US 11,729,210 B2
Detecting spoofing in device classification systems
Jean-Philippe Vasseur, Saint Martin d'Uriage (FR); Pierre-André Savalle, Rueil-Malmaison (FR); Grégory Mermoud, Veyras (CH); and David Tedaldi, Zurich (CH)
Assigned to Cisco Technology, Inc., San Jose, CA (US)
Filed by Cisco Technology, Inc., San Jose, CA (US)
Filed on Apr. 17, 2020, as Appl. No. 16/851,290.
Prior Publication US 2021/0329029 A1, Oct. 21, 2021
Int. Cl. H04L 9/40 (2022.01); H04L 43/065 (2022.01); H04L 43/12 (2022.01); G06N 3/047 (2023.01)
CPC H04L 63/1466 (2013.01) [G06N 3/047 (2023.01); H04L 43/065 (2013.01); H04L 43/12 (2013.01); H04L 63/0263 (2013.01); H04L 63/1425 (2013.01)]
16 Claims
1. A method comprising:
obtaining, by a device classification service, device telemetry data indicative of declarative attributes of a device in a network and indicative of behavioral attributes of that device;
labeling, by the device classification service, the device with a device type, based on the device telemetry data;
detecting, by the device classification service, device type spoofing exhibited by the device using a model that models a relationship between the declarative attributes and the behavioral attributes, wherein the model takes the behavioral attributes as input and predicts declarative attributes to be compared with the declarative attributes obtained from the device telemetry data, and wherein the device type spoofing is detected when there is a discrepancy between the declarative attributes predicted by the model and the declarative attributes obtained from the device telemetry data; and
initiating, by the device classification service and based on the device type spoofing, a mitigation action regarding the device.
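The detection step of claim 1, sketched as an added example that is not taken from the patent: a model takes behavioral attributes as input, predicts the declarative attribute, and a discrepancy with the declared value is flagged. The naive Bayes model, the attribute names, the training rows, the 0.8 confidence threshold and the "restrict" action are all assumptions made for illustration.

```python
import math
from collections import Counter, defaultdict

# Constructed telemetry: (observed behavioral attributes, declared device type).
TRAIN = [
    ({"rtsp", "ntp", "dst:nvr"}, "ip-camera"),
    ({"rtsp", "dst:nvr", "onvif"}, "ip-camera"),
    ({"rtsp", "ntp", "onvif"}, "ip-camera"),
    ({"ipp", "mdns", "snmp"}, "printer"),
    ({"ipp", "snmp", "jetdirect"}, "printer"),
    ({"ipp", "mdns", "jetdirect"}, "printer"),
    ({"https", "smb", "ssh"}, "workstation"),
    ({"https", "smb", "rdp"}, "workstation"),
    ({"https", "ssh", "dns"}, "workstation"),
]

class BehaviorModel:
    """Naive Bayes stand-in (assumed): behavioral attributes in, declared type out."""

    def __init__(self, rows, alpha=1.0):
        self.alpha = alpha
        self.n = Counter(label for _, label in rows)
        self.seen = defaultdict(Counter)  # label -> feature -> count
        for feats, label in rows:
            self.seen[label].update(feats)

    def predict(self, behavior):
        """Return (most likely declared type, posterior probability)."""
        total = sum(self.n.values())
        logp = {}
        for label, n in self.n.items():
            s = math.log(n / total)
            for f in behavior:  # Laplace-smoothed P(feature | label)
                s += math.log((self.seen[label][f] + self.alpha) / (n + 2 * self.alpha))
            logp[label] = s
        top = max(logp.values())
        z = sum(math.exp(v - top) for v in logp.values())
        best = max(logp, key=logp.get)
        return best, math.exp(logp[best] - top) / z

def check_device(model, declared, behavior, min_conf=0.8):
    """Flag spoofing when the predicted declaration contradicts the observed one."""
    predicted, conf = model.predict(behavior)
    spoofed = predicted != declared and conf >= min_conf
    # "restrict" is a placeholder for whatever mitigation the network applies.
    return {"spoofing": spoofed, "predicted": predicted, "confidence": round(conf, 3),
            "action": "restrict" if spoofed else None}
```

The confidence threshold keeps a device with too little observed traffic from being flagged on a weak prediction.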