Using Trust Profiles for Network Breach Detection

US 20150288709A1
Filed: 03/10/2015
Published: 10/08/2015
Est. Priority Date: 04/04/2014
Status: Active Grant

First Claim

Patent Images

1. A system comprising:

a network monitor analyzing data packets transmitted through a network;

a trust profile module in communication with the network monitor that includes a trust profile, the trust profile module configured for determining permissible use that includes at least one of;

whether the at least one port transmitting the data packets matches a permissible port identified in the trust profile; and

whether the at least one protocol generating the data packets matches a permissible protocol identified in the trust profile.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Actions of servers and other network devices within a network are monitored to detect whether the servers and network devices are performing tasks, using protocols, and communicating through ports that are consistent with legitimate (or “permissible”) purposes. That is, rather than attempting to belatedly identify malware signatures and screen all traffic into and out of a network for these signatures, embodiments of the present invention scrutinize devices (such as servers and other network infrastructure elements) for malware behavior that is inconsistent with an identified set of actions known to be consistent with legitimate tasks performed by the network device.

Citations

21 Claims

1. A system comprising:
- a network monitor analyzing data packets transmitted through a network;
  
  a trust profile module in communication with the network monitor that includes a trust profile, the trust profile module configured for determining permissible use that includes at least one of;
  
  whether the at least one port transmitting the data packets matches a permissible port identified in the trust profile; and
  
  whether the at least one protocol generating the data packets matches a permissible protocol identified in the trust profile.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The system of claim 1, wherein the network monitor further comprises a server.
  - 3. The system of claim 1, wherein the permissible port comprises at least one of a local port and a remote port.
  - 4. The system of claim 1, wherein the trust profile module is further configured for generating an alert indicating violation of the trust profile.
  - 5. The system of claim 1, wherein the trust profile further comprises a set of allowable exceptions to the permissible use.
  - 6. The system of claim 5, wherein the set of allowable exceptions includes identifying a server and allowing the server to operate as a client for obtaining software updates from an update server.
  - 7. The system of claim 1, wherein the trust profile further comprises acceptable business practices that refine the permissible use.
  - 8. The system of claim 7, further comprising:
    - performing, by the network monitor, a packet inspection on transmitted data packets; and
      
      responsive to the packet inspection, determining whether the inspected packets comply with the acceptable business practices of the trust profile.
  - 9. The system of claim 7, wherein the acceptable business practices comprise identifying as legitimate at least one of a time-of-day access, a data volume transmission limit, and protocol tunneling.

10. A computer-implemented method comprising:
- receiving a trust profile corresponding to a first network device, the trust profile identifying at least one of (1) a permissible port and (2) a permissible protocol for transceiving legitimate network traffic by the first network device;
  
  storing the trust profile at a second network device that monitors network traffic corresponding to the first network device;
  
  identifying, by the second network device, at least one of (1) an actual port used to transceive network traffic by the first network device and (2) an actual protocol used to generate network traffic by the first network device; and
  
  determining, by the second network device, whether the at least one of (1) the actual port and (2) the actual protocol matches the at least one of (1) the permissible port and (2) the permissible protocol of the trust profile.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 11. The computer-implemented method of claim 10, further comprising:
    - responsive to determining that the at least one of (1) the actual port and (2) the actual protocol do not match a corresponding one of the at least one of (1) the permissible port and (2) the permissible protocol of the trust profile, preventing the first network device from transceiving the network traffic.
  - 12. The computer-implemented method of claim 10, wherein receiving the trust profile comprises receiving a usage profile, the received usage profile generated by:
    - monitoring traffic corresponding to the first network device during a discovery phase;
      
      receiving an identification of at least one of (1) a set of actual ports used by the first network device to transceive network traffic and (2) a set of actual protocols used by the first network device to generate network traffic; and
      
      receiving an identification of at least one of (1) the permissible port from the set of actual ports and (2) the permissible protocol from the set of actual protocols for inclusion in the trust profile.
  - 13. The computer-implemented method of claim 10, wherein the trust profile further comprises at least one permitted IP address.
  - 14. The computer-implemented method of claim 10, wherein the received trust profile further comprises receiving allowable exceptions corresponding to the first network device for permitting network traffic not otherwise identified in the trust profile as legitimate.
  - 15. The computer-implemented method of claim 14, wherein the received identified allowable exceptions includes identifying a server operating as a client for obtaining software updates from an update server.
  - 16. The computer-implemented method of claim 10, wherein the received trust profile further comprises receiving acceptable business practices corresponding to the first network device.
  - 17. The computer-implemented method of claim 16, further comprising performing, by the second network device, a packet inspection on the network traffic corresponding to the first network device to determine whether the traffic complies with the acceptable business practices.
  - 18. The computer-implemented method of claim 17, wherein the acceptable business practices includes at least one of a time-of-day access, a data volume transmission limit, and protocol tunneling that are identified as legitimate.
  - 19. The computer-implemented method of claim 17, wherein the acceptable business practices include whitelist tags corresponding to the network traffic that are identified as legitimate.
  - 20. The computer-implemented method of claim 16, wherein the acceptable business practices include associating legitimate user credentials with a server.

21. A computer-implemented method comprising:
- storing a trust profile at a network monitor, the trust profile identifying legitimate traffic by at least one of (1) a permissible port and (2) a permissible protocol;
  
  identifying, by the network monitor, at least one of (1) an actual port used to transceive network traffic and (2) an actual protocol used to generate network traffic; and
  
  determining, by the network monitor, whether the at least one of (1) the actual port and (2) the actual protocol matches the at least one of (1) the permissible port and (2) the permissible protocol of the trust profile.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
NetScout Systems Incorporated
Original Assignee
NetScout Systems Incorporated
Inventors
Singhal, Anil K., Nakamoto, Shu, Briggs, Deborah

Granted Patent

US 9,306,964 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

H04L 63/0218   Distributed architectures, ...

H04L 63/0227   Filtering policies mail mes...

H04L 63/08   for authentication of entit...

H04L 63/102   Entity profiles

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1441   Countermeasures against mal...

Using Trust Profiles for Network Breach Detection

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Using Trust Profiles for Network Breach Detection

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links