Service detection
First Claim
1. A method for detection of a new service involving a host in a network, the method comprises:
- retrieving a baseline list of port and/or service protocols used by a host being tracked, the baseline list listing service and/or port protocols used by that host over a baseline period that is of a longer duration than a current period;
- retrieving a current list of service and/or port protocols for the current period used by the host being tracked;
- determining whether there is a difference in the protocols, by finding a protocol that was in the current list but was not in the baseline list; and
- if there is a difference:
  - determining whether the host is providing or using the new service;
  - determining if the host is sending traffic using a protocol not in the current list;
  - identifying an alert rule corresponding to whether the host is providing or using the new service; and
  - issuing an alert based at least on the identified alert rule and whether the host is providing or using the new service.
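The baseline-versus-current comparison and the providing/using determination of claim 1, as an added Python example that is not from the patent or any product; the flow records, the direction-based role rule (the host is "providing" when it is the server-side destination, "using" when it initiates the flow) and the alert-rule names are constructed assumptions.

```python
from collections import namedtuple

# A flow record; dport is the server-side port, src the initiating host.
Flow = namedtuple("Flow", "src dst dport proto")

# Constructed sample flows (not from the patent). The baseline period is the
# longer window; the current period is the shorter, more recent window.
BASELINE_FLOWS = [
    Flow("10.0.0.5", "10.0.0.9", 443, "tcp"),   # .5 uses HTTPS provided by .9
    Flow("10.0.0.7", "10.0.0.5", 22, "tcp"),    # .5 provides SSH to .7
    Flow("10.0.0.5", "10.0.0.9", 53, "udp"),    # .5 uses DNS provided by .9
]
CURRENT_FLOWS = [
    Flow("10.0.0.5", "10.0.0.9", 443, "tcp"),
    Flow("10.0.0.7", "10.0.0.5", 22, "tcp"),
    Flow("10.0.0.8", "10.0.0.5", 3389, "tcp"),  # new: .5 now provides tcp/3389
    Flow("10.0.0.5", "10.0.0.9", 6667, "tcp"),  # new: .5 now uses tcp/6667 on .9
]

# Hypothetical alert-rule names, selected by the host's role in the new service.
ALERT_RULES = {"providing": "NEW_SERVICE_PROVIDED", "using": "NEW_SERVICE_USED"}


def protocol_list(host, flows):
    """Build the per-host list of service protocols seen in `flows`.
    Each protocol ('<transport>/<server port>') maps to the set of roles the
    host played in it: 'providing' when it was the destination, 'using' when
    it was the source. Flows not involving the host are ignored."""
    seen = {}
    for f in flows:
        if host == f.dst:
            role = "providing"
        elif host == f.src:
            role = "using"
        else:
            continue
        seen.setdefault(f"{f.proto}/{f.dport}", set()).add(role)
    return seen


def detect_new_services(host, baseline_flows, current_flows):
    """Return one alert per (protocol, role) present in the current list but
    absent from the baseline list, each tagged with the matching alert rule."""
    baseline = protocol_list(host, baseline_flows)
    current = protocol_list(host, current_flows)
    alerts = []
    for proto in sorted(set(current) - set(baseline)):
        for role in sorted(current[proto]):
            alerts.append({"host": host, "protocol": proto,
                           "role": role, "rule": ALERT_RULES[role]})
    return alerts


if __name__ == "__main__":
    for alert in detect_new_services("10.0.0.5", BASELINE_FLOWS, CURRENT_FLOWS):
        print(alert)
```

A host that only repeats its baseline behaviour (10.0.0.7 above) produces no alert, so the baseline window must be long enough to cover legitimately periodic services or they will surface as new.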
Abstract
A new service detection process in a network retrieves a baseline list of port protocols used by an entity being tracked. The baseline value is determined over a baseline period. A current list of port protocols for the entity being tracked is also retrieved and compared with the baseline to determine whether there is a difference in the port protocols, that is, whether a protocol was in the current list but not in the baseline list. If there is a difference, the process indicates a new service involving the tracked entity.
11 Claims
6. A computer program product residing on a computer readable medium for detection of new services in a network, the computer program product comprising instructions for causing a computer to:
- retrieve a baseline list of port and/or service protocols used by a host being tracked, the baseline list listing service and/or port protocols used by that host over a baseline period that is of a longer duration than a current period;
- aggregate communication information between every host pair;
- retrieve a current list of service and/or port protocols for the current period used by the host being tracked;
- determine whether there is a difference in the protocols, by identifying a protocol that was in the current list but was not in the baseline list; and
- if there is a difference:
  - determine whether the host is providing or using the new service;
  - determine if the host is sending traffic using a protocol not in the current list;
  - identify an alert rule corresponding to whether the host is providing or using the new service; and
  - issue an alert based at least on the identified alert rule and whether the host is providing or using the new service.