Apparatus and method to automatically collect data regarding assets of a business entity
Abstract
A system to automatically gather attribute data about elements such as networks, network interface cards, operating systems, device types, installed software, processes in execution, financial data, etc. in an organization or a designated subset of the organization. Fingerprint files are used, each fingerprint file corresponding to an element of a specific type and each containing a list of attributes that will be found if that element exists in the system. Each fingerprint contains or points to one or more collection instructions which control a data collector process to attempt to gather attribute data. Each fingerprint contains or points to rules that are used to analyze the attribute data gathered to calculate the probability that the element exists. The rules can be fired sequentially, in if-then-else fashion or can be incorporated in a script in loops and with mathematical manipulations, tests and branching for more sophisticated analysis. Fingerprints can be turned on and off by configuration data and can be used in a logical order to do discovery without any prior knowledge of the systems being analyzed. A refresh schedule and collection calendar control how often the fingerprints are used in some embodiments, and collected data is stored with time stamps to enable analysis of changes in the data over time.
21 Claims
1. A process for using a computer to automatically discover the existence and type of assets in an organization, comprising the steps of:
using one or more network fingerprints to determine the existence of one or more networks and gather information about any discovered networks to determine the type and attributes thereof including the valid addresses on each discovered network, and make an entry in element and data tables recording the attributes of each discovered network;
using the valid addresses of each discovered network and one or more network interface card fingerprints, discovering all the network interface cards that exist on each discovered network and the attributes of each and making an entry in said element and data tables for each found network interface card;
for each network interface card found, using one or more fingerprints for the operating systems the process is capable of detecting, determining the operating system that is controlling each computer coupled to one of the found networks by one of the found network interface cards and making an entry for each found operating system in said element and data tables; and
for each found operating system, using one or more fingerprints for one or more elements of interest to, for each fingerprint, gather attribute data about the element corresponding to the fingerprint being used via said operating system and, using rules in or pointed to by said fingerprint, analyze the attribute data gathered about the element corresponding to the fingerprint to calculate the probability of the element's existence, and make an entry in the element and data tables regarding each found element. Dependent claims: 2, 3, 4, 5, 6.
7. A process for discovering the existence of elements in an organization without having any prior knowledge about the structure of the organization, said elements each being defined by a fingerprint that defines the attributes the element will have and includes a pointer to a set of collection instructions to collect attribute data that define an instance of the element, comprising the steps of:
1) starting with a network fingerprint for a possible network that might exist in the organization, executing a collection instruction contained in or pointed to by said network fingerprint to attempt to collect network attribute data for the type of network defined by said network fingerprint;
2) using one or more rules pointed to by the network fingerprint rule selected in step 1 to process any attribute data collected using said network fingerprint collection instructions, and calculating the probability that each type of network element exists, and making an entry in element and data structures at least for each network type element that is found to exist and storing the collected attribute data of any network element found to exist including the range of its valid addresses;
3) repeating this process of steps 1 and 2 for each other network fingerprint available;
4) next, using a fingerprint for a network interface card element, executing a collection instruction(s) for each valid address on a first one of the networks found in steps 1 through 3 to attempt to collect network interface card (hereafter NIC) attribute data for the type of network interface card defined by said network interface card fingerprint at each valid address of a first network, said collection instruction being contained in the fingerprint or pointed to thereby;
5) for each NIC that responded and from which attribute data was collected, using one or more fingerprint rules in said network interface card fingerprint to process the collected attribute data to calculate the probability that a network interface card of the type defined by said NIC fingerprint exists at each valid address of the network probed in step 4 from which a response was received and making a NIC instance entry in the element and data tables for each NIC found by steps 4 and 5; and recording the attribute data of each said NIC in the instance record thereof;
6) repeating steps 4 and 5 for every other network interface card fingerprint available at every valid network address of the same network probed in step 4, and then repeat steps 4, 5 and 6 for each other network found in steps 1 through 3;
7) for each NIC found in steps 4 through 6, select an operating system fingerprint from the operating system fingerprints and execute a collection instruction contained in said fingerprint or pointed to thereby to attempt to determine what type of operating system is being executed by the computer to which said NIC is coupled;
8) repeating step 7 for every other type of operating system fingerprint for each NIC for which the operating system of the NIC's host computer is unknown until all operating systems are known or no further knowledge about the type of operating system can be gained;
9) for each different type of operating system found, use the appropriate fingerprints for each different type of element of interest about the computer or files or applications programs thereon and execute collection instructions to invoke the proper function calls of the operating system to collect the attribute data of the elements of interest;
10) then, for each set of gathered attribute data for a particular element of interest gathered from a particular computer, apply the appropriate fingerprint rule or rules for elements of that type on a computer of the type of said particular computer executing the type of operating system said particular computer is executing to calculate the probability of existence of an element of that type on said particular computer from which the attribute data was collected, and make an instance entry for an element of that type including its attribute data in a data table showing the proper relationship to the network, NIC and operating system instance entries for the computer on which the element was found. Dependent claims: 8, 9, 10.
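The layered discovery loop that the abstract and claim 7 describe, as an added Python illustration that is not the patent's code: each fingerprint carries a collection instruction and sequentially fired rules, every probe that clears a probability threshold records an entry in the element and data tables with a time stamp, and the constructed INVENTORY dict stands in for the organization's network so the example runs offline.

```python
import ipaddress
import time
from collections import namedtuple

# Constructed inventory standing in for the organization: one /29 with two
# responding hosts. A real collector would probe the wire and call OS APIs.
INVENTORY = {"10.0.0.0/29": {
    "10.0.0.2": {"mac": "02:00:00:00:00:02", "os": "Linux 5.15", "pkgs": ["openssh-server", "nginx"]},
    "10.0.0.3": {"mac": "02:00:00:00:00:03", "os": "Windows Server 2019", "pkgs": ["IIS"]}}}

# A fingerprint: element type, layer (network/nic/os/element, the order discovery uses),
# collection instruction (context -> attributes or None), sequential rules, on/off switch.
Fingerprint = namedtuple("Fingerprint", "etype layer collect rules active", defaults=[True])

def probe(fp, ctx, parent, elements, data, threshold=0.5):
    """Run one fingerprint: collect, fire its rules, record a time-stamped entry if probable."""
    if not fp.active or (attrs := fp.collect(ctx)) is None:
        return None
    p = max(0.0, min(1.0, sum(rule(attrs) for rule in fp.rules)))
    if p < threshold:
        return None
    elements.append({"id": len(elements), "type": fp.etype, "parent": parent, "p": round(p, 2)})
    data.append({"element": len(elements) - 1, "attrs": attrs, "ts": time.time()})
    return len(elements) - 1

def discover(fps, inv=INVENTORY):
    """No prior knowledge: networks, then NICs at every valid address, then OS, then elements."""
    elements, data = [], []
    layer = lambda name: [f for f in fps if f.layer == name]
    for nfp in layer("network"):
        for cidr in inv:
            if (nid := probe(nfp, {"cidr": cidr}, None, elements, data)) is None:
                continue
            for addr in data[nid]["attrs"]["addresses"]:
                host = inv[cidr].get(addr)  # None models an address that did not respond
                for cfp in layer("nic"):
                    if (cid := probe(cfp, {"addr": addr, "host": host}, nid, elements, data)) is None:
                        continue
                    for ofp in layer("os"):
                        if (oid := probe(ofp, {"host": host}, cid, elements, data)) is None:
                            continue
                        for efp in layer("element"):
                            probe(efp, {"host": host, "os": ofp.etype}, oid, elements, data)
    return elements, data

FINGERPRINTS = [
    Fingerprint("ip_network", "network",
        lambda c: {"cidr": c["cidr"], "addresses": [str(h) for h in ipaddress.ip_network(c["cidr"]).hosts()]},
        [lambda a: 1.0 if a["addresses"] else 0.0]),
    Fingerprint("ethernet_nic", "nic",
        lambda c: None if c["host"] is None else {"addr": c["addr"], "mac": c["host"]["mac"]},
        [lambda a: 0.4, lambda a: 0.6 if a["mac"].count(":") == 5 else -0.4]),
    Fingerprint("linux", "os", lambda c: {"banner": c["host"]["os"]}, [lambda a: float("Linux" in a["banner"])]),
    Fingerprint("windows", "os", lambda c: {"banner": c["host"]["os"]}, [lambda a: float("Windows" in a["banner"])]),
    Fingerprint("ssh_server", "element",  # collection instruction is OS-specific: Linux only
        lambda c: {"pkgs": c["host"]["pkgs"]} if c["os"] == "linux" else None,
        [lambda a: 0.9 if "openssh-server" in a["pkgs"] else 0.1]),
    Fingerprint("web_server", "element", lambda c: {"pkgs": c["host"]["pkgs"]},
        [lambda a: 0.8 if {"nginx", "IIS"} & set(a["pkgs"]) else 0.0]),
]
```

Addresses that do not respond (here 10.0.0.1 and 10.0.0.4 to .6) yield no NIC entry, so no OS or element fingerprint is ever run against them; turning a fingerprint off via its `active` flag drops its elements from the tables.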
11. A process for discovering the existence of elements in an organization's networks or designated subset of networks, said elements each being defined by a fingerprint that defines the attributes the element will have and includes a pointer to a set of collection instructions to collect attribute data that define an instance of the element, comprising the steps of:
1) making a manual entry for each network instance in an organization in a data table including some or all of the attribute data of the network;
2) using the valid addresses of each network and one or more network interface card fingerprints which are indicated as active by configuration data, discovering all the network interface cards that exist on each network and the attributes of each and making an entry in a data table for each found network interface card which indicates its attributes such as its type, to which network it is coupled and which address on said network has been assigned to it;
3) for each network interface card found, using one or more fingerprints which are indicated as active by configuration data for the operating systems the process is capable of detecting, determining the operating system that is controlling each device coupled to one of the found networks by one of the found network interface cards and making an entry for each found operating system in a data table in such a way as to indicate on which network and which device, as identified by the attributes of the device's network interface card, the operating system is executing; and
4) for each found operating system, using one or more fingerprints indicated as active by configuration data and which correspond to one or more elements of interest to gather information via said operating system about the existence and attributes of said one or more elements of interest, and making an entry in a data table regarding each found element in such a way as to indicate on which device each said element exists. Dependent claims: 12.
13. An article of manufacture comprising:
a computer useable medium having computer readable program code embodied therein for automatically using fingerprint files in a logical sequence to control the automated collection of attribute data about elements of an organization without having any pre-knowledge about the existence or structure of the computer networks in an organization and analyze said attribute data to determine the probability of existence or nonexistence of various elements and record the attributes thereof, the computer readable program code comprising:
a computer readable program code segment to control a computer to use one or more network fingerprints to determine the existence of one or more networks and gather information about any discovered networks to determine the type and attributes thereof including the valid addresses on each discovered network, and to make an entry in a data table recording the attributes of each discovered network;
a computer readable program code segment to control a computer to use the valid addresses of each discovered network and one or more network interface card fingerprints, and discover all the network interface cards that exist on each discovered network and the attributes of each and making an entry in said data table for each found network interface card indicating upon which network it was found and the attributes thereof such as its assigned network address;
a computer readable program code segment to control a computer to, for each network interface card found, use one or more fingerprints for the operating systems the article of manufacture is capable of detecting, and determine the operating system that is controlling each device coupled to one of the found networks by one of the found network interface cards and make an entry for each found operating system in said data table; and
a computer readable program code segment for controlling a computer to, for each found operating system, use one or more fingerprints for one or more elements of interest the attribute data of which is capable of being gathered by invocation of function calls or the giving of commands to the operating system controlling the computer upon which the element of interest resides, to, for each said fingerprint, gather attribute data about the element corresponding to the fingerprint via said operating system, and analyze said attribute data using one or more rules in or pointed to by the fingerprint used to gather the attribute data to calculate the probability of existence of the element and make an entry in said data table regarding each found element. Dependent claims: 14, 15, 16.
17. An article of manufacture comprising:
a computer useable medium having computer readable program code embodied therein for automatically using fingerprint files in a logical sequence to control the automated collection of attribute data about elements of an organization without having any prior knowledge about the existence or structure of the computer networks in an organization and analyze said attribute data to determine the probability of existence or nonexistence of various elements and record the attributes thereof, the computer readable program code comprising:
1) a computer readable program code segment for controlling a computer to select a network fingerprint for a possible network that might exist in the organization, and execute a collection instruction contained in or pointed to by said network fingerprint to attempt to collect network attribute data for the type of network defined by said network fingerprint;
2) a computer readable program code segment for controlling a computer to use one or more rules pointed to by the network fingerprint rule selected by code segment 1 to process any attribute data collected using said network fingerprint collection instructions, and calculate the probability that each type of network element exists, and make an entry in the element and data structures at least for each network type element that is found to exist and store the collected attribute data of any network element found to exist including the range of its valid addresses in a data table;
3) a computer readable program code segment for controlling a computer to repeat the processing of code segments 1 and 2 for each other network fingerprint available;
4) a computer readable program code segment for controlling a computer to, after finding all or a designated subset of networks that exist in the organization, select a fingerprint for a network interface card element (hereafter NIC), and execute a collection instruction(s) for each valid address on a first one of the networks found by code segments 1 through 3 to attempt to collect network interface card attribute data for the type of network interface card defined by said network interface card fingerprint at each valid address of a first network, said collection instruction being contained in the fingerprint or pointed to thereby;
5) a computer readable program code segment for controlling a computer to, for each NIC that responded and from which attribute data was collected in response to processing carried out by code segment 4, use one or more fingerprint rules in said network interface card fingerprint to process the collected attribute data to calculate the probability that a network interface card of the type defined by said NIC fingerprint exists at each valid address of the network probed by code segment 4 from which a response was received and make a NIC instance entry in a data table for each NIC found by code segments 4 and 5, and record the attribute data of each said NIC in the instance record thereof in said data table;
6) a computer readable program code segment for controlling a computer to repeat the processing of code segments 4 and 5 for every other network interface card fingerprint available at every valid network address of the same network probed by code segment 4, and then cause the repeating of the processing of code segments 4, 5 and 6 for each other network found by code segments 1 through 3;
7) a computer readable program code segment for controlling a computer to, for each NIC found by code segments 4 through 6, select an operating system fingerprint from the operating system fingerprints available and execute a collection instruction contained in said fingerprint or pointed to thereby to attempt to determine what type of operating system is being executed by the computer to which said NIC is coupled;
8) a computer readable program code segment for controlling a computer to cause the repeating of code segment 7 for every other type of operating system fingerprint available for each NIC for which the operating system of the NIC's host device is unknown until all operating systems are known or no further knowledge about the type of operating system can be gained;
9) a computer readable program code segment for controlling a computer to, for each different type of operating system found, use the appropriate fingerprints for each different type of element of interest about the device or files or applications programs thereon and execute collection instructions to invoke the proper function calls of the operating system or give the proper commands to the operating system to collect the attribute data of the elements of interest;
10) a computer readable program code segment for controlling a computer to, for each set of gathered attribute data for a particular element of interest gathered from a particular device, apply the appropriate fingerprint rule or rules for elements of that type to calculate the probability of existence of an element of that type on said particular device from which the attribute data was collected, and make an instance entry for an element of that type including its attribute data in a data table showing the proper relationship to the network, NIC and operating system instance entries for the computer on which the element was found. Dependent claims: 18, 19, 20.
21. An apparatus for automatically discovering the elements which are present in a company having one or more wired or wireless networks, comprising:
a computing device coupled to one or more networks of a company;
a data structure containing data defining elements the system can recognize by the attributes each element has and data defining collection instructions on how to collect attribute data for each type of element the system can recognize and definitions of which protocols to use to collect said attribute data, and data defining at least one fingerprint rule for each element the system can recognize and that can be used to analyze collected attribute data and draw conclusions regarding the probability of existence or nonexistence of an element;
one or more programs controlling said computer to implement said protocols and to use said collection instructions and protocols to collect said attribute data and to use said fingerprint rules to analyze said attribute data and at least make an entry in said data structure for each element found.