Abstract: A process for monitoring network behaviour of IoT devices, which includes: monitoring a communication network traffic to identify TCP and UDP traffic flows to and from each of one or more IoT devices; processing the identified traffic flows to generate a corresponding data structure representing the identified network traffic flows of the IoT device in terms of, for each of local and internet networks, one or more identifiers of respective hosts and/or devices that had a network connection with the IoT device, source and destination ports and network protocols; and comparing the generated data structure for each IoT device to corresponding data structures representing predetermined manufacturer usage description (MUD) specifications of known types of IoT devices to generate quantitative measures of similarity of the traffic flows of the IoT device to traffic flows defined by the predetermined MUD specifications to identify the type of the IoT device

Abstract: Some embodiments include a network attack detection process, including, for each of a plurality of IoT devices of a communications network: receiving corresponding network traffic data representing network traffic characteristics of a plurality of network traffic flows of the device; processing the network traffic data to generate a plurality of corresponding features for each of the network traffic flows; and applying a corresponding set of one-class flow classifiers to the generated features to classify network traffic flows of the device and assess whether the network traffic characteristics of the network traffic flows are indicative of the device being under attack or having been compromised; wherein the flow classifiers are trained with training data representing normal network traffic behaviour of the device in an uncompromised state.

Abstract: Some embodiments include a network attack detection process, including, for each of a plurality of IoT devices of a communications network: receiving corresponding network traffic data representing network traffic characteristics of a plurality of network traffic flows of the device; processing the network traffic data to generate a plurality of corresponding features for each of the network traffic flows; and applying a corresponding set of one-class flow classifiers to the generated features to classify network traffic flows of the device and assess whether the network traffic characteristics of the network traffic flows are indicative of the device being under attack or having been compromised; wherein the flow classifiers are trained with training data representing normal network traffic behaviour of the device in an uncompromised state.

Abstract: A process for monitoring network behaviour of IoT devices, which includes: monitoring a communication network traffic to identify TCP and UDP traffic flows to and from each of one or more IoT devices; processing the identified traffic flows to generate a corresponding data structure representing the identified network traffic flows of the IoT device in terms of, for each of local and internet networks, one or more identifiers of respective hosts and/or devices that had a network connection with the IoT device, source and destination ports and network protocols; and comparing the generated data structure for each IoT device to corresponding data structures representing predetermined manufacturer usage description (MUD) specifications of known types of IoT devices to generate quantitative measures of similarity of the traffic flows of the IoT device to traffic flows defined by the predetermined MUD specifications to identify the type of the IoT device