Service detection

US 7,698,730 B2
Filed: 03/16/2004
Issued: 04/13/2010
Est. Priority Date: 03/16/2004
Status: Active Grant

First Claim

Patent Images

1. A method for detection of a new service involving a host in a network, the method comprises:

retrieving a baseline list of port and/or service protocols used by a host being tracked, the baseline list listing service and/or port protocols used by that host over a baseline period that is of a longer duration than a current period;

retrieving a current list of service and/or port protocols for the current period used by the host being tracked;

determining whether there is a difference in the protocols, by finding a protocol that was in the current list but was not in the baseline list; and

if there is a difference;

determining whether the host is providing or using the new service;

determining if the host is sending traffic using a protocol not in the current list;

identifying an alert rule corresponding to whether the host is providing or using the new service; and

issuing an alert based at least on the identified alert rule and whether the host is providing or using the new service.

View all claims

21 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A new service detection process in a network retrieves a baseline list of port protocols used by a entity being tracked. The baseline value is determined over a baseline period. A current list of port protocols for the entity being tracked is also retrieved and is compared to determine whether there is a difference in the port protocols, by having a protocol that was in a current list but was not in the baseline list. If there is a difference the process indicates a new service involving the tracked entity.

30 Citations

View as Search Results

11 Claims

1. A method for detection of a new service involving a host in a network, the method comprises:
- retrieving a baseline list of port and/or service protocols used by a host being tracked, the baseline list listing service and/or port protocols used by that host over a baseline period that is of a longer duration than a current period;
  
  retrieving a current list of service and/or port protocols for the current period used by the host being tracked;
  
  determining whether there is a difference in the protocols, by finding a protocol that was in the current list but was not in the baseline list; and
  
  if there is a difference;
  
  determining whether the host is providing or using the new service;
  
  determining if the host is sending traffic using a protocol not in the current list;
  
  identifying an alert rule corresponding to whether the host is providing or using the new service; and
  
  issuing an alert based at least on the identified alert rule and whether the host is providing or using the new service.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method of claim 1 further comprising:
    - retrieving a value corresponding to an alert severity level set for violation of the rule.
  - 3. The method of claim 1 wherein a property of the host being tracked is that the host is at least one of a specific host, any host in a specific role, any host in a specific segment, or any host.
  - 4. The method of claim 1 wherein the extent of the determining is configured for that host, in its role, in its segment or anywhere in the network.
  - 5. The method of claim 1 wherein the baseline and current lists of protocols are provided from data in a connection table.

6. A computer program product residing on a computer readable medium for detection of new services in a network, the computer program product comprising instructions for causing a computer to:
- retrieve a baseline list of port and/or service protocols used by a host being tracked, the baseline list listing service and/or port protocols used by that host over a baseline period that is of a longer duration that a current period;
  
  aggregating communication information between every host pair;
  
  retrieve a current list of service and/or port protocols for the current period used by the host being tracked;
  
  determine whether there is a difference in the protocols, by identifying a protocol that was in a the current list but was not in the baseline list; and
  
  if there is a difference;
  
  determine whether the host is providing or using the new service;
  
  determining if the host is sending traffic using a protocol not in the current list;
  
  identify an alert rule corresponding to whether the host is providing or using the new service; and
  
  issue an alert based at least on the identified alert rule and whether the host is providing or using the new service.
- View Dependent Claims (7, 8, 9, 10, 11)
- - 7. The computer program product of claim 6 wherein instructions to indicate further comprise instructions to:
    - issue an alert if the new service is detected.
  - 8. The computer program product of claim 6 further comprising instructions to:
    - retrieve a value corresponding to the alert severity level set for violation of the rule.
  - 9. The computer program product of claim 6 wherein a property of the host being track is that the host is at least one of a specific host, any host in a specific role, any host in a specific segment, or any host.
  - 10. The computer program product of claim 6 wherein the extent of the determining is configured to for that host, in its role, in its segment or anywhere in the network.
  - 11. The computer program product of claim 6 further comprising instructions to:
    - access a connection table to provide data for the baseline and current lists of protocols.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Riverbed Technology, LLC (Riverbed Technology Incorporated)
Original Assignee
Riverbed Technology Incorporated
Inventors
Nazzal, Robert N.
Primary Examiner(s)
COLIN, CARL G

Application Number

US10/803,167
Publication Number

US 20050206650A1
Time in Patent Office

2,219 Days
Field of Search

726/1, 726/23, 726/26, 726/25, 709/224
US Class Current

726/1
CPC Class Codes

H04L 41/0631   using root cause analysis; ...

H04L 41/22   comprising specially adapte...

H04L 41/5045   Making service definitions ...

H04L 43/067   using time frame reporting

H04L 63/1416   Event detection, e.g. attac...

Service detection

First Claim

21 Assignments

0 Petitions

Accused Products

Abstract

30 Citations

11 Claims

Specification

Solutions

Use Cases

Quick Links

Service detection

First Claim

21 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

30 Citations

11 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links