Abstract: The behavior analysis engine can condense stored machine-learned models and transmit the condensed versions of the machine-learned models to the network traffic hub to be applied in the local networks. When the behavior analysis engine receives new data that can be used to further train a machine-learned model, the behavior analysis engine updates the machine-learned model and generates a condensed-version of the machine-learned model. The condensed-version of the machine-learned model may be more resource efficient than the machine-learned model while capable of making similar or the same decisions as the machine-learned model. The behavior analysis engine transmits the condensed version of the machine-learned model to the network traffic hub and the network traffic hub uses the condensed-version of the machine-learned model to identify malicious behavior in the local network.

Abstract: The behavior analysis engine can identify malicious entities based on connections between the entity and other entities. The behavior analysis engine receives an entity from the network traffic hub and identifies entities that are connected to the entity within a threshold degree of separation. The behavior analysis engine applies a recursive process to the entity whereby the behavior analysis engine determines whether an entity is malicious based on whether its connections within a threshold degree of separation are malicious. The behavior analysis engine uses the maliciousness of the entities' connections to determine whether the entity is malicious and, if the entity is malicious, the behavior analysis engine may instruct the network traffic hub to block network communications associated with the malicious entity.

Abstract: The behavior analysis engine can also detect malicious network addresses that are sent to networked devices in the local network. The network traffic hub identifies network communications that are transmitted through the local network that contain network addresses. The network traffic hub transmits (or sends) the network address to the behavior analysis engine and the behavior analysis engine extracts network address features from the network address. The behavior analysis engine then applies an execution model to the execution features to determine a confidence score for the network address that represents the execution model's certainty that the network address is malicious. The behavior analysis engine uses the confidence score to provide instructions to the network traffic hub as to whether to allow the networked device to receive the network address.

Abstract: A system and method for intercepting intra-network traffic for smart appliance behavior analysis. A network traffic hub is configured to intercept network traffic between a switch and a router. A smart appliance sends a message to the router, such as a DHCP request when the smart appliance joins the network. The router sends a response to the smart appliance. The network traffic hub intercepts and modifies the response to instruct the smart appliance to send all future intra-network traffic through the network traffic hub and the router. In some embodiments, the network traffic hub alters a network mask in the response message to instruct the smart appliance to send traffic through the network traffic hub. The network traffic hub then extracts data from the network traffic and uses that data for behavior analysis of smart appliances.

Abstract: A network traffic hub extracts encryption metadata from messages establishing an encrypted connection between a smart appliance and a remote server and determines whether malicious behavior is present in the messages. For example, the network traffic hub can extract an encryption cipher suite, identified encryption algorithms, or a public certificate. The network traffic hub detects malicious behavior or security threats based on the encryption metadata. These security threats may include a man-in-the-middle attacker or a Padding Oracle On Downgraded Legacy Encryption attack. Upon detecting malicious behavior or security threats, the network traffic hub blocks the encrypted traffic or notifies a user.

Abstract: The behavior analysis engine can also detect malicious network addresses that are sent to networked devices in the local network. The network traffic hub identifies network communications that are transmitted through the local network that contain network addresses. The network traffic hub transmits (or sends) the network address to the behavior analysis engine and the behavior analysis engine extracts network address features from the network address. The behavior analysis engine then applies an execution model to the execution features to determine a confidence score for the network address that represents the execution model's certainty that the network address is malicious. The behavior analysis engine uses the confidence score to provide instructions to the network traffic hub as to whether to allow the networked device to receive the network address.

Abstract: A method and system for detecting malicious behavior from smart appliances within a network. Smart appliances have a certain level of intelligence that allows them to perform a specific role more effectively and conveniently. Network traffic data and identification data is collected about smart appliances within a network. The data is sent to a behavior analysis engine, which computes confidence levels for anomalies within the network traffic that may be caused by malicious behavior. If the behavior analysis engine determines that malicious behavior is present in the network, it sends an instruction to a network traffic hub to block network traffic relating to the anomaly. In some embodiments, network traffic is blocked based on source-destination pairs. In some embodiments, network traffic is blocked from a device outside the network that is determined to be malicious.

Abstract: An application detection method includes receiving, from one or more user devices on a plurality of local networks, first network traffic metadata being related to a client application running on the one or more user devices, receiving, from a plurality of network traffic hubs of the plurality of local networks, second network traffic metadata corresponding to the first network traffic metadata but excluding user device specific data, generating a plurality of combined network traffic metadata datasets for each received first network traffic metadata and the corresponding second network traffic metadata by matching metadata attributes of the first and second network traffic metadata, generating an application detection model by using the plurality of combined network traffic metadata datasets, and using the application detection model for detecting further client applications running on one or more user devices on one or more local networks.

Abstract: A network traffic hub receives network traffic from a user device running an application. The network traffic hub aggregates the network traffic into augmented netflows. Based on netflow parameters extracted by the network traffic hub, one or more augmented netflows are associated with the application. The network traffic hub determines whether an augmented netflow is a result of the application being in an active state or a passive state based on, for example, the quantity of data within the netflow. If the quantity of data within the augmented netflow is larger than a data threshold, the augmented netflow can be classified as an active usage, and if the data is less than the data threshold, the augmented netflow can be classified as a passive usage. Thus, by classifying network traffic of an application as active or passive, a record of a user's active usage of the application can be recorded.

Abstract: A wardrobe capable of being moved into and out of a hotel room, and into and out of a storage room, is disclosed. The wardrobe comprises a top, a bottom, two side walls, a back, and four wheels along the bottom, where the wardrobe would otherwise touch the floor. The wheels can optionally be lockable wheels. The wardrobe also includes a means for attachment to one or more walls in a room in which the wardrobe will be used. Suitable means for attachment include holes through which pins can be inserted, pins which fit into holes in a wall, Velcro or other hook and loop attachments, straps, ropes, magnets, clips, cotter pins, and the like. The wardrobe can optionally include one or more additional elements, including one or more doors, one or more drawers, shelves, closet rods, tie/belt racks, mirrors, cubby holes, a cover for the wheels, a safe, and crown, chair, and/or base molding.

Abstract: A network traffic hub receives network traffic from a user device running an application. The network traffic hub aggregates the network traffic into augmented netflows. Based on netflow parameters extracted by the network traffic hub, one or more augmented netflows are associated with the application. The network traffic hub determines whether an augmented netflow is a result of the application being in an active state or a passive state based on, for example, the quantity of data within the netflow. If the quantity of data within the augmented netflow is larger than a data threshold, the augmented netflow can be classified as an active usage, and if the data is less than the data threshold, the augmented netflow can be classified as a passive usage. Thus, by classifying network traffic of an application as active or passive, a record of a user's active usage of the application can be recorded.

Abstract: A network traffic hub is configured to receive a request for a port service (i.e., port forwarding or port triggering) from a smart appliance in a local network. The request may be a part of the UPnP protocol, which includes SSDP and IGDP. The request may be transmitted to the network traffic hub directly or the network traffic hub may intercept the request transmitted to a router of the local network. By receiving the request, the network traffic hub prevents automatic establishment of the port service between the smart appliance and the router until an approval or denial of the port service is received from a user. As such, the user is informed of the request and has the ability to approve or deny the port service. Furthermore, the network traffic hub can configure a network to perform a port service if the network does not allow for it natively.

Abstract: A method and system for detecting malicious behavior from smart appliances within a network. Smart appliances have a certain level of intelligence that allows them to perform a specific role more effectively and conveniently. Network traffic data and identification data is collected about smart appliances within a network. The data is sent to a behavior analysis engine, which computes confidence levels for anomalies within the network traffic that may be caused by malicious behavior. If the behavior analysis engine determines that malicious behavior is present in the network, it sends an instruction to a network traffic hub to block network traffic relating to the anomaly. In some embodiments, network traffic is blocked based on source-destination pairs. In some embodiments, network traffic is blocked from a device outside the network that is determined to be malicious.

Abstract: The behavior analysis engine detects malicious executable files that are being downloaded by networked devices in the local network by executing the executable files in a sandboxing environment operating on the behavior analysis engine. The network traffic hub identifies network communications that are transmitted through the local network that contain executable files. The network traffic hub sends the executable file to the behavior analysis engine and the behavior analysis engine executes the executable file in a sandboxing environment that replicates the networked device that was downloading the executable. The behavior analysis engine extracts execution features from the execution of the executable file and applies an execution model to the execution features to determine a confidence score for the executable file. The behavior analysis engine uses the confidence score to provide instructions to the network traffic hub as to whether to allow the networked device to download the executable.

Abstract: A method and system for detecting malicious behavior from smart appliances within a network. Smart appliances have a certain level of intelligence that allows them to perform a specific role more effectively and conveniently. Network traffic data and appliance identification data is collected about smart appliances within a network. The data is sent to a behavior analysis engine, which computes confidence levels for anomalies within the network traffic that may be caused by malicious behavior. If the behavior analysis engine determines that malicious behavior is present in the network, it sends an instruction to a network traffic hub to block network traffic relating to the anomaly. In some embodiments, network traffic is blocked based on source-destination pairs. In some embodiments, network traffic is blocked from a device outside the network that is determined to be malicious.

Abstract: A network traffic hub extracts encryption metadata from messages establishing an encrypted connection between a smart appliance and a remote server and determines whether malicious behavior is present in the messages. For example, the network traffic hub can extract an encryption cipher suite, identified encryption algorithms, or a public certificate. The network traffic hub detects malicious behavior or security threats based on the encryption metadata. These security threats may include a man-in-the-middle attacker or a Padding Oracle On Downgraded Legacy Encryption attack. Upon detecting malicious behavior or security threats, the network traffic hub blocks the encrypted traffic or notifies a user.

Abstract: A system and method for intercepting intra-network traffic for smart appliance behavior analysis. A network traffic hub is configured to intercept network traffic between a switch and a router. A smart appliance sends a message to the router, such as a DHCP request when the smart appliance joins the network. The router sends a response to the smart appliance. The network traffic hub intercepts and modifies the response to instruct the smart appliance to send all future intra-network traffic through the network traffic hub and the router. In some embodiments, the network traffic hub alters a network mask in the response message to instruct the smart appliance to send traffic through the network traffic hub. The network traffic hub then extracts data from the network traffic and uses that data for behavior analysis of smart appliances.

Abstract: A method and system for detecting malicious behavior from smart appliances within a network. Smart appliances have a certain level of intelligence that allows them to perform a specific role more effectively and conveniently. Network traffic data and identification data is collected about smart appliances within a network. The data is sent to a behavior analysis engine, which computes confidence levels for anomalies within the network traffic that may be caused by malicious behavior. If the behavior analysis engine determines that malicious behavior is present in the network, it sends an instruction to a network traffic hub to block network traffic relating to the anomaly. In some embodiments, network traffic is blocked based on source-destination pairs. In some embodiments, network traffic is blocked from a device outside the network that is determined to be malicious.

Abstract: A method and system for detecting malicious behavior from smart appliances within a network. Smart appliances have a certain level of intelligence that allows them to perform a specific role more effectively and conveniently. Network traffic data and appliance identification data is collected about smart appliances within a network. The data is sent to a behavior analysis engine, which computes confidence levels for anomalies within the network traffic that may be caused by malicious behavior. If the behavior analysis engine determines that malicious behavior is present in the network, it sends an instruction to a network traffic hub to block network traffic relating to the anomaly. In some embodiments, network traffic is blocked based on source-destination pairs. In some embodiments, network traffic is blocked from a device outside the network that is determined to be malicious.

Abstract: A method and system for detecting malicious behavior from smart appliances within a network. Smart appliances have a certain level of intelligence that allows them to perform a specific role more effectively and conveniently. Network traffic data and appliance identification data is collected about smart appliances within a network. The data is sent to a behavior analysis engine, which computes confidence levels for anomalies within the network traffic that may be caused by malicious behavior. If the behavior analysis engine determines that malicious behavior is present in the network, it sends an instruction to a network traffic hub to block network traffic relating to the anomaly. In some embodiments, network traffic is blocked based on source-destination pairs. In some embodiments, network traffic is blocked from a device outside the network that is determined to be malicious.