US 12,086,163 B2
Systems and methods for asset fingerprinting
Amine Hamdi, Boston, MA (US)
Assigned to Acentium Inc, Boston, MA (US)
Filed by Acentium Inc, Boston, MA (US)
Filed on Oct. 1, 2021, as Appl. No. 17/492,101.
Claims priority of provisional application 63/086,881, filed on Oct. 2, 2020.
Prior Publication US 2022/0107965 A1, Apr. 7, 2022
Int. Cl. G06F 16/28 (2019.01); G06F 16/24 (2019.01); G06F 16/245 (2019.01); G06F 16/90 (2019.01)
CPC G06F 16/285 (2019.01) [G06F 16/245 (2019.01)]
13 Claims
1. A system comprising:
one or more processors communicatively coupled to a computer environment; and
a memory storing computer code instructions, the computer code instructions, when executed by the one or more processors, cause the one or more processors to:
transmit, via a communication network and according to probing scripts, a plurality of probe queries to each device of a plurality of devices associated with the computer environment, the probing scripts specifying types and frequencies of probe queries used for each device of the plurality of devices and the plurality of probe queries including at least one ping command configured to measure, for each device of a plurality of devices, a corresponding response latency;
determine, from responses of the plurality of probe queries received from the plurality of devices, parameters for the plurality of devices, the parameters including, for each device of the plurality of devices, the corresponding response latency;
record in memory the parameters from the responses;
cluster, by a clustering module applying a clustering algorithm to the recorded parameters, the plurality of devices into a plurality of clusters, clustered data of the plurality of clusters comprising recorded parameters represented by parameter vectors;
determine, by a profiling module based on the plurality of clusters and the clustered data, a profile of a first cluster of the plurality of clusters, the profile stored in a database in association with the first cluster and defining one or more common features of devices of the first cluster and including at least one of a common category or a common type of the devices in the first cluster;
assign, by the profiling module, the profile of the first cluster to an unknown device of the first cluster, the unknown device not listed in an asset management record of the computer environment;
identify, by the profiling module using one or more communication logs, one or more other devices of the computing environment that communicated with the unknown device;
obtain, by the profiling module, additional information about the unknown device from the identified one or more other devices of the computer environment;
compare, by the profiling module, the additional information about the unknown device received from the one or more other devices to the profile of the first cluster stored in the database; and
determine, by the profiling module, the unknown device to be a potential rogue device based on the comparison identifying a discrepancy; and
provide an alert indicating that the unknown device is a rogue device.
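
The pipeline recited in claim 1 (cluster recorded probe parameters, profile each cluster, assign the profile to a device missing from the asset record, then check it against what peers observed) can be sketched as follows; this is an added example, not code from the patent or from Acentium. The claim names no clustering algorithm, so leader clustering stands in for it, and the addresses, parameter vectors, log entries and the `EXPECTED` protocol table are constructed assumptions.

```python
from collections import Counter
from math import dist

# Constructed sample data: parameter vectors (ping latency in ms, open-port count)
# as they might be recorded from probe responses. All values are hypothetical.
PARAMS = {
    "10.0.0.11": (0.4, 3), "10.0.0.12": (0.5, 3), "10.0.0.13": (0.6, 4),
    "10.0.0.21": (8.1, 12), "10.0.0.22": (7.9, 11),
    "10.0.0.99": (0.5, 3),  # responds to probes but is not in the asset record
}
ASSETS = {"10.0.0.11": "printer", "10.0.0.12": "printer", "10.0.0.13": "printer",
          "10.0.0.21": "server", "10.0.0.22": "server"}
# Constructed communication log: (source, destination, protocol the source saw).
COMM_LOG = [("10.0.0.21", "10.0.0.99", "ssh"), ("10.0.0.11", "10.0.0.12", "ipp"),
            ("10.0.0.22", "10.0.0.99", "smb")]
# Assumed protocols stored with each category profile.
EXPECTED = {"printer": {"ipp", "snmp"}, "server": {"ssh", "smb", "https"}}

def cluster(params, radius=2.0):
    """Leader clustering (assumed algorithm): join the first cluster whose
    leader vector is within `radius`, otherwise start a new cluster."""
    clusters = []  # list of (leader_vector, [device, ...])
    for dev, vec in sorted(params.items()):
        for leader, members in clusters:
            if dist(leader, vec) <= radius:
                members.append(dev)
                break
        else:
            clusters.append((vec, [dev]))
    return [members for _, members in clusters]

def profile(members, assets):
    """Profile = most common category among the cluster's known devices."""
    known = Counter(assets[d] for d in members if d in assets)
    return known.most_common(1)[0][0] if known else None

def find_rogues(params, assets, comm_log, expected):
    """Return (device, assigned_category, unexpected_protocols) per discrepancy."""
    alerts = []
    for members in cluster(params):
        category = profile(members, assets)
        for dev in (d for d in members if d not in assets):
            # Additional information: protocols peers observed when talking to dev.
            seen = {proto for _src, dst, proto in comm_log if dst == dev}
            extra = seen - expected.get(category, set())
            if extra:  # peer observations contradict the cluster profile
                alerts.append((dev, category, sorted(extra)))
    return alerts
```

The two features are left unscaled for brevity; with real probe data they would need normalising before any distance-based clustering, or latency jitter alone can decide cluster membership.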