CPC H04L 63/1466 (2013.01) [G06N 3/047 (2023.01); H04L 43/065 (2013.01); H04L 43/12 (2013.01); H04L 63/0263 (2013.01); H04L 63/1425 (2013.01)]
16 Claims
1. A method comprising:
obtaining, by a device classification service, device telemetry data indicative of declarative attributes of a device in a network and indicative of behavioral attributes of that device;
labeling, by the device classification service, the device with a device type, based on the device telemetry data;
detecting, by the device classification service, device type spoofing exhibited by the device using a model that models a relationship between the declarative attributes and the behavioral attributes, wherein the model takes the behavioral attributes as input and predicts declarative attributes to be compared with the declarative attributes obtained from the device telemetry data, and wherein the device type spoofing is detected when there is a discrepancy between the declarative attributes predicted by the model and the declarative attributes obtained from the device telemetry data; and
initiating, by the device classification service and based on the device type spoofing, a mitigation action regarding the device.
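The detection step of claim 1, sketched as an added example that is not taken from the patent: a model takes behavioral attributes as input, predicts the declarative attribute, and a confident disagreement with what the device declared is treated as spoofing. The Bernoulli naive Bayes model, the attribute names, the 0.8 confidence threshold and the "quarantine" action are all assumptions chosen for illustration; the claim does not specify any of them.

```python
import math
from collections import Counter, defaultdict

# Constructed training telemetry: (behavioral attributes, declarative attribute).
# Behavioral = observed traffic traits; declarative = what the device claims
# about itself (here a hypothetical DHCP vendor-class string).
TRAIN = [
    ({"rtsp", "ntp", "high_upstream"}, "ipcam-vendor"),
    ({"rtsp", "ntp", "high_upstream", "dns"}, "ipcam-vendor"),
    ({"ipp", "mdns", "snmp"}, "printer-vendor"),
    ({"ipp", "mdns", "dns"}, "printer-vendor"),
    ({"https", "dns", "smb", "mdns"}, "workstation-os"),
    ({"https", "dns", "smb", "ssh"}, "workstation-os"),
]

class BehaviorToDeclaredModel:
    """Bernoulli naive Bayes: behavioral attributes in, declared attribute out."""
    def __init__(self, rows):
        self.vocab = sorted(set().union(*(b for b, _ in rows)))
        self.n = Counter(d for _, d in rows)          # rows per declared value
        self.hits = defaultdict(Counter)              # feature counts per value
        for behav, decl in rows:
            self.hits[decl].update(behav)
        self.total = len(rows)

    def predict(self, behav):
        """Return {declared_attribute: posterior probability}."""
        logp = {}
        for decl, n in self.n.items():
            lp = math.log(n / self.total)
            for f in self.vocab:
                p = (self.hits[decl][f] + 1) / (n + 2)  # Laplace smoothing
                lp += math.log(p if f in behav else 1 - p)
            logp[decl] = lp
        m = max(logp.values())                          # normalize stably
        z = sum(math.exp(v - m) for v in logp.values())
        return {d: math.exp(v - m) / z for d, v in logp.items()}

def check_device(model, behav, declared, min_conf=0.8):
    """Flag spoofing when a confident prediction disagrees with the claim."""
    post = model.predict(behav)
    predicted = max(post, key=post.get)
    spoofed = predicted != declared and post[predicted] >= min_conf
    action = "quarantine" if spoofed else "none"  # hypothetical mitigation
    return {"predicted": predicted, "spoofed": spoofed, "action": action}

MODEL = BehaviorToDeclaredModel(TRAIN)
```

The confidence threshold keeps ambiguous behavior (for example, a device seen only making DNS queries) from being flagged, since a low-confidence prediction is weak evidence of a discrepancy.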