NETWORK PORT PROFILING
Abstract
A port profiling system detects unauthorized network usage. The port profiling system analyzes network communications to determine the service ports being used. The system collects flow data from packet headers between two hosts or Internet Protocol (IP) addresses. The collected flow data is analyzed to determine the associated network service provided. A host data structure is maintained containing a profile of the network services normally associated with the host. If the observed network service is not one of the normal network services performed as defined by the port profile for that host, an alarm signal is generated and action can be taken based upon the detection of an Out of Profile network service. An Out of Profile operation can indicate the operation of a Trojan Horse program on the host, or the existence of a non-approved network application that has been installed.
43 Claims
1. A method for determining unauthorized usage of a data communication network, comprising the steps of:
receiving information corresponding to a determined client/server (C/S) flow corresponding to a plurality of packets exchanged between two hosts on the data communication network that relate to a single service and is characterized by a predetermined C/S flow characteristic;
storing information associating a service that is associated with a determined (C/S) flow with at least one of the hosts that is associated with the determined (C/S) flow, said service comprising an observed service;
determining if an observed service associated with a particular host is out of profile by comparing the service to a prestored allowed network services profile for the particular host; and
in response to determination that an observed service associated with a particular host is out of profile, providing an output indicating that the observed service is out of profile.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43
9. A method for determining unauthorized usage of a data communication network, comprising the steps of:
receiving information corresponding to a determined client/server (C/S) flow corresponding to a plurality of packets exchanged between two hosts on the data communication network that relate to a single service and is characterized by a predetermined C/S flow characteristic;
storing information associating a service that is associated with a determined C/S flow with at least one of the hosts that is associated with the determined C/S flow, said service comprising an observed service;
determining an allowed network services profile comprising information indicating particular network services that are authorized for use by each one of a plurality of hosts in a predefined group of hosts; and
generating an alarm in response to determination that an observed network service for a particular host in the group of hosts is not included in the allowed network services profile.
10. A method for determining unauthorized usage of a data communication network, comprising the steps of:
receiving information corresponding to a determined client/server (C/S) flow corresponding to a plurality of packets exchanged between two hosts on the data communication network that relate to a single service and is characterized by a predetermined C/S flow characteristic;
storing information associating a service that is associated with a determined C/S flow with at least one of the hosts that is associated with the determined C/S flow, said service comprising an observed service;
storing an allowed network services port profile for each one of a plurality of hosts in a predefined host group, said profile including information identifying port numbers that are authorized for use by each host in the host group;
determining the port numbers of observed network services used by each host in the predefined host group for each determined C/S flow;
comparing the allowed network services port profile with observed network service port numbers; and
generating an alarm when an observed network service port number is not included in the allowed network services port profile.
Dependent claims: 11, 12, 13, 14, 15, 16
17. A system for determining unauthorized usage of a data communication network, comprising:
a monitoring device including a processor operative to carry out the steps of:
receiving information corresponding to a determined client/server (C/S) flow corresponding to a plurality of packets exchanged between two hosts on the data communication network that relate to a single service and is characterized by a predetermined C/S flow characteristic;
storing information associating a service that is associated with a determined C/S flow with at least one of the hosts that is associated with the determined C/S flow, said service comprising an observed service;
determining if an observed service associated with a particular host is out of profile by comparing the service to a prestored allowed network services profile for the particular host; and
in response to determination that an observed service associated with a particular host is out of profile, providing an output indicating that the observed service is out of profile.
Dependent claims: 18, 19, 20, 21, 22
23. A system for analyzing network communication traffic and determining unauthorized use, comprising:
a processor operative to:
a) receive information corresponding to a determined client/server (C/S) flow corresponding to a plurality of packets exchanged between two hosts on the data communication network that relate to a single service and is characterized by a predetermined C/S flow characteristic;
b) maintain a host data structure for storing an allowed network services profile for at least one host;
c) analyze the information corresponding to a determined client/server (C/S) flow in the flow data structure in order to determine if an observed service associated with a particular host is out of profile by comparing the service to the allowed network services profile for the particular host; and
d) in response to determination that an observed service associated with a particular host is out of profile, providing an output indicating that the observed service is out of profile;
a memory coupled to the processor and operative to store the flow data structure and the host data structure; and
a network interface coupled to the processor operative to receive packets on the data communications network.
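The port-profile check described in the abstract and the port-number comparison of claim 10, carried through as an added Python example; this is not code from the patent or any product, and the flow records, host addresses and the lower-port-is-server rule used to pick the service side of a C/S flow are constructed assumptions:

```python
from typing import Dict, FrozenSet, List, NamedTuple, Tuple

Service = Tuple[str, int]  # (protocol, server port), e.g. ("tcp", 443)

class Flow(NamedTuple):  # one C/S flow summarised from packet headers (constructed sample data)
    host_a: str
    port_a: int
    host_b: str
    port_b: int
    proto: str

def server_side(flow: Flow) -> Tuple[str, Service]:
    """Return (server host, observed service). Assumed C/S flow characteristic,
    not the patent's own rule: the side with the lower port number is the server."""
    if flow.port_a <= flow.port_b:
        return flow.host_a, (flow.proto, flow.port_a)
    return flow.host_b, (flow.proto, flow.port_b)

def learn_profile(flows: List[Flow], hosts: List[str]) -> Dict[str, FrozenSet[Service]]:
    """Build the allowed-services profile of a host group from baseline flows."""
    seen: Dict[str, set] = {h: set() for h in hosts}
    for flow in flows:
        host, service = server_side(flow)
        if host in seen:
            seen[host].add(service)
    return {h: frozenset(s) for h, s in seen.items()}

def out_of_profile(flows: List[Flow], profile: Dict[str, FrozenSet[Service]]) -> List[Tuple[str, Service]]:
    """Each (host, service) pair served by a profiled host but absent from its profile,
    reported once; hosts outside the profiled group are ignored."""
    alarms: List[Tuple[str, Service]] = []
    for flow in flows:
        host, service = server_side(flow)
        if host in profile and service not in profile[host] and (host, service) not in alarms:
            alarms.append((host, service))
    return alarms

# Constructed baseline traffic: what each monitored host normally serves.
BASELINE = [Flow("10.0.1.20", 51234, "10.0.0.5", 443, "tcp"),
            Flow("10.0.0.5", 80, "10.0.1.21", 49152, "tcp"),
            Flow("10.0.1.23", 40000, "10.0.0.9", 22, "tcp")]
# Constructed later traffic: two hosts answer on ports their profiles do not allow.
OBSERVED = BASELINE + [Flow("10.0.1.22", 50000, "10.0.0.5", 6667, "tcp"),
                       Flow("10.0.1.23", 40001, "10.0.0.9", 4444, "tcp"),
                       Flow("10.0.1.24", 40002, "10.0.0.9", 4444, "tcp"),  # same pair, reported once
                       Flow("10.0.1.30", 33333, "10.0.2.1", 53, "udp")]   # host not in the group

if __name__ == "__main__":
    for host, (proto, port) in out_of_profile(OBSERVED, learn_profile(BASELINE, ["10.0.0.5", "10.0.0.9"])):
        print(f"ALARM: {host} served {proto}/{port}, not in its allowed profile")
```

In practice the profile would be built from the host data structure the patent describes rather than learned from a flow sample, and a real flow collector would key on the packet-header C/S flow characteristic rather than on port ordering alone.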