Abstract: Machine learning techniques are described for analyzing information network traffic to identify different devices connected to a network. Transmitted network packets may be passively collected and analyzed. In some cases the described techniques may be used to identify distinct devices connected to a network even though the collected and analyzed packets may lack a unique device identifier, such as a media access control (MAC) identifier, corresponding to a device that originated the packets.

Abstract: Techniques are disclosed for generating a combined visual representation of subsets of devices associated with corresponding sub-networks of a private network, where at least two devices in corresponding sub-networks share a same private internet protocol (IP) address. The system generates a separate profile for each device using a combination of elements including at least (a) a private IP address corresponding to the device and (b) a network identifier corresponding to a sub-network associated with the device. These sub-networks and their constituent devices may be visually represented in corresponding user interface elements.

Abstract: Presenting, at a graphical user interface (GUI), device photos and risk categories associated with devices in a network is described. Data packets communicated in a network are detected. Based on the detected data packets, a set of devices in the network are determined. A set of device photos associated respectively with the set of devices are determined. A GUI concurrently presents the set of device photos to indicate the set of devices detected in the network. The set of devices may be filtered, sorted, and/or grouped based on various criteria. The GUI may present the device photos according to the filtering, sorting, and/or grouping. Additionally or alternatively, risk scores associated respectively with the set of devices are determined. The set of devices are categorized into respective risk categories based on the associated risk scores. A GUI concurrently presents a set of risk categories and information associated with each risk category.

Abstract: Techniques for identifying and mapping applications to devices in a network are disclosed. A system monitors data transmitted on a network to identify a plurality of data traffic patterns in the network. Based on the plurality of data traffic patterns, the system identifies a plurality of applications associated with respective subsets of the data, the plurality of applications including a first and a second application. The system determines that a particular network infrastructure element, among the plurality of network infrastructure elements, processes data associated with the first application. The system stores a mapping between the particular network infrastructure element and the first application.

Abstract: Techniques are described for analyzing information network traffic to identify distinct devices connected to a network based on characteristics exhibited by the devices. Techniques may analyze some or all of network characteristics, device behavioral patterns, and/or device characteristics detected in network traffic. One or more of these characteristics, may be assigned to a profile associated with a device. This profile, by establishing one or more patterns of behavior and/or characteristics, may be used as a “fingerprint” to uniquely identify a device connected to a network even for devices that employ randomized identifiers, such as MAC addresses, that would otherwise obscure unique identification of the device. Profiles exhibiting similar patterns of behaviors and/or characteristics may be identified and merged to avoid duplicate identification of a same device.

Abstract: Techniques for identifying and mapping applications to devices in a network are disclosed. A system monitors data transmitted on a network to identify a plurality of data traffic patterns in the network. Based on the plurality of data traffic patterns, the system identifies a plurality of applications associated with respective subsets of the data, the plurality of applications including a first and a second application. The system determines that a particular network infrastructure element, among the plurality of network infrastructure elements, processes data associated with the first application. The system stores a mapping between the particular network infrastructure element and the first application.

Abstract: Techniques are disclosed for generating a combined visual representation of subsets of devices associated with corresponding sub-networks of a private network, where at least two devices in corresponding sub-networks share a same private internet protocol (IP) address. The system generates a separate profile for each device using a combination of elements including at least (a) a private IP address corresponding to the device and (b) a network identifier corresponding to a sub-network associated with the device. These sub-networks and their constituent devices may be visually represented in corresponding user interface elements.

Abstract: Techniques for generating and enforcing security policies for device clusters are disclosed. A security manager generates a plurality of clusters of devices for applying security policies. For each cluster of devices, the security manager trains a machine learning model to indicate whether a particular data flow associated with a device in the particular cluster of devices is allowed or denied. The security manager detects a data flow corresponding to a device. If the security manager determines that the device corresponds to a first cluster of devices, the security manager identifies a first trained machine learning model corresponding to the first cluster of devices. The security manager applies the first trained machine learning model to the first data flow to determine whether the first data flow is to be allowed or denied. The security manager allows or denies the first data flow based on the applying operation.

Abstract: Techniques are described for analyzing information network traffic to identify distinct devices connected to a network based on characteristics exhibited by the devices. Techniques may analyze some or all of network characteristics, device behavioral patterns, and/or device characteristics detected in network traffic. One or more of these characteristics, may be assigned to a profile associated with a device. This profile, by establishing one or more patterns of behavior and/or characteristics, may be used as a “fingerprint” to uniquely identify a device connected to a network even for devices that employ randomized identifiers, such as MAC addresses, that would otherwise obscure unique identification of the device. Profiles exhibiting similar patterns of behaviors and/or characteristics may be identified and merged to avoid duplicate identification of a same device.

Abstract: Machine learning techniques are described for analyzing information network traffic to identify different devices connected to a network. Transmitted network packets may be passively collected and analyzed. In some cases the described techniques may be used to identify distinct devices connected to a network even though the collected and analyzed packets may lack a unique device identifier, such as a media access control (MAC) identifier, corresponding to a device that originated the packets.

Abstract: Systems and methods described may deduce that a machine is in use for a period of time preceding and/or subsequent to a detected operation. The deduction of the usage period may be based on a type of the detected operation. The system may deduce that a machine is in-use during a period of time that spans from (a) a first point-in-time when a first type of operation was detected to (b) a second point-in-time when a second type of operation was detected.

Abstract: Presenting, at a graphical user interface (GUI), device photos and risk categories associated with devices in a network is described. Data packets communicated in a network are detected. Based on the detected data packets, a set of devices in the network are determined. A set of device photos associated respectively with the set of devices are determined. A GUI concurrently presents the set of device photos to indicate the set of devices detected in the network. The set of devices may be filtered, sorted, and/or grouped based on various criteria. The GUI may present the device photos according to the filtering, sorting, and/or grouping. Additionally or alternatively, risk scores associated respectively with the set of devices are determined. The set of devices are categorized into respective risk categories based on the associated risk scores. A GUI concurrently presents a set of risk categories and information associated with each risk category.

Abstract: Presenting, at a graphical user interface (GUI), device photos and risk categories associated with devices in a network is described. Data packets communicated in a network are detected. Based on the detected data packets, a set of devices in the network are determined. A set of device photos associated respectively with the set of devices are determined. A GUI concurrently presents the set of device photos to indicate the set of devices detected in the network. The set of devices may be filtered, sorted, and/or grouped based on various criteria. The GUI may present the device photos according to the filtering, sorting, and/or grouping. Additionally or alternatively, risk scores associated respectively with the set of devices are determined. The set of devices are categorized into respective risk categories based on the associated risk scores. A GUI concurrently presents a set of risk categories and information associated with each risk category.

Abstract: Techniques for presenting, at a graphical user interface (GUI), a constellation view of communications associated with node groups of a network disclosed. A GUI presents icons arranged on concentric rings. Icons on one ring represent device groups. Icons on another ring represent address groups. Icons on another ring represent intranet groups. Each icon is selectable to request information about the communications of the corresponding node group. Connections are drawn between the selected icon and other icons to represent the communications. Each connection is selectable to request additional information regarding the communication.

Abstract: Techniques for determining a device profile and anomalous behavior associated with a device in a network are disclosed. Attribute values associated with a target device are determined based on data packets detected from a network. A subset of a set of classifiers associated with the available attribute values are selected. The attribute values are applied to the selected classifiers to determine a respective candidate device profile. A current device profile is determined for the target device based on the candidate device profiles. The current device profile indicates expected attribute values for the target device. Current attribute values are compared to the expected attribute values to determine whether there is any anomalous behavior associated with the target device.

Abstract: Techniques for presenting, at a graphical user interface (GUI), a constellation view of communications associated with node groups of a network disclosed. A GUI presents icons arranged on concentric rings. Icons on one ring represent device groups. Icons on another ring represent address groups. Icons on another ring represent intranet groups. Each icon is selectable to request information about the communications of the corresponding node group. Connections are drawn between the selected icon and other icons to represent the communications. Each connection is selectable to request additional information regarding the communication.

Abstract: Techniques for presenting, at a graphical user interface (GUI), a constellation view of communications associated with node groups of a network disclosed. A GUI presents icons arranged on concentric rings. Icons on one ring represent device groups. Icons on another ring represent address groups. Icons on another ring represent intranet groups. Each icon is selectable to request information about the communications of the corresponding node group. Connections are drawn between the selected icon and other icons to represent the communications. Each connection is selectable to request additional information regarding the communication.