Assessment tool

US 20040103315A1
Filed: 07/18/2003
Published: 05/27/2004
Est. Priority Date: 06/07/2001
Status: Abandoned Application

First Claim

Patent Images

1. An apparatus for adding network usage to an assessment framework by providing ability to capture and classify large volumes of network traffic efficiently based on a formal policy specification describing said traffic, said apparatus comprising:

means for identifying network services;

means for identifying usage patterns of critical machines on said network;

means for analyzing routing patterns; and

thereby reducing errors and omissions during an assessment process.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and apparatus for allowing a technique for continuously assessing the security of a network to be applicable to network assessment, by capturing and classifying large volumes of network traffic based on a formal policy, and applying such to both long-term and short-term network assessment.

155 Citations

29 Claims

1. An apparatus for adding network usage to an assessment framework by providing ability to capture and classify large volumes of network traffic efficiently based on a formal policy specification describing said traffic, said apparatus comprising:
- means for identifying network services;
  
  means for identifying usage patterns of critical machines on said network;
  
  means for analyzing routing patterns; and
  
  thereby reducing errors and omissions during an assessment process.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The apparatus of claim 1, further comprising identifying services and/or data points not previously identified by system administration staff of said network.
  - 3. The apparatus of claim 1, wherein subnets are discovered by analyzing routing patterns, without the need to scan for subnets.
  - 4. The apparatus of claim 1, wherein said means for analyzing is based on a dynamic recording of said network traffic over time.
  - 5. The apparatus of claim 1, wherein said capturing network traffic is performed in a passive way.
  - 6. The apparatus of claim 1, wherein said capturing traffic is performed during normal operation or production.

7. A method for an end user to add network usage to a network assessment process, said method comprising:
- attaching a monitoring station to a network, wherein said station is nonintrusive to said network;
  
  said station receiving network packets over a period of time;
  
  removing undesirable network events of said received network packets;
  
  performing data analysis on remaining network events; and
  
  determining a list of network events from said analyzed remaining network events to use in said network assessment process.
- View Dependent Claims (8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25)
- - 8. The method of claim 7, wherein said removing undesirable network events uses a policy specification.
  - 9. The method of claim 7, wherein said monitoring station is portable.
  - 10. The method of claim 7, wherein said station is attached at a critical bottleneck of said network.
  - 11. The method of claim 7, wherein said receiving said network packets is done at any time, including, but not limited to at peak production time and at a quiescent state of said network.
  - 12. The method of claim 7, wherein said period of time is of any length including, but not limited to long or short.
  - 13. The method of claim 7 further comprising:
    - using a query tool to filter said undesirable network events.
  - 14. The method of claim 7, further comprising:
    - storing said received network packets in full-packet form or compressed form.
  - 15. The method of claim 14, wherein said compressed form removes confidential information.
  - 16. The method of claim 7, further comprising:
    - incorporating iterative methodology.
  - 17. The method of claim 16, further comprising:
    - developing a short policy as a result of a first iteration; and
      
      using said short policy in a subsequent iteration.
  - 18. The method of claim 16, further comprising:
    - capturing said received network packets in a full-packet form over a significantly short duration of time;
      
      performing brief analysis on said captured packets; and
      
      subsequently capturing more network packets in compressed form over a significantly long duration of time.
  - 19. The method of claim 16, said iterative methodology further comprising:
    - using said received network packets or a compressed file multiple times.
  - 20. The method of claim 8, wherein said policy specification is edited using a policy generator tool.
  - 21. The method of claim 7, wherein said performing data analysis takes place at a location different from said network and/or at a time subsequent to said period of time.
  - 22. The method of claim 8, said performing data analysis further comprising:
    - creating a null policy denying all protocol actions of said network events;
      
      setting said policy specification to said null policy;
      
      running a policy engine over received network packets using said policy specification, and storing said results in a database;
      
      examining said stored results using a query tool, and determining from said examined results network events in violation of said policy specification;
      
      categorizing most frequent traffic from said violating network events based on predetermined input; and
      
      repeating from running a policy engine with said categorized most frequent traffic until a small and manageable number of events remain.
  - 23. The method of claim 22, said categorizing further comprising:
    - if said traffic matches predetermined patterns, adding said traffic to said policy specification with an OK disposition; and
      
      if said traffic does not match predetermined patterns, but has high volume, adding said traffic to said policy specification with an OK, monitor disposition.
  - 24. The method of claim 22, further comprising:
    - setting said policy specification to an initial policy, said initial policy comprising predetermined requirements and predetermined network credentials of said network.
  - 25. The method of claim 22, further comprising:
    - setting said policy specification to an initial best policy, said initial best policy comprising a predetermined set of credential and rules, setting all dispositions to DENY, and monitoring said network to determine ultimate dispositions.

26. A method for performing data analysis on a network packet or on a compressed file of network events, said method comprising:
- creating a null policy denying all protocol actions of said network events;
  
  setting a policy specification to said null policy;
  
  running a policy engine over said network packet or said compressed file using said policy specification, and storing said results in a database;
  
  examining said stored results using a query tool, and determining from said examined results network events in violation of said policy specification;
  
  categorizing most frequent traffic from said violating network events based on predetermined input; and
  
  repeating from running a policy engine with said categorized most frequent traffic until a small and manageable number of events remain.
- View Dependent Claims (27, 28, 29)
- - 27. The method of claim 26, said categorizing further comprising:
    - if said traffic matches predetermined patterns, adding said traffic to said policy specification with an OK disposition; and
      
      if said traffic does not match predetermined patterns, but has high volume, adding said traffic to said policy specification with an OK, monitor disposition.
  - 28. The method of claim 26, further comprising:
    - setting said policy specification to an initial policy, said initial policy comprising predetermined requirements and predetermined network credentials of said network.
  - 29. The method of claim 26, further comprising:
    - setting said policy specification to an initial best policy, said initial best policy comprising a predetermined set of credential and rules, setting all dispositions to DENY, and monitoring said network to determine ultimate dispositions.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Securify, Inc. (McAfee, LLC)
Original Assignee
Securify, Inc. (McAfee, LLC)
Inventors
Cooper, Geoffrey, Sherlock, Kieran Gerard, Shaw, Robert Allen, Valente, Luis Filipe Pereira

Application Number

US10/311,400
Publication Number

US 20040103315A1
Time in Patent Office

Days
Field of Search
US Class Current

713/201
CPC Class Codes

H04L 41/0893   Assignment of logical group...

H04L 41/0894   Policy-based network config...

H04L 41/5058   Service discovery by the se...

H04L 63/0263   Rule management

H04L 63/20   for managing network securi...

Assessment tool

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

155 Citations

29 Claims

Specification

Use Cases

Quick Links

Others

Assessment tool

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

155 Citations

29 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others