SYSTEM AND METHOD FOR CONTINUOUS DEVICE PROFILING
First Claim
1. A method, comprising:
determining a device profile of a network device over one or more observation periods, by inspecting network traffic of the network device without deep packet inspection (DPI);
matching the device profile to a first matching profile, based on a set of features derived from the network traffic;
monitoring the network traffic of the network device for a device profile transition from the first matching profile to a second matching profile over an additional one or more observation periods;
predicting behavior of the network device based on a history of profile matches;
detecting deviations from predicted future behavior; and
reacting to the profile transition with a programmed response based on a measure of significance wherein such reaction comprises taking corrective action based on a measure of significant deviation from the predicted future behavior.
3 Assignments
0 Petitions
Abstract
A system and method for monitoring, modeling and assessing networked devices. A continuous device profiling (CDP) system builds and maintains device-specific and network-specific behavioral models based on observation of network traffic. The behavioral models may be used for network management, detecting misconfigured or malware infected devices, performing network asset inventory, network access control, network discovery in support of network integration, and information security incident response management. CDP models and monitors the active roles that devices assume on the network based on a set of matching profiles, monitors transitions between roles, and triggers corrective action when role transitions violate the policies of the network.
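The abstract describes the CDP loop in prose: derive features from traffic without looking at payloads, match the device to a reference role, watch for a role transition, predict the next role from the match history, score the deviation and react in proportion to it. The following is an added example, not code from the patent or from any product, that implements that loop as a toy profiler over NetFlow/IPFIX-style flow summaries. The reference profiles, the Jaccard port-overlap matcher, the majority-vote predictor, the response thresholds and the flow records are all constructed assumptions chosen for illustration.

```python
"""Toy continuous device profiler (CDP) driven by flow metadata only.

Added example, not the patent's or any product's code. Profiles, thresholds
and flow records are constructed assumptions illustrating the claim elements:
features without DPI, profile matching, transition monitoring, prediction from
match history, deviation scoring and a graded response.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Flow:
    """One exported flow summary (NetFlow/IPFIX-style): headers, no payload."""
    device: str    # observed device, e.g. its MAC address
    period: int    # observation period index
    dst_port: int
    peer: str      # remote endpoint


# Reference ("matching") profiles, constructed for this example.
PROFILES = {
    "printer":     {"ports": {631, 9100, 5353}, "max_peers": 20},
    "workstation": {"ports": {53, 80, 443, 445}, "max_peers": 200},
    "scanner":     {"ports": set(range(1, 1025)), "max_peers": 10_000},
}


def extract_features(flows):
    """Header-level features for one device in one period (no DPI)."""
    return {"ports": {f.dst_port for f in flows},
            "peers": len({f.peer for f in flows})}


def match_profile(features):
    """Best profile by Jaccard overlap of destination ports; profiles whose
    peer-count bound the device exceeds are not eligible."""
    best, best_score = "unknown", 0.0
    for name, ref in PROFILES.items():
        if features["peers"] > ref["max_peers"]:
            continue
        inter = len(features["ports"] & ref["ports"])
        union = len(features["ports"] | ref["ports"])
        score = inter / union if union else 0.0
        if score > best_score:
            best, best_score = name, score
    return best, best_score


def respond(significance, quarantine_at=0.8, alert_at=0.3):
    """Programmed response graded by the significance of the deviation."""
    if significance >= quarantine_at:
        return "quarantine"
    if significance >= alert_at:
        return "alert"
    return "log"


@dataclass
class ContinuousProfiler:
    # per-device list of matched profiles, one entry per observation period
    history: dict = field(default_factory=lambda: defaultdict(list))

    def predict(self, device):
        """Predicted role for the next period: the most frequent past match."""
        past = self.history[device]
        return Counter(past).most_common(1)[0][0] if past else None

    def significance(self, device, observed):
        """1.0 means the observed role never appeared in this device's history."""
        past = self.history[device]
        return 1.0 - past.count(observed) / len(past) if past else 0.0

    def observe(self, device, period_flows):
        """Process one observation period for one device and return a verdict."""
        profile, score = match_profile(extract_features(period_flows))
        past = self.history[device]
        predicted = self.predict(device)
        sig = self.significance(device, profile)
        transition = bool(past) and past[-1] != profile
        past.append(profile)
        return {"device": device, "profile": profile, "score": round(score, 3),
                "predicted": predicted, "transition": transition,
                "significance": round(sig, 3), "response": respond(sig)}


def sample_flows():
    """Constructed traffic: a printer for three periods, then a port sweep."""
    dev, flows = "aa:bb:cc:00:00:01", []
    for period in range(3):
        flows += [Flow(dev, period, 631, "10.0.0.5"), Flow(dev, period, 9100, "10.0.0.7")]
    for i in range(300):  # period 3: 300 destination ports across 150 hosts
        flows.append(Flow(dev, 3, i + 1, f"10.0.1.{i % 150}"))
    return flows


def run(flows):
    """Feed flows period by period; one verdict per (period, device)."""
    cdp, verdicts = ContinuousProfiler(), []
    for period in sorted({f.period for f in flows}):
        for device in sorted({f.device for f in flows}):
            batch = [f for f in flows if f.period == period and f.device == device]
            if batch:
                verdicts.append(cdp.observe(device, batch))
    return verdicts
```

Running `run(sample_flows())` yields three "printer" verdicts with the response "log", then a fourth period in which the same device matches "scanner": the predictor still expects "printer", the significance is 1.0 because "scanner" never appeared in the history, and the programmed response escalates to "quarantine". The significance measure deliberately ignores how the matcher scored the new role; a device that flips between two roles it has held before gets a lower score than one taking on a role never seen, which is the distinction a policy engine needs before it quarantines something.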
36 Citations
19 Claims
1. A method, comprising: the method set out under First Claim above. Dependent claims: 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13.
2. (canceled)

14. An apparatus, comprising:
a processor; and a memory comprising processor executable instructions that, when executed by the processor, configure the apparatus to: determine a device profile of a network device over one or more observation periods, by inspecting network traffic of the network device without deep packet inspection (DPI); match the device profile to a first matching profile, based on a set of features derived from the network traffic; monitor the network traffic of the network device for a device profile transition from the first matching profile to a second matching profile over an additional one or more observation periods; predict behavior of the network device based on a history of profile matches; detect deviations from predicted future behavior; and react to the profile transition with a programmed response based on a measure of significance wherein such reaction comprises taking corrective action based on a measure of significant deviation from the predicted future behavior.

15. (canceled)

16. An article of manufacture, comprising a non-transitory machine-readable medium having instructions therein that, when executed by the machine, configure the machine to:
determine a device profile of a network device over one or more observation periods, by inspecting network traffic of the network device without deep packet inspection (DPI); match the device profile to a first matching profile, based on a set of features derived from the network traffic; monitor the network traffic of the network device for a device profile transition from the first matching profile to a second matching profile over an additional one or more observation periods; predict behavior of the network device based on a history of profile matches; detect deviations from predicted future behavior; and react to the profile transition with a programmed response based on a measure of significance wherein such reaction comprises taking corrective action based on a measure of significant deviation from the predicted future behavior.

17. (canceled)

18. An apparatus, comprising:
means for determining a device profile of a network device over one or more observation periods, by inspecting network traffic of the network device without deep packet inspection (DPI); means for matching the device profile to a first matching profile, based on a set of features derived from the network traffic; means for monitoring the network traffic of the network device for a device profile transition from the first matching profile to a second matching profile over an additional one or more observation periods; means for predicting behavior of the network device based on a history of profile matches; means for detecting deviations from predicted future behavior; and means for reacting to the profile transition with a programmed response based on a measure of significance wherein such reaction comprises taking corrective action based on a measure of significant deviation from the predicted future behavior.

19. (canceled)
Specification