Abstract: A system and method for determining device attributes based on host configuration protocols. A method includes applying at least one machine learning model to a test data set extracted from host configuration protocol data including at least one test options sequence, wherein each test options sequence is an ordered series of options requested by a first device, wherein each of the at least one machine learning model is trained based on a train data set including a plurality of training options sequences and a plurality of device attributes, wherein each training options sequence and each device attribute of the train data set corresponds to a respective second device; and determining, based on the output of the at least one machine learning model, at least one device attribute for the first device.

Abstract: Systems and methods for device profile enrichment. A method includes determining a plurality of distributions of device attributes with respect to a plurality of fields of a predefined device profile schema; generating a plurality of inference rules based on the plurality of distributions of device attributes, wherein each inference rule indicates at least one required device attribute and at least one inferred device attribute; creating an ordered set of inference rules including the plurality of inference rules organized with respect to a plurality of scores, each score corresponding to one of the plurality of inference rules, wherein the score for each inference rule is determined based on the at least one required device attribute of the inference rule; and enriching at least one device profile by iterating the ordered set of inference rules, wherein enriching a device profile includes adding at least one device attribute value to the device profile.

Abstract: A system and method for inferring an operating system version for a device based on communications security data. A method includes identifying a plurality of sequences in communications security data sent by the device; determining an operating system type of an operating system used by the device based on the identified plurality of sequences; applying a version-identifying model to the identified plurality of sequences, wherein the version-identifying model is a machine learning model trained to output a version identifier, wherein the applied version-identifying model is associated with the determined operating system type; and determining the operating system version of the device based on the output of the version-identifying model.

Abstract: A system and method for vulnerability detection. A method includes: tokenizing device attribute data for a device into at least one set of first tokens, wherein each of the first tokens is formatted according to a token schema; creating at least one device attribute string, each device attribute string including one of the first tokens; matching each of the at least one device attribute string to combinations of device attributes stored in a vulnerabilities database in order to identify at least one matching combination of device attributes for the device, wherein the vulnerabilities database stores mappings between combinations of device attributes and vulnerabilities, wherein each combination of device attributes in the vulnerabilities database includes second tokens formatted according to the token schema; detecting at least one vulnerability of the device based on the at least one matching combination of device attributes and the mappings in the vulnerabilities database.

Abstract: A system and method for detecting abnormal device traffic behavior. The method includes creating a baseline clustering model for a device based on a training data set including traffic data for the device, wherein the baseline clustering model includes a plurality of clusters, each cluster representing a discrete state and including a plurality of first data points of the training data set; sampling a plurality of second data points with respect to windows of time in order to create at least one sample, each sample including at least a portion of the plurality of second data points, wherein the plurality of second data points are related to traffic involving the device; and detecting anomalous traffic behavior of the device based on the at least one sample and the baseline clustering model.

Abstract: A system and method for identifying device attributes based on string field conventions. A method includes applying at least one machine learning model to an application data set extracted based on a string indicated in a field of device data corresponding to a device, wherein each of the at least one machine learning model is trained based on a training data set including a plurality of second strings and a plurality of device attribute labels, wherein each device attribute label corresponds to a respective second string of the plurality of second strings, wherein each of the at least one machine learning model is configured to output a predicted device attribute for the device based on the first string; and identifying, based on the output of the at least one machine learning model, a device attribute of the device.

Abstract: A system and method for inferring an operating system version for a device based on communications security data. A method includes identifying a plurality of sequences in communications security data sent by the device; determining an operating system type of an operating system used by the device based on the identified plurality of sequences; applying a version-identifying model to the identified plurality of sequences, wherein the version-identifying model is a machine learning model trained to output a version identifier, wherein the applied version-identifying model is associated with the determined operating system type; and determining the operating system version of the device based on the output of the version-identifying model.

Abstract: A system and method for inferring device types. A method includes selecting a device type inference model from among a plurality of device type inference models based on a manufacturer of a device, wherein each device type inference model corresponds to a respective manufacturer and is trained using training data of devices manufactured by the respective manufacturer, wherein each device type inference model is trained to output a device type prediction; and determining an inferred device type for the device, wherein determining the inferred device type for the device further comprises applying the selected device type inference model to a plurality of features, wherein the plurality of features is extracted from device activity data indicating ports used by the device and at least one volume of traffic communicated via each port used by the device.

Abstract: A system and method for vulnerability detection. A method includes: tokenizing device attribute data for a device into at least one set of first tokens, wherein each of the first tokens is formatted according to a token schema; creating at least one device attribute string, each device attribute string including one of the first tokens; matching each of the at least one device attribute string to combinations of device attributes stored in a vulnerabilities database in order to identify at least one matching combination of device attributes for the device, wherein the vulnerabilities database stores mappings between combinations of device attributes and vulnerabilities, wherein each combination of device attributes in the vulnerabilities database includes second tokens formatted according to the token schema; detecting at least one vulnerability of the device based on the at least one matching combination of device attributes and the mappings in the vulnerabilities database.

Abstract: A system and method for anomaly interpretation and mitigation. A method includes extracting at least one input feature vector from observation data related to an observation; applying an isolation forest to the at least one input feature vector, wherein the isolation forest includes a plurality of estimators, wherein each estimator is a decision tree, wherein the output of each estimator is a split-path of a plurality of split-paths, each split-path having a path-length and including name and a corresponding value for a respective output feature of a plurality of output features; generating a mapping object based on the application of the isolation forest to the at least one feature vector, wherein the mapping object includes the plurality of split-paths; clipping the mapping object based on the path-length of each split-path; and determining at least one mitigation action based on the clipped mapping object.

Abstract: A system and method for determining device attributes using a classifier hierarchy. The method includes: sequentially applying a plurality of sub-models of a hierarchy to a plurality of features extracted from device activity data, wherein the sequential application ends with applying a last sub-model of the plurality of sub-models, wherein each sub-model includes a plurality of classifiers, wherein each sub-model outputs a class when applied to at least a portion of the plurality of features, wherein each class is a classifier output representing a device attribute, wherein applying the plurality of sub-models further comprises iteratively determining a next sub-model to apply based on the class output by a most recently applied sub-model and the hierarchy; and determining a device attribute based on the class output by the last sub-model.

Abstract: A system and method for detecting abnormal device traffic behavior. The method includes creating a baseline clustering model for a device based on a training data set including traffic data for the device, wherein the baseline clustering model includes a plurality of clusters, each cluster representing a discrete state and including a plurality of first data points of the training data set; sampling a plurality of second data points with respect to windows of time in order to create at least one sample, each sample including at least a portion of the plurality of second data points, wherein the plurality of second data points are related to traffic involving the device; and detecting anomalous traffic behavior of the device based on the at least one sample and the baseline clustering model.

Abstract: A system and method for inferring device types. A method includes selecting a device type inference model from among a plurality of device type inference models based on a manufacturer of a device, wherein each device type inference model corresponds to a respective manufacturer and is trained using training data of devices manufactured by the respective manufacturer, wherein each device type inference model is trained to output a device type prediction; and determining an inferred device type for the device, wherein determining the inferred device type for the device further comprises applying the selected device type inference model to a plurality of features, wherein the plurality of features is extracted from device activity data indicating ports used by the device and at least one volume of traffic communicated via each port used by the device.

Abstract: A system and method for identifying device attributes based on string field conventions. A method includes applying at least one machine learning model to an application data set extracted based on a string indicated in a field of device data corresponding to a device, wherein each of the at least one machine learning model is trained based on a training data set including a plurality of second strings and a plurality of device attribute labels, wherein each device attribute label corresponds to a respective second string of the plurality of second strings, wherein each of the at least one machine learning model is configured to output a predicted device attribute for the device based on the first string; and identifying, based on the output of the at least one machine learning model, a device attribute of the device.

Abstract: Systems and methods for device profile enrichment. A method includes determining a plurality of distributions of device attributes with respect to a plurality of fields of a predefined device profile schema; generating a plurality of inference rules based on the plurality of distributions of device attributes, wherein each inference rule indicates at least one required device attribute and at least one inferred device attribute; creating an ordered set of inference rules including the plurality of inference rules organized with respect to a plurality of scores, each score corresponding to one of the plurality of inference rules, wherein the score for each inference rule is determined based on the at least one required device attribute of the inference rule; and enriching at least one device profile by iterating the ordered set of inference rules, wherein enriching a device profile includes adding at least one device attribute value to the device profile.

Abstract: A system and method for determining device attributes using a classifier hierarchy. The method includes: sequentially applying a plurality of sub-models of a hierarchy to a plurality of features extracted from device activity data, wherein the sequential application ends with applying a last sub-model of the plurality of sub-models, wherein each sub-model includes a plurality of classifiers, wherein each sub-model outputs a class when applied to at least a portion of the plurality of features, wherein each class is a classifier output representing a device attribute, wherein applying the plurality of sub-models further comprises iteratively determining a next sub-model to apply based on the class output by a most recently applied sub-model and the hierarchy; and determining a device attribute based on the class output by the last sub-model.

Abstract: Systems and methods for device profile enrichment. A method includes determining a plurality of distributions of device attributes with respect to a plurality of fields of a predefined device profile schema; generating a plurality of inference rules based on the plurality of distributions of device attributes, wherein each inference rule indicates at least one required device attribute and at least one inferred device attribute; creating an ordered set of inference rules including the plurality of inference rules organized with respect to a plurality of scores, each score corresponding to one of the plurality of inference rules, wherein the score for each inference rule is determined based on the at least one required device attribute of the inference rule; and enriching at least one device profile by iterating the ordered set of inference rules, wherein enriching a device profile includes adding at least one device attribute value to the device profile.

Abstract: A system and method for identifying device attributes based on string field conventions. A method includes applying at least one machine learning model to an application data set extracted based on a string indicated in a field of device data corresponding to a device, wherein each of the at least one machine learning model is trained based on a training data set including a plurality of second strings and a plurality of device attribute labels, wherein each device attribute label corresponds to a respective second string of the plurality of second strings, wherein each of the at least one machine learning model is configured to output a predicted device attribute for the device based on the first string; and identifying, based on the output of the at least one machine learning model, a device attribute of the device.

Abstract: A system and method for determining device attributes using a classifier hierarchy. The method includes: sequentially applying a plurality of sub-models of a hierarchy to a plurality of features extracted from device activity data, wherein the sequential application ends with applying a last sub-model of the plurality of sub-models, wherein each sub-model includes a plurality of classifiers, wherein each sub-model outputs a class when applied to at least a portion of the plurality of features, wherein each class is a classifier output representing a device attribute, wherein applying the plurality of sub-models further comprises iteratively determining a next sub-model to apply based on the class output by a most recently applied sub-model and the hierarchy; and determining a device attribute based on the class output by the last sub-model.

Abstract: A system and method for anomaly interpretation and mitigation. A method includes extracting at least one input feature vector from observation data related to an observation; applying an isolation forest to the at least one input feature vector, wherein the isolation forest includes a plurality of estimators, wherein each estimator is a decision tree, wherein the output of each estimator is a split-path of a plurality of split-paths, each split-path having a path-length and including name and a corresponding value for a respective output feature of a plurality of output features; generating a mapping object based on the application of the isolation forest to the at least one feature vector, wherein the mapping object includes the plurality of split-paths; clipping the mapping object based on the path-length of each split-path; and determining at least one mitigation action based on the clipped mapping object.