GB2566010A - Method and system for network devices - Google Patents


Info

Publication number: GB2566010A
Authority: GB (United Kingdom)
Prior art keywords: network, fingerprint, request, identifying, response
Legal status: Withdrawn
Application number: GB1713588.0A
Other versions: GB201713588D0 (en
Inventor: Marshall Jonathan, Wilson Callum
Current Assignee: Connect Devices Ltd
Original Assignee: Connect Devices Ltd
Application filed by Connect Devices Ltd
Priority to GB1713588.0A
Publication of GB201713588D0
Publication of GB2566010A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/08 Access security
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00 Data switching networks
    • H04L12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/2803 Home automation networks
    • H04L12/2807 Exchanging configuration information on appliance services in a home automation network
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1433 Vulnerability analysis
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/2866 Architectures; Arrangements
    • H04L67/30 Profiles
    • H04L67/303 Terminal profiles
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/12 Detection or prevention of fraud
    • H04W12/121 Wireless intrusion detection systems [WIDS]; Wireless intrusion prevention systems [WIPS]
    • H04W12/122 Counter-measures against attacks; Protection against rogue devices

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Automation & Control Theory (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Power Engineering (AREA)
  • Computer And Data Communications (AREA)

Abstract

The identity of a device 402 connected to a network 404 is determined by first obtaining one or more identifying characteristics 410 from the device. The probability of a first identity may be derived based on both these identifying characteristics and data stored in a database. A device fingerprint may be obtained based on these characteristics and respective probabilities derived of a match between this and a plurality of stored fingerprints. The characteristics may be obtained by sending a query 412 to the device, and the determination may be performed by a remotely located processing device. The system may be used to improve the security of a network with respect to devices which do not have means for installing security software, such as fridges, kettles and toasters which possess a network connection for maintenance reporting. In a second aspect, a measure of the vulnerability of a device may be obtained based on a characteristic of the device, and in a third aspect a communication from a source is processed based on a confidence factor.

Description

METHOD AND SYSTEM FOR NETWORK DEVICES
Field of the invention
This invention relates to methods and systems for networks and particularly, but not exclusively, methods and systems for identifying vulnerabilities in networks.
Background to the invention
Local networks are a nearly ubiquitous feature of businesses and homes. The number of devices connected to the average local network is increasing. This is particularly true as more and more non-computing devices are given connectivity. Examples include security cameras, fridges, kettles, toasters, coffee makers, toys and the like. These devices connect to a network for a variety of reasons, including fault and maintenance reporting and for marketing reasons.
While most computing devices are protected from malicious influence and attack by use of security software (e.g. “virus scanners” and the like), the same does not hold true for non-computing devices, most of which do not have a means to install security software. The majority of such devices possess only rudimentary security measures, if any at all. Furthermore, such devices are rarely subjected to periodic updates. Yet further, many such devices are provided with inadequate protection for any confidential information, such as passwords (in particular network passwords), stored in their memory. This potentially allows unauthorised persons to connect to, and make use of, these devices without the consent of the owner. In some cases, the unauthorised person can take over a device without the owner even realising.
In order for the risk to a network to be mitigated or removed, it is necessary for a network owner or operator to be aware of the risks posed by each of the devices connected thereto. While databases of security concerns and vulnerabilities exist, these are typically not updated sufficiently often to be of daily use.
Furthermore, in order to properly identify and assess security risks or concerns, it is necessary to be able to identify each device on a network. This is, however, not always possible.
Summary of the invention
In accordance with a first aspect of the invention, there is provided a method for determining an identity of a device, the device being connected to a first network, the method comprising:
detecting a first device;
obtaining at least one identifying characteristic from the first device; and
determining an identity of the first device based on the at least one identifying characteristic.
In some embodiments, the step of determining may comprise deriving at least one probability of a first identity of the first device, wherein the first probability is derived based on the at least one identifying characteristic. The first probability may further be derived based on data stored in a first database.
In some embodiments, the deriving step may comprise:
obtaining a fingerprint of the first device based on the at least one identifying characteristic;
deriving at least one probability of a match between the fingerprint and at least one of a plurality of stored fingerprints; and
selecting one of the at least one derived probabilities based on a first selection criterion.
In some embodiments, a plurality of identifying characteristics are obtained. Further, the fingerprint may be obtained based on a plurality of identifying characteristics.
In some embodiments, the step of obtaining the at least one identifying characteristic may comprise:
transmitting at least a first query to the first device; and
receiving a response to the at least first query from the first device, the response comprising the at least one identifying characteristic.
The at least first query may comprise one or more of: an ICMP request; an mDNS broadcast; a UPnP broadcast; an ARP lookup; an SNMP request; a DNS request; an HTTP request; an SMB request; an SSH request; a certificate request; an FTP banner; a local network settings request; or a list of open IP ports.
The list of responses may include (but not be limited to) the following: an ICMP response; an mDNS response; a UPnP response; an ARP lookup; an SNMP response; a DNS response; an HTTP response; an SMB response; an SSH response; the certificate details from a secure protocol; an FTP response; details about the local network; or a list of open IP ports and their protocols.
In accordance with a second aspect of the invention, there is provided a computer system comprising at least a first computing device, the first computing device being operable to connect to a network, wherein the first computing device comprises:
a detection element for performing the detection step as set out above; and
a communication element for performing the obtaining step as set out above.
Embodiments of the second aspect of the invention may include one or more features of the first aspect of the invention or its embodiments.
In accordance with a third aspect of the invention, there is provided a method of scanning a network, comprising:
detecting a first device;
obtaining at least one identifying characteristic of the first device; and
transmitting the at least one identifying characteristic to a remote device for processing.
Embodiments of the third aspect of the invention may include one or more features of the first or second aspects of the invention or its embodiments.
In accordance with a fourth aspect of the invention, there is provided a computing device, the computing device being operable to connect to a network, wherein the computing device comprises:
a detection element for performing the detection step as set out above; and
a communication element for performing the obtaining step as set out above.
In an aspect, there is further provided a processing device, the processing device being located remotely from the first computing device, wherein the processing device comprises:
a processing element for performing the determining step as set out above.
Embodiments of the fourth aspect of the invention may include one or more features of the first, second or third aspects of the invention or its embodiments.
In accordance with a fifth aspect of the invention, there is provided a method of identifying a first device, the method comprising:
receiving at least one identifying characteristic of a first device; and
determining an identity of the first device based on the at least one identifying characteristic.
Embodiments of the fifth aspect of the invention may include one or more features of the first, second, third or fourth aspects of the invention or its embodiments.
In accordance with a sixth aspect of the invention, there is provided a processing device, the processing device being connected to a network, wherein the processing device comprises:
a communication receiving element for performing the receiving step as set out above; and
a processing component for performing the determining step as set out above.
Embodiments of the sixth aspect of the invention may include one or more features of the first, second, third, fourth or fifth aspects of the invention or its embodiments.
In accordance with a seventh aspect of the invention, there is provided a method of determining vulnerability of a first device, the method comprising:
obtaining at least a first fingerprint of the first device;
identifying the first device based on the first fingerprint;
determining a first characteristic of the first device; and
deriving a measure of the vulnerability of the first device.
Embodiments of the seventh aspect of the invention may include one or more features of the first, second, third, fourth, fifth or sixth aspects of the invention or its embodiments.
In accordance with an eighth aspect of the invention, there is provided a computer system comprising at least a first computing device, the first computing device being operable to connect to a network, wherein the first computing device comprises:
a communication element for performing the obtaining step as set out above.
In an embodiment, the computer system further comprises a processing device, the processing device being located remotely from the first computing device, wherein the processing device comprises:
a processing element for performing at least some of the identification, determining or derivation steps as set out above.
Embodiments of the eighth aspect of the invention may include one or more features of the first, second, third, fourth, fifth, sixth or seventh aspects of the invention or its embodiments.
In accordance with a ninth aspect of the invention, there is provided a method for a computer system connected to a network of issuing notifications to devices, the devices being unconnected to the network, the method comprising:
determining a vulnerability score for a device, said device being unconnected to a network; and
transmitting an alert to the device by way of a secondary transmission means.
Embodiments of the ninth aspect of the invention may include one or more features of the first, second, third, fourth, fifth, sixth, seventh or eighth aspects of the invention or its embodiments.
In accordance with a tenth aspect of the invention, there is provided a computer system comprising at least a first processing device, wherein the first processing device comprises:
a processing element for performing the method as set out above.
Embodiments of the tenth aspect of the invention may include one or more features of the first, second, third, fourth, fifth, sixth, seventh, eighth or ninth aspects of the invention or its embodiments.
In accordance with an eleventh aspect of the invention, there is provided a method for a computer system, the method comprising:
receiving a first communication from a first source;
determining a first confidence factor for the first communication based on a first set of requirements; and
processing the first communication based on the first confidence factor.
Embodiments of the eleventh aspect of the invention may include one or more features of the first, second, third, fourth, fifth, sixth, seventh, eighth, ninth or tenth aspects of the invention or its embodiments.
In accordance with a twelfth aspect of the invention, there is provided a computer system comprising at least a first processing device, the processing device being operable to connect to a network, wherein the processing device comprises:
a communication element for performing the receiving step as set out above; and
a processing element for performing the determining and processing steps as set out above.
Embodiments of the twelfth aspect of the invention may include one or more features of the first, second, third, fourth, fifth, sixth, seventh, eighth, ninth, tenth or eleventh aspects of the invention or its embodiments.
In accordance with a thirteenth aspect of the invention, there is provided a computer program product comprising machine-readable instructions which, when executed by a computer, cause the computer to carry out the method as set out above.
Embodiments of the thirteenth aspect of the invention may include one or more features of the first, second, third, fourth, fifth, sixth, seventh, eighth, ninth, tenth, eleventh or twelfth aspects of the invention or its embodiments.
These and other aspects and advantages of the apparatus and methods disclosed herein will be appreciated from a consideration of the following description and drawings of exemplary embodiments.
Brief description of the drawings
An embodiment of the invention will now be described, by way of example, with reference to the drawings, in which:
Figure 1 is a schematic illustration of a local network;
Figure 2 shows an example of unauthorised access into a local network;
Figure 3 illustrates a method of identifying a first device in accordance with a first embodiment of the invention;
Figure 4 shows a system in which the method of Figure 3 is implemented;
Figure 5 shows an exemplary derivation step that may be implemented in the method of Figure 3;
Figure 6 illustrates a method of scanning a network in accordance with a second embodiment of the invention;
Figure 7 shows a system in which the method of Figure 6 is implemented;
Figure 8 illustrates a method of identifying a first device in accordance with a third embodiment of the invention;
Figure 9 shows a system in which the method of Figure 8 may be implemented;
Figure 10 illustrates a method of determining vulnerability of a first device in accordance with a fourth embodiment of the invention;
Figure 11 illustrates a system in which the method of Figure 10 may be implemented;
Figure 12 shows a method for a computer system connected to a network of issuing notifications to devices in accordance with a fifth embodiment of the invention;
Figure 13 illustrates a system in which the method of Figure 12 may be implemented;
Figure 14 shows a method for a computer system connected to a network of issuing notifications to devices in accordance with a sixth embodiment of the invention; and
Figure 15 illustrates a system in which the method of Figure 14 may be implemented.
Description of preferred embodiments
It may be illustrative to describe an exemplary environment in which the exemplary embodiments of the invention may be implemented. It will, of course, be appreciated that the following environment is exemplary only, and not intended to be limiting. Other environments, comprising alternative or additional components, may easily be envisaged.
Figure 1 illustrates a local network 102 comprising a number of devices or elements connected thereto. The local network comprises a first communication element 104 (e.g. a router or a hub) that connects the network to an outside network 106 (e.g. a WAN). Each of the devices 108, 110, 112, 114 connected to the local network may be connected to each of the other devices in a suitable fashion. In some examples, the connections between devices comprise wired connections. In other examples, the connections comprise wireless connections. In yet other examples, the connections comprise both wired and wireless connections.
The local network may comprise any suitable types of devices. The types and number of devices may be dependent on the specific type of local network. For example, a network located in a person’s home may comprise one or more personal mobile devices (e.g. telephones, tablet devices, etc), one or more entertainment devices (e.g. televisions or entertainment consoles) and one or more personal computing devices (e.g. PCs or laptops). In some examples, the local network may also comprise one or more so-called “smart devices”. These include, but are not limited to, security cameras, fridges, washing machines, toasters, tumble dryers or toys.
Traditionally, the main vulnerability for a local network such as the one described above has been the router or other access points from the outside network. However, with the advent of “smart devices”, the potential number of vulnerabilities in a home network is rapidly increasing.
In part, this is due to the increased use of wireless communication technology (e.g. WiFi, Bluetooth, Zigbee or Z-Wave) within local networks. Rather than using traditional wired connections, an increasing number of devices primarily connect to local networks using wireless technology. Furthermore, “smart devices” are typically only equipped with rudimentary protection mechanisms, such as password protection, rather than the more complex and secure protection mechanisms found on personal computing devices. As a result, it is often easier for an unauthorised person to gain access to a local network via a “smart device” than via the router or another computing device.
In situations where a “smart device” is located in a well-controlled or private location, this may not be a problem. However, if the “smart device” is in a public location, or if it can potentially be accessed by unauthorised persons, it poses a risk to the security and integrity of the network to which it is connected.
Figure 2 illustrates an exemplary situation, where an unauthorised person 202 is able to access a first “smart device” 204 belonging to a local network 206. The unauthorised person is not able to access any other devices 208, 210, 212 connected to the network apart from the first “smart device”. The smart device may, for example, be a security camera that is able to access the local network via a wireless connection.
The unauthorised person gains access to the first “smart device” either remotely or physically (e.g. by stealing the above-mentioned security camera), and is therefore able to gain access to any passwords (or other security measures) that may be stored in the memory 214 of the first “smart device”. This, in turn, enables the unauthorised person to gain access to the local network itself. At this stage, the local network is essentially under the control of the unauthorised person.
In order to reduce the risk of the above-described unauthorised access to the local network, it would be advantageous if the network operator or owner is able to evaluate the integrity of the network. In particular, it would be advantageous for the network operator or owner to be able to identify which devices potentially constitute a security risk to the network.
A first exemplary method in accordance with the present invention will now be described with reference to Figures 3 and 4.
In a first step 301, a first device 402 is detected, the first device being previously unidentified. It should be noted that the term unidentified is purely used in terms of vulnerability assessments and electronic recognition of a device. Accordingly, the first device could be a new device that an owner of a local network 404 has just purchased, which is being connected to the local network. In the present example, the first device is connected to local network 404. The first device may be detected in any suitable fashion. The unidentified device may be detected by any suitable device, for example a second device 406 already connected to the network. For clarity and conciseness purposes, reference will only be made to the second device in the following, although it will be appreciated that the exemplary method could be performed by any one or more of the one or more devices 408 located within the network.
In some examples, the first device 402 may transmit one or more notifications which, when received by the second device 406, cause the second device to detect the presence of the unidentified device. Any suitable notification could be used. In other examples, the second device 406 transmits a suitable signal to detect any previously undetected devices. The second device may transmit the suitable signal any suitable number of times. In an example, the second device transmits the suitable signal once only. In another example, the second device transmits a plurality of suitable signals at one or more suitable intervals. This could, for example, be a standard query signal that is transmitted at periodic intervals (e.g. once a day, twice a day, once a week or once a month).
In a second step 302, at least one identifying characteristic 410 is obtained from the first device. The at least one identifying characteristic may be obtained in any suitable fashion. In some examples, the identifying characteristic is transmitted by the first device. In an example, the identifying characteristic is transmitted by the first device periodically at a suitable interval. In an example, the identifying characteristic is transmitted only once to the second device. In a specific example, the first device transmits the identifying characteristic upon performing its own detection step.
In other examples, the second device transmits a query 412 to the first device 402 in response to which the first device replies by transmitting the identifying characteristic 410 to the second device 406. The query, in some examples, is substantially identical to the suitable signal described above. The query may have any suitable type or format, including (but not limited to) an ICMP request; an mDNS broadcast; a UPnP broadcast; an ARP lookup; an SNMP request; a DNS request; an HTTP request; an SMB request; an SSH request; a certificate request; an FTP banner; a local network settings request; or a list of open IP ports.
The identifying characteristic may comprise any suitable information having any suitable format. For example, the identifying characteristic may, without limitation, comprise DNS information, an IP address or a MAC address. It will be appreciated that the specific format and type of data comprised in the identifying characteristic may be dependent on a number of specific factors, including (but not limited to): type and format of the query; type and model of one or more components comprised in the unidentified device; one or more characteristics of the network; one or more characteristics of the first device; or the content and/or format of the query.
In a third step 303, an identity of the first device 402 is determined, based on the at least one identifying characteristic. The determination may be performed in any suitable fashion. In some examples, the specific implementation of the determination may be dependent on the format and/or type of the at least one identifying characteristic.
In one example, the determining step comprises deriving at least one probability of a first identity of the first device, wherein the first probability is derived based on the at least one identifying characteristic. It will be appreciated the first probability may be derived in any suitable fashion and using a suitable deriving algorithm, either in isolation or as part of a submethod with one or more steps. The first probability may be derived based on any suitable amount of data from any suitable number of sources. In an example, the first probability is derived solely based on the at least one identifying characteristic. In another example, however, the first probability is additionally based on data stored in a first database. The database may be located within the network, or it may be a remote database to which the first device is connected via a suitable connection.
An exemplary derivation step for deriving the at least one probability of a first identity will now be described with reference to Figure 5. It will be appreciated that modifications and alternative implementations of the derivation step may be envisaged within the scope of the present invention.
In a first step 501, a fingerprint of the first device based on the at least one identifying characteristic is obtained. The fingerprint may be obtained in any suitable fashion and may comprise any suitable amount of data. In some examples, the fingerprint comprises all of the at least one identifying characteristics. In other examples, the fingerprint comprises a modified instance of all of the at least one identifying characteristics. It will be appreciated that the step of obtaining the fingerprint may comprise any relevant number of processing steps. In some examples, the identifying characteristics may be reformatted or encoded as part of the obtaining step.
In a second step 502, at least one probability of a match between the fingerprint and at least one of a plurality of stored fingerprints is derived. The probability may be derived in any suitable fashion using a suitable algorithm. It will be appreciated that a number of specific implementations of the second step may be envisaged. For example, the probability may be calculated by combining a number of identifying characteristics of a device, e.g. an ICMP response; an mDNS response; a UPnP response; an ARP lookup; an SNMP response; a DNS response; an HTTP response; an SMB response; an SSH response; the certificate details from a secure protocol; an FTP response; details about the local network; or a list of open IP ports and their protocols. In some examples, one or more of the identifying characteristics may be weighted. In an example, a plurality of probabilities are derived between the fingerprint and a plurality of stored fingerprints. This may, for example, be the case if two stored fingerprints are identical. In such an instance, the user may optionally be prompted to select which device is actually being evaluated.
In a third step 503, one of the at least one derived probabilities is selected based on a first selection criterion. Any suitable selection criterion may be used. In an example, the first selection criterion comprises a threshold probability value. In another example, the first selection criterion comprises selecting the derived probability with the highest value. In yet other examples, the first selection criterion comprises a number of subcriteria, which may be used in conjunction. In a specific example, the first selection criterion comprises selecting the highest probability value that is over a particular threshold. The first selection criterion may be selected in dependence on the specific situation. The first selection criterion may have a fixed value (or values), or it may be variable.
The above methods may be performed using any suitable system. In some examples, all of the method steps are performed by a single device (e.g. the second device 406 of Figure 4). However, under certain circumstances, it may not be feasible for a single device to perform all of the method steps. This could, for example, be the case if the device performing the method steps lacks sufficient processing or memory capacity to carry out the method steps within an acceptable timeframe.
In an example, the first step is performed by a device located within the same local network as the unidentified device (e.g. the second device 406 of Figure 4). For example, the device could be a user’s personal computing device (e.g. mobile telephone, tablet or other computer). Once the fingerprint has been obtained, it is transmitted via a secure connection to a remote processing device (e.g. a server) operated by a trusted party. Alternatively, the fingerprint may be delivered to the remote processing device by way of a secure storage medium, such as a USB or Flash drive. The remote processing device then performs the second method step.
The third method step may also be performed by the remote processing device. Alternatively, the results of the second step may be transmitted back to the device, which then performs the third method step. It will be appreciated that many specific implementations of the above method are possible, and that at least some of them will be dependent on the characteristics and properties of the devices involved.
The remote processing device may be of any suitable type or may comprise any suitable number of components. It may be located in any suitable location, including (but not limited to): within the network; in a remote location outside the network; or in a remote location connected to the network by the secure connection (e.g. a “cloud” processing device).
An exemplary method in accordance with the present invention will now be described with reference to Figures 6 and 7.
In a first step 601, a first device 702 is detected. The first device is previously unidentified. As described above with reference to Figures 4 and 5, the term unidentified is purely used in terms of vulnerability assessments and electronic recognition of a device. In the present example, the first device is connected to a local network 704. The first device may be detected in any suitable fashion by any suitable device, for example a second device 706 already connected to the network. For clarity and conciseness purposes, reference will only be made to the second device in the following, although it will be appreciated that the exemplary method could be performed by any one or more of any additional devices 708 that may be located within the network.
In some examples, the first device may transmit one or more notifications which, when received by the second device, cause the second device to detect the presence of the unidentified device. Any suitable notification could be used. In other examples, the second device transmits a suitable signal to detect any previously undetected devices. The second device may transmit the suitable signal any suitable number of times. In an example, the second device transmits the suitable signal once only. In another example, the second device transmits a plurality of suitable signals at one or more suitable intervals. This could, for example, be a standard query signal that is transmitted at periodic intervals (e.g. once a day, twice a day, once a week or once a month).
In a second step 602, at least one identifying characteristic 710 of the first device 702 is obtained. The at least one identifying characteristic may be obtained in any suitable fashion. In some examples, the identifying characteristic is transmitted by the first device. In an example, the identifying characteristic is transmitted by the first device periodically at a suitable interval. In an example, the identifying characteristic is transmitted only once to the second device. In a specific example, the first device transmits the identifying characteristic upon performing its own detection step.
In other examples, the second device 706 transmits a query 712 to the first device in response to which the first device replies by transmitting the identifying characteristic to the second device. The query, in some examples, is substantially identical to the suitable signal described above. The query may have any suitable type or format, including (but not limited to) an IP request, an ARP request, an SNMP request, a uPnP vendor string, an mDNS response, a DNS request or a MAC request.
The identifying characteristic 710 may comprise any suitable information having any suitable format. For example, the identifying characteristic may, without limitation, comprise an ICMP response; an mDNS response; a uPnP response; an ARP lookup; an SNMP response; a DNS response; an HTTP response; an SMB response; an ssh response; the certificate details from a secure protocol; an ftp response; details about the local network; or a list of open IP ports and their protocols. It will be appreciated that the specific format and type of data comprised in the identifying characteristic may be dependent on a number of specific factors, including (but not limited to): type and format of the query; type and model of one or more components comprised in the unidentified device; one or more characteristics of the network; or one or more characteristics of the first device.
In a third step 603, the at least one identifying characteristic of the first device is transmitted to a remote device 714 for processing. In some examples, the at least one identifying characteristic is transmitted by way of a communication connection (e.g. a wired or wireless connection). Such a connection may utilise any suitable transmission protocols or data formats, including encryption and/or encoding. Alternatively, the at least one identifying characteristic may be transmitted by way of a suitable storage medium, e.g. a USB storage medium or a Flash drive.
The remote device may be any suitable device. In some examples, the remote device is a server operated by a trusted party.
A third exemplary method in accordance with the present invention will now be described with reference to Figures 8 and 9.
In a first step 801, at least one identifying characteristic 902 of a first device 904 is received by a receiving entity 906. The first device may be any suitable device. In an example, the first device is located in a network 908 to which the receiving entity is connected (either directly or indirectly). In an example, the first device is substantially identical to the first device in any one of the examples described above.
In an example, the receiving entity is a remote processing device (e.g. a server) that is owned by a trusted party. In another example, however, the receiving entity is a processing device located remotely from the first device, but operated by the owner of the first device.
The at least one identifying characteristic may be received in a suitable manner. In some examples, the at least one identifying characteristic is received by way of a communication connection (e.g. a wired or wireless connection). Such a connection may utilise any suitable transmission protocols or data formats, including encryption and/or encoding. Alternatively, the at least one identifying characteristic may be received by way of a suitable storage medium, e.g. a USB storage medium or a Flash drive.
In a second step 802, an identity of the first device 904 is determined, based on the at least one identifying characteristic 902. The determination may be performed in any suitable fashion. In some examples, the specific implementation of the determination may be dependent on the format and/or type of the at least one identifying characteristic.
In one example, the determining step comprises deriving at least one probability of a first identity of the first device, wherein the first probability is derived based on the at least one identifying characteristic. It will be appreciated that the first probability may be derived in any suitable fashion and using a suitable deriving algorithm, either in isolation or as part of a submethod with one or more steps. The first probability may be derived based on any suitable amount of data from any suitable number of sources. In an example, the first probability is derived solely based on the at least one identifying characteristic. In another example, however, the first probability is additionally based on data stored in a first database 910. The database may be located within the network, or it may be a remote database to which the first device is connected via a suitable connection.
As described above, the derivation step may be performed in any suitable fashion. In one example, the derivation step is performed in a substantially identical manner to that described above with reference to Figure 5. Nevertheless, it will be appreciated that modifications and alternative implementations of the derivation step may be envisaged within the scope of the present invention.
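The derive-then-select procedure referred to above (a probability of a match against each stored fingerprint, followed by a selection criterion such as the highest value over a threshold) can be sketched as follows. This is an added example and not code from the patent: the characteristic names, the weights, the stored fingerprints, the use of a weighted similarity score as the "probability" and the 0.6 threshold are all assumptions.

```python
"""Added example: score an observed fingerprint against stored ones, then select."""

# Assumed weights per identifying characteristic (the description only says
# that characteristics may be weighted, not how).
WEIGHTS = {"mac_oui": 3.0, "mdns_service": 2.0, "upnp_vendor": 2.0,
           "http_server": 1.5, "open_ports": 1.5}
DEFAULT_WEIGHT = 1.0  # assumed weight for any characteristic not listed above

# Constructed stored fingerprints standing in for the "first database".
STORED_FINGERPRINTS = {
    "ExampleCam IP camera": {
        "mac_oui": "00:11:22", "upnp_vendor": "ExampleCam",
        "http_server": "examplecam-httpd", "open_ports": frozenset({80, 554})},
    "ExampleTV smart television": {
        "mac_oui": "AA:BB:CC", "mdns_service": "_exampletv._tcp",
        "upnp_vendor": "ExampleTV", "open_ports": frozenset({80, 8008, 8009})},
    "ExamplePrint printer": {
        "mac_oui": "00:11:22", "mdns_service": "_ipp._tcp",
        "http_server": "exampleprint", "open_ports": frozenset({80, 631, 9100})},
}

# Constructed fingerprint of a newly detected device.
OBSERVED_CAMERA = {
    "mac_oui": "00:11:22", "upnp_vendor": "examplecam",
    "http_server": "examplecam-httpd", "open_ports": frozenset({80, 554, 8080})}


def similarity(observed, stored):
    """Similarity in [0, 1] for one characteristic; missing on either side is 0."""
    if observed is None or stored is None:
        return 0.0
    if isinstance(observed, (set, frozenset)) and isinstance(stored, (set, frozenset)):
        union = observed | stored
        # Jaccard overlap for port lists; two empty lists count as identical.
        return len(observed & stored) / len(union) if union else 1.0
    same = str(observed).strip().lower() == str(stored).strip().lower()
    return 1.0 if same else 0.0


def match_probability(fingerprint, stored):
    """Weighted similarity over every characteristic seen on either side."""
    keys = set(fingerprint) | set(stored)
    total = sum(WEIGHTS.get(k, DEFAULT_WEIGHT) for k in keys)
    if total == 0:
        return 0.0
    score = sum(WEIGHTS.get(k, DEFAULT_WEIGHT)
                * similarity(fingerprint.get(k), stored.get(k)) for k in keys)
    return score / total


def derive_probabilities(fingerprint, database=STORED_FINGERPRINTS):
    """Second step: one match probability per stored fingerprint."""
    return {identity: match_probability(fingerprint, stored)
            for identity, stored in database.items()}


def select_identity(probabilities, threshold=0.6):
    """Third step: highest probability that is over the threshold, else None."""
    if not probabilities:
        return None
    identity, best = max(probabilities.items(), key=lambda item: item[1])
    return (identity, best) if best > threshold else None


if __name__ == "__main__":
    probabilities = derive_probabilities(OBSERVED_CAMERA)
    for identity, value in sorted(probabilities.items(), key=lambda i: -i[1]):
        print(f"{value:.4f}  {identity}")
    print("selected:", select_identity(probabilities))
```

A device for which no stored fingerprint clears the threshold stays unidentified (`None`), which is the case a shared MAC prefix alone would otherwise misclassify.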
In the foregoing examples, the identity of the unidentified device has been determined based on one or more identifying characteristics (which may, collectively, be referred to as a fingerprint). In some situations, mere identification of one or more devices in a network may sufficiently highlight any potential problems or issues within the network.
However, in most situations, it may be advantageous to determine a measure of the vulnerability for each detected device, the measure of vulnerability providing an indication of the vulnerability of the device to one or more specified types of malicious behaviour or attack. Such measures of vulnerability can subsequently be used to either automatically or manually take corrective and protective action to prevent harm to the network.
A fourth exemplary method in accordance with the present invention will now be described with reference to Figures 10 and 11.
In a first step 1001, at least a first fingerprint 1102 of a first device 1104 is obtained. The fingerprint may comprise any suitable data with any suitable format or encoding. In some examples, the fingerprint comprises a plurality of identifying characteristics 1106. In some examples, the fingerprint comprises a plurality of identifying characteristics, wherein each of the identifying characteristics has been weighted by one or more weighting factors.
In yet other examples, the fingerprint comprises at least a first identifying characteristic, wherein the first identifying characteristic has been obtained a plurality of times. In a specific example, the plurality of first identifying characteristics has been obtained at one or more specific intervals. The intervals may have any suitable length. In some examples, the intervals are dependent on one or more of: the characteristics of the first device; characteristics of a network to which the first device is connected; or the characteristics of at least one other device in the network. In some examples, the identifying characteristics are obtained at periodic intervals.
In a specific example, all of the identifying characteristics are obtained at a particular frequency (which will be referred to, in the following, as a “fingerprint frequency”). The fingerprint frequency may have any suitable value, including (but not limited to): one hour; two hours; four hours; eight hours; twelve hours; one day; two days; one week; or one month. The fingerprint frequency may in some examples be variable, wherein the variability is dependent on one or more factors (e.g. the frequency of use of one or more devices in the network or the characteristics of the network or use thereof).
It should be noted that the fingerprint frequency may be controlled by any suitable entity; e.g. the user or operator of the network, the user or operator of the second device, or a remote processing device. The fingerprint frequency may be set such that there is a statistical likelihood that a majority of devices within the network are either in use or at least connected to the network. Additionally or alternatively, the fingerprint frequency may be set such that the network is interrogated when a minority of devices are typically connected, thereby enabling potentially aberrant device behaviour to be more easily identified.
In other examples, the fingerprint comprises a plurality of identifying characteristics, wherein at least one of the identifying characteristics has been obtained a plurality of times. In a specific example, the fingerprint comprises a plurality of identifying characteristics, each of the identifying characteristics having been obtained a plurality of times. Each of the plurality of identifying characteristics comprised in the fingerprint may have been obtained substantially simultaneously, or at different times. In a specific example, each of the plurality of identifying characteristics is obtained at the fingerprint frequency.
The fingerprint, and by extension the identifying characteristics, may be obtained in any suitable fashion. In some examples, the specific method by which each of the identifying characteristics is obtained may be dependent on the format and/or specific details of the identifying characteristics. In an example, the fingerprint is obtained in a manner substantially identical to that described with reference to Figures 4 or 5 above. In an example, the fingerprint is obtained by a second device 1108 located in the same network 1110 as the first device as substantially described above. The second device may be any suitable device, e.g. a mobile device, a router/hub or a personal computer. It should be noted that the fingerprint frequency may in some examples be dependent on the use pattern of the second device. For example, a router/hub is typically connected to the network constantly, which enables the fingerprint frequency to be very high. By contrast, a personal computer or a mobile device may only be connected to the network at specific times, which enables only a lower fingerprint frequency to be used. It will, of course, be appreciated that, while described only with respect to the second device in the above, the obtaining step could be performed by a plurality of devices connected to the network. For example, both of the mobile device and the router/hub could be used to obtain fingerprints.
In a second step 1002, the first device 1102 is identified 1114 based on the first fingerprint. The identification step may be carried out in any suitable fashion, using any suitable methodology. In an example, an identification substantially identical to that described above with reference to Figures 4 and 5 is utilised to identify the first device. In other examples, a different methodology is utilised.
The identification step may be performed by any suitable entity. In the present example, the fingerprint is transmitted to a processing device 1112 located remotely from the network 1110. The processing device may, for example, be a server owned by a trusted party. In such examples, the fingerprint is transmitted in a suitable fashion. In some examples, the fingerprint is transmitted by way of a communication connection (e.g. a wired or wireless connection). Such a connection may utilise any suitable transmission protocols or data formats, including encryption and/or encoding. Alternatively, the fingerprint may be transmitted by way of a suitable storage medium, e.g. a USB storage medium or a Flash drive.
In a third step 1003, a first characteristic 1116 of the first device is determined. Any suitable or relevant first characteristic may be determined. In an example, the first characteristic is a vulnerability score. The vulnerability score may be obtained in a suitable fashion. In some examples, the vulnerability score is calculated based on one or more factors. In other examples, the vulnerability score has been previously calculated and has been stored in a suitable fashion for subsequent use. In a specific example, the vulnerability score is derived from at least a first source. In another example, the vulnerability score is derived from a plurality of scores originating with a plurality of sources. In such an example, each of the plurality of scores may be weighted in a suitable fashion.
The vulnerability score may be obtained directly or indirectly from any suitable source. In the present example, the vulnerability score is based on a vulnerability score obtained from a first trusted source 1120. The first trusted source may be any suitable source. For example, the vulnerability score may originate from a standards organisation, or a non-governmental organisation, or another third party (e.g. for product recalls). In some examples, the vulnerability score may originate from a vendor of software or hardware. In yet other examples, the vulnerability score may originate from an academic institution (e.g. a university).
In a fourth step 1004, a measure of the vulnerability 1118 of the first device is derived. The measure of vulnerability may be derived in a suitable fashion. In an example, the measure of vulnerability depends on a single parameter, whereas in another example, the measure of vulnerability depends on a plurality of parameters. In an example, the measure of vulnerability is based on one or more of: the first characteristic, the identity of the first device; the fingerprint of the first device; or the fingerprint frequency. In some examples, one or more of the parameters may be weighted in a suitable manner.
Once the measure of vulnerability has been derived, a number of actions may be taken by any one of: the system; the first device; a user of the system; or an administrator of the system. One or more of the actions may be carried out automatically. In some examples, if a critical vulnerability has been identified, the system may issue a notice to a controlling entity of the network. The controlling entity may then take appropriate action, such as (but not limited to) disconnecting the first device, updating the security systems located on the first device or disconnecting the network from any outside networks to which it is connected. Alternatively, the system may issue a notification to a user or administrator of the system. In such an instance, it is up to the user or administrator to take any corrective action.
In some examples, the system may re-derive the measure of vulnerability after a given time has elapsed. This is to, for example, allow the user or administrator to deal with the cause of the vulnerability.
It will be appreciated that the above-described methods may be implemented in any suitable network or network system. Further, it will be appreciated that, while described above only in relation to a single device within a network, the method could easily be applied to any number of devices within the network.
In some examples, each device in a network may be dealt with as described above, either sequentially or simultaneously. This allows a network to be evaluated for vulnerabilities in a timely and efficient manner. Furthermore, in some examples, each device is evaluated periodically (e.g. once per week). This allows for continuous monitoring of devices.
In the above-described examples, the devices under evaluation have been connected directly to a network. Under such circumstances, if a vulnerability is detected, the device may already have been used for malicious purposes. Accordingly, it would be advantageous if particularly vulnerable devices could be evaluated prior to being connected to a particular network. Additionally or alternatively, it would be advantageous to at least notify an owner or operator of such a device of the said vulnerability.
A fifth exemplary method in accordance with the present invention will now be described with reference to Figures 12 and 13.
In a first step 1201, a vulnerability score for a first device 1302 is determined, wherein the first device is unconnected to a network 1304. The vulnerability score may be determined in any suitable fashion and using a suitable means. For example, the vulnerability score may be determined based on one or more characteristics of the first device. In an example, the vulnerability score is determined by the remote processing device 1306 described above with reference to Figure 10 and Figure 11.
In an illustrative example, the first device is a television. The television may be able to connect to a network (i.e. it may be a “smart television”). However, in this example, it is unconnected to a network. This could, for example, be because the owner of the network has yet to connect it, or because the owner of the network is somehow hesitant to connect it. As such, it is not possible to directly scan the device for vulnerabilities using the methods described above, nor is it possible to detect the device within the network as described in some of the foregoing examples. However, the first device may still have one or more vulnerabilities that, if the first device was connected to the network at a later stage, could allow malicious or unauthorised access to the network.
In a second step 1202, an alert 1308 is transmitted to the first device by way of a secondary transmission means 1310. The alert may be transmitted in any suitable fashion, using any suitable secondary transmission means. In some examples, the secondary transmission means utilises one or more transmission signals using frequencies that the first device is capable of receiving. In an example, the secondary transmission means is a transmitter operable to transmit television broadcast signals or signals at television broadcast frequencies. In a specific example, the secondary transmission means is a television broadcast transmitter, and the one or more transmission signals are television broadcast signals. In the present example, the alert is comprised in the one or more transmission signals, either in addition to or alternative to television broadcast programme data.
The alert may comprise any suitable or relevant data. In an example, the alert comprises vulnerability data that may be read by a processing element in the first device. Subsequently, the processing element may cause a warning to a user to be shown on a display of the first device, or in another suitable fashion (e.g. using an audio output element comprised in the first device).
In the above-described examples, at least some of the derivations and determinations have been carried out based on one or more values (e.g. vulnerability scores). These values are in some examples stored in one or more databases. Such values may be calculated from other data, which may be submitted to the databases by relevant parties or sources. Such databases may, as described in the above, be maintained by non-governmental organisations, standards organisations and/or academic institutions. In other examples, a database may be maintained by a vendor or provider of the above-described methods.
Commonly, such databases are updated at specific intervals. Any suitable of updates may be utilised by such databases. Traditionally, database updates have been issued centrally or from a number of trusted sources. Whilst this guarantees a certain quality of updates, it also reduces update frequency and/or amount. It is therefore becoming increasingly common to at least partially use update or data sources that are not centrally controlled. For example, a first vulnerability database may allow certain users or operators to issue updates or to input data to be used in updates. Such users or operators may, in some examples, be trusted users or operators. In other examples, any user, or at least a subset thereof, may submit updates or input data to the database. In such examples, it is common for such updates to be reviewed or vetted before being entered into the database. The disadvantage of such requirements, however, is that the update speed and volume of a database is reduced compared with a database wherein updates may be made without vetting or review.
However, a major disadvantage of allowing a majority of users or operators to issue updates or input data is that the quality and consistency of updates or data may be difficult to maintain or control. Further, it is possible that some users or operators may abuse such a system to introduce malicious updates or data into the database (e.g. listing devices that are secure as insecure or adding false vulnerabilities). Furthermore, some users may supply incorrect information. This may in turn lead to vulnerabilities being either incorrectly categorised, or in some circumstances not even identified.
An exemplary method in accordance with the present invention will now be described with reference to Figures 14 and 15.
In a first step 1401, a first communication 1502 is received from a first source 1504. The first communication may comprise any suitable information or data content. In an example, the first communication comprises at least one vulnerability update for a first database 1506. The database may, in some examples, be substantially identical to one of the databases described above. In one example, the first database is maintained and operated by the same entity that manages and operates the first device. In other examples, the first database is operated by a trusted source (e.g. a non-governmental organisation or an academic institution or another third party).
The first source may comprise any suitable source. In an example, the first source is a first user of the first database who is at least able to submit updates to the first database. In another example, the first source is a second database operated by a second entity. In yet another example, the first source is a third party, such as a news agency or information broker.
In a second step 1402, a first confidence factor for the first communication is determined based on a first set of requirements. Any suitable set of requirements may be used to perform the determination. In some examples, the first set of requirements comprises a plurality of specific requirements.
The confidence factor may be determined in a suitable fashion. In an example, the first set of requirements comprises a first set of thresholds, each value in the first set of thresholds being associated with a corresponding one of one or more characteristics of the first communication. It will be appreciated that many specific implementations of the determination of the confidence factor may be envisaged within the scope of the present invention.
In a third step 1403, the first communication is processed based on the first confidence factor. The first communication may be processed in any suitable fashion. Additional or alternative factors may in some examples be utilised to process the first communication. In one example, if the confidence factor has a certain value or is within a certain range of values, the first communication is entered into a first database. In another example, if the confidence factor is outside a certain range of values, the first communication is rejected as being untrustworthy. In yet another example, the originator of the first communication is added to a list of untrusted sources if the confidence factor has a certain value or is within a certain range of values.
By suitably processing the first communication based on the first confidence factor, as well as any other communications based on respective confidence factors, it becomes possible to manage the integrity and accuracy of information stored in a particular database. Data that does not conform to the requirements is not entered into the database.
Further, the source of the data may be evaluated for quality of the data. If the quality of the data does not meet a set of requirements, in some examples, the source of the data may be prevented from submitting further data.
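The three steps above (receive a communication, determine a confidence factor from a set of thresholds, process the communication accordingly) can be sketched as a gate in front of the vulnerability database. This is an added example and not code from the patent: the characteristic names, the threshold values, the accept, review and block ranges, and the sample submissions are all assumptions.

```python
"""Added example: confidence-factor gate for vulnerability database updates."""
from dataclasses import dataclass, field

# Assumed requirement set: one minimum threshold per characteristic of a
# communication (the description only says each threshold is associated
# with a characteristic, not which ones).
REQUIREMENTS = {
    "source_accept_rate": 0.7,    # share of the source's earlier updates accepted
    "corroborating_reports": 2,   # independent sources reporting the same issue
    "evidence_items": 1,          # attached advisories or reproduction notes
    "fields_complete": 1.0,       # share of mandatory fields filled in
}
ACCEPT_AT = 0.75     # assumed: at or above this, enter into the database
REVIEW_AT = 0.5      # assumed: at or above this, hold for manual review
BLOCK_BELOW = 0.25   # assumed: below this, also list the source as untrusted


@dataclass
class VulnerabilityDatabase:
    entries: list = field(default_factory=list)
    review_queue: list = field(default_factory=list)
    untrusted_sources: set = field(default_factory=set)


def confidence_factor(characteristics, requirements=REQUIREMENTS):
    """Fraction of requirements met; a missing characteristic counts as unmet."""
    met = sum(1 for name, minimum in requirements.items()
              if characteristics.get(name, 0) >= minimum)
    return met / len(requirements)


def process_communication(db, communication):
    """Process one update according to its confidence factor."""
    source = communication["source"]
    if source in db.untrusted_sources:
        return "rejected: untrusted source"
    factor = confidence_factor(communication["characteristics"])
    if factor >= ACCEPT_AT:
        db.entries.append(communication["update"])
        return "entered"
    if factor >= REVIEW_AT:
        db.review_queue.append(communication)
        return "held for review"
    if factor < BLOCK_BELOW:
        db.untrusted_sources.add(source)
        return "rejected: source blocked"
    return "rejected"


def make(source, rate, reports, evidence, complete, score):
    """Build a constructed sample communication."""
    return {"source": source,
            "update": {"device": "ExampleCam IP camera",
                       "vulnerability": "PLACEHOLDER-VULN", "score": score},
            "characteristics": {"source_accept_rate": rate,
                                "corroborating_reports": reports,
                                "evidence_items": evidence,
                                "fields_complete": complete}}


# Constructed submissions, processed in order.
SAMPLES = [
    make("lab-a", 0.9, 3, 2, 1.0, 7.5),     # meets every requirement
    make("user-17", 0.8, 0, 1, 0.8, 6.0),   # meets two of four
    make("user-42", 0.3, 0, 1, 0.9, 9.8),   # meets one of four
    make("anon-99", 0.1, 0, 0, 0.5, 10.0),  # meets none
    make("anon-99", 0.9, 3, 2, 1.0, 10.0),  # same source, after being blocked
]


def run_samples():
    db = VulnerabilityDatabase()
    return db, [process_communication(db, sample) for sample in SAMPLES]


if __name__ == "__main__":
    database, outcomes = run_samples()
    for sample, outcome in zip(SAMPLES, outcomes):
        print(f"{sample['source']:8s} -> {outcome}")
    print("entries:", len(database.entries), "untrusted:", database.untrusted_sources)
```

The last sample shows why the untrusted-source list is checked before the confidence factor: a blocked source cannot regain entry by resubmitting with characteristics that would otherwise pass.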
The descriptions above are intended to be illustrative, not limiting. Thus, it will be apparent to one skilled in the art that modifications may be made to the invention as described without departing from the scope of the claims set out below.

Claims (40)

1. A method for determining an identity of a device, the device being connected to a first network, the method comprising:
detecting a first device;
obtaining at least one identifying characteristic from the first device; and
determining an identity of the first device based on the at least one identifying characteristic.
2. A method according to claim 1, wherein the step of determining comprises:
deriving at least one probability of a first identity of the first device, wherein the first probability is derived based on the at least one identifying characteristic.
3. A method according to claim 2, wherein the first probability is further derived based on data stored in a first database.
4. A method according to claim 3, wherein the deriving step comprises:
obtaining a fingerprint of the first device based on the at least one identifying characteristic;
deriving at least one probability of a match between the fingerprint and at least one of a plurality of stored fingerprints; and
selecting one of the at least one derived probabilities based on a first selection criterion.
5. A method according to claim 4, wherein a plurality of identifying characteristics are obtained.
6. A method according to claim 5, wherein the fingerprint is obtained based on a plurality of identifying characteristics.
7. A method according to any preceding claim, wherein the step of obtaining the at least one identifying characteristic comprises:
transmitting at least a first query to the first device; and
receiving a response to the at least first query from the first device, the response comprising the at least one identifying characteristic.
8. A method according to claim 7, wherein the at least first query comprises one or more of: an ICMP request; mDNS broadcast; a uPnP broadcast; an ARP lookup; a SNMP request; a DNS request; an HTTP request; an SMB request; a ssh request; a certificate request; a ftp banner; local network settings request; or a list of open IP ports.
9. A computer system comprising at least a first computing device, the first computing device being operable to connect to a network, wherein the first computing device comprises:
a detection element for performing the detection step of any of claims 1 to 8; and
a communication element for performing the obtaining step of any of claims 1 to 8.
10. The computer system of claim 9, further comprising a processing device, the processing device being located remotely from the first computing device, wherein the processing device comprises:
a processing element for performing the determining step of any of claims 1 to 8.
11. A method of scanning a network, comprising:
detecting a first device;
obtaining at least one identifying characteristic of the first device; and
transmitting the at least one identifying characteristic to a remote device for processing.
12. A method according to claim 11, wherein the step of obtaining the at least one identifying characteristic comprises:
transmitting at least a first query to the first device; and
receiving a response to the at least first query from the first device, the response comprising the at least one identifying characteristic.
13. A method according to claim 12, wherein the at least first query comprises one or more of: an ICMP request; mDNS broadcast; a uPnP broadcast; an ARP lookup; a SNMP request; a DNS request; an HTTP request; an SMB request; a ssh request; a certificate request; a ftp banner; local network settings request; or a list of open IP ports.
14. A computing device, the computing device being operable to connect to a network, wherein the computing device comprises:
a detection element for performing the detection step of any of claims 11 to 13; and
a communication element for performing the obtaining step of any of claims 11 to 13.
15. A method of identifying a first device, the method comprising:
receiving at least one identifying characteristic of a first device; and
determining an identity of the first device based on the at least one identifying characteristic.
16. A method according to claim 15, wherein the step of determining comprises:
deriving at least one probability of a first identity of the first device, wherein the first probability is derived based on the at least one identifying characteristic.
17. A method according to claim 16, wherein the first probability is further derived based on data stored in a first database.
18. A method according to claim 17, wherein the deriving step comprises:
obtaining a fingerprint of the first device based on the at least one identifying characteristic;
deriving at least one probability of a match between the fingerprint and at least one of a plurality of stored fingerprints; and
selecting one of the at least one derived probabilities based on a first selection parameter.
19. A method according to claim 18, wherein a plurality of identifying characteristics are obtained.
20. A method according to claim 19, wherein the fingerprint is obtained based on a plurality of identifying characteristics.
21. A processing device, the processing device being connected to a network, wherein the processing device comprises:
a communication receiving element for performing the receiving step of any of claims 15 to 21; and
a processing component for performing the determining step of any of claims 15 to 21.
22. A method of determining vulnerability of a first device, the method comprising:
obtaining at least a first fingerprint of the first device; identifying the first device based on the first fingerprint; determining a first characteristic of the first device; and deriving a measure of the vulnerability of the first device.
23. A method according to claim 22, wherein the first fingerprint comprises at least one identifying characteristic of the first device.
24. A method according to claim 22 or 23, wherein the at least one identifying characteristic comprises at least one of: DNS information; an ICMP response; mDNS response; a uPnP response; an ARP lookup; a SNMP response; a DNS response; an HTTP response; an SMB response; a ssh response; the certificate details from a secure protocol; a ftp response; details about the local network; or a list of open IP ports and their protocols.
25. A method according to any of claims 22 to 24, wherein the first fingerprint comprises a plurality of identifying characteristics of the first device.
26. A method according to any of claims 22 to 25, wherein the first characteristic is determined based on the first fingerprint.
27. A method according to claim 26, wherein the first characteristic is a vulnerability score.
28. A method according to claim 27, wherein the vulnerability score is obtained from at least a first trusted source.
29. A method according to any of claims 22 to 28, further comprising obtaining a plurality of fingerprints of the first device.
30. A method according to claim 29, wherein each of the plurality of fingerprints of the first device are obtained at least at a first frequency.
31. A method according to claim 30, further comprising recording the at least first frequency of obtaining the plurality of fingerprints of the first device.
32. A method according to any of claims 22 to 31, wherein the measure of vulnerability is derived based on at least one of the first characteristic, first fingerprint or the first frequency.
33. A computer system comprising at least a first computing device, the first computing device being operable to connect to a network, wherein the first computing device comprises:
a communication element for performing the obtaining step of any of claims 22 to 32.
34. The computer system of claim 33, further comprising a processing device, the processing device being located remotely from the first computing device, wherein the processing device comprises:
a processing element for performing at least some of the identification, determining or derivation steps of any of claims 22 to 32.
35. A method for a computer system connected to a network of issuing notifications to devices, the devices being unconnected to the network, the method comprising:
determining a vulnerability score for a device, said device being unconnected to a network; and transmitting an alert to the device by way of a secondary transmission means.
36. A computer system comprising at least a first processing device, wherein the first processing device comprises:
a processing element for performing the method of claim 35.
37. A method for a computer system, the method comprising receiving a first communication from a first source; determining a first confidence factor for the first communication based on a first set of requirements; and processing the first communication based on the first confidence factor.
38. A method according to claim 37, wherein the first communication comprises at least one vulnerability update for a first database.
39. A computer system comprising at least a first processing device, the processing device being operable to connect to a network, wherein the processing device comprises:
a communication element for performing the receiving step of claim 37 or claim 38; and a processing element for performing the determining and processing steps of claim 37 or 38.
40. A computer program product comprising machine-readable instructions which, when executed by a computer, cause the computer to carry out the method of any of claims 1 to 8, 11 to 13, 15 to 20, 22 to 32, 35 or 37 to 38.
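The following is an added illustration, not code from the patent or its applicant, of how the steps of claims 16 to 18 (deriving match probabilities against stored fingerprints and selecting one by a selection parameter) and claims 22 to 28 (deriving a measure of vulnerability) could fit together for an asset inventory. The stored fingerprints, weights, base scores, port penalties, the 0.6 threshold and all function names are assumptions constructed for the example.

```python
# Constructed stored fingerprints (standing in for the "first database" of claim 17).
STORED = {
    "example-ip-camera": {"open_ports": "23,80,554", "http_server": "ExampleCam/1.0",
                          "mdns": "_rtsp._tcp", "arp_oui": "00:00:5E"},
    "example-printer": {"open_ports": "80,631,9100", "http_server": "ExamplePrint/2.3",
                        "mdns": "_ipp._tcp", "arp_oui": "00:00:5E"},
}
# Assumed weights: how strongly each identifying characteristic discriminates.
WEIGHTS = {"open_ports": 2.0, "http_server": 3.0, "mdns": 2.0, "arp_oui": 1.0}
# Constructed 0-10 base scores standing in for a trusted source (claim 28).
BASE_SCORE = {"example-ip-camera": 7.5, "example-printer": 4.0}
# Assumed penalties for cleartext management services seen in the fingerprint.
RISKY_PORTS = {"21": 1.0, "23": 2.0}


def match_probability(observed: dict, stored: dict) -> float:
    """Weighted share of the observed characteristics that equal the stored ones."""
    total = sum(WEIGHTS[k] for k in observed if k in WEIGHTS)
    if total == 0:
        return 0.0
    hit = sum(WEIGHTS[k] for k, v in observed.items()
              if k in WEIGHTS and stored.get(k) == v)
    return hit / total


def identify(observed: dict, threshold: float = 0.6):
    """Return (identity, probability); identity is None below the threshold."""
    scored = {name: match_probability(observed, fp) for name, fp in STORED.items()}
    best = max(scored, key=scored.get)
    if scored[best] >= threshold:  # the threshold plays the role of the selection parameter
        return best, scored[best]
    return None, scored[best]


def vulnerability_measure(observed: dict, threshold: float = 0.6) -> float:
    """Base score of the identified device plus exposure penalties, capped at 10."""
    identity, _ = identify(observed, threshold)
    base = BASE_SCORE.get(identity, 5.0)  # assumed neutral default when unidentified
    ports = observed.get("open_ports", "").split(",")
    penalty = sum(RISKY_PORTS.get(p, 0.0) for p in ports)
    return min(10.0, base + penalty)
```

A fingerprint that matches no stored entry above the threshold is reported as unidentified rather than forced onto the nearest candidate, so a weak match never inherits a specific device's score.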
GB1713588.0A 2017-08-24 2017-08-24 Method and system for network devices Withdrawn GB2566010A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
GB1713588.0A GB2566010A (en) 2017-08-24 2017-08-24 Method and system for network devices

Publications (2)

Publication Number Publication Date
GB201713588D0 GB201713588D0 (en) 2017-10-11
GB2566010A true GB2566010A (en) 2019-03-06

Family

ID=60037066

Family Applications (1)

Application Number Title Priority Date Filing Date
GB1713588.0A Withdrawn GB2566010A (en) 2017-08-24 2017-08-24 Method and system for network devices

Country Status (1)

Country Link
GB (1) GB2566010A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20210279565A1 (en) * 2020-03-04 2021-09-09 WootCloud Inc. Systems And Methods For Device Fingerprinting

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20100257158A1 (en) * 2008-09-22 2010-10-07 Optim Corporation Information processing device, method and server for determining type of electric appliance
US20140080478A1 (en) * 2012-09-14 2014-03-20 Tektronix, Inc. Identification of Communication Devices in Telecommunication Networks
JP2014081742A (en) * 2012-10-15 2014-05-08 Ntt Comware Corp Device identification apparatus, device identification method, and device identification program
US20160323387A1 (en) * 2011-12-30 2016-11-03 Akamai Technologies, Inc. Systems and methods for identifying and characterizing client devices
WO2017167836A1 (en) * 2016-03-31 2017-10-05 Bitdefender Ipr Management Ltd System and methods for automatic device detection

Also Published As

Publication number Publication date
GB201713588D0 (en) 2017-10-11

Legal Events

Date Code Title Description
WAP Application withdrawn, taken to be withdrawn or refused ** after publication under section 16(1)