Network port profiling
Abstract
A port profiling system detects unauthorized network usage. The port profiling system analyzes network communications to determine the service ports being used. The system collects flow data from packet headers between two hosts or Internet Protocol (IP) addresses. The collected flow data is analyzed to determine the associated network service provided. A host data structure is maintained containing a profile of the network services normally associated with the host. If the observed network service is not one of the normal network services performed as defined by the port profile for that host, an alarm signal is generated and action can be taken based upon the detection of an Out of Profile network service. An Out of Profile operation can indicate the operation of a Trojan Horse program on the host, or the existence of a non-approved network application that has been installed.
22 Claims
1. A method for determining unauthorized network usage, comprising the steps of:
capturing packet header information from communications on a network;
determining valid connections or data flows;
determining hosts on the network that act as a client and server for each valid connection or data flow; and
determining network services being used by every host in a predefined group of hosts.
(Dependent claims: 2, 3, 4, 5, 6, 7, 8)
9. A method for determining unauthorized network usage, comprising the steps of:
capturing packet header information from communications on a network;
determining hosts on the network that act as a client and server for each valid connection or data flow;
determining network services being used by every host in a predefined group of hosts; and
generating an alarm upon an observed network service not being included in an allowed network service profile.
10. A method for determining unauthorized network usage, comprising the steps of:
capturing packet header information from communications on a network;
determining valid connections or data flows;
storing an allowed network service port profile for each host in a predefined host group;
determining observed network service port numbers being used by every host in the predefined host group for each valid connection or data flow;
comparing the allowed network service port profile with observed network service port numbers; and
generating an alarm when the observed network service port number is not included in the allowed network service port profile.
(Dependent claims: 11, 12, 13, 14, 15, 16, 18, 19, 20, 21, 22)
17. A system for determining unauthorized network usage, comprising:
a monitoring device operable to observe communication packets on a network;
a computer system operable to capture packet header information from observed communication packets;
the computer system operable to determine valid connections or data flows;
the computer system operable to determine hosts on the network that act as a client and server for each valid connection or data flow;
the computer system operable to determine network services being used; and
the computer system operable to generate an alarm when an observed network service is not an allowed network service.
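As an added illustration of the detection the claims describe (example code written for this page, not from the patent or its assignee), the following Python builds each host's observed service set from constructed flow records, restricts the check to a predefined host group, and raises an alarm for every valid flow in which a group host serves a port outside its allowed profile. The lower-port client/server heuristic, the `established` flag used as the "valid connection" test, and all addresses and profiles are assumptions.

```python
from collections import defaultdict

# Constructed flow records taken from packet headers:
# (src_ip, src_port, dst_ip, dst_port, proto, established). `established` stands
# in for the "valid connection" test; half-open probes do not count as service use.
FLOWS = [
    ("10.0.0.5",  51234, "10.0.0.10", 80,    "tcp", True),
    ("10.0.0.6",  51235, "10.0.0.10", 443,   "tcp", True),
    ("10.0.0.7",  40000, "10.0.0.10", 31337, "tcp", True),   # not in .10's profile
    ("10.0.0.7",  40001, "10.0.0.10", 8080,  "tcp", False),  # unanswered probe, ignored
    ("10.0.0.10", 33000, "10.0.0.20", 53,    "udp", True),   # .10 is the client here
    ("10.0.0.5",  51236, "10.0.0.20", 22,    "tcp", True),   # .20 serving SSH, not allowed
]

# Allowed port profile for the predefined host group (hypothetical values).
ALLOWED_PROFILE = {
    "10.0.0.10": {("tcp", 80), ("tcp", 443)},
    "10.0.0.20": {("udp", 53)},
}

def server_side(flow):
    """Return (server_ip, server_port, proto, client_ip). Assumption: the endpoint
    with the lower port is the server, since clients use high ephemeral ports."""
    src, sport, dst, dport, proto, _ = flow
    if dport <= sport:
        return dst, dport, proto, src
    return src, sport, proto, dst

def observed_services(flows):
    """Map each host to the (proto, port) services it served over valid flows."""
    seen = defaultdict(set)
    for flow in flows:
        if flow[5]:
            host, port, proto, _ = server_side(flow)
            seen[host].add((proto, port))
    return dict(seen)

def out_of_profile(flows, allowed):
    """Alarm (host, proto, port, client) for each valid flow where a host in the
    monitored group serves a port outside its profile; other hosts are not checked."""
    alarms = []
    for flow in flows:
        if not flow[5]:
            continue
        host, port, proto, client = server_side(flow)
        if host in allowed and (proto, port) not in allowed[host]:
            alarms.append((host, proto, port, client))
    return alarms
```

In practice the observed set from a learning period would seed the allowed profile, and the alarm tuple carries the client address so a responder can see who reached the unexpected service.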