( 12 ) United States Patent
`Vaughn et al .
`
`( * ) Notice :
`
`( 54 ) COOPERATIVE SECURITY IN WIRELESS
`SENSOR NETWORKS
`( 71 ) Applicant : Intel Corporation , Santa Clara , CA
`( US )
`( 72 ) Inventors : Robert Lawson Vaughn , Portland , OR
`( US ) ; Osvaldo Diaz , Portland , OR
`( US ) ; Siu Kit Wai , Lam Tin ( HK ) ;
`Igor Tatourian , Fountain Hills , AZ
`( US )
`( 73 ) Assignee : Intel Corporation , Santa Clara , CA
`( US )
`Subject to any disclaimer , the term of this
`patent is extended or adjusted under 35
`U . S . C . 154 ( b ) by 0 days .
`This patent is subject to a terminal dis
`claimer .
`( 21 ) Appl . No . : 15 / 470 , 414
`( 22 )
`Filed :
`Mar . 27 , 2017
`Prior Publication Data
`( 65 )
`US 2017 / 0332239 A1 Nov . 16 , 2017
`Related U . S . Application Data
`( 63 ) Continuation of application No . 14 / 577 , 764 , filed on
`Dec . 19 , 2014 , now Pat . No . 9 , 609 , 517 .
`Int . CI .
`H04W 12 / 08
`H04W 24 / 04
`
`( 51 )
`
`( 52 )
`
`( 2009 . 01 )
`( 2009 . 01 )
`( Continued )
`U . S . CI .
`CPC . . . . . . . H04W 12 / 08 ( 2013 . 01 ) ; H04L 63 / 104
`( 2013 . 01 ) ; H04L 63 / 14 ( 2013 . 01 ) ; H04W 4 / 38
`( 2018 . 02 ) ;
`( Continued )
`
`US010334442B2
`
`( 10 ) Patent No . : US 10 , 334 , 442 B2
`( 45 ) Date of Patent :
`* Jun . 25 , 2019
`( 58 ) Field of Classification Search
`USPC . . . . . . . . . . . . . . 455 / 41 . 1 – 41 . 3 , 67 . 11 , 67 . 13 , 63 . 1
`See application file for complete search history .
`References Cited
`U . S . PATENT DOCUMENTS
`9 , 609 , 517 B23 / 2017 Vaughn et al .
`2008 / 0084294 A14 / 2008 Zhiying et al .
`( Continued )
`FOREIGN PATENT DOCUMENTS
`107005790 A
`8 / 2017
`W O - 2006110199 A2 10 / 2006
`( Continued )
`OTHER PUBLICATIONS
`“ U . S . Appl . No . 14 / 577 , 764 , Non Final Office Action dated Jul . 28 ,
`2016 ” , 30 pgs .
`
`( 56 )
`
`CN
`WO
`
`( Continued )
`Primary Examiner — Fayyaz Alam
`( 74 ) Attorney , Agent , or Firm — Schwegman Lundberg &
`Woessner , P . A .
`ABSTRACT
`( 57 )
`Systems , apparatuses , and methods for cooperative security
`in wireless sensor networks are described herein . A wireless
`node may organize itself into a cluster with other wireless
`nodes . The wireless node may cooperate with other wireless
`nodes in the cluster to select a leader node . The wireless
`node may describe its expected behaviors . The wireless node
`may detect a compromised wireless node within the cluster .
`The wireless node may prevent the compromised wireless
`node from compromising another wireless node .
`25 Claims , 5 Drawing Sheets
`
`pm 100
`
`SENSOR
`
`CLUSTERING MODULE
`
`110
`
`LEADER SELECTION
`MODULE
`
`BEHAVIOR DESCRIPTION
`MODULE
`
`112
`
`114
`
`BEHAVIOR OBSERVATION
`MODULE
`
`MITIGATION MODULE
`
`Netskope Exhibit 1016
`
`

`

`US 10 , 334 , 442 B2
`Page 2
`
`( 51 )
`
`( 52 )
`
`( 2009 . 01 )
`( 2018 . 01 )
`( 2006 . 01 )
`( 2009 . 01 )
`( 2009 . 01 )
`( 2009 . 01 )
`
`Int . CI .
`H04W 12 / 12
`H04W 4 / 38
`H04L 29 / 06
`H04W 12 / 00
`H046 84 / 20
`H04W 24 / 02
`U . S . CI .
`CPC . . . . . . . . . . . H04W 12 / 00 ( 2013 . 01 ) ; H04W 12 / 12
`( 2013 . 01 ) ; H04W 24 / 04 ( 2013 . 01 ) ; H04W
`24 / 02 ( 2013 . 01 ) ; H04W 84 / 20 ( 2013 . 01 )
`
`( 56 )
`
`References Cited
`U . S . PATENT DOCUMENTS
`2009 / 0168670 A1
`7 / 2009 Yang
`2010 / 0100964 A1 *
`4 / 2010 Mahaffey . . . . . . . . . . . . . . G06F 21 / 554
`726 / 25
`2010 / 0125437 A1 *
`5 / 2010 Vasseur . . . . . . . . . . . . . . . H04L 43 / 10
`702 / 188
`2012 / 0026898 A1 * 2 / 2012 Sen . . . . . . . . .
`HO4L 43 / 04
`370 / 252
`2012 / 0026938 A1 *
`2 / 2012 Pandey . . . . . . . . . . . . . . . . . . . . H04L 43 / 065
`370 / 328
`2015 / 0288532 A1 * 10 / 2015 Veyseh . . . . . . . . . . . . . . . H04L 12 / 283
`370 / 310
`
`WO
`WO
`WO
`
`4 / 2016 Mahaffey . . . . . . . . . . . H04L 63 / 0227
`2016 / 0099963 A1 *
`726 / 25
`6 / 2016 Vaughn et al .
`2016 / 0183093 A1
`FOREIGN PATENT DOCUMENTS
`WO - 2012143931 A2
`10 / 2012
`WO - 2014105893 AL
`7 / 2014
`W O - 2016099839 A1
`6 / 2016
`OTHER PUBLICATIONS
`“ U . S . Appl . No . 14 / 577 , 764 , Notice of Allowance dated Nov . 17 ,
`2016 ” , 8 pgs .
`“ U . S . Appl . No . 14 / 577 , 764 , Response filed Oct . 28 , 2016 to Non
`Final Office Action dated Jul . 28 , 2016 " , 10 pgs .
`“ International Application Serial No . PCT / US2015 / 062955 , Inter
`national Preliminary Report on Patentability dated Jun . 29 , 2017 ” ,
`7 pgs .
`“ International Application Serial No . PCT / US2015 / 062955 , Inter
`national Search Report dated Mar . 17 , 2016 " , 3 pgs .
`“ International Application Serial No . PCT / US2015 / 062955 , Written
`Opinion dated Mar . 17 , 2016 ” , 5 pgs .
`“ Korean Application Serial No . 10 - 2017 - 7013296 , Voluntary Amend
`ment filed Jul . 20 , 2017 ” , w / claims in English , 14 pgs .
`" European Application Serial No . 15870633 . 3 , Extended European
`Search Report dated Jul . 2 , 2018 ” , 8 pgs .
`* cited by examiner
`
`Netskope Exhibit 1016
`
`

`

`atent
`
`Jun . 25 , 2019
`
`Sheet 1 of 5
`
`US 10 , 334 , 442 B2
`
`Atom 100
`
`web
`
`Ang
`
`end
`
`SENSOR
`
`dooOOOOOOOOOO
`
`CACHARRIO
`
`POROMOKA
`
`D
`
`ODOCOOOOOOOOOOOOR
`
`CLUSTERING MODULE
`
`
`
`
`
`o gogasoggad soodsoogoodsas opoda
`
`KORKOKKOKKOKKOKKOK *
`
`* *
`
`OKKA
`
`ROKA
`
`proponendo
`
`LEADER SELECTION
`MODULE
`
`?????????????????????????????
`
`BEHAVIOR DESCRIPTION
`MODULE
`
`'
`
`'
`
`'
`
`'
`
`'
`
`'
`
`'
`
`'
`
`'
`
`'
`
`'
`
`'
`
`'
`
`'
`
`'
`
`'
`
`doo
`???????????????????????????????????????????????????
`
`WWWWWW BEHAVIOR OBSERVATION
`MODULE
`
`MITIGATION MODULE
`
`gogog
`
`
`
`bondaggio Rodo . nondondosonorogogogogogogogogogogogogogo
`
`Netskope Exhibit 1016
`
`

`

`atent
`
`Jun . 25 , 2019
`
`Sheet 2 of 5
`
`US 10 , 334 , 442 B2
`
`prawa 200
`
`* * *
`
`0
`
`9
`
`* XUCU OXUCU0U * * *
`
`200
`
`x200
`
`q
`
`ucau
`
`ORGANIZE THE WIRELESS SENSOR NODE INTO A CLUSTER WITH
`OTHER WIRELESS SENSOR NODES
`
`udovou
`
`ce
`
`s tou divocet
`
`touTTiTTu
`WITH THE OTHER WIELES SENSOR NOSIN MET
`
`kooboticsodo Deodosodo
`
`COOPERATE WITH THE OTHER WIRELESS SENSOR NODES IN THE
`CLUSTER TO SELECT A LEADER NODE FOR THE CLUSTER
`
`206
`
`DESCRIBE EXPECTED BEHAVIORS OF THE WIRELESS SENSOR
`E
`NODE
`
`7
`
`podobnoudondos
`
`208
`
`DETECT A COMPROMISED WIRELESS SENSOR NODE WITHIN THE
`CLUSTER
`
`*
`
`* *
`
`WAMW
`
`W WXXXXXXX
`
`2008 - 283 .
`
`928 : 29
`
`PREVENT THE COMPROMISED WIRELESS SENSOR NODE FROM
`COMPROMISING ANOTHER WIRELESS SENSOR NODE
`
`FIG . 2
`
`SA
`
`Netskope Exhibit 1016
`
`

`

`atent
`
`Jun . 25 , 2019
`
`Sheet 3 of 5
`
`US 10 , 334 , 442 B2
`
`302
`
`START
`
`Meeeeeee
`
`
`
`YEEZY . .
`
`OBTAIN DATA
`PAYLOAD FROM
`DOWNSTREAM
`CLUSTER
`
`X10000000058990ososovo
`
`330 WWWWWWW
`
`SMM
`
`ANALYZE DATA
`PAYLOAD
`
`MLA
`
`wYwwwwwwwwwwwwwwww
`
`AVA
`oooooo # GODIS
`
`306
`OBTAIN CURRENT
`DESCRIPTORS FOR
`DOWNSTREAM
`CLUSTER
`
`OXXXXXXoposon2
`
`308
`OBTAIN PRIOR
`DESCRIPTORS FOR
`DOWNSTREAM
`CLUSTER
`
`
`
`0000000000000D DOO
`
`Sooooooooooooooooooooooooooooooooooooooooooooo
`
`www . ama YES
`
`MATCH ?
`
`Po
`
`d
`
`ocx
`
`oooooooooooo
`
`320
`
`PORT BEHAVIOR
`
`CHANGE TYPE
`
`powodoodoo XXX
`
`
`
`2020oXXXXXUVOvo uvode s
`
`DATA BOUNDARY
`
`314
`
`ANOMALY ?
`HITZ
`
`wa YES
`
`ACCEPT DATA AND
`PASS UPSTREAM
`
`mond
`
`MITIGATE
`DOWNSTREAM
`CLUSTER
`
`Sexkonta
`
`GO TO START
`
`19
`
`FIG . 3
`
`Netskope Exhibit 1016
`
`

`

`atent
`
`Jun . 25 , 2019
`
`Sheet 4 of 5
`
`US 10 , 334 , 442 B2
`
`
`
`
`
`PORT CONNECTION ATTEMPTS
`
`XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
`
`
`
`001 comment
`
`102
`
`NODE cordo
`
`.
`
`8000
`
`Marco
`
`NODE
`NODE CLUSTER B NODE
`
`
`
`NODE
`
`Ware
`
`100KM
`
`
`
`STATISTICAL MODELS DESCRIPTOR
`DEVIATION TO PROXIMITY
`TXOKX
`0 000000 WIVELYVIRU
`0000000000000
`xocwxxxc
`
`KOOKOOKOOKOOKOOKOOKOOKOO
`
`408
`
`NAKON
`Cooogooo000000000
`
`FROM NODES IN THIS OBTAIN BEHAVIOR DESCRIPTIONS
`poooooooooooooooooooooooo
`CLUSTER
`
`
`
`412
`
`narinnar
`
`
`OBSERVE NETWORK BEHAVIOR OF NODES IN THIS
`
`oowoom992 Wwwxwwwwww
`WWW
`
`CLUSTER
`
`W
`
`DATA ANALYSIS
`
`yeye
`
`
`
`TRAINING MODE " LEADER
`
`NODE "
`
`404
`
`330
`
`* * * * * * * 0 % 20OVXXXXXXXXXXXXXXX
`
`* * * * * * *
`
`0
`
`XXXX00 * * * * * * * * * * * * 00
`
`* * * * * * * 00XXXXXX
`
`* * * * * * *
`
`* 300 * * * * * * *
`
`OOX70 * * * * * 00XXXXXXXXX00
`
`000XXX * * * * * * * 06 * XXOOOOOOOXX
`
`0 * * * *
`
`*
`
`OW
`
`XXXOO
`
`
`
`POWER RECYCLE
`
`
`
`PORTS OPEN
`
`SONDOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO
`
`momondo000XWOOD
`
`FIG . 4
`
`RANGE BOUNDARIES
`STORE
`
`200 . 000 . 000 . 000000
`
`XXXXXXXXXXXXXXX
`
`ww
`
`Netskope Exhibit 1016
`
`

`

`U . S . Patent
`
`Jun . 25 , 2019
`
`Sheet 5 of 5
`
`US 10 , 334 , 442 B2
`
`KAKAK
`
`PROCESSOR
`
`INSTRUCTIONS
`
`MAIN MEMORY
`
`RUMAA
`
`INSTRUCTIONS
`
`KARMAKNUCKKKKKKKKKKKKKKKKKKKKKKKKKKKKWWWWWW
`
`ga
`
`DCROONDOO
`
`OOOOOOOOOOOOO
`
`STATIC MEMORY
`
`502
`
`eseme 524
`
`carena 504
`
`recomes 524
`
`WWW
`
`506
`n neuen
`het eine
`om 524
`
`WWWWWWWYRWYR
`
`Good
`
`S
`
`oggOOdpo00000000000000
`
`INSTRUCTIONS
`
`UKUVOTUSTUVUUSAASTALUBAS
`
`521
`
`INTERLINK
`
`SENSOR ( S )
`
`YOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOC
`
`SooC
`
`520
`
`O
`
`OOOOOOOO
`
`E
`
`DEVICE
`
`526
`
`NETWORK
`
`508
`
`pa 500
`
`510
`
`Para mononanotto
`
`DISPLAY DEVICE
`
`VELMIRANI
`
`ona 512
`
`INPUT DEVICE
`
`wwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwww
`
`Lausanne 514
`
`nananasamensommes
`
`UI NAVIGATION DEVICE
`
`
`
`. 000000
`
`00000000OdvodoodbogoodDoo00odvodou
`
`MASS STORAGE
`
`ae
`
`516
`
`522
`
`c
`
`WURDU
`
`on among
`A
`
`1
`
`.
`
`MEDIUM
`
`INSTRUCT
`
`de 524
`
`nacocooooooooo
`
`Romaniancoasa
`
`- 518
`
`SIGNAL GENERATION
`DEVICE
`
`WRX
`
`dokond goodnodododomahontogody
`
`528
`
`OUTPUT CONTROLLER
`
`Sonnd
`
`FIG . 5
`
`Netskope Exhibit 1016
`
`

`

`US 10 , 334 , 442 B2
`
`20
`
`wireless sensor networks to have hundreds or even thou
`COOPERATIVE SECURITY IN WIRELESS
`SENSOR NETWORKS
`sands of wireless sensor nodes . As the quantity of wireless
`sensor nodes increases , identifying nodes that have been
`PRIORITY APPLICATION
`compromised ( e . g . , by virus , malware , etc . ) becomes
`5 increasingly complex . Accurately identifying compromised
`nodes while managing false positives in a timely manner
`This application is a continuation of U . S . application Ser .
`may become a significant challenge .
`No . 14 / 577 , 764 , filed Dec . 19 , 2014 , which is incorporated
`As the quantity of wireless sensor nodes increases , wire
`herein by reference in its entirety .
`less sensor nodes of wireless sensor networks may police
`TECHNICAL FIELD
`U themselves in an intelligent manner to ( 1 ) reduce the com
`puting resources expended by backend / centralized facilities ,
`( 2 ) leverage commonality of function and proximity of
`The present disclosure generally relates to wireless sensor
`networks and , in an embodiment , to cooperative security in
`devices to reduce network traffic , and ( 3 ) minimize false
`wireless sensor networks .
`positive alerts . These objectives may be met by a coopera
`tive security model that allows distributed wireless sensor
`BACKGROUND
`nodes to pattern the expected behavior of nodes within the
`network and to react appropriately to deviations from the
`A wireless sensor network ( WSN ) is a network of wireless
`expected behavior .
`nodes equipped with sensors to monitor physical or envi
`In an embodiment , wireless sensor nodes ( including
`ronmental conditions , such as temperature , air pressure , flow
`nodes at the edges of the wireless sensor network ) work in
`rate sound pressure etc . A wireless node transmits the data
`a cooperative manner to identify a compromised node and
`collected by its sensor to a destination . In an example , the
`mitigate its chance of compromising other wireless sensor
`wireless node may pass the data to another wireless node
`nodes in the network , whether upstream or downstream
`that is " closer ” ( either physically or logically ) to the desti
`nation than the originating wireless node ; this process con - 25 from the compromised node . The wireless sensor nodes
`cooperatively organize themselves into clusters , and each
`tinues until the data is delivered to the destination .
`cluster chooses a leader node . The leader node uses machine
`BRIEF DESCRIPTION OF THE DRAWINGS
`learning techniques to create a model of expected behaviors
`of the nodes within its cluster , and then uses the model of
`Some embodiments are illustrated by way of example and 30 expected behaviors to decide whether the observed behavior
`not limitation in the figures of the accompanying drawings .
`of a node within the cluster indicates that the node is
`FIG . 1 is a block diagram of a wireless sensor node
`compromised . The leader node compares observed behavior
`arranged to participate in cooperative security within a
`to the expected behavior , and based on these observations ,
`wireless sensor network , according to an embodiment .
`determines that a wireless sensor node within its cluster is
`FIG . 2 is a flowchart illustrating a process performed by 35 compromised . Upon determining that a wireless sensor node
`a wireless sensor node within a wireless sensor network
`within its cluster is compromised , the leader mitigates the
`employing cooperative security , according to an embodi -
`ability of the compromised node to compromise other nodes
`within the cluster .
`ment .
`FIG . 3 is a flowchart illustrating a process performed by
`FIG . 1 is a block diagram of a wireless sensor node 102
`an upstream cluster in analyzing communications from
`40 arranged ( e . g . , configured , designed , manufactured , etc . ) to
`participate in cooperative security within a wireless sensor
`downstream clusters , according to an embodiment .
`FIG . 4 is an illustration of a machine learning process for
`network according to an embodiment . In an embodiment ,
`wireless sensor node 102 includes a set of sensors 104 . In an
`observing behavior of wireless sensor nodes within a cluster
`to develop a model of expected behavior for the wireless
`embodiment , sensor set 104 includes one sensor . In an
`sensor nodes within the cluster , according to an embodi - 45 embodiment , sensor 104 is arranged to monitor one or more
`physical and / or environmental conditions , such as tempera
`ment .
`FIG . 5 is a block diagram illustrating an example of a
`ture , air pressure , flow rate , sound pressure , pH level ,
`machine , upon which one or more example embodiments
`radioactivity , etc . In an embodiment , sensor set 104 includes
`may be implemented .
`multiple sensors , each of which is arranged to monitor one
`50 or more physical and / or environmental conditions , some
`which may differ from one another . For example , one sensor
`DETAILED DESCRIPTION
`s arranged to monitor temperature , while another sensor is
`In the following detailed description , for purposes of
`arranged to monitor flow rate .
`In an embodiment , wireless sensor node 102 includes at
`explanation , numerous specific details are set forth in order
`to provide a thorough understanding of the various aspects 55 least one antenna 116 , which the wireless sensor node 102
`of the presently disclosed subject matter . However , it will be
`uses for data transmissions ( both inbound and outbound ) . In
`to those skilled in the art that the presently disclosed subject
`an embodiment , wireless sensor node 102 acquires data
`matter may be practiced without these specific details . In
`collected by the sensor 104 , and transmits this data in either
`other instances , well - known methods , procedures , and com -
`real - time , substantially near real - time , or in batch mode . In
`ponents have not been described in detail so as not to
`60 an embodiment , wireless sensor node 102 is arranged to
`obscure the presently disclosed subject matter .
`analyze or transform some of the data collected by sensor
`The use of wireless sensor networks is increasing rapidly
`104 prior to transmitting the data . In an embodiment ,
`in a variety of applications including in industrial settings ,
`wireless sensor node 102 is arranged to add to or remove
`such as manufacturing , supply chain , and energy production
`from the data collected by sensor 104 prior to transmitting
`distribution . Furthermore , the quantity of wireless sensor 65 the data . In an embodiment , wireless sensor node 102 is
`nodes ( e . g . , devices ) in deployments of wireless sensor
`arranged to selectively refuse to transmit some or all of the
`networks continues to increase . It is common for some
`data collected by sensor 104 .
`
`Netskope Exhibit 1016
`
`

`

`US 10 , 334 , 442 B2
`
`arranged to be configurable while the wireless sensor node
`In an embodiment , wireless sensor node 102 includes
`102 is operating . In an embodiment , the behavior description
`clustering module 106 . In an embodiment , clustering mod
`module 110 of wireless sensor node 102 is arranged to be
`ule 106 of wireless sensor node 102 is arranged to cooperate
`configurable with descriptions of updated or new data
`with other wireless sensor nodes 102 in the wireless network
`to organize wireless sensor node 102 into a cluster with the 5 parameters to describe a new expected behavior for the
`other wireless sensor nodes 102 . In an embodiment , a cluster
`wireless sensor node 102 .
`of wireless sensor nodes 102 is arranged to form based on
`In an embodiment , behavior description module 110 is
`proximity ( either physical proximity , network proximity ,
`arranged to broadcast the description of its expected behav
`and / or logical proximity ) , on the type ( s ) of sensor ( s ) 104
`iors to other wireless sensor nodes 102 ; in an embodiment ,
`included in wireless sensor nodes 102 , on a level of redun - 10 the broadcast is directed only to the other wireless sensor
`dancy to be created within the cluster , on hardware and / or
`nodes 102 within the cluster . In an embodiment , behavior
`software capabilities of the wireless sensor nodes 102 , etc . ,
`description module 110 is arranged to provide the descrip
`or some combination thereof .
`tion of its expected behaviors through an application pro
`In an embodiment , wireless sensor node 102 includes
`leader selection module 108 . In an embodiment , leader 15 gramming interface ( API ) ; in an embodiment , only the other
`wireless sensor nodes 102 within a cluster have access to or
`selection module 108 of wireless sensor node 102 is
`arranged to cooperate with the leader selection modules 108
`may successfully receive data from the API of another
`wireless sensor node 102 within the cluster .
`of the other wireless sensor nodes 102 in the cluster to select
`one of the wireless sensor nodes 102 in the cluster to be the
`In an embodiment , wireless sensor node 102 and / or one or
`20 more sensors 104 are configurable . In such embodiments ,
`leader node for the cluster .
`In an embodiment , upon a wireless sensor node 102
`behavior description module 110 is also configurable to
`having been selected as leader node by the wireless sensor
`reflect the expected behaviors of the new configuration of
`nodes 102 within its cluster , the leader node is arranged to
`wireless sensor node 102 and / or one or more sensors 104 .
`proxy all communications to be transmitted out of or to be
`In an embodiment , wireless sensor node 102 includes
`received by a wireless sensor node 102 within the cluster . 25 behavior observation module 112 . In an embodiment , behav
`The leader node continues to proxy all communications into
`ior observation module 112 is arranged to operate only when
`and out of the cluster until another leader node is chosen
`the wireless sensor node 102 is the leader node of its cluster
`and / or until the leader node determines itself to have been
`of wireless sensor nodes 102 .
`compromised
`In an embodiment , behavior observation module 112 is
`In an embodiment , wireless sensor node 102 includes 30 arranged to detect a compromised wireless sensor node 102
`behavior description module 110 . In an embodiment , behav -
`within the cluster by receiving descriptions of the expected
`ior description module 110 is arranged to describe the
`behaviors of each wireless sensor nodes 102 within the
`expected behavior of wireless sensor node 102 . In an
`cluster , observing behaviors ( e . g . , communications ) of the
`embodiment , behavior description module 110 is arranged to
`wireless sensor nodes 102 within the cluster , and identifying
`describe the expected behavior of wireless sensor node 102 35 anomalies in communications of suspected wireless sensor
`by describing one or more data parameters to be transmitted
`nodes 102 by comparing the expected behaviors with the
`by or to be received by the wireless sensor node 102 . A data
`observed behaviors .
`parameter may be a data sample collected by a sensor 104 ,
`In an embodiment , behavior observation module 112
`a data sample collected by a sensor 104 and modified by
`utilizes one or more machine learning algorithms to identify
`wireless sensor node 102 ( e . g . , converting between metric 40 anomalies in communications of suspected wireless sensor
`values and U . S . / Imperial values ) , data generated by wireless
`nodes 102 . The machine learning algorithm uses one or
`sensor node 102 ( e . g . , node ID , up - time , GPS coordinates ,
`more statistical models ( e . g . , topic models ) in its analyses of
`etc . ) , or data wireless sensor node 102 expects to receive
`wireless sensor node 102 communications . Some statistical
`( e . g . , cluster ID , operational instructions from the leader
`models used by the machine learning algorithm include , but
`45 are not limited to , an amount or degree of deviation from the
`node of the cluster , etc . ) .
`. ) .
`In an embodiment , a data parameter includes the name of
`description of expected behavior for the analyzed wireless
`the parameter , a data type for the parameter ( e . g . , date , time ,
`sensor node 102 , a proximity of the analyzed wireless sensor
`integer , datetime , long , double , etc . ) , and a valid range for
`node 102 to similar wireless sensor nodes 102 , the number
`the parameter . In an embodiment , the range is indicated by
`of and / or the nature of attempts by the analyzed wireless
`a bottom value that indicates the lowest value of the data 50 sensor node 102 to probe other wireless sensor nodes 102 ,
`type allowed for the parameter ( e . g . , - 100 ) and a top value
`and the number and the type of ports open or closed on the
`that indicates the highest value of the data type allowed for
`analyzed wireless sensor node 102 .
`parameter ( e . g . , 3000 ) . In an embodiment , the behavior
`In an embodiment , behavior observation module 112 is
`description module 110 is arranged to describe the expected
`arranged to calculate a threat level of an analyzed wireless
`behaviors of the wireless sensor node 102 using Extensible 55 sensor node 102 by weighing at least one of several factors ,
`Markup Language ( XML ) , JavaScript Object Notation
`including but not limited to , an amount or degree of devia
`( JSON ) , YAML ( YAML Ain ' t Markup Language ) , or some
`tion from the description of expected behavior for the
`other data representation . In an embodiment , a description of
`analyzed wireless sensor node 102 , a proximity of the
`expected behavior of wireless sensor node 102 includes a
`analyzed wireless sensor node 102 to similar wireless sensor
`digital signature from a trusted third party . In an embodi - 60 nodes 102 , the number of and / or the nature of attempts by
`ment , the digital signature is used to verify that the descrip -
`the analyzed wireless sensor node 102 to probe other wire
`tion of expected behavior for wireless sensor node 102 has
`less sensor nodes 102 ; and the number and the type of ports
`not been modified or corrupted . In an embodiment , the
`open or closed on the analyzed wireless sensor node 102 . In
`behavior description module 110 of wireless sensor node
`an embodiment , threat level is measured on a variable scale
`102 is arranged to be configurable after the wireless sensor 65 rather than simply binary ( e . g . , compromised or uncompro
`node 102 has been deployed . In an embodiment , the behav -
`mised ) . In an embodiment , behavior observation module 112
`ior description module 110 of wireless sensor node 102 is
`determines that the analyzed wireless sensor node 102 has
`
`Netskope Exhibit 1016
`
`

`

`US 10 , 334 , 442 B2
`
`102 , and makes its behavior descriptions available to the
`been compromised based on the calculated threat level for
`the analyzed wireless sensor node 102 .
`other wireless sensor nodes 102 in
`its cluster ( operation
`206 ) .
`In an embodiment , wireless sensor node 102 includes a
`In an embodiment where wireless sensor node 102 is the
`mitigation module 114 . In an embodiment , mitigation mod -
`leader node of its cluster , wireless sensor node 102 analyzes
`ule 114 is arranged to prevent a compromised wireless 5
`the actual behaviors of the other wireless sensor nodes 102
`sensor node 102 from compromising other wireless sensor
`in its cluster , and detects a compromised wireless sensor
`nodes 102 in the cluster . In an embodiment , mitigation
`node 102 by comparing the actual behavior of the wireless
`module 114 is arranged to operate only when the wireless
`sensor node 102 to the description of the expected behavior
`sensor node 102 is the leader node of its cluster of wireless
`sensor nodes 102 .
`10 for wireless sensor node 102 ( operation 208 ) .
`In an embodiment where wireless sensor node 102 is the
`In an embodiment , mitigation module 114 is arranged to
`leader node of its cluster , wireless sensor node 102 prevents
`prevent a compromised wireless sensor node 102 from
`a compromised wireless sensor node 102 from compromis
`compromising other wireless sensor nodes 102 in the cluster
`ing the other wireless sensor nodes 102 in its cluster ( opera
`by refusing to transmit some or all communications gener -
`ated by or to be delivered to the compromised wireless 15 tion 210 ) .
`sensor node 102 . In an embodiment , mitigation module 114
`FIG . 3 is a flowchart illustrating a process 300 performed
`is arranged to prevent a compromised wireless sensor node
`by an upstream cluster in analyzing communications from
`102 from compromising other wireless sensor nodes 102 in
`downstream clusters , in accordance with some example
`the cluster by forcing the compromised wireless sensor node
`embodiments . An upstream cluster ( e . g . , a cluster that is
`102 to reset itself to an uncompromised state ( e . g . , factory 20 closer to a destination where data is to be sent ) is “ higher "
`in the hierarchy than a downstream cluster ( e . g . , a cluster
`reset ) .
`In an embodiment , a suspected wireless sensor node 102
`that is further away from a destination where data is to be
`that has been determined to be compromised may periodi -
`sent ) . In an embodiment where wireless sensor node 102 is
`cally be reevaluated . In an example , the revaluation may be
`its cluster ' s leader node , the wireless sensor node 102
`undertaken by a third - party entity device . Such a reevalua - 25 performs an “ inter - cluster " health check for the cluster by
`tion may ascertain whether the suspected wireless sensor
`sharing with its neighbor cluster ( s ) the descriptions of the
`node 102 is compromised via standard threat detection
`expected behaviors of the nodes in its cluster . The neighbor
`mechanisms . If the suspected wireless sensor node 102
`cluster ( s ) then analyze ( s ) the actual behavior of the cluster
`passes the reevaluation , the aberrant behavior may be attrib -
`and detects the cluster as compromised by comparing the
`uted to proper emergent behavior based on , for example , 30 actual behavior of the cluster to the description of the
`changed conditions .
`expected behavior for cluster , similar to the “ intra - cluster ”
`In an embodiment , a suspected wireless sensor node 102
`health checks performed by a leader node within its own
`that has been determined to be compromised may object to
`cluster . If a neighbor cluster determines the cluster to be
`this determination . In an embodiment , the objection by
`compromised , the neighbor cluster performs “ inter - cluster "
`suspected wireless sensor node 102 triggers a proof opera - 35 mitigation , similar to the “ intra - cluster " mitigation per
`tion . In an embodiment , the proof operation includes the
`formed by a leader node within its own cluster .
`leader node of the cluster requesting a current description of
`In an embodiment , clusters of wireless sensor nodes 102
`the expected behaviors of suspected wireless sensor node
`within the wireless network organize themselves into a
`102 and comparing the current description of expected
`" cluster of clusters " or " super cluster " in the same way that
`behavior of suspected wireless sensor node 102 to the 40 wireless sensor nodes 102 organize themselves into clusters .
`previous description of expected behavior of suspected
`in an embodiment , the clustering module 106 and leader
`wireless sensor node 102 ; if a difference is detected between
`selection module 108 of the leader node of the cluster
`the current and previous description of expected behavior ,
`cooperates with the clustering modules 106 and leader
`the leader node reanalyzes the behavior of suspected wire -
`selection modules 108 of the leader nodes of other clusters
`less sensor node 102 ( which lead to the determination that 45 to organize into a cluster of clusters . In an embodiment , this
`suspected wireless sensor node 102 was compromised ) in
`process is recursive in that super clusters may organize with
`light of the current description of expected behavior . In an
`other clusters or other super clusters to form a larger super
`embodiment , if the reanalysis of the behavior of suspected
`cluster .
`wireless sensor node 102 results in a determination that
`In an embodiment , clusters are organized hierarchically .
`suspected wireless sensor node 102 is not compromised , the 50 For example , the cluster hierarchy may be tree - based , linear ,
`mitigation module 114 clears suspected wireless sensor node
`or some combination thereof . In an embodiment , a cluster is
`102 of its “ compromised ” status , and allows suspected
`restricted to communicating with one or more downstream
`wireless sensor node 102 to continue operating .
`clusters and one or more upstream clusters . In an embodi
`FIG . 2 is a flowchart illustrating a process 200 performed
`ment , MAC / VLAN filtering with ARP tables is used to
`by a wireless sensor node ( e . g . , wireless sensor node 102 , 55 restrict the communications of the cluster to its assigned
`described above with respect to FIG . 1 ) within a wireless
`upstream and downstream cluster ( s ) .
`sensor network employing cooperative security , in accor -
`In an embodiment , the upstream cluster starts the process
`dance with some example embodiments . In an embodiment ,
`300 of analyzing communications from downstream clusters
`wireless sensor node 102 organizes a cluster of wireless
`( operation 302 ) . In an embodiment , the upstream cluster
`sensor nodes 102 ( including itself ) by cooperating with other 60 obtains , from a downstream cluster , a data payload contain
`wireless sensor nodes 102 in the wireless network ( operation
`ing actual behavior for the downstream cluster ( operation
`304 ) .
`202 ) .
`In an embodiment , wireless sensor node 102 cooperates
`In an embodiment , the upstream cluster obtains the cur
`with the other wireless sensor nodes 102 in the cluster to
`rent description of expected behavior for the downstream
`select a leader node for the cluster ( operation 204 ) .
`65 cluster ( operation 306 ) . In an embodiment , the upstream
`In an embodiment , wireless sensor node 102 describes the
`cluster obtains the prior description of expected behavior for
`behaviors that are to be expected for wireless sensor node
`the downstream cluster ( operation 308 ) . In an embodiment ,
`
`Netskope Exhibit 1016
`
`

`

`US 10 , 334 , 442 B2
`
`ing mode 404 . In an embodiment , machine learning algo
`the upstream cluster determines ( operation 310 ) whether the
`rithm 330 obtains descriptions of expected behaviors from
`current description of expected behavior for the downstream
`the wireless sensor nodes 102 within its cluster ( operation
`cluster ( obtained at operation 306 ) matches the prior
`406 ) . In an embodiment , machine learning algorithm 330
`description of expected behavior for the downstream cluster
`( obtained at operation 308 ) .
`5 observes the network behaviors of each wireless sensor node
`102 within its cluster by storing the data transmitted from or
`If the current description of expected behavior for the
`to each wireless sensor node 102 within its cluster ( operation
`downstream cluster matches the prior description of
`408 ) .
`expected behavior for the downstream cluster , the upstream
`In an embodiment , machine learning algorithm 330 pr