NETWORK DATA COLLECTION AND RESPONSE SYSTEM

US 20150326594A1
Filed: 05/06/2014
Published: 11/12/2015
Est. Priority Date: 05/06/2014
Status: Active Grant

First Claim

Patent Images

1. A computing device with access to a network, comprising:

local network resources accessible to the device via the network;

a connection protocol server configured to assign a network address to the device to identify the device on the network in response to a network access request received from the device;

a network data collection and response system operative to track network activity of the device including a device inventory comprising device type and configuration information for the device and a resource utilization profile for the device without utilization of a data monitoring agent installed on the device;

the network data collection and response system further operative to detect high-risk or unauthorized network activity involving the device through passive monitoring without utilization of a monitoring agent installed on the device;

the network data collection and response system further operative to implement a response action to mitigate the high-risk or unauthorized network activity.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Embodiments include a network data collection and response system for enhancing security in an enterprise network providing a user-supplied computing device with access to the network. A network data collection and response system tracks network activity of the device and maintains a device inventory recording the device type and configuration information for the device along with a resource utilization profile for the device. The network data collection and response system detects high-risk or unauthorized network activity involving the device through passive monitoring without utilization of a data monitoring agent installed on the device and implements a response action to mitigate the high-risk or unauthorized network.

Citations

20 Claims

1. A computing device with access to a network, comprising:
- local network resources accessible to the device via the network;
  
  a connection protocol server configured to assign a network address to the device to identify the device on the network in response to a network access request received from the device;
  
  a network data collection and response system operative to track network activity of the device including a device inventory comprising device type and configuration information for the device and a resource utilization profile for the device without utilization of a data monitoring agent installed on the device;
  
  the network data collection and response system further operative to detect high-risk or unauthorized network activity involving the device through passive monitoring without utilization of a monitoring agent installed on the device;
  
  the network data collection and response system further operative to implement a response action to mitigate the high-risk or unauthorized network activity.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The computing device with access to the network of claim 1, further comprising a gateway configured in the local network to provide the device with access to external resources via the local.
  - 3. The computing device with access to the network of claim 1, wherein the passively monitored network activity includes one or more of a dynamic host configuration protocol (DHCP) request received from the device and a domain name server (DNS) request received from the device.
  - 4. The computing device with access to the network of claim 1, wherein the passively monitored network activity includes one or more of a network flow information (e.g., Netflow) derived from network packets sent and received by the device and a hypertext transfer protocol (HTTP) request sent and response received by the device.
  - 5. The computing device with access to the network of claim 1, wherein the response action comprises one or more of:
    - blocking unauthorized network activity and providing notice to a user of the device that the device has attempted to conduct unauthorized network activity;
      
      notifying a user or monitoring system of the device of malware present on the device and removal of the malware from the device; and
      
      detecting malware transmitted from the device and removal of the malware from the network.
  - 6. The computing device with access to the network of claim 1, wherein the high-risk or unauthorized network activity comprises one or more of:
    - a combination of resources accessed by the device consistent of a high-risk activity profile maintained by the system; and
      
      short response times and periodic response patterns indicative of programmatic or robot activity.
  - 7. The computing device with access to the network of claim 1, wherein the network data collection and response system tracks and profiles the resource utilization of a device.
  - 8. The computing device with access to the network of claim 1, wherein the network data collection infers one or more of the type and configuration information of the device.

9. A computer program product for providing a user-supplied computing device with access to a network comprising local network resources accessible to the device via the network, the computer program product comprising:
- a tangible storage medium readable by a processing circuit and storing instructions for execution by the processing circuit for performing a method comprising;
  
  tracking network activity of the device through passive monitoring without utilization of a data monitoring agent installed on the device;
  
  inferring type and configuration information of the device;
  
  creating a device inventory comprising device type and one or more of configuration information for the device and a resource utilization profile for the device;
  
  detecting one or more of high-risk or unauthorized network activity involving the device; and
  
  implementing a response action to mitigate the high-risk or unauthorized network.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16, 17)
- - 10. The computer program product of claim 9, wherein tracking network activity includes one or more of detecting and recording a dynamic host configuration protocol (DHCP) request received from the device, a domain name server (DNS) request received from the device, a network flow information (e.g., Netflow) derived from network packets sent and received by the device, and a hypertext transfer protocol (HTTP) request sent and response received by the device.
  - 11. The computer program product of claim 9, wherein the response action comprises one or more of blocking unauthorized network activity and providing notice to a user of the device that the device has attempted to conduct unauthorized network activity.
  - 12. The computer program product of claim 9, wherein the response action comprises one or more of notifying a user of the device of malware present on the device and removal of the malware from the device.
  - 13. The computer program product of claim 9, wherein the response action comprises detecting malware transmitted from the device to the network and one or more of removal of the device from the network and notifying a user of the malware on the device.
  - 14. The computer program product of claim 9, wherein the high-risk or unauthorized network activity comprises a combination of resources accessed by the device consistent of a high-risk activity profile maintained by the system.
  - 15. The computer program product of claim 9, wherein the high-risk or unauthorized network activity comprises a short response times indicative of robot activity.
  - 16. The computer program product of claim 9, wherein the network data collection and response system tracks and profiles the resource utilization of a device.
  - 17. The computer program product of claim 9, wherein the network data collection infers one or more of the type and configuration information of the device.

18. A network data recording and response system for enhancing security in a computer network providing a computing device with access to the network, the system operable for:
- tracking network activity of the device through passive monitoring without utilization of a data monitoring agent installed on the device;
  
  inferring one or more of type and configuration information of the device;
  
  creating a device inventory comprising one or more of device type and configuration information for the device and a resource utilization profile for the device;
  
  detecting high-risk or unauthorized network activity involving the device; and
  
  implementing a response action to mitigate the high-risk or unauthorized network.
- View Dependent Claims (19, 20)
- - 19. The network data recording and response system of claim 18, wherein tracking network activity includes one or more of detecting and recording a dynamic host configuration protocol (DHCP) request received from the device, a domain name server (DNS) request received from the device, a network flow information (e.g., Netflow) packet received form the device, and a hypertext transfer protocol (HTTP) request received from the device.
  - 20. The network data recording and response system of claim 18, wherein the response action is selected from the group including:
    - blocking unauthorized network activity;
      
      providing notice to a user of the device that the device has attempted to conduct unauthorized network activity;
      
      notifying a user of the device of malware present on the device;
      
      removal of the malware from the device;
      
      detecting malware transmitted from the device; and
      
      removal of the malware from the network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Chari, Suresh N., Cheng, Pau-Chen, Hu, Xin, Koved, Lawrence, Rao, Josyula R., Sailer, Reiner, Schales, Douglas L., Singh, Kapil K., Stoecklin, Marc P.

Granted Patent

US 9,854,057 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1466   Active attacks involving in...

H04L 67/303   Terminal profiles

H04L 67/535   Tracking the activity of th...

NETWORK DATA COLLECTION AND RESPONSE SYSTEM

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

NETWORK DATA COLLECTION AND RESPONSE SYSTEM

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links