NETWORK SEGMENTATION

US 20150236935A1
Filed: 02/17/2015
Published: 08/20/2015
Est. Priority Date: 02/19/2014
Status: Active Grant

First Claim

Patent Images

1. A system for automatically generating segments in a network, the system comprising:

a plurality of hosts configured to generate network activity information, at least a portion of the hosts belonging to an organization and connected via the network;

an analyzer server configured to analyze the network activity information, the analyzer server comprising;

memory that stores computer-executable instructions; and

at least one processor configured to access the memory and execute the computer-executable instructions to at least;

receive a portion of the network activity information, the portion of the network activity information describing interactions of the plurality of hosts on the network;

identify one or more metrics based in part on at least the portion of the network activity information, the one or more metrics identifying relationships between hosts of the plurality of hosts;

determine a plurality of observation vectors based at least in part on the one or more metrics, individual observation vectors of the plurality comprising one or more dimensions and corresponding to individual hosts of the plurality of hosts;

generate a plurality of clusters based at least in part on the plurality of observation vectors, each cluster of the plurality of clusters including at least some hosts of the plurality of hosts;

in response to generating the plurality of clusters, identify a profile for at least one cluster of the plurality of clusters, the profile representative of at least a potential system of the network; and

determine at least one segment within the network, the at least one segment including or excluding the potential system with respect to interactions on the network.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and system for segmenting a network including a plurality of hosts is disclosed. In an example embodiment, the network is a provider network. The method receives network activity information describing network traffic between hosts of the plurality. The method generates observations from the network activity information and organizes the observations into clusters. The method determines a profile for each cluster that corresponds to a potential system type implemented by one or more of the hosts of the medical provider network. The method determines segments within the provider network based on the profiled system types.

57 Citations

View as Search Results

20 Claims

1. A system for automatically generating segments in a network, the system comprising:
- a plurality of hosts configured to generate network activity information, at least a portion of the hosts belonging to an organization and connected via the network;
  
  an analyzer server configured to analyze the network activity information, the analyzer server comprising;
  
  memory that stores computer-executable instructions; and
  
  at least one processor configured to access the memory and execute the computer-executable instructions to at least;
  
  receive a portion of the network activity information, the portion of the network activity information describing interactions of the plurality of hosts on the network;
  
  identify one or more metrics based in part on at least the portion of the network activity information, the one or more metrics identifying relationships between hosts of the plurality of hosts;
  
  determine a plurality of observation vectors based at least in part on the one or more metrics, individual observation vectors of the plurality comprising one or more dimensions and corresponding to individual hosts of the plurality of hosts;
  
  generate a plurality of clusters based at least in part on the plurality of observation vectors, each cluster of the plurality of clusters including at least some hosts of the plurality of hosts;
  
  in response to generating the plurality of clusters, identify a profile for at least one cluster of the plurality of clusters, the profile representative of at least a potential system of the network; and
  
  determine at least one segment within the network, the at least one segment including or excluding the potential system with respect to interactions on the network.
- View Dependent Claims (2, 3, 4)
- - 2. The system of claim 1, further comprising a collector server, the collector server configured to at least:
    - collect the network activity information generated by the plurality of hosts; and
      
      save the network activity information in association with a data store;
      
      provide the portion of the network activity information to the activity analyzer server.
  - 3. The system of claim 1, wherein the at least one processor is further configured to access the memory and execute the computer-executable instructions to at least:
    - verify the potential system using outside information, the outside information comprising information other than the network activity information and being associated with at least a portion of the plurality of hosts.
  - 4. The system of claim 1, wherein the at least one processor is further configured to access the memory and execute the computer-executable instructions to at least:
    - receive a request to add a new host to the network; and
      
      assign the new host to a cluster of the plurality of clusters by comparing characteristics of the new host with characteristics of a first portion of hosts belonging to the cluster.

5. A computer-implemented method for automatically generating segments in a network, the method comprising:
- receiving, by a computer system, network activity information, the network activity information describing interactions of a plurality of hosts on the network;
  
  identifying one or more metrics based in part on at least a portion of the network activity information, the one or more metrics identifying relationships between hosts of the plurality of hosts;
  
  determining a plurality of observation vectors based at least in part on the one or more metrics, individual observation vectors of the plurality comprising one or more dimensions and being associated with individual hosts of the plurality of hosts;
  
  generating, by the computer system, a plurality of clusters based in part on the plurality of observation vectors, each cluster of the plurality of clusters including at least some hosts of the plurality of hosts;
  
  in response to generating the plurality of clusters, identifying a profile for at least one cluster of the plurality of clusters, the profile representative of at least a potential system of the network; and
  
  determining, by the computer system, a segment within the network, the segment including or excluding the potential system with respect to interactions on the network.
- View Dependent Claims (6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 6. The computer-implemented method of claim 5, further comprising:
    - collecting the network activity information generated by the plurality of hosts; and
      
      saving the network activity information in association with a data store.
  - 7. The computer-implemented method of claim 5, wherein the network activity information is collected using third-party collection software, the network activity information provided in at least one of the following formats:
    - Netflow v5, Netflow v9, Internet Protocol Flow Information Exchange, Domain Name System (DNS) records, web proxy records or packet capture.
  - 8. The computer-implemented method of claim 5, further comprising:
    - receiving a request to add a new host to the network; and
      
      assigning the new host to a cluster of the plurality of clusters by comparing characteristics of the new host with characteristics of a first portion of hosts belonging to the cluster.
  - 9. The computer-implemented method of claim 5, further comprising:
    - in response to generating the plurality of clusters, identifying a target host belonging to the at least one cluster at a first time when the profile is identified; and
      
      determining a host profile for the target host with respect to a comparison of the cluster profile and a subset of network activity information for the target host.
  - 10. The computer-implemented method of claim 9, further comprising:
    - after determining the host profile, monitoring network interactions of the target host; and
      
      providing an indication to an authorized user when a portion of the network interactions indicate that the target host is operating outside of the host profile.
  - 11. The computer-implemented method of claim 5, further comprising:
    - in response to generating the plurality of clusters, identifying a compromised profile for a second cluster of the plurality of clusters, the compromised profile representative of compromised hosts; and
      
      comparing network interactions of the plurality of hosts with the compromised profile to determine whether a particular host of the plurality of hosts has been compromised.
  - 12. The computer-implemented method of claim 5, wherein identifying the profile for the at least one cluster of the plurality of clusters comprises:
    - receiving a plurality of profiles from a third party, the profile included in the plurality of profiles; and
      
      selecting the profile from among the plurality of profiles based at least in part on characteristics of the at least one cluster.
  - 13. The computer-implemented method of claim 5, wherein determining the segment within the network comprises determining a plurality of segments, each segment of the plurality of segments including or excluding at least one potential system.
  - 14. The computer-implemented method of claim 13, wherein the plurality of segments comprises at least one of a device segment, an application segment, a user segment, a clinical segment, a profile user segment, a department segment, a medical device segment, or a control system segment.
  - 15. The computer-implemented method of claim 13, wherein the at least one potential system corresponds to a list of actual systems including one or more hosts of the plurality of hosts connected to the network.
  - 16. The computer-implemented method of claim 5, wherein the plurality of clusters are generated using one or more clustering techniques, the one or more clustering techniques comprising at least one of a k-means clustering technique, a hierarchal clustering technique, an expectation maximization clustering technique, a density-based special clustering of applications with noise technique, or a self-organizing map clustering technique.

17. A computer-implemented method for identifying compromised profiles using probability profiles, the method comprising:
- receiving, by a computer system, network activity information, the network activity information describing interactions of a user with a plurality of hosts on a network;
  
  determining a client profile based at least in part on the network activity information corresponding to the interactions of the user with at least a portion of the plurality of hosts on the network;
  
  determining, by the computer system and based on the client profile, a probability profile for the user, the probability profile including a prediction that the user will interact with a first host of the plurality of hosts;
  
  identifying a particular interaction of the user with a second host of the plurality of hosts, the particular interaction falling outside the probability profile for the user; and
  
  providing an indication to an authorized user including the probability profile.
- View Dependent Claims (18, 19, 20)
- - 18. The computer-implemented method of claim 17, wherein the client profile comprises an identified state path for the user, the identified state path indicating the portion of the plurality of hosts of the network and an order according to which the user has previously visited the plurality of hosts.
  - 19. The computer-implemented method of claim 18, wherein the probability profile comprise a probabilistic determination for subsequent hosts of the portion of the plurality of hosts, given a current host selected from the portion of the plurality of hosts.
  - 20. The computer-implemented method of claim 17, wherein the client profile comprises a state machine representative of the network activity information corresponding to the interactions of the user with the portion of the plurality of hosts on the network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
C-HCA, Inc.
Original Assignee
HCA Holdings Incorporated (HCA Healthcare, Inc.)
Inventors
Bassett, Gabriel David

Granted Patent

US 10,021,116 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

H04L 41/08   Configuration management of...

H04L 41/14   Network analysis or design

H04L 43/18   Protocol analysers

H04L 63/1408   by monitoring network traff...

H04L 63/1425   Traffic logging, e.g. anoma...

NETWORK SEGMENTATION

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

57 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

NETWORK SEGMENTATION

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

57 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links