Real-Time Identification of an Asset Model and Categorization of an Asset to Assist in Computer Network Security

US 20080104276A1
Filed: 10/24/2007
Published: 05/01/2008
Est. Priority Date: 10/25/2006
Status: Active Grant

First Claim

Patent Images

1. A method for determining a unique identifier associated with a network node, comprising:

querying an Internet Protocol (IP) address lookup data structure using an IP address associated with the network node;

returning the unique identifier associated with the network node; and

performing one of;

using the returned unique identifier to obtain an asset model associated with the network node; and

using the returned unique identifier to determine whether the network node is a member of a category.

View all claims

11 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A unique identifier is assigned to a network node and is used to obtain an “asset model” corresponding to the node and to determine whether the node is a member of a particular category. An asset model is a set of information about a node (e.g., the node'"'"'s role within the enterprise, software installed on the node, and known vulnerabilities/weaknesses of the node). An identifier lookup module determines a node'"'"'s identifier based on characteristics of the node (such as IP address, host name, network zone, and/or MAC address), which are used as keys into lookup data structures. A category lookup module determines whether a particular node is a member of (i.e., within) a particular category using a transitive closure to model the categories (properties) that can be attached to an asset model. A transitive closure for a particular asset category is stored as a bitmap, similar to bitmap indexing.

Citations

18 Claims

1. A method for determining a unique identifier associated with a network node, comprising:
- querying an Internet Protocol (IP) address lookup data structure using an IP address associated with the network node;
  
  returning the unique identifier associated with the network node; and
  
  performing one of;
  
  using the returned unique identifier to obtain an asset model associated with the network node; and
  
  using the returned unique identifier to determine whether the network node is a member of a category.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The method of claim 1, wherein the unique identifier associated with the network node is a value of the primitive data type “
    - int”
      
      (integer).
  - 3. The method of claim 1, wherein the IP address lookup data structure comprises a table comprising one or more pairs, a pair comprising an IP address associated with a particular network node and a unique identifier associated with the particular network node.
  - 4. The method of claim 3, wherein the IP address associated with the particular network node is a value of the primitive data type “
    - int”
      
      (integer).
  - 5. The method of claim 3, wherein querying the IP address lookup data structure using the IP address associated with the network node comprises determining a pair that comprises the IP address associated with the network node.
  - 6. The method of claim 3, wherein the table is an open-addressing hash map.
  - 7. The method of claim 3, wherein the table is an open-addressing hash map implemented using only one array.
  - 8. The method of claim 1, wherein the IP address lookup data structure comprises an array comprising one or more elements, an element stored at an index, the element comprising a unique identifier associated with the particular network node, the index being determined based on an IP address associated with the particular network node.
  - 9. The method of claim 8, wherein querying the IP address lookup data structure using the IP address associated with the network node comprises determining an index based on the IP address associated with the network node.
  - 10. The method of claim 1, wherein the IP address lookup data structure is configured to automatically change from a table-based implementation to an array-based implementation.
  - 11. The method of claim 1, wherein the IP address lookup data structure is configured to automatically change from an array-based implementation to a table-based implementation.
  - 12. The method of claim 1, wherein using the returned unique identifier to determine whether the network node is the member of the category comprises:
    - identifying a transitive closure, the transitive closure including one or more links between ancestor nodes and descendent nodes, an ancestor node representing a category, a descendent node representing a network node, a link indicating that a descendant node is a member of an ancestor node;
      
      querying the transitive closure using the returned unique identifier and the category; and
      
      returning a Boolean value that indicates whether the network node is the member of the category.
  - 13. The method of claim 12, wherein querying the transitive closure using the returned unique identifier and the category comprises determining whether a link exists between a descendant node associated with the returned unique identifier and an ancestor node associated with the category.
  - 14. The method of claim 1, wherein using the returned unique identifier to determine whether the network node is the member of the category comprises:
    - identifying a bitmap associated with the category, the bitmap comprising a plurality of bits, a bit value indicating whether a network node is a member of the category;
      
      querying the bitmap using the returned unique identifier; and
      
      returning a Boolean value that indicates whether the network node is the member of the category.
  - 15. The method of claim 14, wherein querying the bitmap using the returned unique identifier comprises:
    - identifying a bit within the bitmap by using the returned unique identifier as an index into the bitmap; and
      
      returning the value of the identified bit.

16. A method for determining a unique identifier associated with a network node, comprising:
- querying a first lookup table using a domain name associated with the network node, the first lookup table comprising one or more pairs, a pair comprising a domain name associated with particular network node and a reference to a second lookup table, the second lookup table comprising one or more pairs, a pair comprising a hostname associated with the particular network node and a unique identifier associated with the particular network node;
  
  querying the second lookup table using a hostname associated with the network node;
  
  returning the unique identifier associated with the network node; and
  
  performing one of;
  
  using the returned unique identifier to obtain an asset model associated with the network node; and
  
  using the returned unique identifier to determine whether the network node is a member of a category.

17. A computer program product for determining a unique identifier associated with a network node, the computer program product comprising a computer-readable medium containing computer program code for performing a method, the method comprising:
- querying an Internet Protocol (IP) address lookup table using an IP address associated with the network node, the IP address lookup table comprising one or more pairs, a pair comprising an IP address associated with a particular network node and a unique identifier associated with the particular network node;
  
  returning the unique identifier associated with the network node; and
  
  performing one of;
  
  using the returned unique identifier to obtain an asset model associated with the network node; and
  
  using the returned unique identifier to determine whether the network node is a member of a category.

18. An apparatus for determining a unique identifier associated with a network node, comprising:
- a query module configured to query an Internet Protocol (IP) address lookup table using an IP address associated with the network node, the IP address lookup table comprising one or more pairs, a pair comprising an IP address associated with a particular network node and a unique identifier associated with the particular network node;
  
  a return module configured to return the unique identifier associated with the network node; and
  
  one of;
  
  an asset model module configured to use the returned unique identifier to obtain an asset model associated with the network node; and
  
  a category module configured to use the returned unique identifier to determine whether the network node is a member of a category.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Micro Focus LLC (Open Text Corporation)
Original Assignee
Arcsight Incorporated (HP Inc.)
Inventors
Beedgen, Christian, Huang, Hui, Lahoti, Ankur

Granted Patent

US 8,108,550 B2
Time in Patent Office

Days
Field of Search
US Class Current

709/245
CPC Class Codes

G06F 21/577   Assessing vulnerabilities a...

G06F 21/6218   to a system of files or obj...

G06F 2221/2101   Auditing as a secondary aspect

G06F 2221/2129   Authenticate client device ...

H04L 41/046   comprising network manageme...

H04L 41/069   using logs of notifications...

H04L 41/16   using machine learning or a...

H04L 61/10   of different types

H04L 63/1416   Event detection, e.g. attac...

H04L 69/22   Parsing or analysis of headers

Real-Time Identification of an Asset Model and Categorization of an Asset to Assist in Computer Network Security

First Claim

11 Assignments

0 Petitions

Accused Products

Abstract

Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Real-Time Identification of an Asset Model and Categorization of an Asset to Assist in Computer Network Security

First Claim

11 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links