
EP-4172826-B1 - MULTIPLE GRANULARITY CLASSIFICATION


Inventors

  • SONG, Yuzhou
  • Raghuramu, Arun
  • ZHANG, YANG

Dates

Publication Date
2026-05-13
Application Date
2021-06-15

Claims (15)

  1. A method comprising: accessing network traffic from a network (100, 200), wherein the network traffic is associated with a plurality of entities (102, 104, 106, 120, 122, 130, 150); selecting an entity of the plurality of entities (102, 104, 106, 120, 122, 130, 150); determining one or more values associated with one or more properties associated with the entity, wherein the one or more values are accessed from the network traffic; accessing a first model associated with a first level of granularity, wherein the first level of granularity comprises a first specificity of entity classifications performed by the first model; determining, by a processing device (702), a first classification result of the entity based on the first model; accessing a second model associated with a second level of granularity, wherein the second level of granularity is higher than the first level of granularity and wherein the second model is accessed based on the first classification result and wherein the second level of granularity comprises a second specificity of entity classifications performed by the second model; determining, by the processing device (702), a second classification result of the entity based on the second model; and storing at least one of the first classification result or the second classification result.
  2. The method of claim 1 further comprising: performing an action based on at least one of the first classification result or the second classification result.
  3. The method of claim 1, wherein the second model is accessed in response to a confidence associated with the first classification result being above a confidence threshold associated with the first model.
  4. The method of claim 1, wherein the second model is trained on a select set of properties associated with the second level of granularity.
  5. The method of claim 1, wherein the first model is operable to classify an entity as an information technology (IT) entity or an operational technology (OT) entity.
  6. The method of claim 1, wherein a third model is operable to classify the entity based on a patch level associated with an operating system associated with the entity.
  7. A system comprising: a memory; and a processing device (702), operatively coupled to the memory, to: access network traffic from a network (100, 200), wherein the network traffic is associated with a plurality of entities (102, 104, 106, 120, 122, 130, 150); select an entity; determine one or more values associated with one or more properties associated with the entity, wherein the one or more values are accessed from the network traffic; access a first model associated with a first level of granularity, wherein the first level of granularity comprises a first specificity of entity classifications performed by the first model; determine, by the processing device (702), a first classification result of the entity based on the first model; access a second model associated with a second level of granularity, wherein the second level of granularity is higher than the first level of granularity and wherein the second model is accessed based on the first classification result, and wherein the second level of granularity comprises a second specificity of entity classifications performed by the second model; determine, by the processing device (702), a second classification result of the entity based on the second model; and store at least one of the first classification result or the second classification result.
  8. The system of claim 7, the processing device (702) further to: perform an action based on at least one of the first classification result or the second classification result.
  9. The system of claim 7, wherein the second model is accessed in response to a confidence associated with the first classification result being above a confidence threshold associated with the first model.
  10. The system of claim 7, wherein the second model is trained on a select set of properties associated with the second level of granularity.
  11. The system of claim 7, wherein the first model is operable to classify an entity as an information technology (IT) entity or an operational technology (OT) entity.
  12. A non-transitory computer readable medium having instructions encoded thereon that, when executed by a processing device (702), cause the processing device (702) to: access network traffic from a network (100, 200), wherein the network traffic is associated with a plurality of entities (102, 104, 106, 120, 122, 130, 150); select an entity; determine one or more values associated with one or more properties associated with the entity, wherein the one or more values are accessed from the network traffic; access a first model associated with a first level of granularity, wherein the first level of granularity comprises a first specificity of entity classifications performed by the first model; determine, by the processing device (702), a first classification result of the entity based on the first model; access a second model associated with a second level of granularity, wherein the second level of granularity is higher than the first level of granularity and wherein the second model is accessed based on the first classification result, and wherein the second level of granularity comprises a second specificity of entity classifications performed by the second model; determine, by the processing device (702), a second classification result of the entity based on the second model; and store at least one of the first classification result or the second classification result.
  13. The non-transitory computer readable medium of claim 12, wherein the instructions further cause the processing device (702) to: perform an action based on at least one of the first classification result or the second classification result.
  14. The non-transitory computer readable medium of claim 12, wherein the second model is accessed in response to a confidence associated with the first classification result being above a confidence threshold associated with the first model.
  15. The non-transitory computer readable medium of claim 12, wherein the second model is trained on a select set of properties associated with the second level of granularity.
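The coarse-to-fine cascade that claims 1 to 6 describe, written out as an added example (this is not code from the patent or from its assignee): property values for an entity are taken from traffic, a first model classifies IT versus OT with a confidence, and only when that confidence clears the first model's threshold (claim 3) is the second model selected by the first result, that second model having been trained on a property subset chosen for the finer granularity (claim 4); both results are stored (claim 1) and a policy action is derived from them (claim 2). The naive Bayes models, the property names vendor/proto/port, the labelled rows, the 0.8 threshold and the policy strings are all constructed for illustration, not taken from the page.

```python
"""Two-level (coarse -> fine) entity classification cascade.

Added example, not the patent's own code.  Property names, training rows,
the confidence threshold and the policy strings are constructed here.
"""
import math
from collections import Counter, defaultdict
from dataclasses import dataclass, field

# Constructed labelled observations: (properties, coarse_label, fine_label).
# The property values stand in for what a sensor would pull from traffic
# (DHCP vendor class, observed protocol, observed service port).
TRAINING = [
    ({"vendor": "siemens", "proto": "s7comm", "port": "102"}, "OT", "PLC"),
    ({"vendor": "rockwell", "proto": "enip", "port": "44818"}, "OT", "PLC"),
    ({"vendor": "siemens", "proto": "modbus", "port": "502"}, "OT", "PLC"),
    ({"vendor": "advantech", "proto": "vnc", "port": "5900"}, "OT", "HMI"),
    ({"vendor": "siemens", "proto": "http", "port": "80"}, "OT", "HMI"),
    ({"vendor": "dell", "proto": "smb", "port": "445"}, "IT", "Workstation"),
    ({"vendor": "hp", "proto": "smb", "port": "445"}, "IT", "Workstation"),
    ({"vendor": "dell", "proto": "ldap", "port": "389"}, "IT", "Server"),
    ({"vendor": "supermicro", "proto": "ssh", "port": "22"}, "IT", "Server"),
    ({"vendor": "hp", "proto": "http", "port": "80"}, "IT", "Server"),
]


class NaiveBayes:
    """Categorical naive Bayes restricted to a selected tuple of properties."""

    def __init__(self, properties):
        self.properties = tuple(properties)
        self.class_counts = Counter()
        self.value_counts = defaultdict(Counter)  # (label, prop) -> Counter(value)
        self.vocab = defaultdict(set)             # prop -> set of seen values

    def fit(self, rows):
        for props, label in rows:
            self.class_counts[label] += 1
            for p in self.properties:
                v = props.get(p)
                self.value_counts[(label, p)][v] += 1
                self.vocab[p].add(v)
        return self

    def predict(self, props):
        """Return (label, confidence); confidence is the normalised posterior."""
        total = sum(self.class_counts.values())
        log_post = {}
        for label, n in self.class_counts.items():
            lp = math.log(n / total)
            for p in self.properties:
                v = props.get(p)
                k = len(self.vocab[p]) + 1  # Laplace smoothing, +1 slot for unseen values
                lp += math.log((self.value_counts[(label, p)][v] + 1) / (n + k))
            log_post[label] = lp
        m = max(log_post.values())
        z = sum(math.exp(v - m) for v in log_post.values())
        best = max(log_post, key=log_post.get)
        return best, math.exp(log_post[best] - m) / z


@dataclass
class Cascade:
    coarse: NaiveBayes
    coarse_threshold: float
    fine: dict                              # coarse label -> finer-granularity model
    store: dict = field(default_factory=dict)

    def classify(self, entity_id, props):
        first_label, first_conf = self.coarse.predict(props)
        result = {"first": (first_label, first_conf), "second": None}
        # Claim 3: the second model is consulted only when the first result is confident.
        if first_conf >= self.coarse_threshold and first_label in self.fine:
            result["second"] = self.fine[first_label].predict(props)
        self.store[entity_id] = result      # claim 1: store the classification results
        return result


def build_cascade():
    coarse = NaiveBayes(["vendor", "proto", "port"]).fit([(p, c) for p, c, _ in TRAINING])
    # Claim 4: each second-level model is trained on a property subset selected for
    # that granularity; vendor is dropped because it does not separate PLC from HMI.
    selected = {"OT": ["proto", "port"], "IT": ["proto", "port"]}
    fine = {}
    for coarse_label, props in selected.items():
        rows = [(p, f) for p, c, f in TRAINING if c == coarse_label]
        fine[coarse_label] = NaiveBayes(props).fit(rows)
    return Cascade(coarse, 0.8, fine)


def action_for(result):
    """Claim 2: derive a policy action from whichever results are available."""
    first, second = result["first"][0], result["second"]
    if second is None:
        return "flag-for-manual-classification"   # do not apply a policy on a weak guess
    if first == "OT" and second[0] == "PLC":
        return "restrict-to-engineering-vlan"
    if first == "OT":
        return "allow-ot-monitoring-only"
    return "apply-it-baseline-policy"


if __name__ == "__main__":
    cascade = build_cascade()
    for eid, props in [("plc-1", {"vendor": "siemens", "proto": "s7comm", "port": "102"}),
                       ("amb-1", {"vendor": "hp", "proto": "http", "port": "80"})]:
        r = cascade.classify(eid, props)
        print(eid, r, action_for(r))
```

The third entity in the usage block is the case the threshold exists for: "hp" plus HTTP on port 80 occurs on both an OT HMI and an IT server in the training rows, so the coarse model returns IT at 0.75, below the 0.8 threshold, the fine model is skipped, and the entity is flagged rather than given a policy based on a guess.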

Description

TECHNICAL FIELD

Aspects and implementations of the present disclosure relate to network monitoring, and more specifically, classification of entities of a network.

BACKGROUND

As technology advances, the number and variety of devices that are connected to communications networks are rapidly increasing. Each device may have its own respective vulnerabilities which may leave the network open to compromise or other risks. Preventing the spreading of an infection of a device or an attack through a network can be important for securing a communication network. WO2020/005505 A1 (FORESCOUT TECHNOLOGIES, INC) discloses a system and a method for self-training classification. A plurality of device classification methods with associated models are accessed. Each of the classification methods has an associated reliability level. The models of classification methods with a higher reliability level than other classification methods are used to train the models associated with lower reliability levels. In accordance with the present invention, there is provided a method, system and computer-readable medium in accordance with the appended claims.

BRIEF DESCRIPTION OF THE DRAWINGS

Aspects and implementations of the present disclosure will be understood more fully from the detailed description given below and from the accompanying drawings of various aspects and implementations of the disclosure, which, however, should not be taken to limit the disclosure to the specific aspects or implementations, but are for explanation and understanding only.

Figure 1 depicts an illustrative communication network in accordance with one implementation of the present disclosure.
Figure 2 depicts an illustrative network topology in accordance with one implementation of the present disclosure.
Figure 3 depicts a diagram of aspects of classification using multiple models in accordance with one implementation of the present disclosure.
Figure 4 depicts a flow diagram of aspects of a method for performing classification in accordance with one implementation of the present disclosure.
Figure 5 depicts a flow diagram of aspects of a method for training multiple models for classification in accordance with one implementation of the present disclosure.
Figure 6 depicts illustrative components of a system for classifying entities, training models, or a combination thereof in accordance with one implementation of the present disclosure.
Figure 7 is a block diagram illustrating an example computer system, in accordance with one implementation of the present disclosure.

DETAILED DESCRIPTION

Aspects and implementations of the present disclosure are directed to training and using multiple models (e.g., machine learning models, etc.) to perform classification of entities of a network (but may be applicable in other areas) at various granularities. The systems and methods disclosed can be employed with respect to network security, among other fields. More particularly, it can be appreciated that devices with vulnerabilities are a significant and growing problem. At the same time, the proliferation of network-connected devices (e.g., internet of things (IoT) devices such as televisions, security cameras (IP cameras), wearable devices, medical devices, etc.) can make it difficult to effectively ensure that network security is maintained. Classification can be particularly important for securing a network because lack of knowledge about what a device is can prevent application of appropriate security measures.
Accordingly, described herein in various implementations are systems, methods, techniques, and related technologies which allow for improved classification of entities by using multiple models with varying levels of granularity, enabling the securing of a network, including performing one or more policies based on the classification of an entity. The usage of multiple models with varying levels of granularity enables overcoming various problems including imbalanced labels, hierarchical labels, and discrepancies in property distribution. Embodiments may overcome these problems while improving performance and reducing the resources used for classification. Entity or device visibility becomes more and more important as the number and diversity of devices increase. Detecting or discovering devices in a network is likely not enough to protect the network. With the increasing number and diversity of devices, classification can increasingly need more resources such as storage, processing capabilities, etc. For example, local computing resources may limit or slow the usage of increasingly complicated and large machine learning (ML) models. The current profile based classification of known devices may provide classification for approximately 90% function and 75% operating system (OS) coverage. The benefits of the current profi