Real-time configuration discovery and management

US 10,263,863 B2
Filed: 08/11/2017
Issued: 04/16/2019
Est. Priority Date: 08/11/2017
Status: Active Grant

First Claim

Patent Images

1. A method for monitoring network traffic in a network, wherein one or more processors execute instructions to perform the method, comprising:

employing a network monitoring computer to execute instructions that perform actions, including;

executing a network monitoring engine to perform further actions, including;

passively monitoring the network to collect a plurality of characteristics associated with one or more network flows, wherein an efficiency of the monitoring of network packets corresponding to the one or more network flows is improved by passively monitoring these network flows to avoid decryption of encrypted network packets and foregoing expensive participation in one or more of a deep packet inspection or an associated communication protocol;

identifying one or more entities on the network based on one or more of the plurality of characteristics associated with the one or more network flows; and

providing one or more entity profiles based on the identified entities and the one or more characteristics; and

executing a configuration management engine to perform actions, including;

comparing the one or more entity profiles with one or more configuration item (CI) entries in a database are based on one or more previously identified entities that are included in a particular infrastructure; and

providing one or more discrepancy notices based on differences in the comparison, wherein each discrepancy notice is associated with one or more differences between the one or more entity profiles and corresponding CI entries; and

wherein the network monitoring engine executes one or more policies to perform one or more additional actions based on the one or more discrepancies notices.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Embodiments are directed to monitoring network traffic in a network. A network monitoring engine may monitor networks to collect characteristics associated with network flows. The network monitoring engine may be arranged to identify entities on the network based on characteristics associated with the network flows. The network monitoring engine may provide entity profiles based on the identified entities and the characteristics. A configuration management engine may compare the entity profiles with configuration item (CI) entries in a database. The configuration management engine may provide discrepancy notices based on differences discovered during the comparison. Accordingly, the network monitoring engine may execute one or more policies to perform one or more additional actions based on the one or more discrepancies notices. Also, the configuration management engine may perform audits of an organization'"'"'s information technology infrastructure to identify one or more violations of compliance policies.

Citations

30 Claims

1. A method for monitoring network traffic in a network, wherein one or more processors execute instructions to perform the method, comprising:
- employing a network monitoring computer to execute instructions that perform actions, including;
  
  executing a network monitoring engine to perform further actions, including;
  
  passively monitoring the network to collect a plurality of characteristics associated with one or more network flows, wherein an efficiency of the monitoring of network packets corresponding to the one or more network flows is improved by passively monitoring these network flows to avoid decryption of encrypted network packets and foregoing expensive participation in one or more of a deep packet inspection or an associated communication protocol;
  
  identifying one or more entities on the network based on one or more of the plurality of characteristics associated with the one or more network flows; and
  
  providing one or more entity profiles based on the identified entities and the one or more characteristics; and
  
  executing a configuration management engine to perform actions, including;
  
  comparing the one or more entity profiles with one or more configuration item (CI) entries in a database are based on one or more previously identified entities that are included in a particular infrastructure; and
  
  providing one or more discrepancy notices based on differences in the comparison, wherein each discrepancy notice is associated with one or more differences between the one or more entity profiles and corresponding CI entries; and
  
  wherein the network monitoring engine executes one or more policies to perform one or more additional actions based on the one or more discrepancies notices.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein providing the one or more entity profiles, further comprises:
    - providing one or more device profiles that correspond to one or more network devices that are identified based on the monitoring of the network;
      
      providing one or more application profiles that correspond to one or more applications that are identified based on the monitoring of the network; and
      
      providing the one or more entity profiles based on associating the one or more device profiles with the one or more application profiles.
  - 3. The method of claim 1, wherein comparing the one or more entity profiles with the one or more CI item entries, further comprises:
    - identifying each CI entry in the database that is unassociated with the one or more entity profiles; and
      
      identifying each entity profile that is unassociated with the one or more CI entries.
  - 4. The method of claim 1, wherein identifying the one or more entities, further comprises:
    - employing one or more metrics collected by the network monitoring engine to identify the one or more entities, wherein the one or more collected metrics include number of connections, traffic rate, traffic direction information, duration of connections, security credentials, secure cipher suites used, types of protocols, or errors.
  - 5. The method of claim 1, further comprising, employing the configuration management engine to perform further actions including:
    - performing one or more audits of an organization'"'"'s information technology infrastructure, wherein the one or more audits include one or more of software license audits, device license audits, inventory audits, security audits, or entities relationship audits; and
      
      employing the one or more audits to identify one or more violations of compliance policies.
  - 6. The method claim 1, wherein identifying the one or more entities, further comprises,identifying one or more network devices or one or more network applications based on a network footprint, wherein the network footprint is comprised of one or more metrics collected without having to perform deep inspection of network packets in the one or more network flows.
  - 7. The method of claim 1, wherein monitoring the network, further comprises, passively monitoring network traffic on the network, wherein the network monitoring engine is separate from the one or more identified entities.
  - 8. The method of claim 1, wherein identifying the one or more entities, further comprises:
    - identifying one or more network devices on the network based on their associated network traffic; and
      
      identifying one or more applications on the network based on network traffic associated with the one or more applications.

9. A system for monitoring network traffic in a network:
- one or more network monitoring computers (NMCs), comprising;
  
  a transceiver that communicates over the network;
  
  a memory that stores at least instructions; and
  
  one or more processors that execute instructions that perform actions, including;
  
  executing a network monitoring engine to perform further actions, including;
  
  passively monitoring the network to collect a plurality of characteristics associated with one or more network flows, wherein an efficiency of the monitoring of network packets corresponding to the one or more network flows is improved by passively monitoring these network flows to avoid decryption of encrypted network packets and foregoing expensive participation in one or more of a deep packet inspection or an associated communication protocol;
  
  identifying one or more entities on the network based on one or more of the plurality of characteristics associated with the one or more network flows; and
  
  providing one or more entity profiles based on the identified entities and the one or more characteristics; and
  
  executing a configuration management engine to perform actions, including;
  
  comparing the one or more entity profiles with one or more configuration item (CI) entries in a database are based on one or more previously identified entities that are included in a particular infrastructure; and
  
  providing one or more discrepancy notices based on differences in the comparison, wherein each discrepancy notice is associated with one or more differences between the one or more entity profiles and corresponding CI entries; and
  
  wherein the network monitoring engine executes one or more policies to perform one or more additional actions based on the one or more discrepancies notices; and
  
  one or more client computers, comprising;
  
  a transceiver that communicates over the network;
  
  a memory that stores at least instructions; and
  
  one or more processors that execute instructions that perform actions, including;
  
  providing one or more portions of the one or more network flows.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The system of claim 9, wherein providing the one or more entity profiles, further comprises:
    - providing one or more device profiles that correspond to one or more network devices that are identified based on the monitoring of the network;
      
      providing one or more application profiles that correspond to one or more applications that re identified based on the monitoring of the network; and
      
      providing the one or more entity profiles based on associating the one or more device profiles with the one or more application profiles.
  - 11. The system of claim 9, wherein comparing the one or more entity profiles with the one or more CI item entries, further comprises:
    - identifying each CI entry in the database that is unassociated with the one or more entity profiles; and
      
      identifying each entity profile that is unassociated with the one or more CI entries.
  - 12. The system of claim 9, wherein identifying the one or more entities, further comprises:
    - employing one or more metrics collected by the network monitoring engine to identify the one or more entities, wherein the one or more collected metrics include number of connections, traffic rate, traffic direction information, duration of connections, security credentials, secure cipher suites used, types of protocols, or errors.
  - 13. The system of claim 9, further comprising, employing the configuration management engine to perform further actions including:
    - performing one or more audits of an organization'"'"'s information technology infrastructure, wherein the one or more audits include one or more of software license audits, device license audits, inventory audits, security audits, or entities relationship audits; and
      
      employing the one or more audits to identify one or more violations of compliance policies.
  - 14. The system of claim 9, wherein identifying the one or more entities, further comprises,identifying one or more network devices or one or more network applications based on a network footprint, wherein the network footprint is comprised of one or more metrics collected without having to perform deep inspection of network packets in the one or more network flows.
  - 15. The system of claim 9, wherein monitoring the network, further comprises, passively monitoring network traffic on the network, wherein the network monitoring engine is separate from the one or more identified entities.
  - 16. The system of claim 9, wherein identifying the one or more entities, further comprises:
    - identifying one or more network devices on the network based on their associated network traffic; and
      
      identifying one or more applications on the network based on network traffic associated with the one or more applications.

17. A processor readable non-transitory storage media that includes instructions for monitoring network traffic over a network between one or more computers, wherein execution of the instructions by one or more processors on one or more network monitoring computers (NMCs) performs actions, comprising:
- executing a network monitoring engine to perform further actions, including;
  
  passively monitoring the network to collect a plurality of characteristics associated with one or more network flows, wherein an efficiency of the monitoring of network packets corresponding to the one or more network flows is improved by passively monitoring these network flows to avoid decryption of encrypted network packets and foregoing expensive participation in one or more of a deep packet inspection or an associated communication protocol;
  
  identifying one or more entities on the network based on one or more of the plurality of characteristics associated with the one or more network flows; and
  
  providing one or more entity profiles based on the identified entities and the one or more characteristics; and
  
  executing a configuration management engine to perform actions, including;
  
  comparing the one or more entity profiles with one or more configuration item (CI) entries in a database are based on one or more previously identified entities that are included in a particular infrastructure; and
  
  providing one or more discrepancy notices based on differences in the comparison, wherein each discrepancy notice is associated with one or more differences between the one or more entity profiles and corresponding CI entries; and
  
  wherein the network monitoring engine executes one or more policies to perform one or more additional actions based on the one or more discrepancies notices.
- View Dependent Claims (18, 19, 20, 21, 22, 23)
- - 18. The media of claim 17, wherein providing the one or more entity profiles, further comprises:
    - providing one or more device profiles that correspond to one or more network devices that are identified based on the monitoring of the network;
      
      providing one or more application profiles that correspond to one or more applications that are identified based on the monitoring of the network; and
      
      providing the one or more entity profiles based on associating the one or more device profiles with the one or more application profiles.
  - 19. The media of claim 17, wherein comparing the one or more entity profiles with the one or more CI item entries, further comprises:
    - identifying each CI entry in the database that is unassociated with the one or more entity profiles; and
      
      identifying each entity profile that is unassociated with the one or more CI entries.
  - 20. The media of claim 17, wherein identifying the one or more entities, further comprises:
    - employing one or more metrics collected by the network monitoring engine to identify the one or more entities, wherein the one or more collected metrics include number of connections, traffic rate, traffic direction information, duration of connections, security credentials, secure cipher suites used, types of protocols, or errors.
  - 21. The media of claim 17, further comprising, employing the configuration management engine to perform further actions including:
    - performing one or more audits of an organization'"'"'s information technology infrastructure, wherein the one or more audits include one or more of software license audits, device license audits, inventory audits, security audits, or entities relationship audits; and
      
      employing the one or more audits to identify one or more violations of compliance policies.
  - 22. The media of claim 17, wherein identifying the one or more entities, further comprises,identifying one or more network devices or one or more network applications based on a network footprint, wherein the network footprint is comprised of one or more metrics collected without having to perform deep inspection of network packets in the one or more network flows.
  - 23. The media of claim 17, wherein monitoring the network, further comprises, passively monitoring network traffic on the network, wherein the network monitoring engine is separate from the one or more identified entities.

24. A network monitoring computer (NMC) for monitoring communication over a network between one or more computers, comprising:
- a transceiver that communicates over the network;
  
  a memory that stores at least instructions; and
  
  one or more processors that execute instructions that perform actions, including;
  
  executing a network monitoring engine to perform further actions, including;
  
  passively monitoring the network to collect a plurality of characteristics associated with one or more network flows, wherein an efficiency of the monitoring of network packets corresponding to the one or more network flows is improved by passively monitoring these network flows to avoid decryption of encrypted network packets and foregoing expensive participation in one or more of a deep packet inspection or an associated communication protocol;
  
  identifying one or more entities on the network based on one or more of the plurality of characteristics associated with the one or more network flows; and
  
  providing one or more entity profiles based on the identified entities and the one or more characteristics; and
  
  executing a configuration management engine to perform actions, including;
  
  comparing the one or more entity profiles with one or more configuration item (CI) entries in a database are based on one or more previously identified entities that are included in a particular infrastructure; and
  
  providing one or more discrepancy notices based on differences in the comparison, wherein each discrepancy notice is associated with one or more differences between the one or more entity profiles and corresponding CI entries; and
  
  wherein the network monitoring engine executes one or more policies to perform one or more additional actions based on the one or more discrepancies notices.
- View Dependent Claims (25, 26, 27, 28, 29, 30)
- - 25. The network monitoring computer of claim 24, wherein providing the one or more entity profiles, further comprises:
    - providing one or more device profiles that correspond to one or more network devices that are identified based on the monitoring of the network;
      
      providing one or more application profiles that correspond to one or more applications that are identified based on the monitoring of the network; and
      
      providing the one or more entity profiles based on associating the one or more device profiles with the one or more application profiles.
  - 26. The network monitoring computer of claim 24, wherein comparing the one or more entity profiles with the one or more CI item entries, further comprises:
    - identifying each CI entry in the database that is unassociated with the one or more entity profiles; and
      
      identifying each entity profile that is unassociated with the one or more CI entries.
  - 27. The network monitoring computer of claim 24, wherein identifying the one or more entities, further comprises:
    - employing one or more metrics collected by the network monitoring engine to identify the one or more entities, wherein the one or more collected metrics include number of connections, traffic rate, traffic direction information, duration of connections, security credentials, secure cipher suites used, types of protocols, or errors.
  - 28. The network monitoring computer of claim 24, further comprising, employing the configuration management engine to perform further actions including:
    - performing one or more audits of an organization'"'"'s information technology infrastructure, wherein the one or more audits include one or more of software license audits, device license audits, inventory audits, security audits, or entities relationship audits; and
      
      employing the one or more audits to identify one or more violations of compliance policies.
  - 29. The network monitoring computer of claim 24, wherein identifying the one or more entities, further comprises,identifying one or more network devices or one or more network applications based on a network footprint, wherein the network footprint is comprised of one or more metrics collected without having to perform deep inspection of network packets in the one or more network flows.
  - 30. The network monitoring computer of claim 24, wherein monitoring the network, further comprises, passively monitoring network traffic on the network, wherein the network monitoring engine is separate from the one or more identified entities.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
ExtraHop Networks, Incorporated
Original Assignee
ExtraHop Networks, Incorporated, Reel/Frame 043271/0705
Inventors
Mukerji, Arindum, Fry, Jeffery Bradford
Primary Examiner(s)
Kim, Hee Soo

Application Number

US15/675,216
Publication Number

US 20190052554A1
Time in Patent Office

613 Days
Field of Search

709224
US Class Current
CPC Class Codes

H04L 41/0813   characterised by the condit...

H04L 41/0853   by actively collecting conf...

H04L 41/0869   Validating the configuratio...

H04L 41/0873   Checking configuration conf...

H04L 41/0893   Assignment of logical group...

H04L 41/0894   Policy-based network config...

H04L 41/12   Discovery or management of ...

H04L 43/026   using flow identification

H04L 43/04   Processing captured monitor...

H04L 43/06   Generation of reports

H04L 43/08   Monitoring or testing based...

H04L 63/102   Entity profiles

H04L 63/1408   by monitoring network traff...

H04L 67/51   Discovery or management the...

Real-time configuration discovery and management

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

Real-time configuration discovery and management

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links