Network data analysis and characterization model for implementation of secure enclaves within large corporate networks

US 20060031472A1
Filed: 06/30/2004
Published: 02/09/2006
Est. Priority Date: 06/30/2004
Status: Active Grant

First Claim

Patent Images

1. An apparatus to analyze traffic on a network, comprising:

a database to store a plurality of packets forming said traffic;

a static traffic analyzer to identify static traffic in said plurality of packets;

a dynamic traffic analyzer to identify dynamic traffic in said plurality of packets; and

a host identifier to identify at least one host as a communication point from said static traffic and said dynamic traffic.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A database stores information about known hosts, the applications or services they host, and the ports (known as confirmed ports) used by the applications/services. A static traffic analyzer analyzes traffic data and identifies packets communicating with (either sent to or received from) confirmed ports on hosts. A dynamic traffic analyzer analyzes the traffic data and identifies packets communicating with unconfirmed ports on hosts. A host identifier uses the resulting static and dynamic traffic to identify hosts for which firewall rules should be generated.

Citations

51 Claims

1. An apparatus to analyze traffic on a network, comprising:
- a database to store a plurality of packets forming said traffic;
  
  a static traffic analyzer to identify static traffic in said plurality of packets;
  
  a dynamic traffic analyzer to identify dynamic traffic in said plurality of packets; and
  
  a host identifier to identify at least one host as a communication point from said static traffic and said dynamic traffic.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17)
- - 2. An apparatus according to claim 1, wherein:
    - the static traffic analyzer includes a static packet identifier to identify at least one static packet in said plurality of packets as said static traffic, said static packet including an address and a static port, said address identifying a static host and said static port being a confirmed port; and
      
      the host identifier is operative to identify said static host and said static port as said communication point.
  - 3. An apparatus according to claim 2, wherein the static traffic analyzer further includes an excluder to exclude from said static traffic a packet including said address and said static port if said static host does not host an application or service associated with said confirmed port.
  - 4. An apparatus according to claim 2, wherein the static traffic analyzer further includes:
    - a static connection identifier to identify at least one static connection to said static port on said static host in said static traffic; and
      
      a static combiner to combine all of said static connections into a static connection rollup, said static connection rollup including a number of said static connections to said static port on said static host.
  - 5. An apparatus according to claim 2, wherein:
    - the dynamic traffic analyzer includes a dynamic packet identifier to identify at least one dynamic packet in the plurality of packets as said dynamic traffic, said dynamic packet including an address, a dynamic port, and a second port, said address identifying a dynamic host with a port mapper, and neither said dynamic port nor said second port being a confirmed port; and
      
      the host identifier is operative to identify said dynamic host and said dynamic port as said communication point.
  - 6. An apparatus according to claim 5, wherein the dynamic traffic analyzer further includes:
    - a dynamic connection identifier to identify at least one dynamic connection to said dynamic port on said dynamic host in said dynamic traffic; and
      
      a dynamic combiner to combine all of said dynamic connections into a dynamic connection rollup.
  - 7. An apparatus according to claim 5, wherein the dynamic traffic analyzer further includes an excluder to exclude from said dynamic traffic a packet including said address and a third port if said third port is outside a range of dynamic ports associated with said port mapper.
  - 8. An apparatus according to claim 5, wherein the dynamic traffic analyzer further includes an excluder to exclude from said dynamic traffic a packet including said address if said traffic lacks an earlier packet including said address and a confirmed port, said confirmed port associated with said port mapper.
  - 9. An apparatus according to claim 5, wherein the dynamic traffic analyzer further includes an includer to include in said dynamic traffic a packet including said address and a confirmed port if said dynamic host does not host an application or service associated with said confirmed port.
  - 10. An apparatus according to claim 5, wherein the dynamic traffic analyzer further includes an includer to include in said dynamic traffic a packet including said address, a confirmed port, and a protocol if said dynamic host hosts an application or service associated with said confirmed port that does not support said protocol.
  - 11. An apparatus according to claim 1, wherein the database includes at least one known host, a known port on said known host, and a known service on said known host that may use said known port.
  - 12. An apparatus according to claim 1, further comprising a firewall rule generator to generate a firewall rule for a firewall.
  - 13. An apparatus according to claim 12, further comprising a simulator to simulate said traffic crossing said firewall using said firewall rule.
  - 14. An apparatus according to claim 13, wherein the simulator is operative to determine a popularity for said firewall rule.
  - 15. An apparatus according to claim 13, wherein the simulator is operative to identify at least one packet in said plurality of packets not recognized by said firewall rule.
  - 16. An apparatus according to claim 1, further comprising a filter to filter from the plurality of packets a port scanning packet.
  - 17. An apparatus according to claim 1, further comprising a filter to filter from the plurality of packets a reply packet, the reply packet responsive to an earlier packet.

18. A system, comprising:
- a first network, with at least one computer coupled to the first network;
  
  a connection between the first network and a second network; and
  
  a traffic analyzer, including;
  
  a database to store a plurality of packets forming traffic crossing the connection between the first network and the second network;
  
  a static traffic analyzer to identify static traffic in said plurality of packets;
  
  a dynamic traffic analyzer to identify dynamic traffic in said plurality of packets; and
  
  a host identifier to identify at least one host as a communication point for at least a portion of said traffic from said static traffic and dynamic traffic.
- View Dependent Claims (19, 20, 21, 22, 23, 24)
- - 19. A system according to claim 18, wherein:
    - the static traffic analyzer includes a static packet identifier to identify at least one static packet in said plurality of packets as said static traffic, said static packet including an address and a static port, said address identifying a static host and said static port being a confirmed port; and
      
      the host identifier is operative to identify said static host and said static port as said communication point.
  - 20. A system according to claim 19, wherein:
    - the dynamic traffic analyzer includes a dynamic packet identifier to identify at least one dynamic packet in the plurality of packets as said dynamic traffic, said dynamic packet including an address, a dynamic port, and a second port, said address identifying a dynamic host with a port mapper, and neither said dynamic port nor said second port being a confirmed port; and
      
      the host identifier is operative to identify said dynamic host and said dynamic port as said communication point.
  - 21. A system according to claim 18, further comprising a firewall to monitor the connection between the first network and the second network.
  - 22. A system according to claim 18, further comprising a firewall rule generator to generate a firewall rule for a firewall.
  - 23. A system according to claim 18, further comprising a filter to filter from the plurality of packets a port scanning packet.
  - 24. A system according to claim 18, further comprising a filter to filter from the plurality of packets a reply packet, the reply packet responsive to an earlier packet.

25. A method for analyzing traffic on a network, comprising:
- receiving the traffic on the network as a plurality of packets;
  
  identifying static traffic from the plurality of packets;
  
  identifying dynamic traffic from the plurality of packets; and
  
  identifying at least one port on one host in the static traffic data and the dynamic traffic data as a communication point for at least a portion of the traffic.
- View Dependent Claims (26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43)
- - 26. A method according to claim 25, wherein:
    - identifying static traffic includes identifying at least one static packet in the traffic as the static traffic, the static packet including an address and a static port, the address identifying a static host and the static port being a confirmed port; and
      
      identifying at least one port on one host includes identifying the static host and the static port as the communication point.
  - 27. A method according to claim 26, wherein identifying static traffic further includes excluding from the static traffic a packet including the address and the static port if the static host if the static host does not host an application or service associated with the confirmed port.
  - 28. A method according to claim 26, wherein identifying static traffic further includes:
    - identifying at least one static connection to the static port on the static host in the static traffic; and
      
      combining all of the static connections into a static connection rollup, the static connection rollup including a number of the connections to the static port on the static host.
  - 29. A method according to claim 26, wherein:
    - identifying dynamic traffic includes identifying at least one dynamic packet in the plurality of packets as the dynamic traffic, the dynamic packet including an address, a dynamic port, and a second port, the address identifying a dynamic host with a port mapper, and neither the dynamic port nor the second port being a confirmed port; and
      
      identifying at least one port on one host further includes identifying the dynamic host and the dynamic port as a second communication point.
  - 30. A method according to claim 29, wherein identifying dynamic traffic further includes:
    - identifying at least one dynamic connection to the dynamic port on the dynamic host in the dynamic traffic; and
      
      combining all of the dynamic connections into a dynamic connection rollup.
  - 31. A method according to claim 29, wherein the identifying dynamic traffic further includes excluding from the dynamic traffic a packet including the address and a third port if the third port is outside a range of dynamic ports associated with the port mapper.
  - 32. A method according to claim 29, wherein the identifying dynamic traffic further includes excluding from the dynamic traffic a packet including the address if the traffic lacks an earlier packet including the address and a confirmed port, the confirmed port associated with the port mapper.
  - 33. A method according to claim 29, wherein the identifying dynamic traffic further includes including in the dynamic traffic a packet including the address and a confirmed port if the dynamic host does not host an application or service associated with the confirmed port.
  - 34. A method according to claim 29, wherein the identifying dynamic traffic further includes including in the dynamic traffic a packet including the address, a confirmed port, and a protocol if the dynamic host hosts an application or service associated with the confirmed port that does not support the protocol.
  - 35. A method according to claim 25, wherein identifying at least one port on one host includes identifying at least one service using the port on the host in the traffic.
  - 36. A method according to claim 25, further comprising generating at least one firewall rule to control traffic across a firewall coupled to the network.
  - 37. A method according to claim 36, further comprising implementing the firewall rule in the firewall.
  - 38. A method according to claim 36, further comprising simulating the firewall rule using the traffic on the network.
  - 39. A method according to claim 38, further comprising identifying traffic not recognized by the firewall rule.
  - 40. A method according to claim 36, further comprising:
    - determining a number of connections in the traffic covered by the firewall rule; and
      
      setting a popularity for the firewall rule based on the number of connections.
  - 41. A method according to claim 25, further comprising filtering at least one filtered packet from the traffic.
  - 42. A method according to claim 41, wherein filtering at least one filtered packet includes filtering out a port scanning packet from the traffic.
  - 43. A method according to claim 41, wherein filtering at least one filtered packet includes filtering out a reply packet, the reply packet responsive to an earlier packet.

44. An article comprising:
- a storage medium, said storage medium having stored thereon instructions, that, when executed by a machine, result in;
  
  receiving the traffic on the network as a plurality of packets;
  
  identifying static traffic from the plurality of packets;
  
  identifying dynamic traffic from the plurality of packets; and
  
  identifying at least one port on one host in the static traffic data and the dynamic traffic data as a communication point for at least a portion of the traffic.
- View Dependent Claims (45, 46, 47, 48, 49, 50, 51)
- - 45. An article according to claim 44, wherein:
    - identifying static traffic includes identifying at least one static packet in the traffic as the static traffic, the static packet including an address and a static port, the address identifying a static host and the static port being a confirmed port; and
      
      identifying at least one port on one host includes identifying the static host and the static port as the communication point.
  - 46. An article according to claim 45, wherein:
    - identifying dynamic traffic includes identifying at least one dynamic packet in the plurality of packets as the dynamic traffic, the dynamic packet including an address, a dynamic port, and a second port, the address identifying a dynamic host with a port mapper, and neither the dynamic port nor the second port being a confirmed port; and
      
      identifying at least one port on one host further includes identifying the dynamic host and the dynamic port as a second communication point.
  - 47. An article according to claim 44, further comprising generating at least one firewall rule to control traffic across a firewall coupled to the network.
  - 48. An article according to claim 47, further comprising implementing the firewall rule in the firewall.
  - 49. An article according to claim 47, further comprising simulating the firewall rule using the traffic on the network.
  - 50. An article according to claim 47, further comprising:
    - determining a number of connections in the traffic covered by the firewall rule; and
      
      setting a popularity for the firewall rule based on the number of connections.
  - 51. An article according to claim 44, further comprising filtering at least one filtered packet from the traffic.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intel Corporation
Original Assignee
Intel Corporation
Inventors
Choi, Ben, Rajavelu, Anand, Sampat, Praveen, Wu, Haodong, McConnell, Christopher J.

Granted Patent

US 7,444,408 B2
Time in Patent Office

Days
Field of Search
US Class Current

709/224
CPC Class Codes

H04L 41/12   Discovery or management of ...

H04L 43/065   related to network devices

H04L 63/0263   Rule management

Network data analysis and characterization model for implementation of secure enclaves within large corporate networks

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

51 Claims

Specification

Solutions

Use Cases

Quick Links

Network data analysis and characterization model for implementation of secure enclaves within large corporate networks

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

51 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links