Rapid7, Inc.
ANOMALOUS ASSET DETECTION BASED ON OPEN PORTS
Abstract:
Disclosed herein are methods, systems, and processes to detect anomalous computing assets based on open ports. Security data associated with computing assets executing in a computing environment is received from an agent executing on the computing assets. Open port information associated with the computing assets is extracted from the security data. The open port information and a list of computing assets with the open port information are used to generate a type similarity model and an open port model. The type similarity model clusters the computing assets, and the open port model determines whether a port associated with a computing asset with the open port information is likely to be open or should be open in the computing environment, permitting detection of anomalous computing assets in the computing environment.
Utility
2 Feb 2022
19 May 2022