Network port profiling

US 7,290,283 B2
Filed: 01/31/2002
Issued: 10/30/2007
Est. Priority Date: 01/31/2001
Status: Expired due to Term

First Claim

Patent Images

1. A method for determining unauthorized usage of a data communication network, comprising the steps of:

monitoring packet headers of packets exchanged between two hosts on the data communication network;

based on the packet headers, determining the existence of a client/server (C/S) flow corresponding to a predetermined plurality of packets exchanged between the two hosts that relate to a single service and is characterized by a predetermined C/S flow characteristic;

storing information associating a service that is associated with a determined C/S flow with at least one of the hosts that is associated with the determined C/S flow, said service comprising an observed service;

determining if an observed service associated with a particular host is out of profile by comparing the service to a prestored allowed network services profile for the particular host; and

in response to determination that an observed service associated with a particular host is out of profile, providing an output indicating that the observed service is out of profile.

View all claims

12 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A port profiling system detects unauthorized network usage. The port profiling system analyzes network communications to determine the service ports being used. The system collects flow data from packet headers between two hosts or Internet Protocol (IP) addresses. The collected flow data is analyzed to determine the associated network service provided. A host data structure is maintained containing a profile of the network services normally associated with the host. If the observed network service is not one of the normal network services performed as defined by the port profile for that host, an alarm signal is generated and action can be taken based upon the detection of an Out of Profile network service. An Out of Profile operation can indicate the operation of a Trojan Horse program on the host, or the existence of a non-approved network application that has been installed.

310 Citations

36 Claims

1. A method for determining unauthorized usage of a data communication network, comprising the steps of:
- monitoring packet headers of packets exchanged between two hosts on the data communication network;
  
  based on the packet headers, determining the existence of a client/server (C/S) flow corresponding to a predetermined plurality of packets exchanged between the two hosts that relate to a single service and is characterized by a predetermined C/S flow characteristic;
  
  storing information associating a service that is associated with a determined C/S flow with at least one of the hosts that is associated with the determined C/S flow, said service comprising an observed service;
  
  determining if an observed service associated with a particular host is out of profile by comparing the service to a prestored allowed network services profile for the particular host; and
  
  in response to determination that an observed service associated with a particular host is out of profile, providing an output indicating that the observed service is out of profile.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36)
- - 2. The method of claim 1, farther comprising the step of displaying to a user indicia corresponding to the occurrence of particular network services observed in connection with one or more hosts during a monitoring period.
  - 3. The method of claim 2, further comprising the step of displaying an indication that a predetermined observed network service is in profile and observed during the monitoring period, is in profile and was not observed during the monitoring period, or is not in profile.
  - 4. The method of claim 1, further comprising the step of:
    - generating an alarm when an observed network service is not an allowed network service for the particular host.
  - 5. The method of claim 1, further comprising the step of displaying indicia indicating whether an observed network service is not an allowed network service for a particular host.
  - 6. The method of claim 1, further comprising the step of building the allowed network services profile based upon network services observed during a profile generation time period.
  - 7. The method of claim 1, further comprising the step of allowing user editing of the allowed network services profile for particular hosts.
  - 8. The method of claim 1, further comprising the step of allowing user editing of the allowed network services profile for a block of network addresses corresponding to a plurality of hosts.
  - 24. The method or system of claims 1, 9, 10, 17, or 23, wherein the predetermined C/S flow characteristic is selected from the group comprising:
    - the elapse of a predetermined period of time wherein no packets are exchanged between two hosts, the occurrence of a FIN flag, predetermined characteristics of traffic on a given port, the occurrence of a RESET packet, data sent by TCP and acknowledged, UDP packets that are not rejected, and local multicast or broadcast.
  - 25. The method or system of claims 1, 9, 10, 17, or 23, wherein the step of providing an output or alarm comprises the step of communicating a message to a firewall to drop packets going to or from the particular host.
  - 26. The method or system of claims 1, 9, 10, 17, or 23, wherein the output or alarm is a notification to a network administrator.
  - 27. The method or system of claims 1, 9, 10, 17, or 23, wherein the output or alarm is provided to a utilization component selected from the group comprising:
    - network security device, email, SNMP trap message, beeper, cellphone, firewall, network monitor, user interface display to an operator.
  - 28. The method or system of claims 1, 9, 10, 17, or 23, wherein the single service comprises a port number remaining constant for a plurality of packets.
  - 29. The method or system of claims 1, 9, 10, 17, or 23, wherein the steps are carried out in a monitoring appliance.
  - 30. The method of claim 29, wherein the monitoring appliance monitors communications among inside hosts and outside hosts.
  - 31. The method of claim 29, wherein the monitoring appliance is coupled to a network device.
  - 32. The method of claim 31, wherein the network device is selected from the group comprising:
    - router, switch, hub, tap.
  - 33. The method of claim 31, wherein the network device is a network security device.
  - 34. The method or system of claims 1, 9, 10, 17, or 23, wherein the monitoring of packets comprises monitoring packet header information only.
  - 35. The method or system of claims 1, 9, 10, 17, or 23, wherein the unauthorized use is from an inside address or from an outside address.
  - 36. The method or system of claims 1, 9, 10, 17, or 23, wherein a service is associated with a determined C/S flow in response to initiation of communications between the two hosts.

9. A method for determining unauthorized usage of a data communication network, comprising the steps of:
- monitoring packet headers of packets exchanged between two hosts on the data communication network;
  
  based on the packet headers, determining the existence of a client/server (C/S) flow corresponding to a predetermined plurality of packets exchanged between the two hosts that relate to a single service and is characterized by a predetermined C/S flow characteristic;
  
  storing information associating a service that is associated with a determined C/S flow with at least one of the hosts that is associated with the determined C/S flow, said service comprising an observed service;
  
  determining hosts on the network that act as a client and server for each determined C/S flow;
  
  determining an allowed network services profile comprising information indicating particular network services that are authorized for use by each one of a plurality of hosts in a predefined group of hosts; and
  
  generating an alarm in response to determination that an observed network service for a particular host in the group of hosts is not included in the allowed network services profile.

10. A method for determining unauthorized usage of a data communication network, comprising the steps of:
- monitoring packet headers of packets exchanged between two hosts on the data communication network;
  
  based on the packet headers, determining the existence of a client/server (C/S) flow corresponding to a predetermined plurality of packets exchanged between the two hosts that relate to a single service and is characterized by a predetermined C/S flow characteristic;
  
  storing information associating a service that is associated with a determined C/S flow with at least one of the hosts that is associated with the determined C/S flow, said service comprising an observed service;
  
  storing an allowed network services port profile for each one of a plurality of hosts in a predefined host group, said profile including information identifying port numbers that are authorized for use by each host in the host group;
  
  determining the port numbers of observed network services used by each host in the predefined host group for each determined C/S flow;
  
  comparing the allowed network services port profile with observed network service port numbers; and
  
  generating an alarm when an observed network service port number is not included in the allowed network services port profile.
- View Dependent Claims (11, 12, 13, 14, 15, 16)
- - 11. The method of claim 10, further comprising the step of displaying indicia indicating the observed network service port numbers during a monitoring period.
  - 12. The method of claim 11, further comprising the step of displaying indications that observed network service port numbers are in profile and observed during the monitoring period, are in profile but not yet observed in the monitoring period, or are not in profile.
  - 13. The method of claim 12, further comprising the step of displaying indicia indicating that observed network service port numbers are included in the allowed network services port profile.
  - 14. The method of claim 10, further comprising the step of building the network services port profile based upon network service ports observed during a profile generation time period.
  - 15. The method of claim 10, further comprising the step of allowing user editing of the allowed network services port profile for the hosts group.
  - 16. The method of claim 15, further comprising the step of allowing user editing of the allowed network services port profile for a block of network addresses corresponding to the hosts group.

17. A system for determining unauthorized usage of a data communication network, comprising:
- a monitoring device including a processor operative to carry out the steps of;
  
  monitoring packet headers of packets exchanged between two hosts on the data communication network;
  
  based on the packet headers, determining the existence of a client/server C/S flow corresponding to a predetermined plurality of packets exchanged between the two hosts that relate to a single service and is characterized by a predetermined C/S flow characteristic;
  
  storing information associating a service that is associated with a determined C/S flow with at least one of the hosts that is associated with the determined C/S flow, said service comprising an observed service;
  
  determining if an observed service associated with a particular host is out of profile by comparing the service to a prestored allowed network services profile for the particular host; and
  
  in response to determination that an observed service associated with a particular host is out of profile, providing an output indicating that the observed service is out of profile.
- View Dependent Claims (18, 19, 20, 21, 22)
- - 18. The system of claim 17, further comprising a monitor coupled to the monitoring device and operative to display indicia indicating observed network services during a monitoring period.
  - 19. The system of claim 18, wherein the monitor is further operative to display indicia indicating that an observed network service is not an allowed network service.
  - 20. The system of claim 17, wherein the process is further operative to build the prestored a network services profile based upon network services observed during a profile generation time period.
  - 21. The system of claim 17, further comprising an editor coupled to the monitoring device and operative to allow user editing of the allowed network services profile.
  - 22. The system of claim 21, wherein the editor is further operative to allow user editing of the allowed network services profile for a block of network addresses.

23. A system for analyzing network communication traffic and determining unauthorized use, comprising:
- a processor operative to;
  
  a) monitor the racket headers packets on a data communication network;
  
  b) based on the packet headers, classify the monitored packets into client/server (C/S) flows, wherein a C/S flow corresponds to a predetermined plurality of packets exchanged between two hosts that are associated with a single service on the network;
  
  c) maintain a flow data structure for storing data corresponding to a plurality of C/S flows;
  
  d) maintain a host data structure for storing an allowed network services profile for at least one host;
  
  e) analyze the C/S flows in the flow data structure in order to determine if an observed service associated with a particular host is out of profile by comparing the service to the allowed network services profile for the particular host; and
  
  e) in response to determination that an observed service associated with a particular host is out of profile, providing an output indicating that the observed service is out of profile;
  
  a memory coupled to the processor and operative to store the flow data structure and the host data structure; and
  
  a network interface coupled to the processor operative to receive packets on the data communication network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Lancope, Inc. (Cisco Systems, Inc.)
Inventors
Copeland, John A. III
Primary Examiner(s)
Moazzami; Nasser
Assistant Examiner(s)
Baum; Ronald

Application Number

US10/062,621
Publication Number

US 20020144156A1
Time in Patent Office

2,098 Days
Field of Search

None
US Class Current

726/25
CPC Class Codes

H04L 2101/663   Transport layer addresses, ...

H04L 43/026   using flow identification

H04L 63/0263   Rule management

H04L 63/1408   by monitoring network traff...

Y02D 30/50   in wire-line communication ...

Network port profiling

First Claim

12 Assignments

0 Petitions

Accused Products

Abstract

310 Citations

36 Claims

Specification

Use Cases

Quick Links

Others

Network port profiling

First Claim

12 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

310 Citations

36 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others