Determining a device profile and anomalous behavior associated with a device in a network
First Claim
1. A non-transitory computer readable medium comprising instructions which, when executed by one or more hardware processors, cause performance of operations comprising:
obtaining a first set of one or more data packets associated with a communication session conducted by a first device in a network;
determining a first value for a first attribute associated with the first device based on the first set of data packets;
determining a second value for a second attribute associated with the first device based on the first set of data packets;
determining that any value for a third attribute associated with the first device has not been determined based on the first set of data packets;
selecting a subset of a set of classifiers, wherein the subset of classifiers:
  includes a first classifier that is associated with the first attribute;
  includes a second classifier that is associated with the second attribute;
  does not include a third classifier that is associated with the third attribute;
applying at least the first value for the first attribute to the first classifier to determine a first candidate device profile, of a plurality of candidate device profiles, for the first device;
applying at least the second value for the second attribute to the second classifier to determine a second candidate device profile, of the plurality of candidate device profiles, for the first device;
refraining from using the third classifier to determine any candidate device profile for the first device;
based at least on the first candidate device profile and the second candidate device profile, determining the first candidate device profile as a current device profile for the first device;
wherein determining the first candidate device profile as the current device profile for the first device comprises:
  determining a first weight associated with the first classifier;
  determining a second weight associated with the second classifier;
  determining a first profile score for the first candidate device profile based at least on the first weight;
  determining a second profile score for the second candidate device profile based at least on the second weight;
  determining that the first profile score is greater than the second profile score;
determining one or more expected values for the first attribute based on the current device profile;
determining whether a particular value for the first attribute matches the one or more expected values for the first attribute;
responsive to determining that the particular value for the first attribute does not match the one or more expected values for the first attribute, performing a corrective action.
Abstract
Techniques for determining a device profile and anomalous behavior associated with a device in a network are disclosed. Attribute values associated with a target device are determined based on data packets detected from a network. A subset of a set of classifiers, namely those associated with the attribute values that are available, is selected. The attribute values are applied to the selected classifiers, each of which determines a respective candidate device profile. A current device profile is determined for the target device based on the candidate device profiles. The current device profile indicates expected attribute values for the target device. Current attribute values are compared to the expected attribute values to determine whether there is any anomalous behavior associated with the target device.
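The claimed pipeline (attribute extraction from a session, selection of only those classifiers whose attribute was observed, weighted profile scoring, and an expected-value check that triggers a corrective action) as an added Python example. This is not the patent's or any product's code; the classifiers, weights, profiles and the decoded packet attributes in `SAMPLE_PACKETS` are constructed for illustration, and a fixed set of allowed values stands in for the learned cluster centroid of claim 3.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


# A classifier is tied to one attribute and is only used when a value for
# that attribute was actually determined from the session's packets.
@dataclass
class Classifier:
    attribute: str
    weight: float
    predict: Callable[[str], str]


# Expected attribute values per profile (constructed; claim 3 would derive
# these from a per-profile cluster centroid learned with machine learning).
PROFILES: Dict[str, Dict[str, set]] = {
    "infusion_pump": {"dhcp_vendor_class": {"PumpOS"}, "dst_port": {"443"}},
    "ip_camera": {"dhcp_vendor_class": {"CamFW"}, "dst_port": {"554"}},
}

# Constructed classifiers: a DHCP attribute, a flow attribute, and a DICOM
# attribute that the sample session never yields (the "third attribute").
CLASSIFIERS: List[Classifier] = [
    Classifier("dhcp_vendor_class", 0.7,
               lambda v: "infusion_pump" if v.startswith("Pump") else "ip_camera"),
    Classifier("dst_port", 0.5,
               lambda v: "ip_camera" if v == "554" else "infusion_pump"),
    Classifier("dicom_ae_title", 0.9, lambda v: "infusion_pump"),
]

# Constructed session: attribute values already decoded from captured packets.
SAMPLE_PACKETS = [{"dhcp_vendor_class": "PumpOS"}, {"dst_port": "554"}]


def extract_attributes(packets: List[dict]) -> Dict[str, str]:
    """Merge attribute values seen across a session; unseen attributes stay absent."""
    attrs: Dict[str, str] = {}
    for packet in packets:
        for name, value in packet.items():
            attrs.setdefault(name, value)
    return attrs


def select_profile(attrs: Dict[str, str]) -> Tuple[Optional[str], List[str], Dict[str, float]]:
    """Apply only classifiers with an input value, score each candidate profile by
    the weights of the classifiers voting for it, and return the top profile,
    the attributes that were used, and the score table."""
    scores: Dict[str, float] = {}
    used: List[str] = []
    for clf in CLASSIFIERS:
        if clf.attribute not in attrs:
            continue  # refrain from using a classifier whose attribute is missing
        used.append(clf.attribute)
        candidate = clf.predict(attrs[clf.attribute])
        scores[candidate] = scores.get(candidate, 0.0) + clf.weight
    best = max(scores, key=scores.get) if scores else None
    return best, used, scores


def check_anomaly(profile: str, attribute: str, value: str) -> Optional[str]:
    """Compare a later observed value with the profile's expected values; return
    the corrective action to take, or None when the value matches."""
    if value in PROFILES[profile].get(attribute, set()):
        return None
    return "transmit_alert"
```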
23 Claims
2. The medium of claim 1, wherein the operations further comprise:
subsequent to determining the current device profile for the first device, obtaining a second set of one or more data packets associated with a second communication session conducted by the first device;
determining a third value for the third attribute associated with the first device based on the second set of data packets;
selecting a second subset of the set of classifiers, wherein the second subset of classifiers includes the third classifier that is associated with the third attribute;
applying at least the third value for the third attribute to the third classifier to determine a third candidate device profile, of the plurality of candidate device profiles, for the first device;
based at least on the third candidate device profile, determining the third candidate device profile as the current device profile for the first device.

3. The medium of claim 1, wherein the one or more expected values for the first attribute are determined based on a centroid of a cluster determined for the current device profile using machine learning.

4. The medium of claim 1, wherein the corrective action comprises one or more of:
transmitting an alert;
disconnecting the first device from the network;
prohibiting the first device from connecting to the network;
quarantining the first device.

5. The medium of claim 1, wherein the operations further comprise:
obtaining a second set of one or more data packets associated with a second communication session conducted by the first device;
determining the particular value for the first attribute associated with the first device based on the second set of data packets.

6. The medium of claim 1, wherein the first attribute comprises at least one of:
an attribute associated with a flow of the communication session;
an attribute associated with a Domain Name System (DNS) protocol used by the communication session;
an attribute associated with a Dynamic Host Configuration Protocol (DHCP) used by the communication session;
an attribute associated with a Digital Imaging and Communications in Medicine (DICOM) protocol used by the communication session;
an attribute associated with a Point of Care Testing (POCT) protocol used by the communication session;
an attribute associated with a Common Industrial Protocol (CIP) used by the communication session;
an attribute associated with a Session Initiation Protocol (SIP) used by the communication session;
an attribute associated with a Real Time Streaming Protocol (RTSP) used by the communication session; and
an attribute associated with a Building Automation and Control network (BACnet) protocol used by the communication session.

7. The medium of claim 1, wherein the first set of one or more data packets are obtained using a set of sensors associated with at least one of: a distribution layer of a network hierarchy, and a core layer of the network hierarchy.

8. The medium of claim 1, wherein the operations further comprise:
extracting a first device identifier from the first set of data packets;
obtaining a second set of one or more data packets associated with a second communication session conducted by the first device;
determining a third value for a fourth attribute based on the second set of data packets;
extracting a second device identifier from the second set of data packets;
responsive to determining that the first device identifier and the second device identifier correspond to the first device, determining that the first value for the first attribute and the third value for the fourth attribute are associated with the first device.

9. The medium of claim 8, wherein the operations further comprise:
applying at least the third value for the fourth attribute to a fourth classifier to determine a third candidate device profile, of the plurality of candidate device profiles, for the first device;
based at least on the first candidate device profile, the second candidate device profile, and the third candidate device profile, determining the first candidate device profile as the current device profile for the first device.

10. The medium of claim 1, wherein the particular value for the first attribute is the first value for the first attribute.

11. The medium of claim 1, wherein the operations further comprise:
determining whether another particular value for the first attribute matches the one or more expected values for the first attribute;
responsive to determining that the other particular value for the first attribute matches the one or more expected values for the first attribute, refraining from performing the corrective action.
12. A system, comprising:
at least one device including a hardware processor; and
the system being configured to perform operations comprising:
obtaining a first set of one or more data packets associated with a communication session conducted by a first device in a network;
determining a first value for a first attribute associated with the first device based on the first set of data packets;
determining a second value for a second attribute associated with the first device based on the first set of data packets;
determining that any value for a third attribute associated with the first device has not been determined based on the first set of data packets;
selecting a subset of a set of classifiers, wherein the subset of classifiers:
  includes a first classifier that is associated with the first attribute;
  includes a second classifier that is associated with the second attribute;
  does not include a third classifier that is associated with the third attribute;
applying at least the first value for the first attribute to the first classifier to determine a first candidate device profile, of a plurality of candidate device profiles, for the first device;
applying at least the second value for the second attribute to the second classifier to determine a second candidate device profile, of the plurality of candidate device profiles, for the first device;
refraining from using the third classifier to determine any candidate device profile for the first device;
based at least on the first candidate device profile and the second candidate device profile, determining the first candidate device profile as a current device profile for the first device;
wherein determining the first candidate device profile as the current device profile for the first device comprises:
  determining a first weight associated with the first classifier;
  determining a second weight associated with the second classifier;
  determining a first profile score for the first candidate device profile based at least on the first weight;
  determining a second profile score for the second candidate device profile based at least on the second weight;
  determining that the first profile score is greater than the second profile score;
determining one or more expected values for the first attribute based on the current device profile;
determining whether a particular value for the first attribute matches the one or more expected values for the first attribute;
responsive to determining that the particular value for the first attribute does not match the one or more expected values for the first attribute, performing a corrective action.

13. The system of claim 12, wherein the operations further comprise:
subsequent to determining the current device profile for the first device, obtaining a second set of one or more data packets associated with a second communication session conducted by the first device;
determining a third value for the third attribute associated with the first device based on the second set of data packets;
selecting a second subset of the set of classifiers, wherein the second subset of classifiers includes the third classifier that is associated with the third attribute;
applying at least the third value for the third attribute to the third classifier to determine a third candidate device profile, of the plurality of candidate device profiles, for the first device;
based at least on the third candidate device profile, determining the third candidate device profile as the current device profile for the first device.

14. The system of claim 12, wherein the one or more expected values for the first attribute are determined based on a centroid of a cluster determined for the current device profile using machine learning.

15. The system of claim 12, wherein the corrective action comprises one or more of:
transmitting an alert;
disconnecting the first device from the network;
prohibiting the first device from connecting to the network;
quarantining the first device.

16. The system of claim 12, wherein the operations further comprise:
obtaining a second set of one or more data packets associated with a second communication session conducted by the first device;
determining the particular value for the first attribute associated with the first device based on the second set of data packets.

17. The system of claim 12, wherein the particular value for the first attribute is the first value for the first attribute.

18. The system of claim 12, wherein the operations further comprise:
determining whether another particular value for the first attribute matches the one or more expected values for the first attribute;
responsive to determining that the other particular value for the first attribute matches the one or more expected values for the first attribute, refraining from performing the corrective action.

19. A method, comprising:
obtaining a first set of one or more data packets associated with a communication session conducted by a first device in a network;
determining a first value for a first attribute associated with the first device based on the first set of data packets;
determining a second value for a second attribute associated with the first device based on the first set of data packets;
determining that any value for a third attribute associated with the first device has not been determined based on the first set of data packets;
selecting a subset of a set of classifiers, wherein the subset of classifiers:
  includes a first classifier that is associated with the first attribute;
  includes a second classifier that is associated with the second attribute;
  does not include a third classifier that is associated with the third attribute;
applying at least the first value for the first attribute to the first classifier to determine a first candidate device profile, of a plurality of candidate device profiles, for the first device;
applying at least the second value for the second attribute to the second classifier to determine a second candidate device profile, of the plurality of candidate device profiles, for the first device;
refraining from using the third classifier to determine any candidate device profile for the first device;
based at least on the first candidate device profile and the second candidate device profile, determining the first candidate device profile as a current device profile for the first device;
wherein determining the first candidate device profile as the current device profile for the first device comprises:
  determining a first weight associated with the first classifier;
  determining a second weight associated with the second classifier;
  determining a first profile score for the first candidate device profile based at least on the first weight;
  determining a second profile score for the second candidate device profile based at least on the second weight;
  determining that the first profile score is greater than the second profile score;
determining one or more expected values for the first attribute based on the current device profile;
determining whether a particular value for the first attribute matches the one or more expected values for the first attribute;
responsive to determining that the particular value for the first attribute does not match the one or more expected values for the first attribute, performing a corrective action;
wherein the method is performed by at least one device including a hardware processor.
20. The method of claim 19, further comprising:
subsequent to determining the current device profile for the first device, obtaining a second set of one or more data packets associated with a second communication session conducted by the first device;
determining a third value for the third attribute associated with the first device based on the second set of data packets;
selecting a second subset of the set of classifiers, wherein the second subset of classifiers includes the third classifier that is associated with the third attribute;
applying at least the third value for the third attribute to the third classifier to determine a third candidate device profile, of the plurality of candidate device profiles, for the first device;
based at least on the third candidate device profile, determining the third candidate device profile as the current device profile for the first device.

21. The method of claim 19, wherein the one or more expected values for the first attribute are determined based on a centroid of a cluster determined for the current device profile using machine learning.

22. The method of claim 19, wherein the corrective action comprises one or more of:
transmitting an alert;
disconnecting the first device from the network;
prohibiting the first device from connecting to the network;
quarantining the first device.

23. The method of claim 19, further comprising:
obtaining a second set of one or more data packets associated with a second communication session conducted by the first device;
determining the particular value for the first attribute associated with the first device based on the second set of data packets.