Title: System and method for continuous device profiling
Abstract: A system and method for monitoring, modeling and assessing networked devices. A continuous device profiling (CDP) system builds and maintains device-specific and network-specific behavioral models based on observation of network traffic. The behavioral models may be used for network management, detecting misconfigured or malware infected devices, performing network asset inventory, network access control, network discovery in support of network integration, and information security incident response management. CDP models and monitors the active roles that devices assume on the network based on a set of matching profiles, monitors transitions between roles, and triggers corrective action when role transitions violate the policies of the network.
Publication number: US9060014(B2)   Publication date: 2015.06.16
Application number: US201314064725   Filing date: 2013.10.28
Applicant: Observable Networks, Inc.   Inventor: Crowley Patrick
Classification: G06F11/00;H04L29/06;H04L29/08;H04L12/26;H04L12/24   Main classification: G06F11/00
Agent: Goodwin Procter LLP   Attorney: Goodwin Procter LLP
Main claim: 1. A method, comprising: providing a history of matching device profiles and a history of device profile transitions for each of a plurality of network devices, wherein matching device profiles and device profile transitions differ according to a device type of each of the plurality of network devices and wherein the matching device profile and device profile transition for a first network device differ from the matching device profile and device profile transition for a second network device; determining a device profile of each of the first network device and the second network device over one or more observation periods, by inspecting network traffic of the corresponding network device without deep packet inspection (DPI); matching the device profile to a first matching device profile for the first network device, based on a set of features derived from the network traffic; matching the device profile to a first matching device profile for the second network device, based on a set of features derived from the network traffic, wherein the first matching device profile for the first network device differs from the first matching device profile for the second network device; monitoring the network traffic of each of the first network device and the second network device for a device profile transition from the first matching device profile for the corresponding network device to a second matching device profile for the corresponding network device over an additional one or more observation periods; predicting future device behavior of the first network device based on the history of matching device profiles for the first network device and the history of device profile transitions for the first network device; predicting future device behavior of the second network device based on the history of matching device profiles for the second network device and the history of device profile transitions for the second network device; detecting deviations from predicted future device behavior for at least one of the first network device and the second network device; and reacting to the device profile transition for the at least one of the first network device and the second network device with a programmed response based on a measure of significance wherein such reaction comprises taking corrective action based on a measure of significant deviation from the predicted future device behavior for the corresponding network device.
Address: Clayton MO US
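The steps of claim 1 (features from flow metadata without DPI, matching a device profile, tracking profile history and transitions, predicting the next role, scoring a transition and reacting) as an added Python sketch; this is illustrative code, not the patent's or Observable Networks' implementation, and the profile names, feature vocabulary, policy set, score weights and flow records are all constructed assumptions.

```python
from collections import Counter

# Profiles as feature sets (assumed vocabulary): "cli:" = device initiated, "srv:" = accepted.
PROFILES = {
    "printer": {"srv:tcp/9100", "srv:tcp/631", "cli:udp/53"},
    "workstation": {"cli:tcp/443", "cli:tcp/80", "cli:udp/53"},
    "scanner": {"cli:tcp/22", "cli:tcp/445", "cli:tcp/3389", "fanout:high"},
}
ALLOWED_TRANSITIONS = {("workstation", "printer")}  # assumed policy; self-transitions are always fine

def features(flows):
    """Feature set for one observation period from flow metadata (peer, proto, port, role); no DPI."""
    feats = {f"{role}:{proto}/{port}" for _, proto, port, role in flows}
    if len({peer for peer, *_ in flows}) >= 5:  # many distinct peers -> fan-out feature
        feats.add("fanout:high")
    return feats

def match_profile(feats):
    """Name of the profile with the highest Jaccard similarity to the observed features."""
    return max(PROFILES, key=lambda n: len(feats & PROFILES[n]) / len(feats | PROFILES[n]))

class DeviceTracker:
    """Per-device history of matched profiles and of transitions; scores each transition."""
    def __init__(self):
        self.history, self.transitions = {}, {}

    def observe(self, device, flows):
        prof = match_profile(features(flows))
        hist = self.history.setdefault(device, [])
        predicted = Counter(hist).most_common(1)[0][0] if hist else prof  # predicted next role
        prev = hist[-1] if hist else prof
        hist.append(prof)
        if prof == prev:
            return None  # same role as last period: no transition
        self.transitions.setdefault(device, Counter())[(prev, prof)] += 1
        score = 0.6 if (prev, prof) not in ALLOWED_TRANSITIONS else 0.0  # policy violation
        score += 0.4 if prof != predicted else 0.0  # deviation from predicted behaviour
        action = "quarantine" if score >= 0.6 else "alert" if score > 0 else "log"
        return {"device": device, "from": prev, "to": prof, "score": score, "action": action}

# Constructed flow metadata: web browsing, then a period of many-peer admin-port connections.
WORKSTATION_PERIOD = [("10.0.0.53", "udp", 53, "cli"), ("198.51.100.10", "tcp", 443, "cli"),
                      ("198.51.100.10", "tcp", 80, "cli")]
SCAN_PERIOD = [(f"10.0.0.{i}", "tcp", p, "cli") for i in range(10, 16) for p in (22, 445, 3389)]

def run_demo():
    """Three quiet periods, then a role transition: returns the transition events raised."""
    tracker = DeviceTracker()
    events = [tracker.observe("host-a", WORKSTATION_PERIOD) for _ in range(3)]
    events.append(tracker.observe("host-a", SCAN_PERIOD))
    return [e for e in events if e]
```

The significance score combines a policy check with a check against the role predicted from the device's own history, so a permitted but unprecedented transition still produces an alert while a forbidden one triggers the stronger response.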