METHOD AND SYSTEM FOR DETECTING OPERATING SYSTEMS RUNNING ON NODES IN COMMUNICATION NETWORK

US 20130332456A1
Filed: 11/10/2011
Published: 12/12/2013
Est. Priority Date: 11/11/2010
Status: Abandoned Application

First Claim

Patent Images

1. A method of detecting an operating system (OS) running on a node in a communication network, the method comprising:

(a) responsive to obtaining an event to be analyzed with respect to a given node, generating a group of two or more OS profiles matching the event;

(b) generating a sufficient set of one or more events to be obtained in order to identify, among the matching OS profiles in the generated group, the OS profile uniquely characterizing the OS running on the given node, to yield the sufficient set of significant events;

(c) upon obtaining a significant event with respect to the given node, generating a new group of one or more matching OS profiles, wherein said new group is generated in accordance with said obtained significant event and at least, with one event previously analyzed with respect to the given node; and

(d) identifying the OS running on the given node with the help of said generated new group of one or more matching OS profiles.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Fingerprinting operating systems running on nodes in a communication network. Responsive to obtaining an event to be analyzed with respect to a given node, generating a group of two or more OS profiles matching the event; generating a sufficient set of one or more significant events, i.e. events obtained in order to identify, among the matching OS profiles in the generated group, the OS profile uniquely characterizing the OS running on the given node; upon obtaining a significant event from the given node, generating a new group of one or more matching OS profiles, wherein said new group is generated in accordance with said obtained significant event and at least, with one event previously analyzed with respect to the given node; and identifying the OS running on the given node with the help of said generated new group of one or more matching OS profiles.

69 Citations

View as Search Results

39 Claims

1. A method of detecting an operating system (OS) running on a node in a communication network, the method comprising:
- (a) responsive to obtaining an event to be analyzed with respect to a given node, generating a group of two or more OS profiles matching the event;
  
  (b) generating a sufficient set of one or more events to be obtained in order to identify, among the matching OS profiles in the generated group, the OS profile uniquely characterizing the OS running on the given node, to yield the sufficient set of significant events;
  
  (c) upon obtaining a significant event with respect to the given node, generating a new group of one or more matching OS profiles, wherein said new group is generated in accordance with said obtained significant event and at least, with one event previously analyzed with respect to the given node; and
  
  (d) identifying the OS running on the given node with the help of said generated new group of one or more matching OS profiles.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 38, 39)
- - 2. The method of claim 1 wherein said generated new group of matching OS profiles comprises a single OS profile, the method further comprising identifying the OS running on the given node as corresponding to said single profile.
  - 3. The method of claim 1 wherein said generated new group of matching OS profiles comprises two or more matching OS profile, the method further comprising:
    - repeating operations b) and c) until generating a new group of matching OS profiles with a single OS profile, and identifying the OS running on the given node as corresponding to said single profile.
  - 4. The method of claim 3 wherein a generated sufficient set of significant events does not constitute a subset of a previously generated sufficient set of significant events.
  - 5. The method of claim 3 wherein a generated sufficient set of significant events constitutes a subset of a previously generated sufficient set of significant events.
  - 6. The method of any one of claims 1-5, wherein the significant event is a passive event.
  - 7. The method of any one of claims 1-6, wherein the significant event is an active event.
  - 8. The method of any one of claims 1-7, wherein the sufficient set of significant events comprises at least two alternative significant events.
  - 9. The method of any one of claims 1-8 wherein a new group of matching OS profiles is generated by comparing properties corresponding to the obtained significant event with OS profiles comprised in a previously generated group of matching OS profiles.
  - 10. The method of any one of claims 1-9 wherein a generated new group of matching OS profiles comprises OS profiles matching the obtained significant event and all events previously analyzed with respect to the given node.
  - 11. The method of any one of claims 1-10 wherein a generated new group of matching OS profiles comprises all OS profiles matching the obtained significant event and all events previously analyzed with respect to the given node.
  - 12. The method of any one of claims 1-11 wherein a generated new group of matching OS profiles comprises a part of OS profiles matching the obtained significant event and, at least, one event previously analyzed with respect to the given node.
  - 13. The method of claim 12 further comprising comparing properties corresponding to the obtained significant event with OS profiles comprised in a database of OS profiles if the generated new group of matching OS profiles does not comprise an OS profile matching the obtained significant event.
  - 14. The method of any one of claims 1-13 wherein the generated sufficient set of significant events is optimized in accordance with predefined criteria.
  - 15. The method of claim 14 wherein the predefined criteria is related to a minimal number of events to be obtained and/or minimal number of certain type of events to be obtained and/or minimal time of OS detecting process.
  - 16. The method of any one of claims 1-15, wherein a generated new group of matching OS profiles comprises two or more matching OS profile, the method further comprising discontinuing operations b) and c) before identifying the OS running on the given node if a certain significant event has not been obtained during a predefined time.
  - 17. The method of any one of claims 1-15 further comprising re-generating a sufficient set of significant events if a certain active significant event has not been obtained during a predefined time, whilst excluding said non-obtained significant event from the re-generated sufficient set of significant events.
  - 18. The method of any one of claims 1-17, further comprising:
    - (a) monitoring events related to a given node and detecting deviations in inferred properties of repeating events related to the given node; and
      
      (b) initiating OS detecting for the given node upon detecting a pre-defined deviation.
  - 38. A computer program comprising computer program code means for performing all the stages of any one of claims 1-18 when said program is run on a computer.
  - 39. A computer program as claimed in claim 38 embodied on a computer readable medium.

19. An OS detector operable to detect an operating system (OS) running on a node in a communication network, the OS detector comprises:
- an OS profiles database accommodating OS profiles characterizing respective operating systems;
  
  an events interface configured to obtain events in a passive and/or in an active mode; and
  
  an analyzing and managing unit (A&
  
  M unit) operatively coupled to the OS database and to the events interface, the A&
  
  M unit operable;
  
  (a) responsive to obtaining an event to be analyzed with respect to a given node, to generate a group of two or more OS profiles matching the event;
  
  (b) to generate a sufficient set of one or more events to be obtained in order to identify, among the matching OS profiles in the generated group, the OS profile uniquely characterizing the OS running on the given node, to yield the sufficient set of significant events;
  
  (c) upon obtaining a significant event with respect to the given node, to generate a new group of one or more matching OS profiles, wherein said new group is generated in accordance with said obtained significant event and, at least, with one event previously analyzed with respect to the given node; and
  
  (d) to identify the OS running on the given node with the help of said generated new group of one or more matching OS profiles.
- View Dependent Claims (20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37)
- - 20. The OS detector of claim 19 wherein said generated new group of matching OS profiles comprises a single OS profile, and wherein the A&
    - M unit is further operable to identify the OS running on the given node as corresponding to said single profile.
  - 21. The OS detector of claim 19 wherein said generated new group of matching OS profiles comprises two or more matching OS profile, and wherein the A&
    - M unit further operable to;
      
      repeat operations b) and c) until generating a new group of matching OS profiles with a single OS profile, and to identify the OS running on the given node as corresponding to said single profile.
  - 22. The OS detector of any one of claims 19-21, wherein the significant event is a passive event received by sniffing provided with the help of the events interface.
  - 23. The OS detector of any one of claims 19-22, wherein the significant event is an active event obtained in response to a probe generated and sent with the help of the events interface in accordance with in instructions received from the A&
    - M unit.
  - 24. The OS detector of any one of claims 19-23, wherein the sufficient set of significant events comprises at least two alternative significant events.
  - 25. The OS detector of any one of claims 19-24 wherein the A&
    - M unit is operable to generate a new group of matching OS profiles by comparing properties corresponding to the obtained significant event with OS profiles comprised in a previously generated group of matching OS profiles.
  - 26. The OS detector of any one of claims 19-25 wherein a generated new group of matching OS profiles comprises OS profiles matching the obtained significant event and all events previously analyzed with respect to the given node.
  - 27. The OS detector of any one of claims 19-26 wherein a generated new group of matching OS profiles comprises all OS profiles matching the obtained significant event and all events previously analyzed with respect to the given node.
  - 28. The OS detector of any one of claims 19-25 wherein a generated new group of matching OS profiles comprises a part of OS profiles matching the obtained significant event and, at least, one event previously analyzed with respect to the given node.
  - 29. The OS detector of claim 28, wherein the A&
    - M unit is further operable to compare properties corresponding to the obtained significant event with OS profiles comprised in the OS profiles database if the generated new group of matching OS profiles does not comprise an OS profile matching the obtained significant event.
  - 30. The OS detector of any one of claims 19-28, wherein the A&
    - M unit is further operable to optimized the sufficient set of significant events in accordance with predefined criteria.
  - 31. The OS detector of claim 30 wherein the predefined criteria is related to a minimal number of events to be obtained and/or minimal number of certain type of events to be obtained and/or minimal time of OS detecting process.
  - 32. The OS detector of any one of claims 19-31, wherein the A&
    - M unit is further operable to re-generate a sufficient set of significant events if during a predefined time a certain active significant events has not been obtained, wherein said non-obtained significant event is excluded from the re-generated sufficient set of significant events.
  - 33. The OS detector of any one of claims 19-32 further comprising a nodes database operatively coupled to the A&
    - M unit, wherein the nodes database is operable to accommodate events related to one or more given nodes.
  - 34. The OS detector of claim 33 wherein the nodes database is operable to maintain for each given node a list of events and/or derivatives thereof related to the respective node, and wherein said list comprises, at least, events which have been analyzed with respect to the respective node.
  - 35. The OS detector of any one of claims 19-34 wherein the A&
    - M unit is operable to generate the sufficient set in a form of a decision matrix comprising one or more passive events to be obtained and/or one or more active events to be obtained.
  - 36. The OS detector of any one of claims 19-35 further operable:
    - (a) to monitor events related to a given node and to detect deviations in inferred properties of repeating events related to the given node; and
      
      (b) to initiate OS detecting for the given node upon detecting a pre-defined deviation.
  - 37. The OS detector of any one of claims 19-35 further operable to initiate, upon obtaining information related to a node newly attached to the network, OS detecting for said new node.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, Inc. (McAfee, LLC)
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
Arkin, Ofir

Application Number

US13/885,120
Publication Number

US 20130332456A1
Time in Patent Office

Days
Field of Search
US Class Current

707/737
CPC Class Codes

G06F 16/285 Clustering or classification

H04L 41/12 Discovery or management of ...

METHOD AND SYSTEM FOR DETECTING OPERATING SYSTEMS RUNNING ON NODES IN COMMUNICATION NETWORK

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

69 Citations

39 Claims

Specification

Solutions

Use Cases

Quick Links

METHOD AND SYSTEM FOR DETECTING OPERATING SYSTEMS RUNNING ON NODES IN COMMUNICATION NETWORK

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

69 Citations

39 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links