a context-based undesired behavior detection model based on feature values indicating behaviors of the IoT device in operation, as determined by the IoT personality definition engine 206. Additionally, the offline modeling engine 210 can use an applicable machine learning mechanism to recognize behavior patterns in the feature values to build the context-based undesired behavior detection model. For example, the offline modeling engine 210 can use either or both learned state transition-based learning and deep learning to identify behavior patterns of the IoT in operation for purposes of maintaining a context-based undesired behavior detection model.
The personality aware undesired behavior detection engine 212 is intended to represent an engine that functions to apply a context-based undesired behavior detection model to feature values for purposes of detecting undesired behavior in the operation of the IoT device. The personality aware undesired behavior detection engine 212 can apply a context-based undesired behavior detection model maintained by the offline modeling engine 210 to feature values of the IoT device identified by the IoT personality definition engine 206. In applying the model to feature values, the personality aware undesired behavior detection engine 212 generate a signal comparing actual behaviors of the IoT device in operation to modeled behaviors of the IoT device.
The signal correlation engine 214 is intended to represent an engine that functions to generate and send undesirable behavior alerts. The signal correlation engine 214 can generate and send undesirable behavior alerts based on actual behaviors of the IoT device in operation to modeled behaviors of the IoT device, as received from the personality aware undesired behavior detection engine 212. The signal correlation engine 214 can send an undesirable behavior alert indicating how the IoT device deviated from normal behavior patterns, e.g. benign behavior patterns, in exhibiting undesired behavior in operation.
The new personality profile discovery engine 216 is intended to represent an engine that functions to identify a personality profile of the IoT device. The new personality profile discovery engine 216 can detect whether an IoT personality profile exists for the IoT device based on one or a combination of raw metadata received at the personality aware enrichment engine 202, enriched raw metadata received at the IoT device demographics generation engine 204, aggregated metadata permutation received at the IoT personality definition engine 206, and feature values determined by the IoT personality definition engine 206. The new personality profile discovery engine 216 can inform the IoT personality definition engine 206 whether an IoT personality profile exists for the IoT device for purposes of defining the IoT personality for the IoT device.
The flowchart 300 continues to module 304 with obtaining domain knowledge, including knowledge regarding bad IoT personalities, from a network administration engine. An example of an engine that can perform module 304 is the IoT personality definition engine 204 of
The flowchart 300 continues to module 306 with defining a personality, including feature values associated with the personality, using the aggregated metadata permutations, the domain knowledge, and prior personality data set feedback from a new personality profile discovery engine. An example of an engine that can perform module 306 is the IoT personality definition engine 206 of
The flowchart 300 continues to module 308 with classifying the personality using the feature values and IoT personality models, wherein the personality has a signal associated therewith. An example of an engine that can perform module 308 is the personality classification engine 212 of
The flowchart 300 continues to module 310 with correlating the signal to reach a verdict and, if the personality is a bad personality, generate a bad personality alert for provisioning to the network administration engine. An example of an engine that can perform module 310 is the signal correlation engine 214 of
The flowchart 300 continues to module 312 with discovering, at the new personality profile discovery engine, new personality data set feedback from the classified personality and the verdict. An example of an engine that can perform module 312 is the new personality profile discovery engine 216 of
Referring once again to the example of
Instead or in addition, at least a portion of the multi-layered policy management subsystem 108 can be implemented through a mirror in a gateway, one or more local agents, or on one or more IoT devices; intelligence can be distributed. A local agent includes software implemented on a physical device locally coupled to IoT devices. Local coupling involves operationally connecting the local agent via a LAN interface (or a smaller network interface, such as a PAN interface) to IoT devices. It should be noted enterprise networks can include geographically distributed LANs coupled across WAN segments. In a distributed enterprise network, the local agents may be local at each LAN (each LAN is sometimes referred to as a Basic Service Set (BSS) in IEEE 802.11 parlance, though no explicit requirement is suggested here) or localized using, e.g., VLAN tunneling (the connected LANs are sometimes referred to as an Extended Service Set (ESS) in IEEE 802.11 parlance, though no explicit requirement is suggested here). Depending upon implementation-specific or other considerations, the multi-layered policy management subsystem 108 can include wired communication interfaces and wireless communication interfaces for communicating over wired or wireless communication channels. The multi-layered policy management subsystem 108 can be, at least in part, a device provided by an Internet service provider directly purchased by a consumer and acting as a conduit between networks. Depending upon implementation or other considerations, the multi-layered policy management subsystem 108 can be implemented as part of a private cloud. A private cloud implementing the multi-layered policy management subsystem 108, at least in part, can be specific to an entity.
Policy is defined by institutional or security system agents at one of multiple levels of abstraction. The context-level policy management engine 116 is intended to represent an engine that enables a human or artificial agent to create, read, update, or delete (CRUD) policy at a context-level of abstraction (via context-level parameters). A context of an IoT device, as used herein, includes IoT device profiles, IoT device categories, applicable operational parameters of an IoT device in operation, to name a few. For example, an IoT can be profiled as a thermostat, categorized as a General Electric product, and context can include an ID of an IoT device, sources (or paths) of messages to the IoT device, destinations (or paths) of messages from the IoT device, current operational parameters of the IoT device, e.g. how an IoT device operates in controlling itself, behaviors of an IoT device in operation, whether an IoT device is actually operating, data ports used by an IoT device in sending and receiving data, types of data sent or received, operating systems used by an IoT device, and applications used by an IoT device. Further, a context of an IoT device can include applicable operational parameters of an IoT device in operation to either or both access network services and broadcast. For example, a context of an IoT device can include a message an IoT device broadcasts in acting as a beacon. In another example, a context of an IoT device can include a data source with which an IoT device communicates through a WAN.
Context-level policy management parameters are granular. Accordingly, creating and managing policy at the context level may, in some cases, require some network administrative expertise. Contexts can include background event contexts, identity-based contexts, and group-based contexts. Identity-based and group-based contexts can be characterized as dynamically-established context because they take into account baseline (predicted) behavior. The type of device (or group) can be considered part of group-based context, allowing application of policy to devices in the group. For example, IV pumps do not talk to VLANs, so one predefined context-level protocol can be used for IV pumps.
Context parameters can include, for example, specific threat vectors, IoT device information (e.g., MAC address, operating system, operating system version, model), VLAN information, or the like. Advantageously, identity-based, behavioral, risk/threat models, and other parameters that are derived from IoT personality creation and management are available at the context level.
In a specific implementation, the context-level policy management engine 116 makes decisions regarding policy, instead of a human, based on context. Otherwise, the human would have had to take care of all conditions. For example, a user would have to make a policy for a specific IV pump, but the context-level policy management engine 116 can apply policy to all IV pumps (or prompt the human to do the same); henceforth, when a human says “IV pump,” the context-level policy management engine 116 knows the human is referring to IV pumps matching the policy. Advantageously, keywords allow a human to teach the context-level policy management engine 116 about policy preferences simply by using them and the context-level policy management engine 116 can recommend policy matching value thresholds for use in policy creation.
Policy can be based upon patterns in packets that match regular expressions of policy rules. The packet-level policy management engine 118 is intended to represent an engine that enables a human or artificial agent to create, read, update, or delete (CRUD) policy at a packet-level of abstraction (via packet-level parameters). A network intrusion detection system (IDS) and intrusion prevention system (IPS) known as snort is recognized as an excellent piece of open source software that utilizes regular expressions. Snort rules, however, are sufficiently granular that they regularly produce false positives. For an IoT network in particular, the number of false positives can reach nuisance levels. Advantageously, the packet-level policy management engine 118 can use snort rules as a backup (e.g., to be certain), without relying on snort rules as a matter of course. The system instead encourages rules to be made at as high a level as possible. Specifically, it is easier to build in hooks at higher levels of abstraction than it is using regular expression matching at the packet- (or context-) level.
Recognizing that “normal” matches may be associated with malicious activity in the aggregate, machine learning is used to determine whether “normal” packets are part of a malicious sequence. Because the multi-layered policy management system 108 includes multiple levels (including at least one of a higher level of abstraction than the packet-level), policy need not be based solely upon regular expression matching at the packet-level. Patterns can be converted to fields of an event, which is a higher level of abstraction, for example. As used in this paper, the packet- and context-levels of abstraction are defined as “low levels of abstraction” and the event- and higher levels of abstraction are defined as “high levels of abstraction.” In a specific implementation, human agents are permitted to create policy at high levels of abstraction, but not at low levels of abstraction.
The event-level policy management engine 120 is intended to represent an engine that enables a human or artificial agent to create, read, update, or delete (CRUD) policy at an event-level of abstraction (via event-level parameters). In an example of operation, events are assumed to be network session events. A transformation, enrichment, and aggregation of data from low levels of abstraction to high levels of abstraction hides granular details, resulting in a layered policy engine that enables agents to engage with the system at a level of abstraction with which they are comfortable. (Transformation, enrichment, and aggregation are also done between event- and activity-levels and between activity- and behavior-levels.)
The raw event datastore 402 is intended to represent events of various kinds. A significant subclass of events are network session events or “network events.” In some implementations, network events can appropriately be referred to as “packet-based” (or “frame-based”) events because network event capture is of packets or frames. In a specific implementation, a discrete network event is a network session. Alternatively or in addition, a discrete network event is a portion of a persistent network session that has been broken into chunks, wherein the chunks of a network session, in the aggregate, comprise a network session. Another potential subclass of events includes message transport events, such as messages using a lightweight publish/subscribe messaging transport (e.g., message queuing telemetry transport (MQTT)). Another potential subclass of events includes message log events, such as messages using a standard to separate message generators, systems that store messages, and message analysis and reporting engines (e.g., syslog). The raw event datastore 402 can be considered part of a “super” datastore that incorporates other datastores, such as the normalized event datastore 408, the aggregated event datastore 412, and the IoT signal feature datastore 416.
The event normalization engine 404 is intended to represent an engine that normalizes events of disparate formats. The event normalization engine 404 uses information from the domain datastore 406 to determine a normalized (e.g., standardized) format for events and normalizes (e.g., transforms) events from the raw event datastore 402 for storage into the normalized event datastore 408. In a specific implementation, events are normalized using one or more of a timestamp, tagging (e.g., from the domain datastore 406), an ID (e.g., a user ID or event ID), or the like. Normalizing events enables later engines to perform an apples-to-apples comparison of events for, e.g., aggregation purposes. In an implementation in which, e.g., only network events are aggregated, normalization may or may not be considered optional.
The event aggregation engine 410 is intended to represent an engine for aggregating a normalized event from the normalized event datastore 408 with other related events. In a specific implementation, the other related events are also normalized events in the normalized event datastore 408. Related events can include, for example, multiple discrete network events of a persistent session; events associated with the same source, user, time, or application; events that (based on, e.g., domain knowledge) might be related to an activity (e.g., login, download, streaming, or other possible activity); events associated with an IoT device profile; events that are related on a time series level; or the like.
As used in this paper, an analytics feature is a transformation of one or more timestamped events, including composite events. As used in this paper, a composite event comprises multiple event parameters, but is referred to as an “event,” which is a more general term intended to represent a discrete event or a combination of event parameters (which can include one or more discrete events). For example, a discrete event, such as a signal transmitted from a thermometer associated with a discrete temperature sensing instance, can be combined with an event parameters for the destination of the signal, historical signal transmissions, transmissions of similarly classified IoT devices, and the like, to generate a composite event. A machine learning analytics engine can determine analytics features of IoT devices in operation based on messages transmitted to or from IoT devices. For example, the machine learning analytics engine can examine messages transmitted to an IoT device to determine an event which can subsequently be timestamped to create an analytics feature of the IoT device in operation. The machine learning analytics engine can generate analytics features of IoT devices in operation within a time window. For example, the machine learning analytics engine can examine all messages transmitted from an IoT device within a one hour period to determine a feature of the IoT device in operation. A time window, also referred to as a data rollup window, used by the machine learning analytics engine to generate features of an IoT device in operation. For example, the machine learning analytics engine can examine packets transmitted from a first IoT device over a 24 hour period and examine packets transmitted from a second IoT device over a five minute period to extract features of the first and second IoT devices in operation. A time window used by the machine learning analytics engine to extract features of IoT devices in operation can vary based on contexts of the IoT devices. For example, the machine learning analytics engine can vary time windows used to extract features of IoT devices in operation based on device types of the IoT devices.
Common factor aggregation creates various aggregations and transformations from the incoming data events leveraging on supervised classification, unsupervised clustering-based machine learning, and multi-layer deep learning to model various behavior patterns of IoT devices so the IoT devices can be grouped/labelled based on their behaviors. For example, an ultrasound machine running windows OS and connecting to its home servers in Europe would be tagged with, in this example, two different behavior aggregation factors and the correlation of these behaviors can help accurately identify the device as an ultrasound machine of a specific model. Events can be aggregated based on context, such as by way of a profile-based aggregation. For example, event can be aggregated based on recipients of data packets transmitted from an IoT device, an IoT device ID, or a port used transmit data packets from which the events are translated.
To allow comparison of events for common factor aggregation, a harmonized framework of events (e.g., a common methodological framework) is desirable, which can be implemented as a huge amount of data that is analyzed for commonalities. The analysis takes more or less work depending upon the type of data (e.g., comparing sources and destinations is relatively straight-forward, while comparing values identified using deep packet inspection of payload is relatively less straight-forward). Reducing factors to a common baseline is impractical due to the number of different aggregations that are relevant in an IoT network comprising a large number of devices; reduction to a common baseline is useless for predictive purposes. Multiple aggregations are necessary and may not even be easily identifiable to a human because the common factors are not easily categorized by the human mind and, due to their numbers, will, in practice, likely go without human-understandable aggregations of common factors. Indeed, it is a hopeless task for a human given the number and frequency of communications IoT networks are already generating, even if all of the aggregations were uniquely describable to a human. So a computer must be used to find the large number of common factors necessary to yield predictable, and therefore actionable, intelligence; humans can, of course, help in categorization or other tasks after being augmented by the computer.
The event aggregation engine 410 stores the aggregated events in the aggregated event datastore 412. Note that an “aggregated event” can include one or more normalized events and context will dictate whether that means one aggregated event includes one normalized event or one aggregated event includes multiple normalized events.
The IoT signal feature extraction engine 414 is intended to represent an engine for extracting features from signals associated with an IoT device. A feature value includes a data sample corresponding to the feature itself. The IoT signal feature extraction engine 414 stores the feature values in the IoT signal feature datastore 416.
In an example of operation, events are assumed to be network session events. The event normalization engine 404 (if applicable) normalizes a volume (e.g., a number of bytes) of events over a time span (e.g., a five minute interval). The event aggregation engine 410 aggregates the one or more events captured during the time span. It may be noted, an event that is not aggregated may still be analyzed by the IoT signal feature extraction engine 414, along with any aggregated events.
Referring once again to the example of
The event-level policy engine 502 is intended to represent generating policy at a level of abstraction above the packet-level. The event-level policy engine 502 obtains policy updates from the policy updates datastore 504, which is intended to represent policy updates from human or artificial agents. It may be noted the policy updates can be for levels of abstraction above or below that of the event-level if they impact policy at the event-level. The event-level policy engine 502 also obtains IoT device, environment, and administrative context from the domain datastore 506. The event-level policy engine 502 generates event-level policy as represented by the event-level policy datastore 508.
In the example of
Advantageously, a conditional rule can be made for an event without matching packet data. The abstraction reduces complexity and the likelihood of error or misunderstanding. The abstraction also enables predictive policy. For example, if B (malicious) happens a small amount of time after A (benign), machine learning can be used to find a common-sense threshold.
Referring once again to the example of
The behavior-level policy management engine 124 is intended to represent an engine that enables a human or artificial agent to create, read, update, or delete (CRUD) policy at a behavior-level of abstraction (via behavior-level parameters). As used in this paper, a behavior includes one or more activities and data associated with those activities (and an activity includes one or more events and data associated with those events). Thus,
The IP endpoint discovery and classification engine 110 is intended to represent an engine that discovers IP endpoints that do not match policy and uses machine-learning techniques to classify the discovered IP endpoints to make policy applicable. In a specific implementation, at least a portion of the IP endpoint discovery and classification engine 110 is implemented remote relative to IoT devices for which the system manages policy. Advantageously, policy can apply when a device is categorized or identified, even if the device has been there for awhile (whether the device is an IP endpoint or other IoT device). Although ghost matching is a known technique, it does not entail 1) policy is generated, 2) IP endpoints are discovered that do not match the policy, and 3) the IP endpoints are classified to make the policy applicable.
The flowchart 600 continues to module 604 with discovering an IP endpoint. An IP endpoint can be discovered by an IP endpoint discovery and classification engine, such as the IP endpoint discovery and classification engine 110 (
The flowchart 600 continues to module 606 with classifying the IP endpoint. An IP endpoint can be classified by an IP endpoint discovery and classification engine, such as the IP endpoint discovery and classification engine 110 (
The flowchart 600 ends at module 608 with applying the multi-level policy to the IP endpoint. Multi-level policy can be applied by a multi-level policy compliance detection engine, such as the multi-level policy compliance detection engine 112 (
Referring once again to the example of
In the example of
Advantageously, policy generation and compliance and asset management are integrated. Action can be taken through policy (and redirect to integrated service for further action) on a security orchestration platform, network access control system, and/or security incident event management (SIEM) platform. Based upon event-, activity-, and/or behavior-level changes, the policy-integrated asset management engine 114 can make suggestions, such as virus scans or IoT device inventory recommendations (e.g., by determining, based upon the number of IV pump usage trends, failure rate, and the like, how many IV pumps should be ordered), or respond to previous commands (e.g., I want to know when a new IV pump model is detected, which would be an identity-based trigger).
A language can be defined for multi-level IoT network conduct. The language should be general enough to allow humans to create rules without a great deal of network administrative expertise that is applicable to events, activities, and behaviors. In a specific implementation, the language utilizes a keyword file that serves to identify activity parameters (e.g., those associated with a Windows download, device operations, etc.). Although it is difficult to provide a precise (finite) number of activities, in a specific implementation, about 200 activities have been identified and used in a network environment with exceptional results. The activities can be grouped.
A scenario, as used in this paper, is defined as one or more specific sequences of activities one or more of which can be mapped to a behavior. Behavior-level scenarios include, for example, compromised device (e.g., security anomaly with low risk, security anomaly with high risk, device infected by malware, device infected by ransomware, device hijacked for mining, device hijacked for botnet), device efficiency, device malfunction, connection anomalies (e.g., forming too many connections), data breach (e.g., file download followed by login anomaly). Activity-level scenarios include IT-based scan (e.g., network scan, port scan, file operation, backup, login, API form, or the like), device operations (e.g., device operational, device idle, device goes offline, device in use, or the like), or an application-specific quality (e.g., send email, send email with attachments, send email with executable file, send email with non-executable file, send a file that is a picture, or the like). Event-level scenarios include message volume, weak password, or the like. Context-level scenarios include presence on a medical VLAN (instead of a regular VLAN), version, or the like.
In an example of operation, when presenting behavioral scenarios, the policy-integrated asset management engine 114 does not include behaviors that are activities (note: a behavior can include a single activity) or activities that are events (note: an activity can include a single (discrete or aggregated) event) in order to better abstract for the benefit of a human agent. For a behavioral class with behavioral scenario instances, a human agent can choose scenario 1, 2, . . . , n, or all.
These and other examples provided in this paper are intended to illustrate but not necessarily to limit the described implementation. As used herein, the term “implementation” means an implementation that serves to illustrate by way of example but not limitation. The techniques described in the preceding text and figures can be mixed and matched as circumstances demand to produce alternative implementations.
The present application claims priority to U.S. Provisional Patent Application Ser. No. 62/787,190 filed Dec. 31, 2018 and entitled “Multi-Layered Policy Management,” which is hereby incorporated by reference herein.
Number | Name | Date | Kind |
---|---|---|---|
6142682 | Skogby | Nov 2000 | A |
6877146 | Teig | Apr 2005 | B1 |
8146133 | Moon | Mar 2012 | B2 |
8159966 | Mabee | Apr 2012 | B1 |
8331229 | Hu | Dec 2012 | B1 |
8671099 | Kapoor | Mar 2014 | B2 |
8683598 | Cashin | Mar 2014 | B1 |
8850588 | Kumar | Sep 2014 | B2 |
8874550 | Soubramanien | Oct 2014 | B1 |
8891528 | Moriarty | Nov 2014 | B2 |
8898788 | Ashar | Nov 2014 | B1 |
8973088 | Leung | Mar 2015 | B1 |
9324119 | Singh | Apr 2016 | B2 |
9516053 | Muddu | Dec 2016 | B1 |
9548987 | Poole | Jan 2017 | B1 |
9584536 | Nantel | Feb 2017 | B2 |
9600571 | Shaashua | Mar 2017 | B2 |
9609003 | Chmielewski | Mar 2017 | B1 |
9661011 | Van Horenbeeck | May 2017 | B1 |
9692784 | Nenov | Jun 2017 | B1 |
9774604 | Zou | Sep 2017 | B2 |
9891907 | Searle | Feb 2018 | B2 |
9961096 | Pierce | May 2018 | B1 |
9984344 | Singh | May 2018 | B2 |
10038700 | Duchin | Jul 2018 | B1 |
10043591 | Laborde | Aug 2018 | B1 |
10122747 | Mahaffey | Nov 2018 | B2 |
10191794 | Smith | Jan 2019 | B2 |
10204312 | Singh | Feb 2019 | B2 |
10212176 | Wang | Feb 2019 | B2 |
10212178 | Cheng | Feb 2019 | B2 |
10229269 | Patton | Mar 2019 | B1 |
10237875 | Romanov | Mar 2019 | B1 |
10320613 | Cam-Winget | Jun 2019 | B1 |
10348739 | Greenspan | Jul 2019 | B2 |
10459827 | Aghdaie | Oct 2019 | B1 |
10489361 | Sisk | Nov 2019 | B2 |
10511620 | Schwartz | Dec 2019 | B2 |
10623389 | Childress | Apr 2020 | B2 |
10630728 | Ghosh | Apr 2020 | B2 |
10764315 | Carroll | Sep 2020 | B1 |
10885393 | Sirianni | Jan 2021 | B1 |
10887306 | Gupta | Jan 2021 | B2 |
11005839 | Shahidzadeh | May 2021 | B1 |
11070568 | Ektare | Jul 2021 | B2 |
11115799 | Du | Sep 2021 | B1 |
11455641 | Shahidzadeh | Sep 2022 | B1 |
20040243835 | Terzis | Dec 2004 | A1 |
20060265397 | Bryan | Nov 2006 | A1 |
20080059536 | Brock | Mar 2008 | A1 |
20100284282 | Golic | Nov 2010 | A1 |
20120065749 | Hunter | Mar 2012 | A1 |
20120102543 | Kohli | Apr 2012 | A1 |
20120240185 | Kapoor | Sep 2012 | A1 |
20130086261 | Lim | Apr 2013 | A1 |
20130173621 | Kapoor | Jul 2013 | A1 |
20130247190 | Spurlock | Sep 2013 | A1 |
20130305357 | Ayyagari | Nov 2013 | A1 |
20140006479 | Maloo | Jan 2014 | A1 |
20140244834 | Guedalia | Aug 2014 | A1 |
20140281912 | Doi | Sep 2014 | A1 |
20140325670 | Singh | Oct 2014 | A1 |
20140337862 | Valencia | Nov 2014 | A1 |
20150039513 | Adjaoute | Feb 2015 | A1 |
20150055623 | Li | Feb 2015 | A1 |
20150161024 | Gupta | Jun 2015 | A1 |
20150229654 | Perier | Aug 2015 | A1 |
20150262067 | Sridhara | Sep 2015 | A1 |
20150271192 | Crowley | Sep 2015 | A1 |
20150293954 | Hsiao | Oct 2015 | A1 |
20150295945 | Canzanese, Jr. | Oct 2015 | A1 |
20150324559 | Boss | Nov 2015 | A1 |
20150356451 | Gupta | Dec 2015 | A1 |
20160028750 | Di Pietro | Jan 2016 | A1 |
20160036819 | Zehavi | Feb 2016 | A1 |
20160048984 | Frigo | Feb 2016 | A1 |
20160119372 | Borlick | Apr 2016 | A1 |
20160128043 | Shuman | May 2016 | A1 |
20160173446 | Nantel | Jun 2016 | A1 |
20160173495 | Joo | Jun 2016 | A1 |
20160182497 | Smith | Jun 2016 | A1 |
20160196558 | Mercille | Jul 2016 | A1 |
20160212099 | Zou | Jul 2016 | A1 |
20160218949 | Dasgupta | Jul 2016 | A1 |
20160261465 | Gupta | Sep 2016 | A1 |
20160267406 | Bodo | Sep 2016 | A1 |
20160267408 | Singh | Sep 2016 | A1 |
20160277435 | Salajegheh | Sep 2016 | A1 |
20160301707 | Cheng | Oct 2016 | A1 |
20160301717 | Dotan | Oct 2016 | A1 |
20160337127 | Schultz | Nov 2016 | A1 |
20160352685 | Park | Dec 2016 | A1 |
20160366141 | Smith | Dec 2016 | A1 |
20160366181 | Smith | Dec 2016 | A1 |
20170006028 | Tunnell | Jan 2017 | A1 |
20170006135 | Siebel | Jan 2017 | A1 |
20170011406 | Andrew | Jan 2017 | A1 |
20170013005 | Galula | Jan 2017 | A1 |
20170055913 | Bandyopadhyay | Mar 2017 | A1 |
20170063774 | Chen | Mar 2017 | A1 |
20170093915 | Ellis | Mar 2017 | A1 |
20170118237 | Devi Reddy | Apr 2017 | A1 |
20170118240 | Devi Reddy | Apr 2017 | A1 |
20170124660 | Srivastava | May 2017 | A1 |
20170126704 | Nandha Premnath | May 2017 | A1 |
20170149813 | Wright | May 2017 | A1 |
20170180380 | Bagasra | Jun 2017 | A1 |
20170180399 | Sukhomlinov | Jun 2017 | A1 |
20170188242 | Ghosh | Jun 2017 | A1 |
20170200061 | Julian | Jul 2017 | A1 |
20170230402 | Greenspan | Aug 2017 | A1 |
20170232300 | Bao | Aug 2017 | A1 |
20170235585 | Gupta | Aug 2017 | A1 |
20170235783 | Chen | Aug 2017 | A1 |
20170244737 | Kuperman | Aug 2017 | A1 |
20170251007 | Fujisawa | Aug 2017 | A1 |
20170272554 | Kwan | Sep 2017 | A1 |
20170279685 | Mota | Sep 2017 | A1 |
20170289184 | Subramanian | Oct 2017 | A1 |
20170331671 | Olsson | Nov 2017 | A1 |
20170331906 | Choi | Nov 2017 | A1 |
20170339178 | Mahaffey | Nov 2017 | A1 |
20170344407 | Jeon | Nov 2017 | A1 |
20170346677 | Suryanarayana | Nov 2017 | A1 |
20180007058 | Zou | Jan 2018 | A1 |
20180012227 | Tunnell | Jan 2018 | A1 |
20180018684 | Orr | Jan 2018 | A1 |
20180027006 | Zimmermann | Jan 2018 | A1 |
20180078843 | Bao | Mar 2018 | A1 |
20180115574 | Ridley | Apr 2018 | A1 |
20180117446 | Tran | May 2018 | A1 |
20180117447 | Tran | May 2018 | A1 |
20180139227 | Martin | May 2018 | A1 |
20180144139 | Cheng | May 2018 | A1 |
20180191729 | Whittle | Jul 2018 | A1 |
20180191746 | De Knijf | Jul 2018 | A1 |
20180191848 | Bhattacharya | Jul 2018 | A1 |
20180205793 | Loeb | Jul 2018 | A1 |
20180212768 | Kawashima | Jul 2018 | A1 |
20180234302 | James | Aug 2018 | A1 |
20180234519 | Boyapalle | Aug 2018 | A1 |
20180248902 | Dãnilã-Dumitrescu | Aug 2018 | A1 |
20180255084 | Kotinas | Sep 2018 | A1 |
20180261070 | Stevens | Sep 2018 | A1 |
20180264347 | Tran | Sep 2018 | A1 |
20180285234 | Degaonkar | Oct 2018 | A1 |
20180293387 | Bar-El | Oct 2018 | A1 |
20180295148 | Mayorgo | Oct 2018 | A1 |
20180302440 | Hu | Oct 2018 | A1 |
20180349598 | Harel | Dec 2018 | A1 |
20180349612 | Harel | Dec 2018 | A1 |
20180357556 | Rai | Dec 2018 | A1 |
20180375887 | Dezent | Dec 2018 | A1 |
20190019249 | Bhattacharjee | Jan 2019 | A1 |
20190081961 | Bansal | Mar 2019 | A1 |
20190089747 | Wang | Mar 2019 | A1 |
20190098028 | Ektare | Mar 2019 | A1 |
20190098058 | Ikegami | Mar 2019 | A1 |
20190109717 | Reddy | Apr 2019 | A1 |
20190121978 | Kraemer | Apr 2019 | A1 |
20190138512 | Pourmohammad | May 2019 | A1 |
20190182278 | Das | Jun 2019 | A1 |
20190268305 | Zhi | Aug 2019 | A1 |
20190349426 | Smith | Nov 2019 | A1 |
20190361917 | Tran | Nov 2019 | A1 |
20190373472 | Smith | Dec 2019 | A1 |
20190387399 | Weinberg | Dec 2019 | A1 |
20200036603 | Nieves | Jan 2020 | A1 |
20200076846 | Pandian | Mar 2020 | A1 |
20200076853 | Pandian | Mar 2020 | A1 |
20200117690 | Tran | Apr 2020 | A1 |
20200156654 | Boss | May 2020 | A1 |
20200162278 | Delaney | May 2020 | A1 |
20200177485 | Shurtleff | Jun 2020 | A1 |
20200177589 | Mangalvedkar | Jun 2020 | A1 |
20200213146 | Kodam | Jul 2020 | A1 |
20200409957 | Zhang | Dec 2020 | A1 |
Number | Date | Country |
---|---|---|
102025577 | Jul 2012 | CN |
107862468 | Mar 2018 | CN |
108650133 | Oct 2018 | CN |
107135093 | May 2020 | CN |
108306911 | Dec 2020 | CN |
3136297 | Mar 2017 | EP |
2018513467 | May 2018 | JP |
2019218874 | Nov 2019 | WO |
Entry |
---|
Li et al., A Distributed Consensus Algorithm for Decision Making in Service-Oriented Internet of Things, Old Dominion University, ODU Digital Commons, 2014. |
Nguyen et al., A Software-Defined Model for loT Clusters: Enabling Applications on Demand, Faculty of Engineering and IT, University of Technology Sydney, Australia, IEEE Xplore, Apr. 23, 2018. |
Blackstock et al., IoT Interoperability: A Hub-based Approach, 2014, IEEE International Conference on the Internet of Things (IOT), pp. 80-84. |
Miloslavskaya et al., Ensuring Information Security for Internet of Things, 2017, IEEE 5th International Conference of Future Internet of Things and Cloud, pp. 62-69. |
Fredj et al., A Scalable IoT Service Search Based on Clustering and Aggregation, 2013 IEEE International Conference on Green Computing and Communication and IEEE Internet of Things and IEEE Cyber, Physical and Social Computing, pp. 1-8. |
International Application No. PCT/US2016/025661, International Search Report and Written Opinion dated Jul. 7, 2016. |
Liu et al., A Lightweight Anomaly Mining Algorithm in the Internet of Things, 2014 IEEE 5th International Conference an Software Engineering and Service Science, 2014, pp. 1142-1145. |
Sivanathan et al., Classifying IoT Devices in Smart Environments Using Network Traffic Characteristics, IEEE, TMC, No. 8, pp. 1745-1759, Aug. 2018. |
Sivanathan et al., Detecting Behavioral Change of IoT Devices Using Clustering-Based Network Traffic Modeling, IEEE LCN 2019, Mar. 30, 2020. |
Sivanathan et al., Inferring IoT Device Types from Network Behavior Using Unsupervised Clustering, IEEE ICN 2019, Oct. 2019. |
Author Unknown, Cisco Encrypted Traffic Analytics, Feb. 10, 2021. |
Charyyev et al., Locality-Sensitive IoT Network Tiaffic Fingerprinting for Device Identification, IEEE Internet of Things Journal, 2020, vol. 8, No. 3, pp. 1272-1281. |
Du et al., A Lightweight Flow Feature-Based IoT Device Identification Scheme, Security and Communication Networks, 2022. |
Zhao et al., A Few-Shot Learning Based Approach to IoT Traffic Classification, IEEE Communications Letters, 2021. |
Al-Shaer et al., Design and Implementation of Firewall Policy Advisor Tools, 2002. |
Al-Shaer et al., Firewall Policy Advisor for Anomaly Discovery and Rule Editing, Integrated Network Management VIII, 2003. |
Martin et al., Requirements and Recommendations for CWE Compatibility and CWE Effectiveness, Version 1.0, Jul. 28, 2011. |
National Electrical Manufacturers Association, Manufacturer Disclosure Statement for Medical Device Security, HIMSS/NEMA Standard HN Jan. 2013, 2013. |
Charu C. Aggarwal, Outlier Analysis, Retrieved from the Internet, URL: https://web.archive.org/web/20130210212057/http://charuaggarwal.net/outlierbook.pdf. |
Hirofumi Nakakoji, et al., “Study of the Incident Tendency Detection Method on Frequency Analysis,” Technical Report of IEICE, Japan, The Institute of Electronics, Information and Communication Engineers (IEICE), Jul. 14, 2005, vol. 105, No. 193, pp. 83-88. |
Arash Fasihi, Rule Based Inference and Action Selection Based on Monitoring Data in IoT, Dec. 1, 2015. |
Cramer et al., Detecting Anomalies in Device Event Data in the IoT, Proceedings of the 3td International Conference an Internet of Things, Big Data and Security, Mar. 21, 2018, pp. 52-62. |
Midi et al., Kalis—A System for Knowledge-driven Adaptable Intrusion Detection for the Internet of Things, 2017 IEEE 37th International Conference on Distributed Computing Systems, pp. 656-666. |
Chen et al., A Model-Based Validated Autonomic Approach to Self-Protect Computing Systems, IEEE Internet of Things Journal, Oct. 2014, pp. 446-460, vol. 1, No. 5. |
Number | Date | Country | |
---|---|---|---|
20200213361 A1 | Jul 2020 | US |
Number | Date | Country | |
---|---|---|---|
62787190 | Dec 2018 | US |