Network devices may receive a Transport Control Protocol (TCP) segment from a user device. The TCP segment includes a TCP header and a payload, and the payload includes either a Hypertext Transfer Protocol (HTTP) plaintext message or a Secure HTTP (HTTPS) encrypted message. The network devices may extract a TCP Synchronization (SYN) signature from the TCP header and determine whether the payload of the TCP segment includes a HTTP plaintext message or a HTTPS encrypted message. When the payload includes a HTTP plaintext message, the network devices may extract contents of a HTTP User-Agent field from the HTTP plaintext message, determine a device type identifier (ID) and a category ID based on the extracted contents, and update a plurality of device signatures based on the TCP signature, the device type ID, and the category ID.