Determining a device profile and anomalous behavior associated with a device in a network

US 10,742,687 B2
Filed: 08/30/2018
Issued: 08/11/2020
Est. Priority Date: 08/30/2018
Status: Active Grant

First Claim

Patent Images

1. A non-transitory computer readable medium comprising instructions which, when executed by one or more hardware processors, cause performance of operations comprising:

obtaining a first set of one or more data packets associated with a communication session conducted by a first device in a network;

determining a first value for a first attribute associated with the first device based on the first set of data packets;

determining a second value for a second attribute associated with the first device based on the first set of data packets;

determining that any value for a third attribute associated with the first device has not been determined based on the first set of data packets;

selecting a subset of a set of classifiers, wherein the subset of classifiers;

includes a first classifier that is associated with the first attribute;

includes a second classifier that is associated with the second attribute;

does not include a third classifier that is associated with the third attribute;

applying at least the first value for the first attribute to the first classifier to determine a first candidate device profile, of a plurality of candidate device profiles, for the first device;

applying at least the second value for the second attribute to the second classifier to determine a second candidate device profile, of the plurality of candidate device profiles, for the first device;

refraining from using the third classifier to determine any candidate device profile for the first device;

based at least on the first candidate device profile and the second candidate device profile, determining the first candidate device profile as a current device profile for the first device;

wherein determining the first candidate device profile as the current device profile for the first device comprises;

determining a first weight associated with the first classifier;

determining a second weight associated with the second classifier;

determining a first profile score for the first candidate device profile based at least on the first weight;

determining a second profile score for the second candidate device profile based at least on the second weight;

determining that the first profile score is greater than the second profile score;

determining one or more expected values for the first attribute based on the current device profile;

determining whether a particular value for the first attribute matches the one or more expected values for the first attribute;

responsive to determining that the particular value for the first attribute does not match the one or more expected values for the first attribute;

performing a corrective action.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques for determining a device profile and anomalous behavior associated with a device in a network are disclosed. Attribute values associated with a target device are determined based on data packets detected from a network. A subset of a set of classifiers associated with the available attribute values are selected. The attribute values are applied to the selected classifiers to determine a respective candidate device profile. A current device profile is determined for the target device based on the candidate device profiles. The current device profile indicates expected attribute values for the target device. Current attribute values are compared to the expected attribute values to determine whether there is any anomalous behavior associated with the target device.

Citations

23 Claims

1. A non-transitory computer readable medium comprising instructions which, when executed by one or more hardware processors, cause performance of operations comprising:
- obtaining a first set of one or more data packets associated with a communication session conducted by a first device in a network;
  
  determining a first value for a first attribute associated with the first device based on the first set of data packets;
  
  determining a second value for a second attribute associated with the first device based on the first set of data packets;
  
  determining that any value for a third attribute associated with the first device has not been determined based on the first set of data packets;
  
  selecting a subset of a set of classifiers, wherein the subset of classifiers;
  
  includes a first classifier that is associated with the first attribute;
  
  includes a second classifier that is associated with the second attribute;
  
  does not include a third classifier that is associated with the third attribute;
  
  applying at least the first value for the first attribute to the first classifier to determine a first candidate device profile, of a plurality of candidate device profiles, for the first device;
  
  applying at least the second value for the second attribute to the second classifier to determine a second candidate device profile, of the plurality of candidate device profiles, for the first device;
  
  refraining from using the third classifier to determine any candidate device profile for the first device;
  
  based at least on the first candidate device profile and the second candidate device profile, determining the first candidate device profile as a current device profile for the first device;
  
  wherein determining the first candidate device profile as the current device profile for the first device comprises;
  
  determining a first weight associated with the first classifier;
  
  determining a second weight associated with the second classifier;
  
  determining a first profile score for the first candidate device profile based at least on the first weight;
  
  determining a second profile score for the second candidate device profile based at least on the second weight;
  
  determining that the first profile score is greater than the second profile score;
  
  determining one or more expected values for the first attribute based on the current device profile;
  
  determining whether a particular value for the first attribute matches the one or more expected values for the first attribute;
  
  responsive to determining that the particular value for the first attribute does not match the one or more expected values for the first attribute;
  
  performing a corrective action.

2. The medium of claim 1, wherein the operations further comprise:
- subsequent to determining the current device profile for the first device;
  
  obtaining a second set of one or more data packets associated with a second communication session conducted by the first device;
  
  determining a third value for the third attribute associated with the first device based on the second set of data packets;
  
  selecting a second subset of the set of classifiers, wherein the second subset of classifiers includes the third classifier that is associated with the third attribute;
  
  applying at least the third value for the third attribute to the third classifier to determine a third candidate device profile, of the plurality of candidate device profiles, for the first device;
  
  based at least on the third candidate device profile, determining the third candidate device profile as the current device profile for the first device.

3. The medium of claim 1, wherein the one or more expected values for the first attribute is determined based on a centroid of a cluster determined for the current device profile using machine learning.

4. The medium of claim 1, wherein the corrective action comprises one or more of:
- transmitting an alert;
  
  disconnecting the first device from the network;
  
  prohibiting the first device from connecting to the network;
  
  quarantining the first device.

5. The medium of claim 1, wherein the operations further comprise:
- obtaining a second set of one or more data packets associated with a second communication session conducted by the first device;
  
  determining the particular value for the first attribute associated with the first device based on the second set of data packets.

6. The medium of claim 1, wherein the first attribute comprises at least one of:
- an attribute associated with a flow of the communication session;
  
  an attribute associated with a Domain Name System (DNS) protocol used by the communication session;
  
  an attribute associated with a Dynamic Host Configuration Protocol (DHCP) used by the communication session;
  
  an attribute associated with a Digital Imaging and Communications in Medicine (DICOM) protocol used by the communication session;
  
  an attribute associated with a Point of Care Testing (POCT) protocol used by the communication session;
  
  an attribute associated with a Common Industrial Protocol (CIP) used by the communication session;
  
  an attribute associated with a Session Initiation Protocol (SIP) used by the communication session;
  
  an attribute associated with a Real Time Streaming Protocol (RTSP) used by the communication session; and
  
  an attribute associated with a Building Automation and Control network (BACnet) protocol used by the communication session.

7. The medium of claim 1, wherein the first set of one or more data packets are obtained using a set of sensors associated with at least one of:
- a distribution layer of a network hierarchy, and a core layer of the network hierarchy.

8. The medium of claim 1, wherein the operations further comprise:
- extracting a first device identifier from the first set of data packets;
  
  obtaining a second set of one or more data packets associated with a second communication session conducted by the first device;
  
  determining a third value for a fourth attribute based on the second set of data packets;
  
  extracting a second device identifier from the second set of data packets;
  
  responsive to determining that the first device identifier and the second device identifier correspond to the first device;
  
  determining the first value for the first attribute and the third value for the fourth attribute are associated with the first device.

9. The medium of claim 8, wherein the operations further comprise:
- applying at least the third value for the fourth attribute to a fourth classifier to determine a third candidate device profile, of the plurality of candidate device profiles, for the first device;
  
  based at least on the first candidate device profile, the second candidate device profile, and the third candidate device profile, determining the first candidate device profile as the current device profile for the first device.

10. The medium of claim 1, wherein the particular value for the first attribute is the first value for the first attribute.

11. The medium of claim 1, wherein the operations further comprise:
- determining whether another particular value for the first attribute matches the one or more expected values for the first attribute;
  
  responsive to determining that the another particular value for the first attribute matches the one or more expected values for the first attribute;
  
  refraining from performing the corrective action.

12. A system, comprising:
- at least one device including a hardware processor; and
  
  the system being configured to perform operations comprising;
  
  obtaining a first set of one or more data packets associated with a communication session conducted by a first device in a network;
  
  determining a first value for a first attribute associated with the first device based on the first set of data packets;
  
  determining a second value for a second attribute associated with the first device based on the first set of data packets;
  
  determining that any value for a third attribute associated with the first device has not been determined based on the first set of data packets;
  
  selecting a subset of a set of classifiers, wherein the subset of classifiers;
  
  includes a first classifier that is associated with the first attribute;
  
  includes a second classifier that is associated with the second attribute;
  
  does not include a third classifier that is associated with the third attribute;
  
  applying at least the first value for the first attribute to the first classifier to determine a first candidate device profile, of a plurality of candidate device profiles, for the first device;
  
  applying at least the second value for the second attribute to the second classifier to determine a second candidate device profile, of the plurality of candidate device profiles, for the first device;
  
  refraining from using the third classifier to determine any candidate device profile for the first device;
  
  based at least on the first candidate device profile and the second candidate device profile, determining the first candidate device profile as a current device profile for the first device;
  
  wherein determining the first candidate device profile as the current device profile for the first device comprises;
  
  determining a first weight associated with the first classifier;
  
  determining a second weight associated with the second classifier;
  
  determining a first profile score for the first candidate device profile based at least on the first weight;
  
  determining a second profile score for the second candidate device profile based at least on the second weight;
  
  determining that the first profile score is greater than the second profile score;
  
  determining one or more expected values for the first attribute based on the current device profile;
  
  determining whether a particular value for the first attribute matches the one or more expected values for the first attribute;
  
  responsive to determining that the particular value for the first attribute does not match the one or more expected values for the first attribute;
  
  performing a corrective action.

13. The system of claim 12, wherein the operations further comprise:
- subsequent to determining the current device profile for the first device;
  
  obtaining a second set of one or more data packets associated with a second communication session conducted by the first device;
  
  determining a third value for the third attribute associated with the first device based on the second set of data packets;
  
  selecting a second subset of the set of classifiers, wherein the second subset of classifiers includes the third classifier that is associated with the third attribute;
  
  applying at least the third value for the third attribute to the third classifier to determine a third candidate device profile, of the plurality of candidate device profiles, for the first device;
  
  based at least on the third candidate device profile, determining the third candidate device profile as the current device profile for the first device.

14. The system of claim 12, wherein the one or more expected values for the first attribute is determined based on a centroid of a cluster determined for the current device profile using machine learning.

15. The system of claim 12, wherein the corrective action comprises one or more of:
- transmitting an alert;
  
  disconnecting the first device from the network;
  
  prohibiting the first device from connecting to the network;
  
  quarantining the first device.

16. The system of claim 12, wherein the operations further comprise:
- obtaining a second set of one or more data packets associated with a second communication session conducted by the first device;
  
  determining the particular value for the first attribute associated with the first device based on the second set of data packets.

17. The system of claim 12, wherein the particular value for the first attribute is the first value for the first attribute.

18. The system of claim 12, wherein the operations further comprise:
- determining whether another particular value for the first attribute matches the one or more expected values for the first attribute;
  
  responsive to determining that the another particular value for the first attribute matches the one or more expected values for the first attribute;
  
  refraining from performing the corrective action.

19. A method, comprising:
- obtaining a first set of one or more data packets associated with a communication session conducted by a first device in a network;
  
  determining a first value for a first attribute associated with the first device based on the first set of data packets;
  
  determining a second value for a second attribute associated with the first device based on the first set of data packets;
  
  determining that any value for a third attribute associated with the first device has not been determined based on the first set of data packets;
  
  selecting a subset of a set of classifiers, wherein the subset of classifiers;
  
  includes a first classifier that is associated with the first attribute;
  
  includes a second classifier that is associated with the second attribute;
  
  does not include a third classifier that is associated with the third attribute;
  
  applying at least the first value for the first attribute to the first classifier to determine a first candidate device profile, of a plurality of candidate device profiles, for the first device;
  
  applying at least the second value for the second attribute to the second classifier to determine a second candidate device profile, of the plurality of candidate device profiles, for the first device;
  
  refraining from using the third classifier to determine any candidate device profile for the first device;
  
  based at least on the first candidate device profile and the second candidate device profile, determining the first candidate device profile as a current device profile for the first device;
  
  wherein determining the first candidate device profile as the current device profile for the first device comprises;
  
  determining a first weight associated with the first classifier;
  
  determining a second weight associated with the second classifier;
  
  determining a first profile score for the first candidate device profile based at least on the first weight;
  
  determining a second profile score for the second candidate device profile based at least on the second weight;
  
  determining that the first profile score is greater than the second profile score;
  
  determining one or more expected values for the first attribute based on the current device profile;
  
  determining whether a particular value for the first attribute matches the one or more expected values for the first attribute;
  
  responsive to determining that the particular value for the first attribute does not match the one or more expected values for the first attribute;
  
  performing a corrective action;
  
  wherein the method is performed by at least one device including a hardware processor.

20. The method of claim 19, further comprising:
- subsequent to determining the current device profile for the first device;
  
  obtaining a second set of one or more data packets associated with a second communication session conducted by the first device;
  
  determining a third value for the third attribute associated with the first device based on the second set of data packets;
  
  selecting a second subset of the set of classifiers, wherein the second subset of classifiers includes the third classifier that is associated with the third attribute;
  
  applying at least the third value for the third attribute to the third classifier to determine a third candidate device profile, of the plurality of candidate device profiles, for the first device;
  
  based at least on the third candidate device profile, determining the third candidate device profile as the current device profile for the first device.

21. The method of claim 19, wherein the one or more expected values for the first attribute is determined based on a centroid of a cluster determined for the current device profile using machine learning.

22. The method of claim 19, wherein the corrective action comprises one or more of:
- transmitting an alert;
  
  disconnecting the first device from the network;
  
  prohibiting the first device from connecting to the network;
  
  quarantining the first device.

23. The method of claim 19, further comprising:
- obtaining a second set of one or more data packets associated with a second communication session conducted by the first device;
  
  determining the particular value for the first attribute associated with the first device based on the second set of data packets.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Ordr Inc.
Original Assignee
Ordr Inc.
Inventors
Pandian, Gnanaprakasam, Vinayagam, Vivekanandan, Yang, Sheausong, Doraiswami, Vijayaraghavan, Vavilala, Krishna Kumar
Primary Examiner(s)
Huang, Cheng-Feng

Application Number

US16/117,897
Publication Number

US 20200076853A1
Time in Patent Office

712 Days
Field of Search
US Class Current
CPC Class Codes

G06N 20/00   Machine learning

G06N 20/20   Ensemble learning

G06N 5/01   Dynamic search techniques; ...

G16H 30/20   for handling medical images...

H04L 61/4511   using domain name system [DNS]

H04L 61/5014   using dynamic host configur...

H04L 63/102   Entity profiles

H04L 63/1408   by monitoring network traff...

H04L 63/20   for managing network securi...

Determining a device profile and anomalous behavior associated with a device in a network

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

Determining a device profile and anomalous behavior associated with a device in a network

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links