GB2629040A - Methods and systems for matching agents using time-based synchronisation patterns to identify unique devices - Google Patents
- Publication number: GB2629040A (also listed as GB2317335.4A, GB202317335A)
- Authority: GB (United Kingdom)
- Prior art keywords: time, agent, devices, agents, fingerprints
- Prior art date
- Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L41/046—Network management architectures or arrangements comprising network management agents or mobile agents therefor
- H04L43/065—Generation of reports related to network devices
- H04L43/08—Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters
- H04L43/14—Arrangements for monitoring or testing data switching networks using software, i.e. software packages
- H04L63/0876—Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L9/40—Network security protocols
- H04L41/16—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks using machine learning or artificial intelligence
- H04L43/045—Processing captured monitoring data, e.g. for logfile generation for graphical visualisation of monitoring data
- H04L43/0817—Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters by checking availability by checking functioning
Abstract
A method for matching agents deployed to computing devices, wherein time-based synchronisation patterns are used to identify unique devices. The API of a management platform (e.g. a security or threat management platform) is queried to extract records for at least one associated agent 102. The records each comprise a unique identifier for the agent and the last synchronization time of the agent with the management platform. A probability that a device that the agent is deployed on was online is assessed based on the recentness of the last synchronization relative to the query time 104, and a time fingerprint for the agent is constructed based on accumulated assessments of online activity over a specified time frame (e.g. a week or a month) 106. Time fingerprints are compared to probabilistically determine if multiple fingerprints for multiple agents originated from the same device 108. The time fingerprints may be generated by multiple management platforms, and the time fingerprints may be graphs of time against whether the device the agent is deployed on is online.
Description
METHODS AND SYSTEMS FOR MATCHING AGENTS USING TIME-BASED SYNCHRONISATION PATTERNS TO IDENTIFY UNIQUE DEVICES
TECHNICAL FIELD
The invention relates to methods and systems for matching agents using time-based synchronisation patterns to identify unique devices.
BACKGROUND
The realm of information technology (IT) management and security has witnessed substantial progress in recent years, particularly with respect to device management within organizations. The surge in digital devices within corporate environments has necessitated the evolution of complex IT infrastructure and security measures. These measures often involve the use of multiple IT and security platforms, each of which necessitates the deployment of an agent on each device. The agents report to their respective management platforms, each of which forms an inventory of devices for the organization. However, the process of managing and safeguarding these devices presents several challenges.
Use of the term "agent" herein refers to an autonomous computer program deployed on computer systems or devices with the primary purpose of protecting, monitoring, collecting, and communicating security-related data to a centralized management platform. These agents are designed to provide real-time insights, facilitate the implementation of security measures, and enable swift responses to potential vulnerabilities.
One of the primary challenges is the variability in deployment strategies and the imperfect nature of deployment processes. This often results in significant discrepancies in the inventories reported by different management platforms. The inventories may vary in terms of the number of devices identified and the agents deployed on each device. To gain an accurate understanding of the number of devices within a corporate IT environment and to ensure that the necessary agents are deployed on each device, it is crucial to compare the inventories reported by different management platforms.
The process of comparing inventories typically involves matching each record from each management platform with the corresponding records from other management platforms. This is typically achieved by exporting the information, often as a manual process, though in more sophisticated implementations by querying the information from the management platforms via an application programming interface (API) and analysing the properties of each device returned by respective agent APIs. However, the properties available from each agent and management platform can vary widely, and the limitations of these properties can significantly impact the accuracy of the matching process.
For instance, while device names, MAC addresses, IP addresses, and serial numbers are commonly used for matching, these identifiers have several limitations. Device names can be shared among devices, reported differently across platforms, or changed on a management platform independently of the actual device name (often then referred to as an alias). MAC addresses are not universally available, can be virtualized, and cannot distinguish between dual boot operating systems. IP addresses change frequently and are not always reported accurately by all integrations. Serial numbers, while useful, are not widely available and also cannot distinguish between dual boot operating systems.
These limitations can lead to inaccuracies in the matching process, resulting in agents being incorrectly matched or not matched at all. This can cause IT and security teams to form a misrepresentative picture of the devices within their IT estate, leading to gaps in IT and security tool agent deployment. This not only increases workloads but also leaves organizations vulnerable to attacks and compliance failures.
Therefore, improvements are desired to overcome the shortcomings of existing implementations.
SUMMARY
In general terms, the present disclosure is directed to a method for matching agents using time-based synchronisation patterns to identify unique devices. This method involves querying a management platform's API to extract records for associated agents, assessing the probability of a linked device being online based on the last synchronization time, constructing a time fingerprint for each agent based on online activity assessments, and comparing these fingerprints to determine if multiple agent fingerprints originated from the same device. Advantageously, the invention solves the problem of inaccurately identifying and managing devices across an organization's IT infrastructure due to limitations in the properties used for matching, by implementing a novel method of matching devices based on their unique time fingerprints.
According to an aspect of the invention, there is provided a method for matching agents using time-based synchronisation patterns to identify unique devices. The method comprises the steps of: a) querying the API of a management platform on a regular basis to extract records for at least one associated agent, wherein said records comprise a unique identifier for the agent and the last synchronization time of the agent with the management platform; b) assessing, for the agent, a probability that a linked device was online based on the recentness of the last synchronization relative to the query time; c) constructing a time fingerprint for the agent based on accumulated assessments of online activity over a specified time frame; and d) comparing said time fingerprints to probabilistically determine if multiple device fingerprints originated from the same device.
In one embodiment, the time fingerprint is a graph of time against whether the linked agent is inferred to be online or offline.
In one embodiment, the specified time frame for the synchronization patterns is at least one week.
In one embodiment, the management platform comprises a plurality of independent management platforms that are queried individually and at least one agent is associated with each management platform.
The method may further comprise comparing the time fingerprints of multiple platforms.
The method may further comprise the step of obtaining the unique identifier for each agent, and wherein the unique identifiers for multiple agents which are deduced to refer to the same linked device are aggregated.
The unique identifier of each agent may be stored in an inventory hosted by the management platform.
The method may further comprise identifying each agent deployed to the linked device and identifying any agents that have not been deployed.
The method may further comprise generating for display on a network diagram the unique identifier for each device.
According to an aspect of the invention, there is provided a system for matching agents using time-based synchronisation patterns to identify unique devices. The system comprises a querying module, an inference module, a visualization module, and a machine learning module. The querying module is adapted to extract records of individual agents, wherein each record may include a unique identifier for the agent, the device name, and the last synchronisation time of the agent with its associated platform; and store such synchronization times, unique identifiers, and the time the query was executed. The inference module is adapted to assess, probabilistically, based on the recentness of the last synchronization relative to the query time, if an agent's linked device was online. The visualization module is constructed to craft a time fingerprint for each agent of a management platform, illustrating online activity over time. The machine learning module is adapted to contrast time fingerprints amidst agents and across management platforms; and compare time fingerprints to probabilistically determine if multiple time fingerprints have arisen from an identical device.
BRIEF DESCRIPTION OF THE DRAWINGS
The above and other objects and advantages of the invention of the disclosures will be apparent upon consideration of the following detailed description, taken in conjunction with the accompanying drawings in which:
Figure 1 illustratively shows a flowchart for performing a method according to the present disclosure.
Figure 2 illustratively shows example time fingerprints according to the present disclosure.
DETAILED DESCRIPTION
Figure 1 illustratively shows a flowchart for performing a method according to the present disclosure. The method includes four steps: querying the API of a management platform, assessing the probability that a linked device was online, constructing a time fingerprint for the agent, and comparing said time fingerprints. In step (a), records are extracted from the API of the management platform which include a unique identifier for the agent and the last synchronization time of the agent with the management platform. In step (b), a probability that a linked device was online is assessed based on the recentness of the last synchronization relative to the query time. In step (c), a time fingerprint is constructed for the agent based on accumulated assessments of online activity over a specified time frame. Finally, in step (d), said time fingerprints are compared to probabilistically determine if multiple agent fingerprints originated from the same device.
Advantageously, this method provides a comprehensive solution to the complex problem of managing and protecting devices across an organization. In today's digital age, IT teams are tasked with the monumental responsibility of deploying IT infrastructure and security agents across all required devices. This includes a wide range of devices such as desktop computers, laptops, tablets, servers and virtual machines, each with their own unique characteristics and requirements. The method described herein simplifies this task by leveraging a common property that is returned by almost every single platform for each device: the last synchronization time of the agent with the management platform.
The last synchronization time is a critical piece of information that can provide valuable insights into the status of a device. For instance, if an agent has recently synchronized with the management platform, it is highly likely that the device is switched on and connected to the network. Conversely, if an agent has not synchronized with the management platform for an extended period of time, the device may be offline or disconnected from the network. By assessing the recentness of the last synchronization relative to the query time, the method can infer probabilistically whether a device is online or offline.
This probabilistic inference is a powerful tool that can provide a more accurate inventory of devices within an organization. Traditional methods of device inventory often rely on static properties such as name, MAC address, IP address, and serial number. However, these properties are not universally reported across platforms and have various limitations that can lead to inaccurate matching of devices. For example, a device's name can be easily changed by the user, a MAC address can be spoofed or virtualized, an IP address can change depending on the network the device is connected to, and a serial number is not always readily available or accessible.
In contrast, the last synchronization time is a dynamic property that is constantly updated and is less susceptible to manipulation. Furthermore, it is a property that is returned by almost every single platform for each device, making it a universally applicable metric for device management. By leveraging this property, the method can overcome the limitations of other properties and provide a more accurate and reliable inventory of devices.
Moreover, the method is not limited to a single snapshot in time. Instead, it constructs a time fingerprint for each agent based on accumulated assessments of online activity over a specified time frame. This time fingerprint provides a historical record of a device's online status, allowing for trend analysis and predictive modelling. For example, if a device consistently synchronizes with the management platform during business hours but not during non-business hours, it can be inferred that the device is likely a work device used by an employee. Such insights can be invaluable for IT teams in managing and protecting devices across an organization.
Finally, the method allows for the comparison of time fingerprints across multiple platforms. This is particularly useful in large organizations that use multiple management platforms. By comparing time fingerprints, the method can probabilistically determine if multiple device fingerprints originated from the same device, thereby further enhancing the accuracy of the device inventory. This cross-platform comparison also allows for the detection of anomalies and potential security threats. For instance, if a device is simultaneously reporting different online statuses on different platforms, it may indicate that one or more agents have ceased functioning, a potential issue that requires further investigation.
The method may include steps for collecting data on the time-based synchronization patterns of the linked devices, and then generating a time fingerprint which is a graph of time against whether the linked device is inferred to be online or offline.
Advantageously, this method provides a visual representation of the online status of devices over a specified time frame. The time fingerprint is constructed based on the last synchronization time of the agent with the management platform, which is a property that is returned by almost every single platform for each device. This method allows for a more accurate assessment of the online status of devices, which is crucial for managing and protecting devices across an organization. The time fingerprint also overcomes the limitations of other properties such as name, MAC address, IP address, and serial number, which are not universally reported across platforms and have various limitations that can lead to inaccurate matching of devices.
The method may include deducing the online status of devices using time-based synchronization patterns, wherein the specified time frame is at least one week.
Advantageously, this method allows for a more accurate assessment of the online status of devices over a longer time frame. The longer time frame allows for the accumulation of more data on the time-based synchronization patterns of the linked devices, thereby providing a more accurate time fingerprint. This method is particularly useful for managing and protecting devices across an organization, where it is crucial to have an accurate inventory of devices. The method also overcomes the limitations of other properties such as name, MAC address, IP address, and serial number, which are not universally reported across platforms and have various limitations that can lead to inaccurate matching of devices.
The management platform may comprise a plurality of independent management platforms that are queried individually. Additionally, an agent is associated with each management platform.
Advantageously, this method allows for the querying of multiple independent management platforms, thereby providing a more comprehensive assessment of the online status of devices across an organization. The method also allows for the association of an agent with each management platform, thereby providing a more accurate inventory of devices. The method overcomes the limitations of other properties such as name, MAC address, IP address, and serial number, which are not universally reported across platforms and have various limitations that can lead to inaccurate matching of devices.
The method may include steps for matching agents using time-based synchronisation patterns to identify unique devices. Specifically, the method includes comparing the time fingerprints of multiple platforms.
In some embodiments, the method involves querying the API of each management platform frequently and extracting records for every agent. The last synchronization time for each agent is stored alongside the unique identifier for the agent, and the time the query was performed. This information is used to infer probabilistically whether a device is switched on and connected to the network, based on whether the device synchronized recently prior to the query. This process is repeated over a long period, such as a month, to construct a time fingerprint for each agent in each platform. The time fingerprint is a graph showing whether the agent is reporting that the device is online or not, with time along the x-axis and a Boolean property, online status, on the y-axis.
Advantageously, this method allows for the comparison of time fingerprints across multiple platforms to infer whether any two records are likely to have originated from the same device. This method of matching devices is free from the limitations of other properties such as name, MAC address, IP address, and serial number, which are not universally reported across platforms and have various limitations that can lead to inaccurate matching of devices.
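The four steps described above, worked through as an added Python example that is not part of the patent text. The linear decay model, the 0.5 online threshold, Jaccard similarity standing in for the unspecified machine learning comparison, the score and margin cut-offs, the platform names `edr` and `mdm`, their sync intervals, and all agent records are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

START = datetime(2024, 1, 1)  # constructed two-week window starting on a Monday
POLLS = [START + timedelta(hours=h) for h in range(24 * 14)]  # step (a): hourly queries
# Assumed sync intervals; the page only says they range from seconds to 4 hours.
INTERVALS = {"edr": timedelta(minutes=30), "mdm": timedelta(hours=2)}


def online_probability(query_time, last_sync, interval):
    """Step (b). Assumed model: 1.0 up to one sync interval old, falling linearly to 0.0 at two."""
    if last_sync is None:
        return 0.0
    age = (query_time - last_sync) / interval  # age in units of the platform's sync interval
    return max(0.0, min(1.0, 2.0 - age))


def build_fingerprints(records, threshold=0.5):
    """Step (c): (platform, agent_id) -> set of query times at which the device is inferred online."""
    prints = {}
    for platform, agent_id, query_time, last_sync in records:
        slots = prints.setdefault((platform, agent_id), set())
        if online_probability(query_time, last_sync, INTERVALS[platform]) >= threshold:
            slots.add(query_time)
    return prints


def similarity(a, b):
    """Jaccard overlap of online slots (assumed metric). Shared offline time is ignored,
    otherwise every pair of mostly-off devices would look alike."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def match_agents(prints, left, right, min_score=0.6, min_margin=0.15):
    """Step (d): pair each `left` agent with its best `right` candidate, but only when the
    score is high and clearly ahead of the runner-up. Returns (matches, unmatched)."""
    rights = {aid: fp for (p, aid), fp in prints.items() if p == right}
    matches, unmatched = {}, []
    for (p, aid), fp in sorted(prints.items()):
        if p != left:
            continue
        scored = sorted(((similarity(fp, rfp), rid) for rid, rfp in rights.items()), reverse=True)
        best, rid = scored[0] if scored else (0.0, None)
        runner_up = scored[1][0] if len(scored) > 1 else 0.0
        if best >= min_score and best - runner_up >= min_margin:
            matches[aid] = rid
        else:
            unmatched.append(aid)
    return matches, unmatched


def simulate(platform, agent_id, is_online, step=timedelta(minutes=30)):
    """Constructed data: the agent syncs on its interval while the device is on, and the
    platform is queried hourly for (platform, agent_id, query_time, last_sync)."""
    records, last_sync, t = [], None, START
    while t <= POLLS[-1]:
        if is_online(t) and (t - START) % INTERVALS[platform] == timedelta(0):
            last_sync = t
        if t.minute == 0:
            records.append((platform, agent_id, t, last_sync))
        t += step
    return records


def demo():
    office = lambda t: t.weekday() < 5 and 9 <= t.hour < 17  # weekday laptop
    evening = lambda t: 18 <= t.hour < 23                     # evening-only machine
    always = lambda t: True                                   # two always-on servers
    night = lambda t: t.hour < 6                              # device with no mdm agent
    records = []
    for agent_id, pattern in [("E1", office), ("E2", evening), ("E3", always),
                              ("E4", always), ("E5", night)]:
        records += simulate("edr", agent_id, pattern)
    for agent_id, pattern in [("M1", office), ("M2", evening), ("M3", always), ("M4", always)]:
        records += simulate("mdm", agent_id, pattern)
    return match_agents(build_fingerprints(records), "edr", "mdm")


if __name__ == "__main__":
    matches, unmatched = demo()
    print("matched:", matches)
    print("needs another identifier or investigation:", unmatched)
```

The two always-on servers (E3, E4) produce identical fingerprints and are left unmatched rather than paired arbitrarily, as is E5, whose device has no counterpart on the second platform. Agents in that list need a second identifier or manual investigation.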
The method may include assigning a unique identifier to each agent, and aggregating the unique identifiers for multiple agents which are deduced to refer to the same linked device. This allows for the online status of devices to be deduced using time-based synchronization patterns.
In some embodiments, the method involves assigning a unique identifier to each agent. The unique identifiers of multiple agents that are deduced, based on the comparison of their time fingerprints, to refer to the same linked device are then aggregated.
Advantageously, this method allows for the accurate identification of devices across an organization, even when the devices are reported by different management platforms. By assigning a unique identifier to each agent and aggregating the unique identifiers for multiple agents that are deduced to refer to the same linked device, the method provides a more accurate inventory of devices within an organization. This method also overcomes the limitations of other properties such as name, MAC address, IP address, and serial number, which are not universally reported across platforms and have various limitations that can lead to inaccurate matching of devices.
The method may include steps such as collecting data from agents, analysing the data, and deducing the online status of devices. Additionally, the unique identifier of each agent is stored in an inventory hosted by the management platform.
In some embodiments, the method involves collecting data from agents, analysing the data, and deducing the online status of devices based on the time fingerprints. The unique identifier of each agent is stored in an inventory hosted by the management platform, which is updated frequently to reflect the most recent synchronization times of the agents.
Advantageously, this method allows for the accurate tracking of the online status of devices across an organization. By storing the unique identifier of each agent in an inventory hosted by the management platform, the method provides a more accurate inventory of devices within an organization. This method also overcomes the limitations of other properties such as name, MAC address, IP address, and serial number, which are not universally reported across platforms and have various limitations that can lead to inaccurate matching of devices.
The method may include identifying each agent deployed to the linked device and identifying any agents that have not been deployed or have ceased functioning. Additionally, the method further comprises deducing the online status of devices using time-based synchronization patterns.
In some embodiments, the method involves identifying each agent deployed to the linked device and identifying any agents that have not been deployed. The online status of devices is deduced using time-based synchronization patterns, which are constructed based on the last synchronization time of the agent with the management platform.
Advantageously, this method allows for the accurate tracking of the deployment status of agents across an organization. By identifying each agent deployed to the linked device, and identifying any agents that have not been deployed, the method provides a more accurate inventory of devices within an organization. This method also overcomes the limitations of other properties such as name, MAC address, IP address, and serial number, which are not universally reported across platforms and have various limitations that can lead to inaccurate matching of devices.
The method may include steps for deducing the online status of devices using time-based synchronization patterns. Additionally, the method further comprises generating for display on a network diagram the unique identifier for each device.
In some embodiments, the method involves deducing the online status of devices using time-based synchronization patterns and generating for display on a network diagram the unique identifier for each device. The network diagram provides a visual representation of the online status of devices across an organization.
Advantageously, this method allows for the visual tracking of the online status of devices across an organization. By generating for display on a network diagram the unique identifier for each device, the method provides a more accurate inventory of devices within an organization. This method also overcomes the limitations of other properties such as name, MAC address, IP address, and serial number, which are not universally reported across platforms and have various limitations that can lead to inaccurate matching of devices.
Figure 2 illustratively shows two separate time fingerprints as derived from embodiments of the invention.
The invention may further comprise a system for deducing the online status of devices using time-based synchronization patterns according to the present disclosure. The system comprises a querying module, an inference module, a visualization module, and a machine learning module. The querying module is adapted to extract records of individual agents, wherein each record may include a unique identifier for the agent, the device name, and the last synchronisation time of the agent with its associated platform. The inference module is adapted to assess, probabilistically, based on the recentness of the last synchronization relative to the query time, if an agent's linked device was online. The visualization module is constructed to craft a time fingerprint for each agent of a management platform, illustrating online activity over time. Lastly, the machine learning module is adapted to contrast time fingerprints amidst agents and across management platforms; and compare time fingerprints to probabilistically determine if multiple time fingerprints have arisen from the same device.
In some embodiments, the querying module is designed to interact with the API of each management platform, extracting records for every agent. This process is performed frequently to ensure the most recent data is captured, and to increase the resolution of the time fingerprint to improve matching accuracy. The records extracted include a unique identifier for the agent, the device name, and the last synchronisation time of the agent with its associated platform. This information is crucial in assessing the online status of the device. The querying module is designed to handle the varying properties reported by different platforms, focusing on the universally reported properties such as the unique identifier and the last synchronisation time.
Advantageously, the querying module allows for a comprehensive and up-to-date inventory of devices across an organization. By focusing on universally reported properties, the querying module overcomes the limitations of other properties such as name, MAC address, IP address, and serial number, which are not universally reported across platforms and have various limitations that can lead to inaccurate matching of devices.
The inference module, in some embodiments, is designed to assess the probability of a device being online based on the recentness of the last synchronization relative to the query time. This assessment is made from the perspective of each platform, considering the varying synchronization intervals of different platforms, which typically range from seconds to 4 hours.
Advantageously, the inference module provides a probabilistic assessment of the online status of devices, overcoming the limitations of direct determination. By considering the recentness of the last synchronization, the inference module provides a more accurate assessment of the online status of devices, crucial for managing and protecting devices across an organization.
In some embodiments, the visualization module is designed to construct a time fingerprint for each agent of a management platform. The time fingerprint is a graph showing whether the agent is reporting that the device is online or not, with time along the x-axis and a Boolean property, online status, on the y-axis. The time fingerprint is constructed over a long period, such as a month, to accumulate sufficient data on the time-based synchronization patterns of the linked devices.
Advantageously, the visualization module provides a visual representation of the online status of devices over a specified time frame. The time fingerprint overcomes the limitations of other properties such as name, MAC address, IP address, and serial number, which are not universally reported across platforms and have various limitations that can lead to inaccurate matching of devices.
In some embodiments, the machine learning module is designed to compare time fingerprints amidst agents and across management platforms. Using machine learning techniques, the module can infer whether any two records are likely, or unlikely, to have originated from the same device.
Advantageously, the machine learning module provides a sophisticated method of matching devices, free from the limitations of other properties. By comparing time fingerprints, the module can probabilistically determine if multiple time fingerprints have arisen from the same device, thereby providing a more accurate inventory of devices within an organization.
Using the time fingerprint graph, a probability algorithm calculates the likelihood of the device being "on" or "off" at any given time. This algorithm considers factors like the frequency, duration, and intensity of the activity peaks, as well as patterns in the data (e.g., recurring daily activity at specific times). For ease of interpretation, the probability values can be visualized on a heatmap overlaying the time fingerprint graph. Warm colours (e.g., red) indicate high probabilities of the device being "on", while cooler colours (e.g., blue) suggest low probabilities.
Where multiple devices have the same name, or when different agents report on the same device, it can be incredibly difficult to determine which devices are actively connected to a network. On the left-hand side, it can be seen that several devices are being reported multiple times using the identifiers LAPTOP-01, LAPTOP08-1, and LAPTOP08-2. It is not possible to determine if these are separate devices with the same name or if they represent the same device being reported multiple times. On the right-hand side, the devices have been assessed with duplicate entries being merged where appropriate and new identifiers assigned where multiple devices are being reported on.
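The query, inference, fingerprint and comparison steps described above can be sketched end to end. This is an added example, not code from the patent: the linear decay model, the Jaccard overlap used in place of the machine learning comparison, the thresholds, the agent identifiers and the simulated poll records are all assumptions constructed for illustration.

```python
from datetime import datetime, timedelta
from itertools import combinations

# Assumed per-platform sync intervals (the text gives a range of seconds to 4 hours).
SYNC_INTERVAL = {"edr": timedelta(minutes=5), "mdm": timedelta(hours=1)}

def online_probability(query_time, last_sync, interval):
    """Assumed model: 1.0 within one sync interval, falling linearly to 0 at two."""
    age = (query_time - last_sync) / interval
    return max(0.0, min(1.0, 2.0 - age))

def fingerprint(polls, interval, threshold=0.5):
    """polls: [(query_time, last_sync)] -> {query_time: inferred online?}"""
    return {q: online_probability(q, s, interval) >= threshold for q, s in polls}

def similarity(fp_a, fp_b):
    """Jaccard overlap of 'online' slots on shared query times (stand-in for ML)."""
    shared = fp_a.keys() & fp_b.keys()
    both = sum(fp_a[t] and fp_b[t] for t in shared)
    either = sum(fp_a[t] or fp_b[t] for t in shared)
    return both / either if either else 0.0  # never-online pairs give no evidence

def match_devices(fingerprints, threshold=0.8):
    """Union agents whose fingerprints agree; returns {agent_id: device label}."""
    parent = {a: a for a in fingerprints}
    def find(a):
        while parent[a] != a:
            a = parent[a]
        return a
    for a, b in combinations(sorted(fingerprints), 2):
        if similarity(fingerprints[a], fingerprints[b]) >= threshold:
            parent[find(b)] = find(a)
    roots = sorted({find(a) for a in fingerprints})
    return {a: f"device-{roots.index(find(a)) + 1}" for a in fingerprints}

def simulate_polls(online_hours, interval, start, hours=72):
    """Constructed sample data: hourly (query_time, last_sync) records for one agent."""
    polls, last = [], start - timedelta(days=1)
    for h in range(hours):
        q = start + timedelta(hours=h)
        if h % 24 in online_hours:
            last = q - interval / 4  # agent synced shortly before the query
        polls.append((q, last))
    return polls

START = datetime(2024, 1, 1)
# Constructed agents: two records named LAPTOP-01 on one device, a third on another.
AGENTS = {"edr-001": ("edr", range(9, 17)), "mdm-077": ("mdm", range(9, 17)),
          "edr-002": ("edr", range(13, 22))}
FINGERPRINTS = {a: fingerprint(simulate_polls(h, SYNC_INTERVAL[p], START), SYNC_INTERVAL[p])
                for a, (p, h) in AGENTS.items()}

if __name__ == "__main__":
    print(match_devices(FINGERPRINTS))
```

The slower platform's fingerprint trails the faster one by one poll after the device goes offline, so the two agents on the same device overlap at 24/27 rather than 1.0. Devices that share a schedule also overlap heavily, which is why the text calls for frequent querying and a long accumulation window.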
The foregoing disclosure provides illustration and description but is not intended to be exhaustive or to limit the implementations to the precise form disclosed. Modifications may be made considering the above disclosure or may be acquired from practice of the implementations. As used herein, the term "component" is intended to be broadly construed as hardware, firmware, or a combination of hardware and software. It will be apparent that systems and/or methods described herein may be implemented in different forms of hardware, firmware, and/or a combination of hardware and software. The actual specialized control hardware or software code used to implement these systems and/or methods is not limiting of the implementations. Thus, the operation and behaviour of the systems and/or methods are described herein without reference to specific software code, it being understood that software and hardware can be used to implement the systems and/or methods based on the description herein. As used herein, satisfying a threshold may, depending on the context, refer to a value being greater than the threshold, greater than or equal to the threshold, less than the threshold, less than or equal to the threshold, equal to the threshold, and/or the like, depending on the context. Although combinations of features are recited in the claims and/or disclosed in the specification, these combinations are not intended to limit the disclosure of various implementations. In fact, many of these features may be combined in ways not specifically recited in the claims and/or disclosed in the specification.
Although each dependent claim listed below may directly depend on only one claim, the disclosure of various implementations includes each dependent claim in combination with every other claim in the claim set. No element, act, or instruction used herein should be construed as critical or essential unless explicitly described as such. Also, as used herein, the articles "a" and "an" are intended to include one or more items and may be used interchangeably with "one or more." Further, as used herein, the article "the" is intended to include one or more items referenced in connection with the article "the" and may be used interchangeably with "the one or more." Furthermore, as used herein, the term "set" is intended to include one or more items (e.g., related items, unrelated items, a combination of related and unrelated items, and/or the like), and may be used interchangeably with "one or more." Where only one item is intended, the phrase "only one" or similar language is used. Also, as used herein, the terms "has," "have," "having," or the like are intended to be open-ended terms. Further, the phrase "based on" is intended to mean "based, at least in part, on" unless explicitly stated otherwise. Also, as used herein, the term "or" is intended to be inclusive when used in a series and may be used interchangeably with "and/or," unless explicitly stated otherwise (e.g., if used in combination with "either" or "only one of").
Claims (10)
- 1. A method for matching agents using time-based synchronisation patterns to identify unique devices, the method comprising the steps of: a. querying the API of a management platform to extract records for at least one associated agent, wherein said records comprise: i. a unique identifier for the agent; and ii. the last synchronization time of the agent with the management platform; b. assessing, for the agent, a probability that a linked device was online based on the recentness of the last synchronization relative to the query time; c. constructing a time fingerprint for the agent based on accumulated assessments of online activity over a specified time frame; and d. comparing said time fingerprints to probabilistically determine if multiple device fingerprints originated from the same device.
- 2. A method for matching agents using time-based synchronisation patterns to identify unique devices, wherein the time fingerprint is a graph of time against whether the linked device is inferred to be online or offline.
- 3. A method for matching agents using time-based synchronisation patterns to identify unique devices, wherein the specified time frame is at least one week.
- 4. A method for matching agents using time-based synchronisation patterns to identify unique devices, wherein the management platform comprises a plurality of independent management platforms that are queried individually and an agent is associated with each management platform.
- 5. A method for matching agents using time-based synchronisation patterns to identify unique devices, wherein the method further comprises comparing the time fingerprints of multiple platforms.
- 6. A method for matching agents using time-based synchronisation patterns to identify unique devices, wherein the method further comprises assigning a unique identifier to each agent, and wherein the unique identifiers for multiple agents which are deduced to refer to the same linked device are aggregated.
- 7. A method for matching agents using time-based synchronisation patterns to identify unique devices, wherein the unique identifier of each agent is stored in an inventory hosted by the management platform.
- 8. A method for matching agents using time-based synchronisation patterns to identify unique devices, wherein the method further comprises identifying each agent deployed to the linked device, and identifying any agents that have not been deployed or have ceased functioning.
- 9. A method for matching agents using time-based synchronisation patterns to identify unique devices, wherein the method further comprises generating for display on a network diagram the unique identifier for each device.
- 10. A system for matching agents using time-based synchronisation patterns to identify unique devices, the system comprising: a. a querying module adapted to extract records of individual agents, wherein each record may include a unique identifier for the agent, the device name, and the last synchronisation time of the agent with its associated platform; and store such synchronization times, unique identifiers, and the time the query was executed; b. an inference module adapted to: i. assess, probabilistically, based on the recentness of the last synchronization relative to the query time, if an agent's linked device was online; c. a visualization module constructed to craft a time fingerprint for each agent of a management platform, illustrating online activity over time; d. a machine learning module adapted to: i. contrast time fingerprints amidst agents and across management platforms; and ii. compare time fingerprints to probabilistically determine if multiple time fingerprints have arisen from an identical device.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
GB2317335.4A GB2629040A (en) | 2023-11-13 | 2023-11-13 | Methods and systems for matching agents using time-based synchronisation patterns to identify unique devices |
Publications (2)
Publication Number | Publication Date |
---|---|
GB202317335D0 (en) | 2023-12-27 |
GB2629040A (en) | 2024-10-16 |
Family
ID=89225223
Family Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
GB2317335.4A Pending GB2629040A (en) | 2023-11-13 | 2023-11-13 | Methods and systems for matching agents using time-based synchronisation patterns to identify unique devices |
Country Status (1)
Country | Link |
---|---|
GB (1) | GB2629040A (en) |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20160036663A1 (en) * | 2009-08-14 | 2016-02-04 | Microsoft Technology Licensing, Llc | Methods and computer program products for generating a model of network application health |
US20160241595A1 (en) * | 2015-02-17 | 2016-08-18 | Qualys, Inc. | Advanced asset tracking and correlation |