Network port profiling

US 20020144156A1
Filed: 01/31/2002
Published: 10/03/2002
Est. Priority Date: 01/31/2001
Status: Active Grant

First Claim

Patent Images

1. A method for determining unauthorized network usage, comprising the steps of:

capturing packet header information from communications on a network;

determining valid connections or data flows;

determining hosts on the network that act as a client and server for each valid connection or data flow; and

determining network services being used by every host in a predefined group of hosts.

View all claims

12 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A port profiling system detects unauthorized network usage. The port profiling system analyzes network communications to determine the service ports being used. The system collects flow data from packet headers between two hosts or Internet Protocol (IP) addresses. The collected flow data is analyzed to determine the associated network service provided. A host data structure is maintained containing a profile of the network services normally associated with the host. If the observed network service is not one of the normal network services performed as defined by the port profile for that host, an alarm signal is generated and action can be taken based upon the detection of an Out of Profile network service. An Out of Profile operation can indicate the operation of a Trojan Horse program on the host, or the existence of a non-approved network application that has been installed.

Citations

22 Claims

1. A method for determining unauthorized network usage, comprising the steps of:
- capturing packet header information from communications on a network;
  
  determining valid connections or data flows;
  
  determining hosts on the network that act as a client and server for each valid connection or data flow; and
  
  determining network services being used by every host in a predefined group of hosts.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, further comprising the step of displaying indicia indicating observed network services during a monitoring period.
  - 3. The method of claim 2, further comprising the step of displaying an indication of the observed network services which were previously seen during the presentment period.
  - 4. The method of claim 1, further comprising the steps of:
    - storing an allowed network services profile;
      
      comparing allowed network services with observed network services; and
      
      generating an alarm when an observed network service is not an allowed network service.
  - 5. The method of claim 3, further comprising the step of displaying indicia indicating whether the observed network services is not an allowed network service.
  - 6. The method of claim 4, further comprising the step of building a network service profile based upon network services observed during a profile generation time period.
  - 7. The method of claim 4, further comprising editing the allowed network services profile.
  - 8. The method of claim 4, further comprising the step of editing the allowed network services profile for a block of network address.

9. A method for determining unauthorized network usage, comprising the steps of:
- capturing packet header information from communications on a network;
  
  determining hosts on the network that act as a client and server for each valid connection or data flow;
  
  determining network services being used by every host in a predefined group of hosts; and
  
  generating an alarm upon an observed network service not being included in a, allowed network service profile.

10. A method for determining unauthorized network usage, comprising the steps of:
- capturing packet header information from communications on a network;
  
  determining valid connections or data flows;
  
  storing an allowed network service port profile for each in a predefined host group;
  
  determining observed network service port numbers being used by every host in the predefined host group for each valid connection or data flow;
  
  comparing the allowed network service port profile with observed network service port numbers; and
  
  generating an alarm when an the observed network service port number is not included in the allowed network service port profile.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 18, 19, 20, 21, 22)
- - 11. The method of claim 10, further comprising the step of displaying indicia indicating the observed network service port numbers during a present monitoring period.
  - 12. The method of claim 11, further comprising the step of displaying an indication of the observed network service port numbers which were previously seen during the presentment period.
  - 13. The method of claim 12, further comprising the step of displaying indicia indicating whether the observed network service port numbers is included in the allowed network service port profile.
  - 14. The method of claim 10, further comprising the step of building the network service port profile based upon the observed network service ports observed during a profile generation time period.
  - 15. The method of claim 10, further comprising editing the allowed network service port profile.
  - 16. The method of claim 15, further comprising the step of editing the allowed network service port profile for a block of network addresses.
  - 18. The system of claim 17, further comprising a monitor coupled to the computer system operable to display indicia indicating observed network services during a monitoring period.
  - 19. The system of claim 18, further comprising the monitor operable to display indicia indicating whether the observed network services is not an allowed network service.
  - 20. The system of claim 17, further comprising the computer system operable to build a network service profile based upon network services observed during a profile generation time period.
  - 21. The system of claim 17, further comprising an editor couple to the computer system operable to edit the allowed network services profile.
  - 22. The system of claim 21, further comprising the editor operable to edit the allowed network services profile for a block of network address.

17. A system for determining unauthorized network usage, comprising:
- a monitoring device operable to observe communication packets on a network;
  
  a computer system operable to capture packet header information from observed communication packets;
  
  the computer system operable to determine valid connections or data flows;
  
  the computer system operable to determine hosts on the network that act as a client and server for each valid connection or data flow; and
  
  the computer system operable to determine network services being used; and
  
  the computer system operable to generate an alarm when an observed network service is not an allowed network service.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Lancope, Inc. (Cisco Systems, Inc.)
Inventors
Copeland, John A. III

Granted Patent

US 7,290,283 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/201
CPC Class Codes

H04L 2101/663   Transport layer addresses, ...

H04L 43/026   using flow identification

H04L 63/0263   Rule management

H04L 63/1408   by monitoring network traff...

Y02D 30/50   in wire-line communication ...

Network port profiling

First Claim

12 Assignments

0 Petitions

Accused Products

Abstract

Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Network port profiling

First Claim

12 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links