Method and system for mapping a network for system security

US 6,968,377 B1
Filed: 07/01/2002
Issued: 11/22/2005
Est. Priority Date: 12/29/1998
Status: Expired due to Term

First Claim

Patent Images

1. A system for mapping a network domain for use in intrusion detection of a network interfaced with one or more network devices each having network information, the system comprising:

a device operable to detect an attack signature in network traffic directed to the network; and

a domain mapping device operable to;

interface with the network;

receive and store network information from the one of more network devices; and

provide the received and stored information to the device operable to detect an attack signature in network traffic directed to the network.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and system for mapping a network domain provides a centralized repository for network information to support network devices, including an intrusion detection system. A domain mapping device includes an acquisition engine for acquiring network information, hypercube storage for storing network information, and a query engine for responding to queries from network devices for network information. The acquisition engine acquires network information by active scanning of network devices, passive scanning of network devices, polling of network devices, or receiving network information pushed from network devices. The network information includes device type, operating system, service and vulnerability information. The query engine provides network information in response to queries from network devices, such as intrusion detection devices that use the data to detect attacks on the vulnerabilities of the network.

64 Citations

View as Search Results

52 Claims

1. A system for mapping a network domain for use in intrusion detection of a network interfaced with one or more network devices each having network information, the system comprising:
- a device operable to detect an attack signature in network traffic directed to the network; and
  
  a domain mapping device operable to;
  
  interface with the network;
  
  receive and store network information from the one of more network devices; and
  
  provide the received and stored information to the device operable to detect an attack signature in network traffic directed to the network.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The system of claim 1 wherein the domain mapping device further comprises an acquisition engine operable to acquire network information.
  - 3. The system of claim 2 wherein the acquisition engine is operable to acquire network information with active capture of the network information from the one or more network devices each having network information.
  - 4. The system of claim 2 wherein the acquisition engine is operable to acquire network information with passive capture of the network information from the one or more network devices each having network information.
  - 5. The system of claim 2 wherein the acquisition engine is operable to poll the one or more network devices to acquire network information from the one or more network devices.
  - 6. The system of claim 2 wherein the acquisition engine is operable to receive network information pushed from the one or more network devices each having network information.
  - 7. The system of claim 1 wherein the network information comprises vulnerabilities of the one or more network devices each having network information.
  - 8. The system of claim 7 wherein the network information further comprises device type, services and operating system information of the one or more network devices each having network information.
  - 9. The system of claim 1 wherein the domain mapping device further comprises hypercube storage operable to store network information.
  - 10. The system of claim 1 wherein the domain mapping device further comprises a query engine operable to respond to queries from the one or more network devices each having network information for network information.
  - 11. The system of claim 1, and further comprising a firewall device operable to categorize the network traffic into one or more categories and to block at least a portion of the network traffic based on the categorization, and wherein the network traffic is directed to the network devices, and the domain mapping device is operable to provide the received and stored information to the firewall device.

12. A system for use in intrusion detection of a network interfaced with one or more network devices each having network information, the system comprising:
- a domain mapping device operable to interface with the network and further operable when interfaced with the network to;
  
  receive network information from the one or more devices interfaced with the network, the received network information at least indicating a potential vulnerability associated with at least one of the one or more network devices each having network information; and
  
  provide the potential vulnerability to an intrusion detection system interfaced with the network, the intrusion detection system operable to detect an attack signature in network traffic directed to the network.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26)
- - 13. The system of claim 12, wherein the domain mapping device further comprises an acquisition engine operable to acquire network information.
  - 14. The system of claim 13, wherein the acquisition engine is operable to acquire network information with active capture of the network information from the one or more network devices interfaced with the network.
  - 15. The system of claim 13, wherein the acquisition engine is operable to acquire network information with passive capture of the network information from the one or more network devices interfaced with the network.
  - 16. The system of claim 13, wherein the acquisition engine is operable to poll the one or more network devices interfaced with the network to acquire network information from the one or more network devices.
  - 17. The system of claim 13, wherein the acquisition engine is operable to receive network information pushed from the one or more network devices interfaced with the network.
  - 18. The system of claim 12, wherein the domain mapping device is further operable to configure the intrusion detection system based on the potential vulnerability.
  - 19. They system of claim 18, wherein the domain mapping device is further operable to generate a network map based on the received information and determine the potential vulnerability based on the network map.
  - 20. The system of claim 12, wherein the network information comprises vulnerabilities of the one or more network devices interfaced with the network.
  - 21. The system of claim 20, wherein the network information further comprises device type, services and operating system information of the one or more network devices interfaced with the network.
  - 22. The system of claim 12, wherein the domain mapping device is further operable to generate a network map based on the received information and determine the potential vulnerability based on the network map.
  - 23. The system of claim 12, wherein the domain mapping device is further operable to store the received information.
  - 24. The system of claim 12, wherein the domain mapping device is further operable to identify the potential vulnerability by comparing stored potential vulnerabilities to the received network information.
  - 25. The system of claim 12, wherein the domain mapping device further comprises hypercube storage operable to store network information.
  - 26. The system of claim 12, wherein the domain mapping device further comprises a query engine operable to respond to queries from the one or more network devices interfaced with the network for network information.

27. A method for use in intrusion detection of a network comprising:
- acquiring network information for one or more network devices, the one or more network devices associated with the network, the acquired network information at least indicating a potential vulnerability associated with at least one of the network devices; and
  
  providing the potential vulnerability to an intrusion detection system associated with the network, the intrusion detection system operable to detect an attack signature in network traffic directed to the network.
- View Dependent Claims (28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41)
- - 28. The method of claim 27, and further comprising configuring the intrusion detection system based on the potential vulnerability.
  - 29. The method of claim 28, and further comprising generating a network map based on the acquired network information and determining the potential vulnerability based on the acquired information and determining the potential vulnerability based on the network map.
  - 30. The method of claim 27, wherein in the network information comprises vulnerabilities of the one or more of the network devices associated with the network.
  - 31. The method according to claim 30, wherein storing the acquired information comprises hypercube storage of the network information.
  - 32. The method of claim 27, and further comprising generating a network map based on the acquired network information and determining the potential vulnerability based on the acquired information and determining the potential vulnerability based on the network map.
  - 33. The method of claim 27, and further comprising storing the acquired information.
  - 34. The method of claim 27, and further comprising determining the potential vulnerability based on the acquired network information and stored potential vulnerabilities.
  - 35. The method of claim 27, wherein acquiring network information comprises active capture of the network information from the one or more of the network devices associated with the network.
  - 36. The method of claim 27, wherein acquiring network information comprises passive caption of the network information from the one or more of the network devices associated with the network.
  - 37. The method of claim 27 wherein acquiring the network information comprises polling network devices for network information.
  - 38. The method of claim 27 wherein acquiring the network information comprises pushing network information from the one or more network devices associated with the network for storage on a centralized repository.
  - 39. The method of claim 27, wherein the network information comprises identification of one or more services associated with the one or more of the network devices associated with the network.
  - 40. The method of claim 27, wherein the network information comprises identification of one or more operating systems associated with the one or more of the network devices associated with the network.
  - 41. The method of claim 27, wherein the network information comprises identification of a device type of the one or more network devices associated with the network.

42. A method for mapping a network domain for use in intrusion detection comprising:
- acquiring network information from one or more devices, the one or more devices associated with the network domain;
  
  storing the network information; and
  
  providing the stored information to a network security device associated with the one or more devices, the network security device operable to detect an attack signature in network traffic directed to the network domain.
- View Dependent Claims (43, 44, 45, 46, 47, 48, 49, 50, 51)
- - 43. The method of claim 42 wherein acquiring network information comprises active capture of network information from the one or more of the network devices associated with the network domain.
  - 44. The method of claim 42 wherein acquiring network information comprises passive capture of network information from the one or more of the network devices associated with the network domain.
  - 45. The method of claim 42 wherein acquiring network information comprises polling the network devices associated with the network domain for network information.
  - 46. The method of claim 42 wherein acquiring network information comprises pushing network information from the one or more network devices associated with the network domain for storage on a centralized repository.
  - 47. The method of claim 42 wherein the network information comprises identification of one or more services associated with the one or more of the network devices associated with the network domain.
  - 48. The method of claim 42 wherein the network information comprises identification of one or more operating systems associated with the one or more of the network devices associated with the network domain.
  - 49. The method of claim 42 wherein the network information comprises identification of the device type of the one or more network devices associated with the network domain.
  - 50. The method of claim 42 wherein the network information comprises vulnerabilities of the one or more of the network devices associated with the network domain.
  - 51. The method according to claim 42 wherein storing the network information comprises hypercube storage of the network information.

52. A system for use in network intrusion detection of a network interfaced with one or more network devices each having network information, the system comprising:
- a network intrusion detection means for detecting an attack signature in network traffic directed to the network; and
  
  a means for acquiring the network information from the one or more devices, storing the network information, and providing the stored network information to the network intrusion detection means.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Waddell, Scott V., Gleichauf, Robert E., Lathem, Gerald
Primary Examiner(s)
Harrell, Robert B.

Application Number

US10/188,278
Time in Patent Office

1,240 Days
Field of Search

713/164, 713/166, 713/188, 713/200, 713/201, 345/418, 345/473, 717/4, 709/200, 709/223, 709/224, 709/225, 714/38, 714/57, 714/46
US Class Current

709/224
CPC Class Codes

H04L 41/00   Arrangements for maintenanc...

H04L 63/0263   Rule management

H04L 63/1433   Vulnerability analysis

Method and system for mapping a network for system security

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

64 Citations

52 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for mapping a network for system security

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

64 Citations

52 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links