Enhancing Network Security with Machine Learning: Device Classification and Anomaly Detection

07/27/2023

By Cornelius Griffith

In today’s network security landscape, machine learning plays a vital role in detecting anomalies and identifying potential threats by analyzing behavior patterns. Machine learning-based anomaly detection is rapidly gaining popularity as a means to safeguard our nation’s critical resources. However, the dynamic nature of technology and the ever-evolving strategies of malicious actors present continuous challenges.

Machine Learning: What’s the Problem?

As machine learning advances, bad actors are adapting too.

The growing number and variety of internet-connected devices introduce new elements and new vulnerabilities to the world of cybersecurity. They complicate the detection of anomalous behavior because each device type has its own distinct behavior patterns: what is anomalous for a laptop may be routine for a cellphone. With many different types of devices operating on the network, new methods must be implemented to continue to accurately differentiate between benign and malicious network behavior.

Still, before we can even do this sort of analysis, we must first know which devices are operating on our networks. However, when Computer Network Defense (CND) analysts are performing their duties, they may not have a reliable list of devices operating on the network. Furthermore, should new devices be connected without the knowledge of IT administrators, CND analysts would have no way of knowing it had happened. This information is crucial to securing our networks, identifying malicious behavior and reducing potential threats.

Fortunately, machine learning allows us to identify devices operating on a network using only packet capture data.

SealingTech’s Approach

The model we built to address this uses supervised learning techniques to classify new devices based on logged traffic from those same types of devices.

Our dataset covers seven Internet of Things (IoT) device categories: general IoT, IoT cameras, smart home devices, MacBook, Android phone/Galaxy tab, servers, and routers. We selected key network traffic characteristics from hundreds of thousands of tracked sessions from these devices.

We then trained the model to recognize the device type from those selected network session characteristics. The resulting model classifies devices into one of these categories with an accuracy of 94%.

How Can You Use It?

Knowing what devices are operating on a network enables a lot of potential uses, including:

  • Policy Analysis – You can answer questions like:
    • Do I have device types that should not be communicating but are?
    • Do we have unapproved devices operating on the network?
  • Validation – We can ask why a known device is behaving like another
  • Anomaly detection – We can better identify anomalies in behavior patterns based on the device, which reduces false alarms
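As an added illustration (not SealingTech's code or model), the sketch below builds a session-feature classifier on constructed sample sessions and then uses it for the validation check above: flagging an inventoried device whose traffic no longer looks like its recorded type. The feature set, the three labels and the nearest-centroid method are assumptions standing in for the article's unspecified features and model.

```python
import math
from collections import defaultdict
from statistics import mean, pstdev

# Constructed training sessions: (label, pkts_out, pkts_in, bytes_out, bytes_in, duration_s).
# The labels are an assumed subset of the article's seven device categories.
TRAINING = [
    ("iot_camera", 2000, 100, 2_000_000, 8_000, 600),
    ("iot_camera", 1800, 90, 1_700_000, 7_000, 540),
    ("smart_home", 20, 20, 3_000, 4_000, 30),
    ("smart_home", 15, 18, 2_500, 3_600, 25),
    ("server", 400, 500, 300_000, 60_000, 5),
    ("server", 450, 520, 350_000, 70_000, 6),
]

def session_features(pkts_out, pkts_in, bytes_out, bytes_in, duration_s):
    """Assumed feature set: outbound byte ratio, log volume, log duration, log mean packet size."""
    total_bytes, total_pkts = bytes_out + bytes_in, pkts_out + pkts_in
    return [bytes_out / total_bytes, math.log10(1 + total_bytes),
            math.log10(1 + duration_s), math.log10(total_bytes / total_pkts)]

class CentroidClassifier:
    """Nearest-centroid over z-scored features: an assumed stand-in, not SealingTech's model."""
    def fit(self, rows):
        feats = [session_features(*r[1:]) for r in rows]
        cols = list(zip(*feats))
        self.mu, self.sd = [mean(c) for c in cols], [pstdev(c) or 1.0 for c in cols]  # 1.0 guards constants
        per_label = defaultdict(list)
        for r, f in zip(rows, feats):
            per_label[r[0]].append(self._scale(f))
        self.centroids = {lbl: [mean(c) for c in zip(*fs)] for lbl, fs in per_label.items()}
        return self
    def _scale(self, f):
        return [(x - m) / s for x, m, s in zip(f, self.mu, self.sd)]
    def predict(self, *session):
        z = self._scale(session_features(*session))
        return min(self.centroids, key=lambda lbl: math.dist(z, self.centroids[lbl]))

def audit_inventory(clf, inventory, observed):
    """Flag devices whose observed session no longer classifies as their recorded
    type (the article's 'validation' use): returns (device, recorded, predicted)."""
    return [(dev, inventory[dev], clf.predict(*s))
            for dev, s in observed.items() if clf.predict(*s) != inventory[dev]]

if __name__ == "__main__":
    clf = CentroidClassifier().fit(TRAINING)
    inventory = {"cam-lobby": "iot_camera", "thermostat-1": "smart_home"}
    observed = {"cam-lobby": (2100, 110, 2_100_000, 8_500, 620),
                "thermostat-1": (1900, 95, 1_850_000, 7_500, 580)}  # streams like a camera
    print(audit_inventory(clf, inventory, observed))  # [('thermostat-1', 'smart_home', 'iot_camera')]
```

A real deployment would replace the hand-picked features and centroid model with features extracted from packet captures and a trained classifier, but the inventory comparison stays the same.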

By harnessing the power of machine learning and a robust device classification model, organizations can significantly bolster their network security and proactively address potential risks and vulnerabilities.
