System and method for discovery of network entities
Abstract
A system and method of discovering network entities. Network traffic is monitored, wherein monitoring includes finding network entities in the network traffic. If the network entities are network assets, the system determines if the network entities are critical network assets. If the network entities are network users, the system classifies the network users automatically into user groups. The network traffic is then displayed as a function of the critical network assets and the user groups.
Claims (41)
1. In a network having a plurality of network entities, including network users and network assets, a method of discovering network entities, comprising:
monitoring network traffic, wherein monitoring includes finding network entities in the network traffic; if the network entities are network assets, determining if the network entities are critical network assets; and if the network entities are network users, classifying the network users automatically into user groups; and displaying the network traffic as a function of the critical network assets and the user groups.
2. The method of claim 1, wherein classifying the network users into user groups automatically comprises:
assigning clients to user groups, wherein assigning clients to user groups includes assigning one or more clients to multiple user groups; sorting the groups; and processing the groups so that each client is a member of a single group.
3. The method of claim 2, wherein sorting the groups includes sorting clients into mainstream groups and outlier groups.
4. The method of claim 3, wherein sorting the groups includes applying a client representation algorithm to the groups.
5. The method of claim 3, wherein sorting the groups includes applying a group representation algorithm to the groups.
6. The method of claim 2, wherein sorting the groups includes:
determining, for each group, a percentage of active users; sorting the groups in descending order of percentage of active users; and assigning each client to a single group, giving priority to the groups with the highest percentage of active users.
7. The method of claim 1, wherein determining if the network entities are critical network assets includes:
determining, for each of the network assets, events, packets and users per network asset;
for each network asset found in the network traffic, if the events per asset of the asset are greater than the events per asset of a first percentile of all assets found in the network traffic and if the packets per asset of the asset are greater than the packets per asset of a second percentile of all assets found in the network traffic, designating said asset as a critical asset; and
for each network asset found in the network traffic, if the users per asset of the asset are greater than the users per asset of a third percentile of all assets found in the network traffic and if the packets per asset of the asset are greater than the packets per asset of a fourth percentile of all assets found in the network traffic, designating said asset as a critical asset.
8. In a network having a plurality of network entities, including network users and network assets, a network monitor, comprising:
a data collector, wherein the data collector captures information indicative of network traffic; a data analyzer connected to the data collector, wherein the data analyzer decodes and analyzes the information captured by the data collector; a processor connected to the data analyzer, wherein the processor finds network entities in the network traffic and wherein, if the network entities are network assets, the processor determines if the network entities are critical network assets, and if the network entities are network users, the processor classifies the network users automatically into user groups; and a user interface connected to the processor, wherein the user interface displays the network traffic as a function of the critical network assets and the user groups.
9. A method of discovering a network policy, comprising:
selecting a timeframe for traffic analysis; selecting a critical business system (CBS) for which additional policy controls are desirable; selecting a service offered by the CBS; displaying user group assignments associated with the service; and creating policy controls for the service, wherein creating policy controls for the service includes: automatically classifying user groups as mainstream or outlier based on the group representation algorithm; and if there are no outlier groups, creating policy controls automatically for the mainstream groups.
10. The method of claim 9, wherein creating policy controls includes checking access controls to similar service on other critical business systems to substantiate the created policy controls.
11. The method of claim 9, wherein the method further comprises:
if there are outlier groups and mainstream groups, determining, based on the client representation algorithm, whether there are one or more groups that cover the client set without any one group being overly broad and, if so, creating policy controls associated with the one or more groups; and if there are outlier groups and mainstream groups and one cannot cover the client set without any one group being overly broad, adding new user groups.
12. A method of displaying identity-based network behavior, comprising:
creating a grid having a first and a second axis; assigning client groups to the first axis; assigning critical business systems to the second axis; monitoring network traffic; displaying the network traffic on the grid as a function of client group and critical business system, wherein displaying includes associating a point on the first axis with each client group, associating a point on the second axis with each critical business system and displaying a shape at intersections in the grid between points on the first and second axes, wherein the shape varies in size as a function of network traffic associated with a particular client group and a particular critical business system; and displaying the network traffic graphically as an extended timeline of trend data, wherein the timeline of trend data includes clear gradations of time periods, wherein the clear gradations of time periods are used to select data sets associated with the time periods for display on the grid.
13. The method of claim 12, wherein displaying a shape includes filtering network traffic that is not likely to be a problem.
14. The method of claim 12, wherein displaying a shape includes filtering by one or more services observed in the network traffic.
15. The method of claim 14, wherein filtering can be constrained by the user to retain information on critical business systems.
16. The method of claim 12, wherein displaying the network traffic includes displaying points on each axis with labeled tabs such that selection of a tab results in dynamic display of corresponding data in a separate window on the same screen.
17. The method of claim 12, wherein displaying a shape at intersections in the grid between points on the first and second axes includes responding to selection of the shape by displaying in separate windows, on the same screen as the grid, data corresponding to the critical business system associated with the intersection and data corresponding to the user group associated with the intersection.
18. The method of claim 17, wherein the critical business system window and the user group window both highlight data relating to the intersection.
19. The method of claim 12, wherein assigning client groups to the first axis includes performing user discovery automatically to derive the client groups.
20. The method of claim 12, wherein assigning critical business systems to the second axis includes performing asset discovery automatically to determine the critical business systems.
21. The method of claim 12, wherein the size of the shape is a function of the number of unique users associated with a particular client group and a particular critical business system.
22. The method of claim 12, wherein the dynamic display of corresponding data in a separate window includes display of policy controls, wherein the policy controls are associated with a specific service used by a particular group within a particular system and wherein the policy controls are displayed as an entity that can be selected for subsequent monitoring and control of the policy.
23. The method of claim 12, wherein the dynamic display of corresponding data in a separate window includes display of outlier threshold controls, wherein the outlier threshold controls are associated with a specific service within a particular system and wherein the outlier threshold controls can be actuated to dynamically adjust the outlier threshold.
24. An article comprising a computer readable medium having instructions thereon, wherein the instructions, when executed by a machine, create a system for executing the method of claim 12.
25. A method of displaying identity-based network behavior, comprising:
creating a grid having a first, second and third axis; assigning client groups to the first axis; assigning critical business systems to the second axis; assigning services to a third axis; monitoring network traffic; displaying network traffic on the grid as a function of client group, service and critical business system, wherein displaying includes associating a point on the first axis with each client group, associating a point on the second axis with each critical business system, associating a point on the third axis with each service and displaying a shape at intersections in the grid between points on the first, second and third axes, wherein the shape varies in size as a function of network traffic associated with a particular client group, a particular service and a particular critical business system.
26. The method of claim 25, wherein displaying a shape includes filtering network traffic that is not likely to be a problem.
27. The method of claim 25, wherein displaying a shape includes filtering by one or more services observed in the network traffic.
28. The method of claim 27, wherein filtering can be constrained by the user to retain information on critical business systems.
29. A method of controlling a network, comprising:
storing information on network traffic; displaying the information as identity-based network behavior, wherein displaying includes: determining if network assets are critical network assets; classifying the network users automatically into user groups; and displaying the network traffic as a function of the critical network assets and the user groups.
30. The method of claim 29, wherein storing includes applying heuristics to filter network traffic.
31. The method of claim 29, wherein classifying the network users automatically into user groups includes classifying user groups as mainstream or outlier.
32. A method of classifying clients into user groups automatically, comprising:
assigning clients to user groups, wherein assigning clients to user groups includes assigning one or more clients to multiple user groups; sorting the groups; and processing the groups so that each client is a member of a single group.
33. The method of claim 32, wherein sorting the groups includes sorting clients into mainstream groups and outlier groups.
34. The method of claim 32, wherein sorting the groups includes:
determining, for each group, a percentage of active users;
identifying mainstream groups, wherein mainstream groups are client groups with percentages of active users above a pre-defined threshold;
eliminating mainstream groups whose clients are all members of a larger mainstream group; and
sorting the remaining mainstream groups in descending order of percentage of active users;
and wherein processing the groups so that each client is a member of a single group includes:
assigning each client in one or more mainstream groups to a single mainstream group, giving priority to the mainstream groups with the highest percentage of active users;
determining if any of the client groups have a percentage of active users below the pre-defined threshold;
if any of the client groups have a percentage of active users below the pre-defined threshold, reclassifying those client groups as outlier groups;
removing from the outlier groups all clients that are members of one of the remaining mainstream groups;
sorting the outlier groups in descending order of percentage of active users; and
assigning each client in one or more outlier groups to a single outlier group, giving priority to the outlier groups with the highest percentage of active users.
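An added worked example of the claim 34 procedure in Python; this is not code from the patent. The group membership and the set of active clients are constructed sample data, and "percentage of active users" is taken to mean the share of a group's members seen in the monitored traffic, which is an assumption.

```python
from typing import Dict, List, Set, Tuple

# Constructed sample data (not from the patent): directory-style group
# membership, and the clients observed active in the monitored timeframe.
SAMPLE_GROUPS: Dict[str, Set[str]] = {
    "engineering": {"a", "b", "c", "d"},
    "backend":     {"a", "b"},            # wholly inside engineering
    "finance":     {"d", "e", "f"},
    "vpn-users":   {"c", "g", "h"},
    "contractors": {"g", "h", "i"},
    "night-shift": {"i", "j"},
}
SAMPLE_ACTIVE: Set[str] = {"a", "b", "c", "d", "e", "g"}


def pct_active(members: Set[str], active: Set[str]) -> float:
    """Share of a group's members seen active; an empty group scores 0."""
    return 100.0 * len(members & active) / len(members) if members else 0.0


def assign_single(order: List[str], pool: Dict[str, Set[str]], out: Dict[str, str]) -> None:
    """Walk groups in priority order; an unassigned client goes to the first group listing it."""
    for name in order:
        for client in sorted(pool[name]):
            out.setdefault(client, name)


def classify_clients(groups: Dict[str, Set[str]], active: Set[str],
                     threshold: float = 50.0) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Claim 34: mainstream groups first, then outliers, each client in exactly one group."""
    pct = {g: pct_active(m, active) for g, m in groups.items()}
    mainstream = {g for g, p in pct.items() if p > threshold}
    # Drop a mainstream group whose members all belong to a larger mainstream group.
    kept = {g for g in mainstream
            if not any(h != g and len(groups[h]) > len(groups[g]) and groups[g] <= groups[h]
                       for h in mainstream)}
    assignment: Dict[str, str] = {}
    # Highest percentage of active users wins; the name breaks ties deterministically.
    assign_single(sorted(kept, key=lambda g: (-pct[g], g)), groups, assignment)
    # Groups at or below the threshold become outliers, minus every client that is
    # a member of a remaining mainstream group.
    outliers = {g for g in groups if g not in mainstream}
    covered: Set[str] = set().union(*(groups[g] for g in kept))
    trimmed = {g: groups[g] - covered for g in outliers}
    assign_single(sorted(outliers, key=lambda g: (-pct[g], g)), trimmed, assignment)
    category = {g: "mainstream" if g in kept else "outlier" if g in outliers else "merged"
                for g in groups}
    return assignment, category
```

With the sample data, "backend" is absorbed into "engineering", and clients i and j land in the two outlier groups only after the mainstream members are stripped out.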
35. The method of claim 32, wherein sorting the groups includes:
calculating, for each group, the ratio of clients that are members of the group to the total number of clients;
mapping each group to an aggregation level as a function of the ratio calculated for each group; and
selecting and processing a selected aggregation level, wherein selecting and processing includes:
a) selecting all the groups whose aggregation level is the same as the selected aggregation level;
b) sorting the selected groups in decreasing order of percentage of clients;
c) within the selected groups in the selected aggregation level, assigning each client to one and only one group, giving priority to the groups with the highest percentage of clients;
d) if the aggregation level of a group within the selected groups falls below the selected aggregation level after clients are removed, mapping the group to its appropriate aggregation level;
e) removing all the clients assigned to the selected groups in the selected aggregation level from the remaining groups; and
f) selecting and processing another aggregation level until each client is assigned to only one group.
36. The method of claim 35, wherein selecting and processing another aggregation level includes:
determining if the highest aggregation level has been selected and processed;
if the highest aggregation level has not been selected and processed, determining if the most recent aggregation level selected is the highest aggregation level;
if the highest aggregation level has not been selected and processed and if the most recent aggregation level selected is not the highest aggregation level, selecting and processing the aggregation level that is one higher than the most recent aggregation level as the selected aggregation level, selecting all the groups whose aggregation level is the same as the selected aggregation level and repeating a) to f); and
if the highest aggregation level has been selected and processed, selecting and processing the aggregation level that is one lower than the most recent aggregation level as the selected aggregation level, selecting all the groups whose aggregation level is the same as the selected aggregation level and repeating a) to f).
37. The method of claim 32, wherein sorting the groups includes:
determining, for each group, a percentage of active users; sorting the groups in descending order of percentage of active users; and assigning each client to a single group, giving priority to the groups with the highest percentage of active users.
38. A method of discovering critical assets in a computer network having a plurality of assets, comprising:
monitoring network traffic, wherein monitoring includes finding assets in the network traffic;
determining, for each of the assets found in the network traffic, events, packets and users per asset;
for each asset found in the network traffic, if the events per asset of the asset are greater than the events per asset of a first percentile of all assets found in the network traffic and if the packets per asset of the asset are greater than the packets per asset of a second percentile of all assets found in the network traffic, designating said asset as a critical asset; and
for each asset found in the network traffic, if the users per asset of the asset are greater than the users per asset of a third percentile of all assets found in the network traffic and if the packets per asset of the asset are greater than the packets per asset of a fourth percentile of all assets found in the network traffic, designating said asset as a critical asset.
39. The method of claim 38, wherein the first and second percentiles are set at the 90th percentile while the third and fourth percentiles are set at the 75th percentile.
40. The method of claim 38, wherein determining includes computing histograms for the number of events, the number of packets, and the number of clients.
41. The method of claim 38, wherein monitoring further includes storing monitored network traffic over predefined periods of time as data sets and wherein finding includes determining if subsequent data sets introduce new assets to be considered as critical assets.
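An added worked example of the critical-asset test of claims 38 through 40 (the same test as claim 7), in Python and not code from the patent. The per-asset flow summaries are constructed sample data, and the percentile thresholds are computed as nearest-rank percentiles over the per-asset totals, which is an assumption the claims leave open; with the claim 39 settings two of the eleven sample assets come out critical.

```python
from collections import defaultdict
from math import ceil
from typing import Dict, Iterable, List, Tuple

# Constructed flow summaries (asset, user, events, packets); not from the patent.
SAMPLE_TRAFFIC: List[Tuple[str, str, int, int]] = [
    ("db-01", "alice", 40, 9000), ("db-01", "bob", 35, 8000),
    ("db-01", "carol", 30, 7000), ("db-01", "dave", 20, 6000),
    ("web-01", "alice", 5, 4000), ("web-01", "erin", 4, 3500),
    ("web-01", "frank", 3, 3000), ("web-01", "grace", 2, 2500),
    ("web-01", "heidi", 2, 2000),
    ("file-01", "bob", 3, 900), ("file-01", "carol", 2, 800),
    ("print-01", "dave", 1, 100), ("print-01", "erin", 1, 120),
    ("dev-01", "frank", 2, 300), ("dev-02", "grace", 1, 200),
    ("dev-03", "heidi", 1, 150), ("dev-04", "ivan", 1, 180),
    ("dev-05", "judy", 1, 160), ("dev-06", "ivan", 2, 250),
    ("dev-07", "judy", 1, 170),
]


def per_asset_stats(records: Iterable[Tuple[str, str, int, int]]) -> Dict[str, Dict[str, int]]:
    """Events, packets and distinct users per asset: the three measures of claim 38."""
    events, packets, users = defaultdict(int), defaultdict(int), defaultdict(set)
    for asset, user, ev, pk in records:
        events[asset] += ev
        packets[asset] += pk
        users[asset].add(user)
    return {a: {"events": events[a], "packets": packets[a], "users": len(users[a])}
            for a in events}


def nearest_rank_percentile(values: Iterable[int], pct: float) -> int:
    """Nearest-rank percentile: the value at position ceil(pct/100 * n) of the sorted sample."""
    ordered = sorted(values)
    return ordered[max(ceil(pct / 100 * len(ordered)) - 1, 0)]


def discover_critical_assets(records, load_pct: float = 90.0, user_pct: float = 75.0) -> List[str]:
    """An asset is critical if it is heavy on events AND packets (load_pct), or on
    users AND packets (user_pct); both comparisons are strictly greater, as claimed."""
    stats = per_asset_stats(records)
    thr = {(m, p): nearest_rank_percentile((s[m] for s in stats.values()), p)
           for m in ("events", "packets", "users") for p in (load_pct, user_pct)}
    critical = []
    for asset, s in stats.items():
        heavy_load = s["events"] > thr["events", load_pct] and s["packets"] > thr["packets", load_pct]
        many_users = s["users"] > thr["users", user_pct] and s["packets"] > thr["packets", user_pct]
        if heavy_load or many_users:
            critical.append(asset)
    return sorted(critical)
```

The database host qualifies on the event and packet volumes, the web host only on its user count and packets, and the file server misses because its two users do not exceed the 75th-percentile user count.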