SYSTEM AND METHOD FOR AUTOMATIC SERVICE DISCOVERY AND PROTECTION

US 20160285847A1
Filed: 03/21/2016
Published: 09/29/2016
Est. Priority Date: 03/23/2015
Status: Active Grant

First Claim

Patent Images

1. A system for automatically discovering services operating on a network, the system comprising:

a service discovery database configured to store expected service behavioral characteristics and service identities of the services operating on the network, each service identity associated with a set of the expected service behavioral characteristics in the service discovery database;

A set of service discovery modules, the set of service discovery modules configured to collect service behavioral data of the services operating on the network; and

A service discovery module controller communicatively coupled to the service discovery module database and the set of service discovery modules, the service discovery module controller configured to;

generate a first set of service behavioral characteristics from the service behavioral data;

analyze the first set of service behavioral characteristics using the expected service behavioral characteristics, resulting in a first behavioral analysis; and

identify a first service identity of at least one service operating on the network, from the first behavioral analysis and an association of the first service identity and a first set of the expected service behavioral characteristics.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system for automatically discovering services operating on a network including a service discovery database configured to store expected service behavioral characteristics and service identities of the services operating on the network, a set of service discovery modules configured to collect service behavioral data of the services operating on the network, and a service discovery module controller communicatively coupled to the service discovery module database and the set of service discovery modules, the service discovery module controller configured to generate service behavioral characteristics from the service behavioral data, analyze the service behavioral characteristics using the expected service behavioral characteristics, resulting in a first behavioral analysis, identify a first service identity of at least one service operating on the network from the first behavioral analysis and an association of the first service identity and the expected service behavioral characteristics.

Citations

26 Claims

1. A system for automatically discovering services operating on a network, the system comprising:
- a service discovery database configured to store expected service behavioral characteristics and service identities of the services operating on the network, each service identity associated with a set of the expected service behavioral characteristics in the service discovery database;
  
  A set of service discovery modules, the set of service discovery modules configured to collect service behavioral data of the services operating on the network; and
  
  A service discovery module controller communicatively coupled to the service discovery module database and the set of service discovery modules, the service discovery module controller configured to;
  
  generate a first set of service behavioral characteristics from the service behavioral data;
  
  analyze the first set of service behavioral characteristics using the expected service behavioral characteristics, resulting in a first behavioral analysis; and
  
  identify a first service identity of at least one service operating on the network, from the first behavioral analysis and an association of the first service identity and a first set of the expected service behavioral characteristics.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25)
- - 2. The system of claim 1, wherein the set of service discovery modules comprises a DNS service discovery module configured to:
    - receive a hostname to query;
      
      query a DNS server with the hostname; and
      
      receive a DNS response;
      
      wherein the service discovery module controller is configured to generate the first set of service behavioral characteristics, and consequently identify the first service identity, based on the DNS response.
  - 3. The system of claim 2, wherein the DNS service module is configured to:
    - transmit an HTTP request to an address identified in the DNS response; and
      
      receive an HTTP response from the address;
      
      wherein the service discovery module controller is configured to generate the first set of service behavioral characteristics, and consequently identify the first service identity, based on the HTTP response.
  - 4. The system of claim 1, wherein the set of service discovery modules comprises an identity provider service discovery module configured to:
    - monitor authentication attempts to an identity provider service; and
      
      generate a log of authentication attempt data associated with the authentication attempts;
      
      wherein the service discovery module controller is configured to generate the first set of service behavioral characteristics, and consequently identify the first service identity, based on the log of authentication attempt data.
  - 5. The system of claim 4, wherein the identity provider service discovery module is a plugin to the identity provider service, and wherein the identity provider service is an Active Directory service.
  - 6. The system of claim 1, wherein the set of service discovery modules comprises a network traffic service discovery module configured to:
    - monitor network traffic of the network; and
      
      generate a log of network traffic data associated with the network traffic, wherein the network traffic data comprises at least two of;
      
      packet source, packet destination, packet content, and transmission time;
      
      wherein the service discovery module controller is configured to generate the first set of service behavioral characteristics, and consequently identify the first service identity, based on the log of network traffic data.
  - 7. The system of claim 6, wherein the network traffic service discovery module is a plugin to network traffic monitoring software.
  - 8. The system of claim 1, wherein the set of service discovery modules comprises at least two of:
    - a DNS service discovery module, an identity provider service discovery module, and a network traffic service discovery module,wherein the DNS service discovery module is configured to transmit HTTP requests to identified addresses and collect HTTP response data,wherein the identity provider service discovery module is configured to collect authentication attempt data associated with authentication attempts to an identity provider service on the network,wherein the network traffic service discovery module is configured to collect network traffic data associated with the network, andwherein the service discovery module controller is configured to generate the first set of service behavioral characteristics, and consequently identify the first service identity, based on data collected from both a first and a second service discovery module of the set of service discovery modules.
  - 9. The system of claim 1, wherein the set of service behavioral characteristics comprises the service behavioral data and an analysis of the service behavioral data.
  - 10. The system of claim 9, wherein the analysis of the service behavioral data comprises at least one of:
    - a HTTP response metric, an authentication attempt metric, and a network traffic metric,wherein the HTTP response metric is generated based on an HTTP response analysis of HTTP headers of an HTTP response,wherein the authentication attempt metric is generated based on a comparison between authentication attempts to an identity provider service on the network over a baseline timeframe and authentication attempts to the identity provider service over a later timeframe, wherein the baseline timeframe is associated with a known baseline state of the services operating on the network.
  - 11. The system of claim 10, wherein the network traffic metric is generated based on bandwidth usage of the at least one service operating on the network.
  - 12. The system of claim 1, wherein the service discovery module controller is further configured to:
    - generate a second set of service behavioral characteristics from the service behavioral data;
      
      analyze the second set of service behavioral characteristics using the expected service behavioral characteristics, resulting in a second behavioral analysis; and
      
      identify a second service identity of at least one service operating on the network from the second behavioral analysis and an association of the second service identity and a second set of expected service behavioral characteristics.
  - 13. The system of claim 12, wherein the first and the second sets of expected service behavioral characteristics share at least one service behavioral characteristic.
  - 14. The system of claim 1, wherein a service discovery module of the set of service discovery modules is integrated with the service discovery module controller, and wherein the service discovery module is executed by the service discovery module controller.
  - 15. The system of claim 1, wherein the service discovery module controller is further configured to:
    - control the service discovery module to transmit a service behavioral data probe configured to request service behavioral data; and
      
      receive the requested service behavioral data, wherein the service discovery module controller is configured to generate the first set of service behavioral characteristics, and consequently identify the first service identity, based on the requested service behavioral data.
  - 16. The system of claim 1, wherein the first behavioral analysis comprises a similarity score generated from a comparison of the first set of service behavioral characteristics and the first set of expected service behavioral characteristics.
  - 17. The system of claim 1, wherein the service discovery module controller is configured to assign weights to service behavioral characteristics of the first set of service behavioral characteristics, wherein analyzing the first set of service behavioral characteristics comprises generating a digital fingerprint from the first set of service behavioral characteristics and the weights.
  - 18. The system of claim 17, wherein the service discovery module is configured to identify the first service identity from a comparison of the digital fingerprint and an expected digital fingerprint associated with the first service identity.
  - 19. The system of claim 1, wherein the first behavioral analysis comprises evaluating the first set of service behavioral characteristics using a model generated from the expected service behavioral characteristics.
  - 20. The system of claim 19, wherein the model is configured to be updated with the first set of service behavioral characteristics, wherein the first set of service behavioral characteristics has a link to the first service identity.
  - 21. The system of claim 20, wherein the model is updated only after verification of the link between the first set of service behavioral characteristics and the first service identity.
  - 22. The system of claim 1 wherein the service discovery module controller is configured to:
    - generate a service discovery notification comprising the first service identity; and
      
      notify an administrator of the network with the service discovery notification.
  - 23. The system of claim 1, wherein the service discovery module controller is configured to generate a service discovery notification comprising the first service identity;
    - wherein the service discovery notification comprises an option to verify accuracy of service identification, and wherein the service discovery module database is configured to store a response to the service discovery notification and an association between the response and the first set of service behavioral characteristics.
  - 24. The system of claim 1, wherein the service discovery module is configured to automatically implement a security measure after identifying the first service identity.
  - 25. The system of claim 24, wherein automatically implementing the security measure comprises configuring the at least one service to require two-factor authentication in response to identifying the first service identity.

26. A method for automatically discovering services operating on a network, the method comprising:
- storing expected service behavioral characteristics and service identities of the services operating on the network, each service identity associated with a set of the expected service behavioral characteristics;
  
  collecting service behavioral data of the services operating on the network;
  
  generating service behavioral characteristics from the the service behavioral data; and
  
  analyzing the service behavioral characteristics using the expected service behavioral characteristics, resulting in a first behavioral analysis; and
  
  identifying a first service identity of at least one service operating on the network, from the first behavioral analysis and an association of the first service identity and a first set of the expected service behavioral characteristics.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Duo Security Incorporated (Cisco Systems, Inc.)
Inventors
Oberheide, Jon, Song, Dug

Granted Patent

US 9,930,025 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/6281   at program execution time, ...

G06F 2221/2101   Auditing as a secondary aspect

G06F 9/00   Arrangements for program co...

H04L 61/4511   using domain name system [DNS]

H04L 61/4541   Directories for service dis...

H04L 63/0272   Virtual private networks

H04L 63/029   Firewall traversal, e.g. tu...

H04L 63/08   for authentication of entit...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 67/02   based on web technology, e....

H04L 67/51   Discovery or management the...

SYSTEM AND METHOD FOR AUTOMATIC SERVICE DISCOVERY AND PROTECTION

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

26 Claims

Specification

Solutions

Use Cases

Quick Links

SYSTEM AND METHOD FOR AUTOMATIC SERVICE DISCOVERY AND PROTECTION

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

26 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links