US 12,386,947 B2
Techniques for securing network environments by identifying device attributes based on string field conventions
Ron Shoham, Tel Aviv (IL); Tom Hanetz, Tel Aviv (IL); Yuval Friedlander, Petah Tikva (IL); and Gil Ben Zvi, Hod Hasharon (IL)
Assigned to Armis Security Ltd., Tel Aviv-Jaffa (IL)
Filed by Armis Security Ltd., Tel Aviv (IL)
Filed on Jun. 3, 2024, as Appl. No. 18/732,000.
Application 18/732,000 is a continuation of application No. 17/344,294, filed on Jun. 10, 2021, granted, now 12,026,248.
Prior Publication US 2025/0036748 A1, Jan. 30, 2025
This patent is subject to a terminal disclaimer.
Int. Cl. G06F 21/51 (2013.01); G06F 21/55 (2013.01)
CPC G06F 21/51 (2013.01) [G06F 21/552 (2013.01); G06F 2221/2141 (2013.01)]
13 Claims

1. A method for identifying device attributes based on string field conventions, comprising:
applying at least one machine learning model to an application data set extracted based on a first string indicated in a field of device data corresponding to a network device, wherein the application data set is extracted by generating a plurality of substrings of the first string, wherein each of the at least one machine learning model is applied to each of the plurality of substrings, wherein each of the at least one machine learning model is a neural network including a convolutional layer, wherein the convolutional layer of each neural network includes a plurality of filters, wherein each filter of each convolutional layer is applied to each of the plurality of substrings and outputs a value representing a degree of similarity between the filter and each applied substring, wherein each of the at least one machine learning model is trained based on a training data set collected from a network environment, the training data including a plurality of second strings and a plurality of device attribute labels, wherein each device attribute label corresponds to a respective second string of the plurality of second strings, wherein each of the at least one machine learning model is configured to output a predicted device attribute for the network device based on the first string;
identifying, based on the output of the at least one machine learning model, a device attribute of the network device;
determining at least one network activity policy corresponding to the identified device attribute of the network device;
monitoring network activity of the network device with respect to the at least one network activity policy corresponding to the identified device attribute of the network device; and
when the monitored network activity of the network device violates the at least one network activity policy, performing at least one mitigation action based on the monitored network activity.
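
The steps of claim 1 (substrings of a field value, convolutional filters scoring each substring, attribute prediction, policy check) as an added Python example that is not taken from the patent or from Armis. The filters, weights, policy table, field values, threshold and all function names are constructed assumptions, and hand-set filters stand in for trained ones.

```python
# Added illustration: filters and weights are hand-set here; the claim's models
# learn them from labelled strings collected in the network environment.
WIDTH = 4  # substring and filter width (assumed)

# Constructed filters: each character pattern is equivalent to a convolution
# kernel over one-hot encoded characters.
FILTERS = ["ipho", "andr", "prin", "cam-"]

# Constructed dense layer: device attribute -> one weight per filter.
WEIGHTS = {
    "os:iOS":       [1.0, 0.0, 0.0, 0.0],
    "os:Android":   [0.0, 1.0, 0.0, 0.0],
    "type:printer": [0.0, 0.0, 1.0, 0.0],
    "type:camera":  [0.0, 0.0, 0.0, 1.0],
}

# Constructed policies: device attribute -> destination ports it may use.
POLICIES = {"type:printer": {631, 9100}, "type:camera": {554}}

def substrings(s, width=WIDTH):
    """Sliding-window substrings of the field value (short values are padded)."""
    s = s.lower().ljust(width, "\0")
    return [s[i:i + width] for i in range(len(s) - width + 1)]

def similarity(filt, sub):
    """Filter response: fraction of positions where the characters agree."""
    return sum(a == b for a, b in zip(filt, sub)) / len(filt)

def predict_attribute(field_value, threshold=0.75):
    """Apply every filter to every substring, max-pool, then score attributes."""
    subs = substrings(field_value)
    pooled = [max(similarity(f, s) for s in subs) for f in FILTERS]
    scores = {attr: sum(w * p for w, p in zip(ws, pooled))
              for attr, ws in WEIGHTS.items()}
    best = max(scores, key=scores.get)
    return best if scores[best] >= threshold else None

def violations(field_value, flows):
    """Return observed (dst, port) flows outside the predicted attribute's policy."""
    allowed = POLICIES.get(predict_attribute(field_value))
    if allowed is None:
        return []  # no confident attribute or no policy for it: nothing to check
    return [f for f in flows if f[1] not in allowed]
```

Because each filter returns a degree of similarity rather than an exact match, a hostname such as `iph0ne-of-dana` still scores 0.75 against the `ipho` filter and is labelled `os:iOS`.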