US Pat. No. 10,135,633

NETWORK SECURITY ANALYSIS FOR SMART APPLIANCES

Cujo LLC, El Segundo, CA...

1. A computer program product comprising a non-transitory computer-readable storage medium comprising instructions encoded thereon that, when executed by a processor, cause the processor to:
intercept, at a network traffic hub within a local network, network communications from one or more smart appliances within the local network;
copy network traffic data from the intercepted network communications, the network traffic data comprising one or more internet addresses each corresponding to one of the one or more smart appliances and traffic bandwidth associated with the network communications;
copy identification data from the intercepted network communications, the identification data comprising one or more fields extracted from the network communications;
transmit the copied network traffic data and the copied identification data to a behavior analysis engine;
receive traffic control instructions from the behavior analysis engine, the traffic control instructions identifying a smart appliance of the one or more smart appliances and including a numeric confidence value representative of a probability that the smart appliance includes malicious code;
in response to the numeric confidence value being greater than a first threshold, block subsequent traffic to and from the identified smart appliance;
in response to the numeric confidence value being less than the first threshold but greater than a second threshold, add the smart appliance to a security watchlist and allow subsequent traffic to and from the identified smart appliance; and
in response to the numeric confidence value being less than the second threshold, allow subsequent traffic to and from the identified smart appliance.

US Pat. No. 10,103,900

NETWORK SECURITY ANALYSIS FOR SMART APPLIANCES

Cujo LLC, El Segundo, CA...

1. A computer program product comprising a non-transitory computer-readable storage medium comprising instructions encoded thereon that, when executed by a processor, cause the processor to:
intercept, at a network traffic hub within a local network, network communications from one or more smart appliances within the local network;
copy network traffic data from the intercepted network communications, the network traffic data comprising one or more internet addresses each corresponding to one of the one or more smart appliances and traffic bandwidth associated with the network communications;
copy identification data from the intercepted network communications, the identification data comprising one or more fields extracted from the network communications;
transmit the copied network traffic data and the copied identification data to a behavior analysis engine;
receive traffic control instructions from the behavior analysis engine, the traffic control instructions identifying a smart appliance of the one or more smart appliances and including a numeric confidence value representative of a probability that the smart appliance includes malicious code;
in response to the numeric confidence value being greater than a first threshold, block subsequent traffic to and from the identified smart appliance;
in response to the numeric confidence value being less than the first threshold but greater than a second threshold, add the smart appliance to a security watchlist and allow subsequent traffic to and from the identified smart appliance; and
in response to the numeric confidence value being less than the second threshold, allow subsequent traffic to and from the identified smart appliance.

US Pat. No. 10,567,410

DETERMINING THE MALICIOUSNESS OF EXECUTABLE FILES USING A REMOTE SANDBOX ENVIRONMENT

CUJO LLC, El Segundo, CA...

1. A method comprising:
receiving, at a behavior analysis engine, an executable file from a network traffic hub in a local network as the executable file is being downloaded by a networked device in the local network;
executing the executable file in a sandbox environment operated by the behavior analysis engine and configured to replicate an operating system running by the networked device that is downloading the executable file and to execute the executable file as the networked device would execute the executable file;
extracting execution features from the execution of the executable file, the execution features corresponding to characteristics of the execution of the executable file;
applying an execution model to the extracted execution features, the execution model to determine whether an executable file is malicious based on execution features of the executable file; and
transmitting processing instructions to the network traffic hub based on the determination of whether the execution file is malicious.

US Pat. No. 10,230,740

NETWORK SECURITY ANALYSIS FOR SMART APPLIANCES

Cujo LLC, El Segundo, CA...

1. A method comprising:
receiving network traffic data from a network traffic hub within a local network, the network traffic data identifying a source address, a destination address, and traffic bandwidth through the local network, the network traffic data aggregated by the network traffic hub based on intercepted network traffic transmitted between one or more smart appliances within the local network and the Internet;
receiving identification data from the network traffic hub identifying a type of a smart appliance on the local network and a current internet address for the smart appliance on the local network, the identification data aggregated by the network traffic hub based on the intercepted network traffic between the one or more smart appliances and devices on the Internet;
computing features of network traffic using the network traffic data and the identification data, the features corresponding to characteristics of the network traffic;
computing, for the smart appliance, a score based on the features of the network traffic data and the identification data, the score computed using information from a manufacturer of the smart appliance and comprising a numeric confidence value representing a probability that the device is performing a malicious behavior and associated with at least one source address and destination address; and
in response to the numeric confidence value exceeding a threshold, blocking network traffic associated with a process executed by the smart appliance being sent to the destination address or being sent from the source address responsive to subsequently detecting network traffic associated with the process and sending a notification to a user.

US Pat. No. 10,560,280

NETWORK SECURITY ANALYSIS FOR SMART APPLIANCES

CUJO LLC, El Segundo, CA...

1. A computer program product comprising a non-transitory computer-readable storage medium comprising instructions encoded thereon that, when executed by a processor, cause the processor to:
intercept, at a network traffic hub within a local network, a set of network communications from one or more smart appliances within the local network;
receive traffic control instructions from a behavior analysis engine associated with the network traffic hub, the traffic control instructions identifying a smart appliance of the one or more smart appliances and including a numeric confidence value representative of a probability that the smart appliance includes malicious code;
in response to the numeric confidence value being greater than a first threshold, block subsequent traffic to and from the identified smart appliance; and
in response to the numeric confidence value being less than the first threshold but greater than a second threshold, add the identified smart appliance to a security watchlist, allow subsequent traffic to and from the identified smart appliance, and provide by redirecting the subsequent traffic to and from the identified smart appliance to a server for analysis for malicious behavior.

US Pat. No. 10,609,051

NETWORK SECURITY ANALYSIS FOR SMART APPLIANCES

CUJO LLC, El Segundo, CA...

1. A method comprising:
receiving network traffic data from a network traffic hub within a local network, the network traffic data identifying a source address comprising a port number for a process on the smart appliance and a destination internet address, the network traffic hub configured to aggregate intercepted network traffic;
receiving identification data from the network traffic hub identifying a smart appliance on the local network and identifying a current internet address for the smart appliance on the local network;
computing, for the smart appliance, a score based on a bandwidth between the port number for the process on the smart appliance and the destination internet address and the identification data, the score comprising a numeric confidence value representing a probability that the smart appliance is performing a malicious behavior and based on different network traffic data and different identification data associated with a different smart appliance performing malicious behavior; and
in response to the numeric confidence value exceeding a threshold, blocking subsequent network traffic being sent to the destination internet address or being sent from the port number for the process on the smart appliance and sending a notification to a user.

US Pat. No. 10,924,567

DETERMINING ACTIVE APPLICATION USAGE THROUGH A NETWORK TRAFFIC HUB

Cujo LLC, El Segundo, CA...

1. A method, comprising:
receiving, by a cloud server, an augmented netflow representative of network traffic from a user device including a client application, the augmented netflow comprising a plurality of sampled packets selected from the network traffic, wherein the plurality of sampled packets are aggregated from a larger number of packets from the network traffic over an aggregation time period;
determining, by the cloud server, based at least in part on content of one or more of the sampled packets in the augmented netflow, that the augmented netflow is associated with the client application;
in response to determining that the augmented netflow is associated with the client application, classifying, by the cloud server, the augmented netflow as an active usage of the client application or a passive usage of the client application based on the sampled packets of the augmented netflow, wherein an active usage classification is deemed to constitute network traffic caused by user interactions with the client application and a passive usage classification is deemed to constitute network traffic not caused by user interactions with the client application;
in response to classifying the augmented netflow as an active usage of the client application, accessing, by the cloud server, a total amount of active usage of the client application within a previous time interval based on previously received augmented netflows representative of previous network traffic from the user device that were previously classified as active usage augmented netflows, the previously received augmented netflows comprising a plurality of packets aggregated from a larger number of packets from the previous network traffic received over a previous different aggregation time period; and
in response to the total amount of active usage of the client application within the previous time interval exceeding an active usage threshold, providing, by the cloud server, a network traffic management instruction to the user device to control subsequent traffic of the client application.

US Pat. No. 10,356,045

INTERCEPTING INTRA-NETWORK COMMUNICATION FOR SMART APPLIANCE BEHAVIOR ANALYSIS

CUJO LLC, El Segundo, CA...

1. A method comprising:
intercepting, at a network traffic hub within a local network, a message from a smart appliance to receive an internet address, the smart appliance being communicatively connected to the local network via a switch and configured to receive information from outside the local network, the message being sent through the switch, the network traffic hub being configured within the local network to intercept network traffic between the switch and a router;
transmitting, by the network traffic hub, the message from the network traffic hub to the router;
intercepting, at the network traffic hub, a response from the router, the response comprising an internet address and a netmask;
modifying the netmask in the response such that subsequent intra-network traffic sent from the smart appliance directly to a second smart appliance within the local network via the switch and without leaving the local network is instead sent to the network traffic hub, the second smart appliance different from the network traffic hub, the switch, and the router;
transmitting, from the network traffic hub, the response with the modified netmask to the smart appliance;
receiving, at the network traffic hub, communications from the smart appliance intended for the second smart appliance and forwarding the received communications to a remote server;
determining, by the network traffic hub, that the smart appliance is exhibiting malicious behavior resulting from embedded malicious code based on an analysis of the received communications, the analysis received from the remote server; and
in response to determining that the smart appliance is exhibiting malicious behavior resulting from embedded malicious code, quarantining the smart appliance by preventing the communications from being received by the second smart appliance and by blocking subsequent traffic sent from and to the smart appliance.

US Pat. No. 10,454,961

EXTRACTING ENCRYPTION METADATA AND TERMINATING MALICIOUS CONNECTIONS USING MACHINE LEARNING

Cujo LLC, El Segundo, CA...

1. A network traffic hub for detecting malicious behavior based on network communications establishing an encrypted connection between a smart appliance and a remote server, the network traffic hub comprising:
a network interface communicatively coupled to a smart appliance via a first communication channel in a local network and communicatively coupled to a remote server via a second communication channel in a wide area network;
a processor; and
a memory storing program code, the program code when executed causes the processor to:
intercept, via the first communication channel, a first network communication from the smart appliance for transmission, via the second communication channel, to the remote server, the first network communication comprising an encryption suite that comprises one or more encryption algorithms the smart appliance uses to encrypt network traffic with the remote server;
extract the encryption suite from the first network communication;
transmit, via the second communication channel, the first network communication to the remote server;
intercept, via the second communication channel, one or more second network communications from the remote server to the smart appliance, the one or more second network communications comprising a public certificate associated with the remote server and an identified subset of the one or more encryption algorithms;
extract the public certificate and the identified subset of the one or more encryption algorithms from the one or more second network communications;
transmit, via the first communication channel, the one or more second network communications to the smart appliance;
detect malicious behavior performed by the smart appliance or remote server, via the first and second communication channels, based on the encryption suite, public certificate, and the identified subset of the one or more encryption algorithms; and
block network communications between the smart appliance and the remote server in response to detecting malicious behavior in the network communications between the smart appliance and the remote server.

US Pat. No. 10,925,395

MOVEABLE AND STORABLE WARDROBE

Plush Cujo LLC, Lakeway,...

1. A wardrobe comprising:
a top,
a bottom,
two side walls,
a back,
four wheels along the bottom,
a cover, and
a hinge,
wherein:
the back includes at least one peg configured to releasably affixed the wardrobe to one or more holes in a wall;
the hinge is at a bottom of a front of the wardrobe and attaches the cover to the front of the wardrobe;
the cover is configured to be in an upright position and in a downright position; and
in the upright position, the cover is not covering the wheels and in the downright position, the cover is covering the wheels.

US Pat. No. 10,931,768

DETERMINING ACTIVE APPLICATION USAGE THROUGH A NETWORK TRAFFIC HUB

Cujo LLC, El Segundo, CA...

1. A method, comprising:
identifying, by a network traffic hub, a user device on a local network, the user device including a client application;
receiving, by the network traffic hub, network traffic to and from the user device;
aggregating, by the network traffic hub, the network traffic into a netflow;
determining, by a behavior analysis engine of the network traffic hub, if the augmented netflow is associated with the client application based on parameters of the network traffic;
in response to the augmented netflow being associated with the client application, classifying, by the behavior analysis engine of the network traffic hub, the augmented netflow as an active usage of the client application or a passive usage of the client application based on a quantity of data within the augmented netflow associated with the client application; and
in response to the augmented netflow being classified as an active usage of the client application and in response to the augmented netflow causing an active usage threshold associated with the client application being exceeded, performing, by the network traffic hub, a network traffic management action in response to receiving subsequent network traffic associated with the client application.