Systems and methods for determining characteristics of a network
First Claim
1. A method for automatically and passively determining the characteristics of a network, comprising:
- passively reading, at a processor disposed between two endpoints, packets passively transmitted on the network from one of the two endpoints to the other;
- identifying a network device on the network indicated in the packets which were passively transmitted, the network device being identified from a context of the packet as a client and a client-specific fingerprint table being selected for comparison when plural protocol fields in the packet identify the network device as a client, the network device being identified from the context of the packet as a server and a server-specific fingerprint table being selected for comparison when the plural protocol fields in the packet identify the network device as a server;
- matching plural protocol field values in the packet to the selected client-specific or server-specific fingerprint table to identify an operating system specific to the network device as server or client;
- selecting an application-specific fingerprint table for comparison when the packet contains application protocol fields, and matching the application protocol fields to the selected application-specific fingerprint table to identify an operating system specific to the application of the network device;
- recording the matched operating system as the network device's operating system; and
- recording an identity of the network device, the plural protocol field values being matched when all of the protocol fields traversed in-order match a branch of the table as the table is walked, the plural protocol field values not being matched when a row of the table is traversed without a match, wherein the table is a tree or a linked list.
Abstract
A packet transmitted on a network is read and decoded. A network device and its operating system are identified by analyzing the decoded packet. If more than one operating system is identified from the decoded packet, the operating system is selected by comparing confidence values assigned to the operating systems identified. A service running on the network device is identified from the decoded packet or from subsequent packets that are read, decoded and analyzed. The network topology of a network is determined by reading, decoding, and analyzing a plurality of packets. A flow between two network devices is determined by reading, decoding, and analyzing a plurality of packets. Vulnerabilities are assigned to operating systems and services identified by reading, decoding, and analyzing packets. Network configuration policy is enforced on operating systems and services identified by reading, decoding, and analyzing packets.
30 Claims
15. A method for identifying a network device's operating system on a network, comprising:
- passively reading, at a processor disposed between two endpoints, packets passively transmitted on the network from one of the two endpoints to the other;
- decoding the packets, which were passively transmitted, into one or more fields;
- selecting, as an operating system identifying data structure based on a context identified from the packet, an initiator-specific fingerprint table when the packet is from an initiator, and a responder-specific fingerprint table when the packet is from a responder;
- comparing the one or more fields of the packets to the selected operating system identifying data structure; and
- recording a matched operating system as the network device's operating system, the operating system being matched when plural protocol fields traversed in-order match a branch of the table as the table is walked, the operating system not being matched when a row of the table is traversed without a match, wherein the table is a tree or a linked list.
26. A system for automatically and passively determining the characteristics of a network, comprising:
- a packet detector, wherein the packet detector passively detects and reads, at a processor device disposed between a network device and an endpoint, packets passively transmitted on the network by the network device to the endpoint;
- a packet decoder, wherein the packet decoder decodes the packets, which were passively transmitted, into one or more protocol fields;
- a protocol field analyzer, wherein the protocol field analyzer determines information about the network device indicated in each of the one or more protocol fields from the decoded packets which were passively transmitted, the network device being identified from a context of the packet as a client and a client-specific fingerprint table being selected for comparison when the protocol fields in the packet identify the network device as a client, the network device being identified from the context of the packet as a server and a server-specific fingerprint table being selected for comparison when the protocol fields in the packet identify the network device as a server, the protocol field analyzer being configured to match plural protocol field values in the packet to the selected client-specific or server-specific fingerprint table to identify an operating system specific to the network device as server or client, and to record the matched operating system as the network device's operating system; and
- a network device database, wherein the network device database stores the information about the network device, the operating system being matched when all of the plural protocol fields traversed in-order match a branch of the table as the table is walked, the operating system not being matched when a row of the table is traversed without a match, wherein the table is a tree or a linked list.
30. A system for automatically and passively determining the characteristics of a network, comprising:
- a packet reader that passively reads, at a processor device disposed between two endpoints, packets passively transmitted on the network from one of the two endpoints to the other;
- a packet decoder that decodes the packets read by the packet reader;
- a flow analyzer that identifies a flow as being between an initiator and a responder indicated in two or more decoded packets, wherein the flow analyzer maintains flow statistics;
- an operating system detector, wherein the operating system detector receives decoded packets, which were passively transmitted, from the flow analyzer, wherein the operating system detector detects, from the decoded packets which were passively transmitted, one or more operating systems using one or more identification techniques, and wherein the operating system detector selects an operating system from the one or more operating systems using confidence assessment;
- a service detector, wherein the service detector receives decoded packets, which were passively transmitted, from the operating system detector, wherein the service detector detects one or more services using one or more identification techniques, identifies the service based on a context identified from the packet as being run on the initiator when plural protocol fields of the decoded packet being from the initiator match initiator protocol fields of the service, and identifies the service based on the context identified from the packet as being run on the responder when plural protocol fields of the decoded packet being from the responder match responder protocol fields of the service, and wherein the service detector selects a service from the one or more services using confidence assessment;
- a network change monitor, wherein the network change monitor continuously monitors, in the decoded packets which were passively transmitted, for network device operating system and service changes;
- a host representation monitor, wherein the host representation monitor continuously monitors, in the decoded packets which were passively transmitted, for changes to operating systems and services detected on the network;
- a normalized vulnerability list, wherein the normalized vulnerability list groups vulnerabilities by operating system and service and wherein the normalized vulnerability list provides vulnerabilities to the host representation monitor;
- a host representation storage, wherein the host representation storage stores operating system and service information that is detected and wherein the host representation storage sends and receives information to the host representation monitor;
- a flow analysis data storage, wherein the flow analysis data storage receives the flow statistics gathered by the flow analyzer;
- a policy component, wherein the policy component enforces network configuration rules based on information received from the host representation storage and information received from the flow analysis data storage;
- a network topology component, wherein the network topology component identifies routers on the network;
- a mapping component, wherein the mapping component assigns detected network devices to subnets; and
- a results reporter, wherein the results reporter reports policy information, network topology information, and mapping information to a network reporting mechanism, the plural protocol fields being matched when all of the protocol fields traversed in-order match a branch of the table as the table is walked, the protocol field values not being matched when a row of the table is traversed without a match, wherein the table is a tree or a linked list.
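The context-selected table walk and confidence selection that the claims and abstract describe, as an added Python illustration (not the patent's or any vendor's code): the sender's role is inferred from TCP flags, the client- or server-specific fingerprint tree is walked one protocol field per level, an application-specific table is consulted when its field is present, and the highest-confidence candidate is recorded. All field names and table values are constructed samples.

```python
# Passive OS fingerprinting with context-selected fingerprint trees.
# Added illustration, not the patent's or any vendor's code; every table
# value below is a constructed sample, not a real OS signature.
TCP_FIELDS = ("ttl", "window", "df", "mss")  # walked in this order, one tree level each

# Client (initiator, SYN) and server (responder, SYN/ACK) tables as nested
# dicts; each leaf is (operating_system, confidence).
CLIENT_TABLE = {
    64: {65535: {True: {1460: ("sample-os-A", 80)}}},
    128: {8192: {True: {1460: ("sample-os-B", 80)}}},
}
SERVER_TABLE = {
    64: {5840: {True: {1460: ("sample-os-A", 70)}}},
    128: {8192: {True: {1460: ("sample-os-B", 70)}}},
}
# Application-specific table, consulted only when its field is in the packet.
APP_TABLE = {"server_banner": {"sample-httpd/2.0 (os-A)": ("sample-os-A", 95)}}


def context(pkt):
    """SYN alone marks the sender as client; SYN+ACK marks it as server."""
    flags = pkt.get("flags", "")
    if "S" in flags:
        return "server" if "A" in flags else "client"
    return None  # no usable context, so no table is selected


def walk(table, fields, pkt):
    """Walk in field order; any field without a matching child ends unmatched."""
    node = table
    for name in fields:
        node = node.get(pkt.get(name))
        if node is None:
            return None
    return node  # leaf reached: every field followed an existing branch


def fingerprint(pkt):
    """Return (os, confidence, role) for one decoded packet, or None."""
    role = context(pkt)
    if role is None:
        return None
    table = CLIENT_TABLE if role == "client" else SERVER_TABLE
    tcp = walk(table, TCP_FIELDS, pkt)
    candidates = [tcp] if tcp else []
    for field, sub in APP_TABLE.items():
        if pkt.get(field) in sub:
            candidates.append(sub[pkt[field]])
    if not candidates:
        return None
    os_name, conf = max(candidates, key=lambda c: c[1])  # highest confidence
    return os_name, conf, role
```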