SYSTEM AND METHOD FOR CONTINUOUS DEVICE PROFILING

US 20140053265A1
Filed: 10/28/2013
Published: 02/20/2014
Est. Priority Date: 05/23/2012
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

determining a device profile of a network device over one or more observation periods, by inspecting network traffic of the network device without deep packet inspection (DPI);

matching the device profile to a first matching profile, based on a set of features derived from the network traffic;

monitoring the network traffic of the network device for a device profile transition from the first matching profile to a second matching profile over an additional one or more observation periods;

predicting behavior of the network device based on a history of profile matches;

detecting deviations from predicted future behavior; and

reacting to the profile transition with a programmed response based on a measure of significance wherein such reaction comprises taking corrective action based on a measure of significant deviation from the predicted future behavior.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for monitoring, modeling and assessing networked devices. A continuous device profiling (CDP) system builds and maintains device-specific and network-specific behavioral models based on observation of network traffic. The behavioral models may be used for network management, detecting misconfigured or malware infected devices, performing network asset inventory, network access control, network discovery in support of network integration, and information security incident response management. CDP models and monitors the active roles that devices assume on the network based on a set of matching profiles, monitors transitions between roles, and triggers corrective action when role transitions violate the policies of the network.

36 Citations

View as Search Results

19 Claims

1. A method, comprising:
- determining a device profile of a network device over one or more observation periods, by inspecting network traffic of the network device without deep packet inspection (DPI);
  
  matching the device profile to a first matching profile, based on a set of features derived from the network traffic;
  
  monitoring the network traffic of the network device for a device profile transition from the first matching profile to a second matching profile over an additional one or more observation periods;
  
  predicting behavior of the network device based on a history of profile matches;
  
  detecting deviations from predicted future behavior; and
  
  reacting to the profile transition with a programmed response based on a measure of significance wherein such reaction comprises taking corrective action based on a measure of significant deviation from the predicted future behavior.
- View Dependent Claims (3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 3. The method of claim 1, wherein determining the device profile comprises:
    - capturing and time-stamping network packet header information; and
      
      determining a feature set based on the header information.
  - 4. The method of claim 3, wherein the feature set comprises at least one of a device feature set and a session feature set.
  - 5. The method of claim 4, wherein the device feature set comprises one or more of an active port set, a connection set, a volume metric, a connectivity metric, a selectivity metric, an attendance metric and a gregarity metric.
  - 6. The method of claim 4, wherein a session comprises transmitting or receiving at least one data packet, and wherein the session feature set comprises one or more of device names, device addresses, port numbers, communication protocol, and bidirectional packet counts and packet sizes.
  - 7. The method of claim 3, wherein the first matching profile comprises an acceptable range of values for each feature in the feature set.
  - 8. The method of claim 1, wherein the device profile comprises at least one of a base profile, a declared profile, a role profile and an aggregate profile.
  - 9. The method of claim 1, wherein the network device comprises one of a plurality of network devices, and wherein the method further comprises assigning each of the plurality of network devices to one or more profile groups based on one of a deterministic profile match and a probabilistic profile match.
  - 10. The method of claim 9, wherein members of a profile group are categorized with respect to typical and atypical behavior.
  - 11. The method of claim 10, wherein device categories comprise known devices, unusual devices, unknown devices and bad devices.
  - 12. The method of claim 1, further comprising Domain Name System (DNS) mappings between user-readable domain names and network addresses.
  - 13. The method of claim 1, further comprising receiving one or more of user-specific data, application-specific data and content-specific data from an end-host agent installed in the network device.

2. (canceled)

14. An apparatus, comprising:
- a processor; and
  
  a memory comprising processor executable instructions that, when executed by the processor, configures the apparatus to;
  
  determine a device profile of a network device over one or more observation periods, by inspecting network traffic of the network device without deep packet inspection (DPI);
  
  match the device profile to a first matching profile, based on a set of features derived from the network traffic;
  
  monitor the network traffic of the network device for a device profile transition from the first matching profile to a second matching profile over an additional one or more observation periods;
  
  predict behavior of the network device based on a history of profile matches;
  
  detect deviations from predicted future behavior; and
  
  react to the profile transition with a programmed response based on a measure of significance wherein such reaction comprises taking corrective action based on a measure of significant deviation from the predicted future behavior.

15. (canceled)

16. An article of manufacture, comprising a non-transitory machine-readable medium having instructions therein that, when executed by the machine, configure the machine to:
- determine a device profile of a network device over one or more observation periods, by inspecting network traffic of the network device without deep packet inspection (DPI);
  
  match the device profile to a first matching profile, based on a set of features derived from the network traffic;
  
  monitor the network traffic of the network device for a device profile transition from the first matching profile to a second matching profile over an additional one or more observation periods;
  
  predict behavior of the network device based on a history of profile matches;
  
  detect deviations from predicted future behavior; and
  
  react to the profile transition with a programmed response based on a measure of significance wherein such reaction comprises taking corrective action based on a measure of significant deviation from the predicted future behavior.

17. (canceled)

18. An apparatus, comprising:
- means for determining a device profile of a network device over one or more observation periods, by inspecting network traffic of the network device without deep packet inspection (DPI);
  
  means for matching the device profile to a first matching profile, based on a set of features derived from the network traffic;
  
  means for monitoring the network traffic of the network device for a device profile transition from the first matching profile to a second matching profile over an additional one or more observation periods;
  
  means for predicting behavior of the network device based on a history of profile matches;
  
  means for detecting deviations from predicted future behavior; and
  
  means for reacting to the profile transition with a programmed response based on a measure of significance wherein such reaction comprises taking corrective action based on a measure of significant deviation from the predicted future behavior.

19. (canceled)

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Observable Networks Inc. (Cisco Systems, Inc.)
Inventors
Crowley, Patrick

Granted Patent

US 9,060,014 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/22
CPC Class Codes

H04L 2463/144   Detection or countermeasure...

H04L 41/147   for predicting network beha...

H04L 41/149   for prediction of maintenance

H04L 43/028   by filtering

H04L 43/12   Network monitoring probes

H04L 63/1408   by monitoring network traff...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 67/303   Terminal profiles

SYSTEM AND METHOD FOR CONTINUOUS DEVICE PROFILING

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

36 Citations

19 Claims

Specification

Use Cases

Quick Links

Others

SYSTEM AND METHOD FOR CONTINUOUS DEVICE PROFILING

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

36 Citations

19 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others