Abstract: Embodiments of the present disclosure may include a method for enforcing network flow rules of a heterogeneous network of devices including receiving a description of a physical environment. Embodiments may also include receiving a device behavior profile of a plurality of network devices. Embodiments may also include receiving at least one network configuration input. Embodiments may also include translating the received description of the physical environment, the received device behavior profile, and the at least one network configuration input into a formal model. Embodiments may also include determining network flow rules based at least in part on the formal model. Embodiments may also include enforcing the network flow rules. In some embodiments, the network flow rules enhance the security of a heterogeneous network of devices.

Abstract: A process for monitoring network behaviour of IoT devices, which includes: monitoring a communication network traffic to identify TCP and UDP traffic flows to and from each of one or more IoT devices; processing the identified traffic flows to generate a corresponding data structure representing the identified network traffic flows of the IoT device in terms of, for each of local and internet networks, one or more identifiers of respective hosts and/or devices that had a network connection with the IoT device, source and destination ports and network protocols; and comparing the generated data structure for each IoT device to corresponding data structures representing predetermined manufacturer usage description (MUD) specifications of known types of IoT devices to generate quantitative measures of similarity of the traffic flows of the IoT device to traffic flows defined by the predetermined MUD specifications to identify the type of the IoT device

Abstract: Some embodiments include a network attack detection process, including, for each of a plurality of IoT devices of a communications network: receiving corresponding network traffic data representing network traffic characteristics of a plurality of network traffic flows of the device; processing the network traffic data to generate a plurality of corresponding features for each of the network traffic flows; and applying a corresponding set of one-class flow classifiers to the generated features to classify network traffic flows of the device and assess whether the network traffic characteristics of the network traffic flows are indicative of the device being under attack or having been compromised; wherein the flow classifiers are trained with training data representing normal network traffic behaviour of the device in an uncompromised state.

Abstract: A process for monitoring network behaviour of IoT devices, which includes: monitoring a communication network traffic to identify TCP and UDP traffic flows to and from each of one or more IoT devices; processing the identified traffic flows to generate a corresponding data structure representing the identified network traffic flows of the IoT device in terms of, for each of local and internet networks, one or more identifiers of respective hosts and/or devices that had a network connection with the IoT device, source and destination ports and network protocols; and comparing the generated data structure for each IoT device to corresponding data structures representing predetermined manufacturer usage description (MUD) specifications of known types of IoT devices to generate quantitative measures of similarity of the traffic flows of the IoT device to traffic flows defined by the predetermined MUD specifications to identify the type of the IoT device

Abstract: Some embodiments include a network attack detection process, including, for each of a plurality of IoT devices of a communications network: receiving corresponding network traffic data representing network traffic characteristics of a plurality of network traffic flows of the device; processing the network traffic data to generate a plurality of corresponding features for each of the network traffic flows; and applying a corresponding set of one-class flow classifiers to the generated features to classify network traffic flows of the device and assess whether the network traffic characteristics of the network traffic flows are indicative of the device being under attack or having been compromised; wherein the flow classifiers are trained with training data representing normal network traffic behaviour of the device in an uncompromised state.