Method and system for detecting an anomalous networked device
First Claim
1. A method for detecting one or more anomalous devices, the method comprising:
- for each of a plurality of devices, receiving, from the device, semi-structured system registry data corresponding to one or more applications on the device;
- for each pair of devices of the plurality of devices, determining a similarity measurement between first semi-structured system registry data from a first device of the pair of devices and second semi-structured system registry data from a second device of the pair of devices by:
  - compressing the first semi-structured system registry data and the second semi-structured system registry data,
  - determining a first size associated with the compressed first semi-structured system registry data,
  - determining a second size associated with the compressed second semi-structured system registry data,
  - concatenating the first semi-structured system registry data and the second semi-structured system registry data to create concatenated semi-structured system registry data, and
  - determining the similarity measurement by determining a ratio of a size of the concatenated semi-structured system registry data and a sum of the first size and the second size;
- clustering the devices based on the determined similarity measurements to form one or more device clusters;
- identifying one or more outliers based on the clustering, wherein an outlier represents an anomalous device that is part of a cluster that has a small number of devices as compared to other clusters; and
- performing one or more remedial actions for the one or more identified anomalous devices.
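The claim above is the whole pipeline: a compression-based similarity ratio per device pair, clustering on those ratios, outlier clusters flagged as anomalous, and a remedial action. The following is an added example written for this page, not code from the patent or its assignee, that runs that pipeline on a constructed set of registry exports. The compressor (zlib), the JSON serialisation, the device names and keys, the single-linkage clustering, the link threshold of 0.65 and the "small cluster" fraction of 0.25 are all assumptions made here; the claim itself does not fix any of them, and it does not state whether "a size of the concatenated data" is measured before or after compression (the example compresses it, which is what makes the ratio informative).

```python
"""Added example, not code from the patent: the claim-1 pipeline on
constructed registry exports. Compressor (zlib), serialisation (JSON),
thresholds and device data are all assumptions made here."""
import json
import zlib
from itertools import combinations

# Constructed baseline: application-related registry keys exported from a
# managed workstation, kept as a dict so each device can vary from it.
BASELINE = {
    r"HKLM\SOFTWARE\ExampleCorp\Office": {"Version": "3.2.0", "AutoUpdate": 1},
    r"HKLM\SOFTWARE\ExampleCorp\Agent": {"Version": "1.0.5", "Server": "mgmt.example.internal"},
    r"HKCU\Software\ExampleCorp\Browser": {"HomePage": "https://intranet.example.internal"},
}


def device_export(extra=None):
    """Serialise one device's semi-structured registry data to bytes."""
    data = dict(BASELINE)
    if extra:
        data.update(extra)
    return json.dumps(data, sort_keys=True).encode()


# Constructed fleet: five near-identical workstations plus one device whose
# application keys have nothing in common with the baseline.
DEVICES = {
    "ws-01": device_export(),
    "ws-02": device_export({r"HKCU\Software\ExampleCorp\Browser\Toolbar": {"Enabled": 0}}),
    "ws-03": device_export(),
    "ws-04": device_export({r"HKLM\SOFTWARE\ExampleCorp\Office": {"Version": "3.2.1", "AutoUpdate": 1}}),
    "ws-05": device_export(),
    "ws-99": json.dumps({
        r"HKCU\Software\UnknownApp\Net": {"Host": "203.0.113.7", "Port": 8443},
        r"HKCU\Software\UnknownApp\Install": {"Dir": r"C:\Program Files\UnknownApp"},
        r"HKCU\Software\UnknownApp\Updates": {"Channel": "nightly", "Interval": 3600},
    }, sort_keys=True).encode(),
}


def compressed_size(data):
    return len(zlib.compress(data, 9))


def similarity(first, second):
    """Claim-1 ratio: size of the compressed concatenation over the sum of the
    two individually compressed sizes. Near 0.5 means the second export is
    almost fully predictable from the first; near 1.0 means no shared
    structure. (Compressing the concatenation is an assumption here.)"""
    return compressed_size(first + second) / (
        compressed_size(first) + compressed_size(second)
    )


def cluster_devices(devices, link_threshold=0.65):
    """Single-linkage clustering over the pairwise ratios: two devices whose
    ratio is at or below the threshold join the same cluster (union-find).
    Returns the clusters as sets, largest first."""
    parent = {name: name for name in devices}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for a, b in combinations(devices, 2):
        if similarity(devices[a], devices[b]) <= link_threshold:
            parent[find(a)] = find(b)
    clusters = {}
    for name in devices:
        clusters.setdefault(find(name), set()).add(name)
    return sorted(clusters.values(), key=len, reverse=True)


def find_outliers(clusters, outlier_fraction=0.25):
    """A cluster is 'small compared to other clusters' when it holds no more
    than outlier_fraction of the largest cluster's members; every device in
    such a cluster is an outlier. With a single cluster nothing is flagged."""
    largest = max(len(c) for c in clusters)
    return sorted(
        name for c in clusters if len(c) <= outlier_fraction * largest for name in c
    )


def detect_anomalous_devices(devices, link_threshold=0.65, outlier_fraction=0.25):
    """Run the whole pipeline and return (outliers, remedial actions)."""
    clusters = cluster_devices(devices, link_threshold)
    outliers = find_outliers(clusters, outlier_fraction)
    # The remedial action here is a queued review ticket; a deployment would
    # hand this to its endpoint-management tooling instead.
    actions = [(name, "open-review-ticket") for name in outliers]
    return outliers, actions


if __name__ == "__main__":
    for a, b in combinations(DEVICES, 2):
        print(f"{a} vs {b}: {similarity(DEVICES[a], DEVICES[b]):.3f}")
    print(detect_anomalous_devices(DEVICES))
```

Two properties of the ratio matter in practice: it is bounded below by roughly 0.5 (identical inputs) rather than 0, and it depends on the compressor's window, so exports larger than the window (32 KiB for zlib) should be chunked or hashed per key before comparison. The outlier rule is relative to the largest cluster, so a fleet that is uniformly diverse produces no alerts rather than flagging everything.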
Abstract
Methods and systems for detecting one or more anomalous devices are disclosed. For each of a plurality of devices, semi-structured data may be received from the device. For each pair of devices of the plurality of devices, a similarity measurement may be determined between semi-structured data from a first device of the pair of devices and semi-structured data from a second device of the pair of devices. One or more anomalous devices may then be identified and one or more remedial actions may be performed for the one or more identified anomalous devices.
18 Claims
10. A system for detecting one or more anomalous devices, the system comprising:
- a processor;
- a communication port in communication with the processor; and
- a processor-readable storage medium in communication with the processor, wherein the processor-readable storage medium comprises one or more programming instructions for:
  - for each of a plurality of devices, receiving, from the device, semi-structured system registry data corresponding to one or more applications on the device,
  - for each pair of devices of the plurality of devices, determining a similarity measurement between first semi-structured system registry data from a first device of the pair of devices and second semi-structured system registry data from a second device of the pair of devices by:
    - compressing the first semi-structured system registry data and the second semi-structured system registry data,
    - determining a first size associated with the compressed first semi-structured system registry data,
    - determining a second size associated with the compressed second semi-structured system registry data,
    - concatenating the first semi-structured system registry data and the second semi-structured system registry data to create concatenated semi-structured system registry data, and
    - determining the similarity measurement by determining a ratio of a size of the concatenated semi-structured system registry data and a sum of the first size and the second size;
  - clustering the devices based on the determined similarity measurements to form one or more device clusters;
  - identifying one or more outliers based on the clustering, wherein an outlier represents an anomalous device that is part of a cluster that has a small number of devices as compared to other clusters; and
  - performing one or more remedial actions for the one or more identified anomalous devices.

Dependent claims: 11, 12, 13, 14, 15, 16, 17, 18.
Specification