System and method for continuous device profiling

US 9,060,014 B2
Filed: 10/28/2013
Issued: 06/16/2015
Est. Priority Date: 05/23/2012
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

providing a history of matching device profiles and a history of device profile transitions for each of a plurality of network devices, wherein matching device profiles and device profile transitions differ according to a device type of each of the plurality of network devices and wherein the matching device profile and device profile transition for a first network device differ from the matching device profile and device profile transition for a second network device;

determining a device profile of each of the first network device and the second network device over one or more observation periods, by inspecting network traffic of the corresponding network device without deep packet inspection (DPI);

matching the device profile to a first matching device profile for the first network device, based on a set of features derived from the network traffic;

matching the device profile to a first matching device profile for the second network device, based on a set of features derived from the network traffic, wherein the first matching device profile for the first network device differs from the first matching device profile for the second network device;

monitoring the network traffic of each of the first network device and the second network device for a device profile transition from the first matching device profile for the corresponding network device to a second matching device profile for the corresponding network device over an additional one or more observation periods;

predicting future device behavior of the first network device based on the history of matching device profiles for the first network device and the history of device profile transitions for the first network device;

predicting future device behavior of the second network device based on the history of matching device profiles for the second network device and the history of device profile transitions for the second network device;

detecting deviations from predicted future device behavior for at least one of the first network device and the second network device; and

reacting to the device profile transition for the at least one of the first network device and the second network device with a programmed response based on a measure of significance wherein such reaction comprises taking corrective action based on a measure of significant deviation from the predicted future device behavior for the corresponding network device.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for monitoring, modeling and assessing networked devices. A continuous device profiling (CDP) system builds and maintains device-specific and network-specific behavioral models based on observation of network traffic. The behavioral models may be used for network management, detecting misconfigured or malware infected devices, performing network asset inventory, network access control, network discovery in support of network integration, and information security incident response management. CDP models and monitors the active roles that devices assume on the network based on a set of matching profiles, monitors transitions between roles, and triggers corrective action when role transitions violate the policies of the network.

41 Citations

View as Search Results

15 Claims

1. A method, comprising:
- providing a history of matching device profiles and a history of device profile transitions for each of a plurality of network devices, wherein matching device profiles and device profile transitions differ according to a device type of each of the plurality of network devices and wherein the matching device profile and device profile transition for a first network device differ from the matching device profile and device profile transition for a second network device;
  
  determining a device profile of each of the first network device and the second network device over one or more observation periods, by inspecting network traffic of the corresponding network device without deep packet inspection (DPI);
  
  matching the device profile to a first matching device profile for the first network device, based on a set of features derived from the network traffic;
  
  matching the device profile to a first matching device profile for the second network device, based on a set of features derived from the network traffic, wherein the first matching device profile for the first network device differs from the first matching device profile for the second network device;
  
  monitoring the network traffic of each of the first network device and the second network device for a device profile transition from the first matching device profile for the corresponding network device to a second matching device profile for the corresponding network device over an additional one or more observation periods;
  
  predicting future device behavior of the first network device based on the history of matching device profiles for the first network device and the history of device profile transitions for the first network device;
  
  predicting future device behavior of the second network device based on the history of matching device profiles for the second network device and the history of device profile transitions for the second network device;
  
  detecting deviations from predicted future device behavior for at least one of the first network device and the second network device; and
  
  reacting to the device profile transition for the at least one of the first network device and the second network device with a programmed response based on a measure of significance wherein such reaction comprises taking corrective action based on a measure of significant deviation from the predicted future device behavior for the corresponding network device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1, wherein determining the device profile comprises:
    - capturing and time-stamping network packet header information; and
      
      determining a feature set based on the header information.
  - 3. The method of claim 2, wherein the feature set comprises at least one of a device feature set and a session feature set.
  - 4. The method of claim 3, wherein the device feature set comprises one or more of an active port set, a connection set, a volume metric, a connectivity metric, a selectivity metric, an attendance metric and a gregarity metric.
  - 5. The method of claim 3, wherein a session comprises transmitting or receiving at least one data packet, and wherein the session feature set comprises one or more of device names, device addresses, port numbers, communication protocol, and bidirectional packet counts and packet sizes.
  - 6. The method of claim 2, wherein the first matching device profile comprises an acceptable range of values for each feature in the feature set.
  - 7. The method of claim 1, wherein the device profile comprises at least one of a base profile, a declared profile, a role profile and an aggregate profile.
  - 8. The method of claim 1, wherein the network device comprises one of a plurality of network devices, and wherein the method further comprises assigning each of the plurality of network devices to one or more device profile groups based on one of a deterministic device profile match and a probabilistic device profile match.
  - 9. The method of claim 8, wherein members of a device profile group are categorized with respect to typical and atypical behavior.
  - 10. The method of claim 9, wherein members of the device profile group are categorized as:
    - known devices, unusual devices, unknown devices, and bad devices.
  - 11. The method of claim 1, further comprising Domain Name System (DNS) mappings between user-readable domain names and network addresses.
  - 12. The method of claim 1, further comprising receiving one or more of user-specific data, application-specific data and content-specific data from an end-host agent installed in the network device.

13. An apparatus, comprising:
- a processor; and
  
  a memory comprising processor executable instructions that, when executed by the processor, configures the apparatus to;
  
  provide a history of matching device profiles and a history of device profile transitions for each of a plurality of network devices, wherein matching device profiles and device profile transitions differ according to a device type of each of the plurality of network devices, and wherein the matching device profile and device profile transition for a first network device differ from the matching device profile and device profile transition for a second network device;
  
  determine a device profile of at least a first network device and a second network device over one or more observation periods, by inspecting network traffic of the first and second network devices without deep packet inspection (DPI), wherein the first and second network devices differ;
  
  match the device profile to a first matching device profile of the first network device, based on a set of features derived from the network traffic;
  
  match the device profile to a first matching device profile of the second network device, based on a set of features derived from the network traffic, wherein the first matching device profile of the first network device differs from the first matching device profile of the second network device;
  
  monitor the network traffic of the first network device and the second network device for a device profile transition from the corresponding ,first matching device profile to a corresponding second matching device profile over an additional one or more observation periods;
  
  predict future device, behavior of at least one of the first and the second network device based on a corresponding history of matching device profiles and a corresponding history of device profile transitions;
  
  detect deviations from predicted future device behavior for at least one of the first and the second network devices; and
  
  react to the device profile transition for the at least one of the first and the second network devices with a programmed response based on a measure of significance wherein such reaction comprises taking corrective action based on a measure of significant deviation from the corresponding predicted future device behavior.

14. An article of manufacture, comprising a non-transitory machine-readable medium having instructions therein that, when executed by the machine, configure the machine to:
- provide a history of matching device profiles and a history of device profile transitions for each of a plurality of network devices, wherein matching device profiles and device profile transitions differ according to a device type of each of the plurality of network devices and wherein the matching device profile and device profile transition for a first network device differ from the matching device profile and device profile transition for a second network device;
  
  determine a device profile of each of the first network device and the second network device over one or more observation periods, by inspecting network traffic of the corresponding network device without deep packet inspection (DPI);
  
  match the device profile to a first matching device profile for the first network device, based on a set of features derived from the network traffic;
  
  match the device profile to a first matching device profile for the second network device, based on a set of features derived from the network traffic, wherein the first matching device profile for the first network device differs from the first matching device profile for the second network device;
  
  monitor the network traffic of each of the first network device and the second network device for a device profile transition from the first matching device profile for the corresponding network device to a second matching device profile for the corresponding network device over an additional one or more observation periods;
  
  predict future device behavior of the first network device based on a history of matching device profiles for the first network device and a history of device profile transitions for the first network device;
  
  predict future device behavior of the second network device based on a history of matching device profiles for the second network device and a history of device profile transitions for the second network device;
  
  detect deviations from predicted future device behavior for at least one of the first network device and the second network device; and
  
  react to the device profile transition for the at least one of the first network device and the second network device with a programmed response based on a measure of significance wherein such reaction comprises taking corrective action based on a measure of significant deviation from the predicted future device behavior for the corresponding network device.

15. An apparatus, comprising:
- memory for storing instructions for performing at least one operation; and
  
  a controller that is capable of executing instructions stored in the memory, the instructions including;
  
  providing a history of matching device profiles and a history of device profile transitions for each of a plurality of network devices, wherein matching device profiles and device profile transitions differ according to a device type of each of the plurality of network devices, and wherein the matching device profile and device profile transition for a first network device differ from the matching device profile and device profile transition for a second network device;
  
  determining a device profile of at least a first network device and a second network device over one or more observation periods, by inspecting network traffic of the first and second network devices without deep packet inspection (DPI), wherein the first and second network devices differ;
  
  matching the device profile to a first matching device profile of the first network device, based on a set of features derived from the network traffic;
  
  matching the device profile to a first matching device profile of the second network device, based on a set of features derived from the network traffic, wherein the first matching device profile of the first network device differs from the first matching device profile of the second network device;
  
  monitoring the network traffic of the first network device and the second network device for a device profile transition from the corresponding first matching device profile to a corresponding second matching device profile over an additional one or more observation periods;
  
  predicting future device behavior of at least one of the first and the second network device based on a corresponding history of matching device profiles and a corresponding history of device profile transitions;
  
  detecting deviations from predicted future device behavior for at least one of the first and the second network devices; and
  
  reacting to the device profile transition for the at least one of the first and the second network devices with a programmed response based on a measure of significance wherein such reaction comprises taking corrective action based on a measure of significant deviation from the corresponding predicted future device behavior.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Observable Networks Inc. (Cisco Systems, Inc.)
Inventors
Crowley, Patrick
Primary Examiner(s)
BROWN, CHRISTOPHER J

Application Number

US14/064,725
Publication Number

US 20140053265A1
Time in Patent Office

596 Days
Field of Search

726/22, 726/11, 726/13
US Class Current

1/1
CPC Class Codes

H04L 2463/144   Detection or countermeasure...

H04L 41/147   for predicting network beha...

H04L 41/149   for prediction of maintenance

H04L 43/028   by filtering

H04L 43/12   Network monitoring probes

H04L 63/1408   by monitoring network traff...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 67/303   Terminal profiles

System and method for continuous device profiling

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

41 Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for continuous device profiling

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

41 Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links