Abstract: Systems, methods, and related technologies for classification are described. Network traffic from a network may be accessed and an entity may be selected. One or more values associated with one or more properties associated with the entity may be determined. The one or more values may be accessed from the network traffic. A first model associated with a first level of granularity is accessed. A first classification result of the entity based on the first model is determined by a processing device. A second model associated with a second level of granularity is accessed. The second level of granularity is higher than the first level of granularity and the second model is accessed based on the first classification result. A second classification result of the entity based on the second model is determined. At least one of the first classification result or the second classification result is stored.

Abstract: Systems, methods, and related technologies for classification are described. Network traffic transmitted by a first device is obtained. A set of features is determined based on the network traffic. A first classification for the device is determine a first classification for the first device based on the set of features. The first classification is associated with a first classification level. A second machine learning model is identified based on the first classification. The second machine learning model is associated with the first classification. A second classification for the first device is determined based on the second machine learning model. The second classification is associated with a second classification level. At least one of the first classification and the second classification is stored.

Abstract: Systems, methods, and related technologies for increasing data availability. The determining of one or more recommendations to improve classification may include accessing network traffic from a network and selecting an entity. One or more values associated with one or more properties associated with the entity may be determined. The one or more values may be accessed from the network traffic. The entity may be classified and in response to the classification meeting a condition, one or more properties that are unavailable in the network traffic may be determined. A data source associated with the one or more properties for which a value is not present in the network traffic may be determined and the data source associated with the one or more properties that are unavailable in the network traffic may be stored.

Abstract: Systems, methods, and related technologies for segmentation management are described. In certain aspects, an entity communicatively coupled to a network is selected and one or more characteristics of the entity may be determined. A segmentation policy may be selected based on the one or more characteristics of the entity and one or more tags to be assigned to the entity based on the segmentation policy may be determined. A zone for the entity based on the one or more tags may be determined and one or more enforcement points associated with the zone for the entity may be determined. One or more enforcement actions may then be assigned to the one or more enforcement points based on the zone associated with the entity.

Abstract: A method of detecting anomalous behaviour in data traffic on a data communication network having a first host and a second host being connected to the data communication network in which the data traffic on the data communication network forms a link between the first host and the second host.

Abstract: Systems, methods, and related technologies for clustering are described. Network traffic is accessed from a network and the network may be associated with a plurality of entities. Behavior associated with each entity of the plurality of entities may be determined. The behavior may be determined based one or more communications associated with each entity. A processing device may be used to determine one or more clusters of entities based on entities having similar behavior. A cluster may comprise one or more entities with similar behavior. One or more anomalies may be determined based on the one or more clusters and storing data associated with at least one of the one or more clusters and the one or more anomalies may be stored.

Abstract: Adaptive scanning is described. The adaptive scanning may include performing a passive scan of communications associated with a device, where the passive scan comprises observing one or more communications of the device over a network. One or more attributes associated with the device based on the passive scan are determined and an active scan of the device is performed based on the one or more attributes based on the passive scan. The active scan is customized for the device based on the one or more attributes determined based on the passive scan and the active scan comprises sending one or more requests to the device. One or more attributes associated with the device may be determined based on the active scan. The one or more attributes based on the passive scan and the one or more results based on the active scan associated with the device are stored.

Abstract: Systems, methods, and related technologies for device compliance monitoring are described. In certain aspects, one or more compliance rules associated with a device classification are used to determine a compliance level of a device. The one or more compliance rules may be based on a standard. An action can be initiated based on the compliance level.

Abstract: Systems, methods, and related technologies for device software monitoring and device software updating are described. In certain aspects, a device is selected based on being a smart device and a software version of associated with the software of the device is determined. The device software may then be automatically updated if newer software is available.

Abstract: Systems, methods, and related technologies for access control management are described. The access control management may be customized for an entity and be configured on an enforcement point closest to the entity. In certain aspects, an entity communicatively coupled to a network is selected and one or more characteristics of the entity determined. An access policy may be selected based on the one or more characteristics of the entity and one or more enforcement points closest to the entity determined. One or more access rules to be assigned to the one or more enforcement points based on the access policy may be determined and the one or more access rules assigned to or configured on the one or more enforcement points closest to the entity.

Abstract: Systems, methods, and related technologies for parsing network traffic are described. Network traffic transmitted by a set of devices communicatively coupled to a network is obtained. A set of protocol fields for parsing the network traffic is determined. The set of protocol fields are associated with a set of processing engines. The network traffic is parsed to determine a set of field values from the network traffic based on the set of protocol fields. The set of field values are transmitted to the set of processing engines.

Abstract: Systems, methods, and related technologies for improving classification use multiple classification resources. Network traffic from a network may be accessed and an entity may be selected. One or more values associated with one or more properties associated with the entity may be determined. The one or more values may be accessed from the network traffic. A first classification result of the entity based on accessing one or more local profiles is determined by a processing device. In response to the first classification result meeting a condition, one or more values associated with one or more properties associated with the entity may be sent (e.g., to a cloud based classification resource). A second classification result may be received. The second classification result may be determined based one accessing at least one remote profile. At least one of the first classification result or the second classification result may be stored.

Abstract: Systems, methods, and related technologies for segmentation management are described. The segmentation management may include visualization, configuration including translation, simulation, or a combination thereof of one or more segmentation policies. In certain aspects, a segmentation policy is accessed and a segmentation rule is determined based on the segmentation policy. An enforcement point associated with the segmentation rule may be determined, where the enforcement point is communicatively coupled to a network. The segmentation rule may be translated into a configuration associated with the enforcement point and the configuration communicated to the enforcement point.

Abstract: A network access control (NAC) device detects a connection of an endpoint device at a network switch coupled to a network and restricts access of the endpoint device to prevent the endpoint device from accessing resources of the network. The NAC device establishes a connection with the endpoint device, validates a client certificate corresponding to the endpoint device to authenticate the endpoint device as a corporate device and grants the endpoint device access to the resources of the network.

Abstract: Systems, methods, and related technologies for device classification are described. In certain aspects, one or more properties are selected based on associated respective ranks. The selected one or more properties are used with information associated with the device to determine a classification. The classification may then be stored.

Abstract: Systems, methods, and related technologies including media access control (MAC) address spoofing detection are described. The MAC address spoofing detection and response may include accessing a first MAC address associated with a first communication on a first port of a first network device and accessing a second MAC address associated with a second communication on a second port of a second network device. Whether the first MAC address and the second MAC address match may be determined. Information associated with a third communication associated with the first MAC address on the first port of the first network device and information associated with a fourth communication associated with the second MAC address on the second port of the second network device may be accessed. An action may be performed associated with the second port of the second network device based on the second MAC address matching the first MAC address.

Abstract: Systems, methods, and related technologies for self-training classification are described. In certain aspects, a plurality of device classification methods with associated models are accessed. Each of the classification methods have an associated reliability level. The models of classification methods with a higher reliability level than other classifications methods are used to train the models associated with lower reliability level. The trained models and associated classification methods are thus improved.

Abstract: Systems, methods, and related technologies for determining a risk associated with a network portion are described. The determination of risk associated with a network portion may include accessing network traffic from a network and determining an entity type associated with at least one entity communicatively coupled to the network. A network portion associated with the at least one entity can be determined. A risk associated with the at least one entity can be determined. A risk associated with the network portion associated with the at least one entity can be determined based on the risk associated with the at least one entity. The risk associated with the network portion can then be stored.

Abstract: Systems, methods, and related technologies for determining a comprehensive risk score or value are described. The risk score determination may include selecting an entity communicatively coupled to a network and determining a cyber-attack likelihood value and a cyber-attack impact value associated with the entity. A cyber-attack risk may then be determined based on the cyber-attack likelihood value and a cyber-attack impact value associated with the entity. An operational failure likelihood value and an operational failure impact value associated with the entity can be determined. An operational failure risk based on the operational failure likelihood value and the operational failure impact value associated with the entity can be determined. A risk value may then be determined for the entity based on the cyber-attack risk and the operational failure risk and the risk value for the entity can be stored.

Abstract: Systems, methods, and related technologies for segmentation management are described. The segmentation management may include visualization, configuration, simulation, or a combination thereof of one or more segmentation policies. In certain aspects, a plurality of segmentation rules are accessed and one or more characteristics of a plurality of entities communicatively coupled to a network are determined. A plurality of groups may be determined based on at least one characteristic of the one or more characteristics, where each group comprises at least one entity of the plurality of entities. A first group and a second group from the plurality of groups may be selected and one or more segmentation rules associated with the first group determined. One or more segmentation rules associated with the second group may be determined.