System and method for automatic service discovery and protection

US 10,594,677 B2
Filed: 02/14/2018
Issued: 03/17/2020
Est. Priority Date: 03/23/2015
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for discovering unknown services operating on a network and securing the network, the method comprising:

collecting known service characterization data comprising characteristics of known services operating on the network, wherein known services include services identified as having an associated service identification that is known to the network;

detecting one or more unknown services operating on the network, wherein unknown services include services without a service identification that is known to the network; and

for each of the one or more detected unknown services;

in response to detecting the unknown service operating on the network, collecting unknown service characterization data comprising characteristics of the detected unknown service operating on the network;

analyzing the unknown service characterization data based on a set of expected characteristics for the unknown service, wherein analyzing the unknown service characterization data includes evaluating the unknown service characterization data using a machine learning model trained on at least the set of expected characteristics for the unknown service as a training set;

generating a service identity probability value for the unknown service based on the analysis of the unknown service characterization data, wherein the service identity probability value indicates a likelihood that an unknown service to the network has a service identification that is known to the network; and

in response to identifying the service identity probability value for the unknown service, applying a security measure to the unknown service based at least in part on the service identity probability value generated for the unknown service and at least one particular associated service identification that is known to the network, wherein the security measure comprises at least generating one or more security recommendations for the unknown service based at least on;

the unknown service characterization data, a security measure required to be implemented by at least one service having the at least one particular associated service identification that is known to the network for the at least one service to continue operating on the network or for accessing the network at a future time, and a determination of whether the one or more security recommendations can be implemented with the unknown service.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system for automatically discovering services operating on a network including a service discovery database configured to store expected service behavioral characteristics and service identities of the services operating on the network, a set of service discovery modules configured to collect service behavioral data of the services operating on the network, and a service discovery module controller communicatively coupled to the service discovery module database and the set of service discovery modules, the service discovery module controller configured to generate service behavioral characteristics from the service behavioral data, analyze the service behavioral characteristics using the expected service behavioral characteristics, resulting in a first behavioral analysis, identify a first service identity of at least one service operating on the network from the first behavioral analysis and an association of the first service identity and the expected service behavioral characteristics.

Citations

20 Claims

1. A computer-implemented method for discovering unknown services operating on a network and securing the network, the method comprising:
- collecting known service characterization data comprising characteristics of known services operating on the network, wherein known services include services identified as having an associated service identification that is known to the network;
  
  detecting one or more unknown services operating on the network, wherein unknown services include services without a service identification that is known to the network; and
  
  for each of the one or more detected unknown services;
  
  in response to detecting the unknown service operating on the network, collecting unknown service characterization data comprising characteristics of the detected unknown service operating on the network;
  
  analyzing the unknown service characterization data based on a set of expected characteristics for the unknown service, wherein analyzing the unknown service characterization data includes evaluating the unknown service characterization data using a machine learning model trained on at least the set of expected characteristics for the unknown service as a training set;
  
  generating a service identity probability value for the unknown service based on the analysis of the unknown service characterization data, wherein the service identity probability value indicates a likelihood that an unknown service to the network has a service identification that is known to the network; and
  
  in response to identifying the service identity probability value for the unknown service, applying a security measure to the unknown service based at least in part on the service identity probability value generated for the unknown service and at least one particular associated service identification that is known to the network, wherein the security measure comprises at least generating one or more security recommendations for the unknown service based at least on;
  
  the unknown service characterization data, a security measure required to be implemented by at least one service having the at least one particular associated service identification that is known to the network for the at least one service to continue operating on the network or for accessing the network at a future time, and a determination of whether the one or more security recommendations can be implemented with the unknown service.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The method of claim 1, wherein:
    - the security measure comprises at least requiring that the unknown service implements multi-factor authentication to continue operating on the network or for accessing the network at a future time.
  - 3. The method of claim 1, wherein generating the service identity probability value includes:
    - determining a similarity score between each of the one or more unknown services operating on the network and the known service characterization data.
  - 4. The method of claim 1, wherein collecting unknown service characterization data includes:
    - generating a list of hostnames for each of the one or more unknown services based on a domain name associated with each of the one or more unknown services, wherein generating the list of hostnames includes modifying the domain name;
      
      submitting one or more queries to a DNS server with each hostname within the list of hostnames; and
      
      collecting responses to the one or more queries to the DNS server.
  - 5. The method of claim 4, wherein:
    - generating the service identity probability value for each of the one or more unknown services is based on the collected response to the one or more queries to the DNS server.
  - 6. The method of claim 1, wherein collecting unknown service characterization data includes:
    - monitoring authentication attempts to an identity provider by the one or more unknown services; and
      
      collecting data associated with the authentication attempts.
  - 7. The method of claim 1, wherein collecting unknown service characterization data includes:
    - monitoring authentication attempts to an identity provider by the one or more unknown services; and
      
      collecting data associated with failed authentication attempts to the identity provider.
  - 8. The method of claim 6, wherein:
    - generating the service identity probability value for each of the one or more unknown services is based on the collected data associated with the authentication attempts by the one or more unknown services.
  - 9. The method of claim 1, wherein collecting unknown service characterization data includes:
    - monitoring network traffic characteristics of the one or more unknown services; and
      
      collecting data associated with the network traffic characteristics.
  - 10. The method of claim 9, wherein:
    - generating the service identity probability value for each of the one or more unknown services is based on the collected data associated with the network traffic characteristics of the one or more unknown services.
  - 11. The method of claim 1, wherein collecting unknown service characterization data includes:
    - submitting one or more HTTP request probes to a resolved IP address of the one or more unknown services operating on the network;
      
      collecting responses to the one or more HTTP request probes.
  - 12. The method of claim 11, wherein:
    - generating the service identity probability value for each of the one or more unknown services is based on the collected response to the one or more HTTP request probes to the one or more unknown services.
  - 13. The method of claim 10, wherein collecting data associated with the network traffic characteristics includes:
    - generating a log of network traffic data associated with the network traffic, wherein the network traffic data comprises at least two of;
      
      packet source, packet destination, packet content, and transmission time.
  - 14. The method of claim 10, wherein collecting data associated with the network traffic characteristics includes:
    - collecting data associated with a bandwidth usage of each of the one or more unknown services operating on the network.

15. One or more non-transitory computer readable storage media encoded with instructions that, when executed by a processor, cause the processor to perform a method, the method comprising:
- collecting known service characterization data comprising characteristics of known services operating on a network, wherein known services include services identified as having an associated service identification that is known to the network;
  
  detecting one or more unknown services operating on the network, wherein unknown services include services without a service identification that is known to the network; and
  
  for each of the one or more detected unknown services;
  
  in response to detecting the unknown service operating on the network, collecting unknown service characterization data comprising characteristics of the detected unknown service operating on the network;
  
  analyzing the unknown service characterization data based on a set of expected characteristics for the unknown service, wherein analyzing the unknown service characterization data includes evaluating the unknown service characterization data using a machine learning model trained on at least the set of expected characteristics for the unknown service as a training set;
  
  generating a service identity probability value for the unknown service based on the analysis of the unknown service characterization data, wherein the service identity probability value indicates a likelihood that an unknown service to the network has a service identification that is known to the network; and
  
  in response to identifying the service identity probability value for the unknown service, applying a security measure to the unknown service based at least in part on the service identity probability value generated for the unknown service and at least one particular associated service identification that is known to the network, wherein the security measure comprises at least generating one or more security recommendations for the unknown service based at least on;
  
  the unknown service characterization data, a security measure required to be implemented by at least one service having the at least one particular associated service identification that is known to the network for the at least one service to continue operating on the network or for accessing the network at a future time, and a determination of whether the one or more security recommendations can be implemented with the unknown service.
- View Dependent Claims (16, 17)
- - 16. The non-transitory computer readable storage media of claim 15, wherein the security measure comprises at least requiring that the unknown service implements multi-factor authentication to continue operating on the network or for accessing the network at a future time.
  - 17. The non-transitory computer readable storage media of claim 15, wherein the method further comprises:
    - determining a similarity score between each of the one or more unknown services operating on the network and the known service characterization data.

18. A system for automatically discovering unknown services operating on a network and securing the network, the system comprising:
- one or more computer processors;
  
  a system controller comprising a non-transitory computer-readable storage medium comprising instructions that, when executed by the one or more computer processors, cause the system controller to perform operations including;
  
  collecting known service characterization data comprising characteristics of known services operating on the network, wherein known services include services identified as having an associated service identification that is known to the network;
  
  detecting one or more unknown services operating on the network, wherein unknown services include services without a service identification that is known to the network; and
  
  for each of the one or more detected unknown services;
  
  in response to detecting the unknown service operating on the network, collecting unknown service characterization data comprising characteristics of the detected unknown service operating on the network;
  
  analyzing the unknown service characterization data based on a set of expected characteristics for the unknown service, wherein analyzing the unknown service characterization data includes evaluating the unknown service characterization data using a machine learning model trained on at least the set of expected characteristics for the unknown service as a training set;
  
  generating a service identity probability value for the unknown service based on the analysis of the unknown service characterization data, wherein the service identity probability value indicates a likelihood that an unknown service to the network has a service identification that is known to the network; and
  
  in response to identifying the service identity probability value for the unknown service, applying a security measure to the unknown service based at least in part on the service identity probability value generated for the unknown service and at least one particular associated service identification that is known to the network, wherein the security measure comprises at least generating one or more security recommendations for the unknown service based at least on;
  
  the unknown service characterization data, a security measure required to be implemented by at least one service having the at least one particular associated service identification that is known to the network for the at least one service to continue operating on the network or for accessing the network at a future time, and a determination of whether the one or more security recommendations can be implemented with the unknown service.
- View Dependent Claims (19, 20)
- - 19. The system of claim 18, wherein the security measure comprises at least requiring that the unknown service implements multi-factor authentication to continue operating on the network or for accessing the network at a future time.
  - 20. The system of claim 18, wherein the instructions further cause the system controller to determine a similarity score between each of the one or more unknown services operating on the network and the known service characterization data.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Duo Security Incorporated (Cisco Systems, Inc.)
Inventors
Oberheide, Jon, Song, Dug
Primary Examiner(s)
Kim, Jung W
Assistant Examiner(s)
Stoica, Adrian

Application Number

US15/896,327
Publication Number

US 20180176205A1
Time in Patent Office

762 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/6281   at program execution time, ...

G06F 2221/2101   Auditing as a secondary aspect

G06F 9/00   Arrangements for program co...

H04L 61/4511   using domain name system [DNS]

H04L 61/4541   Directories for service dis...

H04L 63/0272   Virtual private networks

H04L 63/029   Firewall traversal, e.g. tu...

H04L 63/08   for authentication of entit...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 67/02   based on web technology, e....

H04L 67/51   Discovery or management the...

System and method for automatic service discovery and protection

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for automatic service discovery and protection

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links