Detecting unauthorized network communication

US 5,798,706 A
Filed: 06/18/1996
Issued: 08/25/1998
Est. Priority Date: 06/18/1996
Status: Expired due to Term

First Claim

Patent Images

1. A method for use with devices that are coupled by a communication medium to form an internal packet network, at least one of the devices not being an authorized conduit for communication with external devices that are not part of the internal packet network, the method comprisingobserving packets passing on the medium,based on the observation, detecting packets that pass between the internal packet network and one of the external devices via one of the devices that is part of the internal network, andfor detected packets associated with communication with the external device, determining if the one device via which the packets pass is an authorized conduit for communication with external devices.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Back door packet communication between a workstation on a network and a device outside the network is identified by detecting packets that are associated with communication involving devices outside the network, and identifying packets, among those detected packets, that are being sent or received by a device that is not authorized for communication with devices outside the network.

Citations

19 Claims

1. A method for use with devices that are coupled by a communication medium to form an internal packet network, at least one of the devices not being an authorized conduit for communication with external devices that are not part of the internal packet network, the method comprisingobserving packets passing on the medium,based on the observation, detecting packets that pass between the internal packet network and one of the external devices via one of the devices that is part of the internal network, andfor detected packets associated with communication with the external device, determining if the one device via which the packets pass is an authorized conduit for communication with external devices.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 16, 17)
- - 2. The method of claim 1 in which the detecting comprisescomparing address information in the packets with address information associated with devices that are part of the internal packet network to determine if the packet involves communication only between devices that are part of the internal packet network.
  - 3. The method of claim 2 in which the address information comprises logical network addresses.
  - 4. The method of claim 2 in which the logical network addresses comprise IP addresses.
  - 5. The method of claim 2 further comprising storing the address information associated with devices that are part of the internal packet network in a look-up table.
  - 6. The method of claim 1 in which the determining comprisesexamining hardware addresses in the packets.
  - 7. The method of claim 6 in which the hardware addresses comprise unique hardware addresses of network interface cards in the devices.
  - 8. The method of claim 1 further comprisingcomparing address information in the packets with address information associated with the devices that are authorized conduits for communication with external devices.
  - 9. The method of claim 8 further comprising storing the address information associated with the devices that are authorized conduits in a look-up table.
  - 10. The method of claim 1 in which at least one of the devices of the internal packet network is an authorized conduit for communication with external devices that are not part of the internal packet network.
  - 11. The method of claim 1 further comprising storing packets temporarily in a look-ahead buffer.
  - 12. The method of claim 1 further comprising reporting information about the non-authorized communication.
  - 16. The method of claim 1 in which the determining comprises watching for packets indicating that a non-authorized device is advertising routes.
  - 17. The method of claim 1 in which the determining comprises watching for redirect messages being sent by a non-authorized device to redirect traffic to an unauthorized gateway.

13. A method for reducing back door packet communication between a device on a network that is not an authorized conduit for communication with external devices that are outside of the network and a device outside the network comprisingdetecting packets that pass between the network and the device outside the network via the device on the network, andidentifying packets among the detected packets that are sent or received by the device on the network that is not authorized for communication with devices outside the network.

14. Apparatus for use in reducing packet communication between a device on a network that is not an authorized conduit for communication with devices outside the network and a device outside the network comprisinga scanner connected to observe packets passing on the network, andan analyzer that determines if one of the packets includes address information indicating that communication is occurring with the device that is not an authorized conduit for communication with devices outside the network and the external device.

15. A method for use with devices that are coupled by a communication medium to form an internal packet network, none of the devices being an authorized conduit for communication with external devices that are not part of the internal packet network, the method comprisingobserving network address information in packets passing on the medium,based on the observed network address information, detecting packets intended to pass from the internal packet network to the external device via one of the devices that is part of the internal packet network, andraising an alarm with respect to packets intended for communication with an external device.

18. A method for use with devices that are coupled by a communication medium to form an internal message network, at least one of the devices not being an authorized conduit for communication with external devices that are not part of the internal message network, the method comprisingobserving messages passing on the medium,based on the observation, detecting messages that pass between the internal packet network and one of the external devices via one of the devices that is part of the internal packet network, andfor detected messages associated with communication with the external device, determining if the one device via which the packets pass is an authorized conduit for communication with external devices.

19. A method for use with devices that are coupled by a communication medium to form an internal packet network, at least one of the devices not being an authorized conduit for communication with external devices that are not part of the internal packet network, the method comprisingobserving packets passing on the medium,based on the observation, detecting packets that pass between the internal packet network and one of the external devices via one of the devices that is part of the internal network by comparing the IP addresses of the packets with the IP addresses of devices on the internal packet network,for detected packets associated with communication with the external device, determining if the one device via which the packets pass is an authorized conduit for communication with external devices by comparing the hardware addresses of the packets with hardware addresses that correspond to devices that are authorized conduits, andfor packets whose hardware addresses do not correspond to devices that are authorized conduits, reporting information about the non-authorized communication.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Symantec Corporation (NortonLifeLock Inc.)
Original Assignee
Raptor Systems Inc. (Gen Digital Inc.)
Inventors
Kraemer, Jeffrey A., Waterman, David C., Kirby, Alan J.
Primary Examiner(s)
Zimmerman, Brian
Assistant Examiner(s)
MERZ, EDWARD W

Application Number

US08/665,293
Time in Patent Office

798 Days
Field of Search

340/825.06, 340/825.07, 370/252, 370/401, 370/402, 395/186, 395/187.01, 395/287
US Class Current

726/3
CPC Class Codes

H04L 63/0236   Filtering by address, proto...

H04L 63/102   Entity profiles

H04L 63/1408   by monitoring network traff...

H04L 9/40   Network security protocols

Detecting unauthorized network communication

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Detecting unauthorized network communication

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links