METHOD AND SYSTEM FOR DETECTING AN ANOMALOUS NETWORKED DEVICE

US 20080256230A1
Filed: 04/10/2007
Published: 10/16/2008
Est. Priority Date: 04/10/2007
Status: Active Grant

First Claim

Patent Images

1. A method for detecting one or more anomalous devices, the method comprising:

for each of a plurality of devices, receiving semi-structured data from the device;

for each pair of devices of the plurality of devices, determining a similarity measurement between semi-structured data from a first device of the pair of devices and semi-structured data from a second device of the pair of devices;

identifying one or more anomalous devices; and

performing one or more remedial actions for the one or more identified anomalous devices.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and systems for detecting one or more anomalous devices are disclosed. For each of a plurality of devices, semi-structured data may be received from the device. For each pair of devices, of the plurality of devices, a similarity measurement may be determined between semi-structured data from a first device of the pair of devices and semi-structured data from a second device of the pair of devices. One or more anomalous devices may then be identified and one or more remedial actions may be performed for the one or more identified anomalous devices.

77 Citations

View as Search Results

24 Claims

1. A method for detecting one or more anomalous devices, the method comprising:
- for each of a plurality of devices, receiving semi-structured data from the device;
  
  for each pair of devices of the plurality of devices, determining a similarity measurement between semi-structured data from a first device of the pair of devices and semi-structured data from a second device of the pair of devices;
  
  identifying one or more anomalous devices; and
  
  performing one or more remedial actions for the one or more identified anomalous devices.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1 wherein identifying one or more anomalous devices comprises:
    - for each device;
      
      determining a distance between the device and each other device, andselecting a minimum distance for the device from the distances;
      
      determining a median distance of the minimum distances for each device;
      
      for each device, determining an absolute value of a difference between the minimum distance for the device and the median distance;
      
      determining a median absolute deviation equal to a median of the absolute values; and
      
      for each device, identifying the device to be anomalous if the minimum distance for the device exceeds a sum of the median distance and a product of a positive constant and the median absolute deviation.
  - 3. The method of claim 1, further comprising:
    - clustering the plurality of devices into one or more device clusters based on the determined similarity measurements using a clustering algorithm,wherein identifying one or more anomalous devices comprises identifying one or more anomalous devices based on the device clusters.
  - 4. The method of claim 3 wherein the clustering algorithm comprises hierarchical agglomerative clustering.
  - 5. The method of claim 4 wherein determining a distance comprises determining one or more of a single link metric, a complete link metric and an average link metric.
  - 6. The method of claim 3 wherein the clustering algorithm comprises K-means clustering.
  - 7. The method of claim 1 wherein receiving semi-structured data from the device comprises receiving a system registry from the device.
  - 8. The method of claim 1 wherein receiving semi-structured data from the device comprises receiving XML data from the device.
  - 9. The method of claim 1 wherein determining a similarity measurement comprises determining a value for a compression dissimilarity measure.
  - 10. The method of claim 1 wherein each device comprises one or more of a computer, a print engine and a document processing device.
  - 11. The method of claim 1 wherein performing one or more remedial actions comprises providing information identifying the one or more anomalous devices.
  - 12. The method of claim 1, further comprising:
    - displaying a graph representing differences between the similarity measurements for each device.

13. A system for detecting one or more anomalous devices, the system comprising:
- a processor;
  
  a communication port in communication with the processor; and
  
  a processor-readable storage medium in communication with the processor,wherein the processor-readable storage medium contains one or more programming instructions for performing a method of detecting one or more anomalous devices, the method comprising;
  
  for each of a plurality of devices, receiving semi-structured data from the device,for each pair of devices of the plurality of devices, determining a similarity measurement between semi-structured data from, a first device of the pair of devices and semi-structured data from a second device of the pair of devices,identifying one or more anomalous devices, andperforming one or more remedial actions for the one or more identified anomalous devices.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24)
- - 14. The system of claim 13 wherein identifying one or more anomalous devices comprises one or more programming instructions for performing the following:
    - each device;
      
      determining a distance between the device and each other device, andselecting a minimum distance for the device from the distances;
      
      determining a median distance of the minimum distances for each device;
      
      for each device, determining an absolute value of a difference between the minimum distance for the device and the median distance;
      
      determining a median absolute deviation equal to a median of the absolute values; and
      
      for each device, identifying the device to be anomalous if the minimum distance for the device exceeds a sum of the median distance and a product of a positive constant and the median absolute deviation.
  - 15. The system of claim 14, wherein the processor-readable storage medium further comprises one or more programming instructions for performing the following:
    - clustering the plurality of devices into one or more device clusters based on the determined similarity measurements using a clustering algorithm,wherein identifying one or more anomalous devices comprises identifying one or more anomalous devices based on the device clusters.
  - 16. The system of claim 15 wherein the clustering algorithm comprises hierarchical agglomerative clustering and K-means clustering.
  - 17. The system of claim 16 wherein determining a distance comprises one or more programming instructions for determining one or more of a single link metric, a complete link metric and an average link metric.
  - 18. The system of claim 15 wherein the clustering algorithm comprises K-means clustering.
  - 19. The system of claim 13 wherein receiving semi-structured data from the device comprises one or more programming instructions for receiving a system registry from the device.
  - 20. The system of claim 13 wherein receiving semi-structured data from the device comprises one or more programming instructions for receiving XML data from the device.
  - 21. The system of claim 13 wherein determining a similarity measurement comprises one or more programming instructions for determining a value for a compression dissimilarity measure.
  - 22. The system of claim 13 wherein each device comprises one or more of a computer, a print engine and a document processing device.
  - 23. The system of claim 13 wherein performing one or more remedial actions comprises one or more programming instructions for providing information identifying the one or more anomalous devices.
  - 24. The system of claim 13, wherein the processor-readable storage medium further comprises one or more programming instructions for performing the following:
    - displaying a graph representing differences between the similarity measurements for each device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Xerox Corporation (Xerox Holdings Corp.)
Original Assignee
Xerox Corporation (Xerox Holdings Corp.)
Inventors
Handley, John C.

Granted Patent

US 8,117,486 B2
Time in Patent Office

Days
Field of Search
US Class Current

709/224
CPC Class Codes

H04L 63/145 the attack involving the pr...

METHOD AND SYSTEM FOR DETECTING AN ANOMALOUS NETWORKED DEVICE

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

77 Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

METHOD AND SYSTEM FOR DETECTING AN ANOMALOUS NETWORKED DEVICE

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

77 Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links