Systems and methods for determining characteristics of a network

US 7,801,980 B1
Filed: 05/12/2004
Issued: 09/21/2010
Est. Priority Date: 05/12/2003
Status: Active Grant

First Claim

Patent Images

1. A method for automatically and passively determining the characteristics of a network, comprising:

passively reading, at a processor disposed between two endpoints, packets passively transmitted on the network from one of the two endpoints to the other;

identifying a network device on the network indicated in the packets which were passively transmitted, the network device being identified from a context of the packet as a client and a client-specific fingerprint table being selected for comparison when plural protocol fields in the packet identify the network device as a client, the network device being identified from the context of the packet as a server and a server-specific fingerprint table being selected for comparison when the plural protocol fields in the packet identify the network device as a server;

matching plural protocol field values in the packet to the selected client-specific or server-specific fingerprint table to identify an operating system specific to the network device as server or client;

selecting an application-specific fingerprint table for comparison when the packet contains application protocol fields, and matching the application protocol fields to the selected application-specific fingerprint table to identify an operating system specific to the application of the network device;

recording the matched operating system as the network device'"'"'s operating system; and

recording an identity of the network device,the plural protocol field values being matched when all of the protocol fields traversed in-order match a branch of the table as the table is walked, the plural protocol field values not being matched when a row of the table is traversed without a match,wherein the table is a tree or a linked list.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A packet transmitted on a network is read and decoded. A network device and its operating system are identified by analyzing the decoded packet. If more than one operating system is identified from the decoded packet, the operating system is selecting by comparing confidence values assigned to the operating systems identified. A service running on the network device is identified from the decoded packet or subsequent packets that are read, decoded and analyzed. The network topology of a network is determined by reading, decoding, and analyzing a plurality of packets. A flow between two network devices is determined by reading, decoding, and analyzing a plurality of packets. Vulnerabilities are assigned to operating systems and services identified by reading, decoding, and analyzing packets. Network configuration policy is enforced on operating systems and services identified by reading, decoding, and analyzing packets.

167 Citations

30 Claims

1. A method for automatically and passively determining the characteristics of a network, comprising:
- passively reading, at a processor disposed between two endpoints, packets passively transmitted on the network from one of the two endpoints to the other;
  
  identifying a network device on the network indicated in the packets which were passively transmitted, the network device being identified from a context of the packet as a client and a client-specific fingerprint table being selected for comparison when plural protocol fields in the packet identify the network device as a client, the network device being identified from the context of the packet as a server and a server-specific fingerprint table being selected for comparison when the plural protocol fields in the packet identify the network device as a server;
  
  matching plural protocol field values in the packet to the selected client-specific or server-specific fingerprint table to identify an operating system specific to the network device as server or client;
  
  selecting an application-specific fingerprint table for comparison when the packet contains application protocol fields, and matching the application protocol fields to the selected application-specific fingerprint table to identify an operating system specific to the application of the network device;
  
  recording the matched operating system as the network device'"'"'s operating system; and
  
  recording an identity of the network device,the plural protocol field values being matched when all of the protocol fields traversed in-order match a branch of the table as the table is walked, the plural protocol field values not being matched when a row of the table is traversed without a match,wherein the table is a tree or a linked list.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The method of claim 1, wherein the identity of the network device is one or more of an Internet protocol address, a media access control address, and a time-to-live parameter.
  - 3. The method of claim 1, further comprising reporting the identity to a network reporting mechanism.
  - 4. The method of claim 3, wherein the network reporting mechanism comprises one or more of an intrusion detection system and a network management system.
  - 5. The method of claim 1, further comprising recording changes to the identity of the network device indicated in the passively read packets.
  - 6. The method of claim 1, wherein the network device comprises one or more of a computer, a printer, a switch, and a router.
  - 7. The method of claim 1, further comprising recording the operating system of the network device.
  - 8. The method of claim 7, further comprising recording changes to the operating system indicated in the passively read packets.
  - 9. The method of claim 1, further comprising reporting the operating system to a network reporting mechanism.
  - 10. The method of claim 1, further comprising identifying one or more services that are running on the network device based on the passively read packets.
  - 11. The method of claim 10, further comprising recording the one or more services running on the network device.
  - 12. The method of claim 10, further comprising reporting the one or more services to the network reporting mechanism.
  - 13. The method of claim 10, further comprising recording changes to the one or more services using one or more packets.
  - 14. The method of claim 1, further comprising identifying a logical location of the network device on the network.

15. A method for identifying a network device'"'"'s operating system on a network, comprising:
- passively reading, at a processor disposed between two endpoints, packets passively transmitted on the network from one of the two endpoints to the other;
  
  decoding the packets, which were passively transmitted, into one or more fields;
  
  selecting, as an operating system identifying data structure based on a context identified from the packet, an initiator-specific fingerprint table when the packet is from an initiator, and a responder-specific fingerprint table when the packet is from a responder;
  
  comparing the one or more fields of the packets to the selected operating system identifying data structure; and
  
  recording a matched operating system as the network device'"'"'s operating system,the operating system being matched when plural protocol fields traversed in-order match a branch of the table as the table is walked, the operating system not being matched when a row of the table is traversed without a match,wherein the table is a tree or a linked list.
- View Dependent Claims (16, 17, 18, 19, 20, 21, 22, 23, 24, 25)
- - 16. The method of claim 15, further comprising reporting the matched operating system to a network reporting mechanism.
  - 17. The method of claim 16, wherein the network reporting mechanism comprises one or more of an intrusion detection system and a network management system.
  - 18. The method of claim 15, wherein the one or more fields comprise one or more of a network protocol field, a transport protocol field, and an application protocol field.
  - 19. The method of claim 18, further comprising selecting, for one of the packets, a network operating system identifying data structure for comparison with one or more of the network protocol field and the transport protocol field, if the packet is decoded into one or more of the network protocol field and the transport protocol field.
  - 20. The method of claim 18, wherein there are provided plural different fingerprint tables which are specific to different application protocols, further comprising selecting, for one of the packets, as an application operating system identifying data structure, one of the different fingerprint tables which corresponds to the application protocol, for comparison with the application protocol field, if the packet is decoded into the application protocol field.
  - 21. The method of claim 15, further comprising identifying the type of network device form the one or more fields.
  - 22. The method of claim 21, further comprising selecting the operating system identifying data structure based on the type of network device.
  - 23. The method of claim 21, wherein the type of network device is one of an initiator and a responder.
  - 24. The method of claim 15, wherein the network device comprises one of a computer, a printer, a switch, and a router.
  - 25. The method of claim 15, further comprising examining the port identified in the decoded field of the packet, and eliminating a selected operating system from consideration when the operating system does not support the port of the packet.

26. A system for automatically and passively determining the characteristics of a network, comprising:
- a packet detector, wherein the packet detector passively detects and reads, at a processor device disposed between a network device and an endpoint, packets passively transmitted on the network by the network device to the endpoint;
  
  a packet decoder, wherein the packet decoder decodes the packets, which were passively transmitted, into one or more protocol fields;
  
  a protocol field analyzer, wherein the protocol field analyzer determines information about the network device indicated in each of the one or more protocol fields from the decoded packets which were passively transmitted, the network device being identified from a context of the packet as a client and a client-specific fingerprint table being selected for comparison when the protocol fields in the packet identify the network device as a client, the network device being identified from the context of the packet as a server and a server-specific fingerprint table being selected for comparison when the protocol fields in the packet identify the network device as a server, the protocol field analyzer being configured to match plural protocol field values in the packet to the selected client-specific or server-specific fingerprint table to identify an operating system specific to the network device as server or client, and to record the matched operating system as the network device'"'"'s operating system; and
  
  a network device database, wherein the network device database stores the information about the network device,the operating system being matched when all of the plural protocol fields traversed in-order match a branch of the table as the table is walked, the operating system not being matched when a row of the table is traversed without a match,wherein the table is a tree or a linked list.
- View Dependent Claims (27, 28, 29)
- - 27. The system of claim 26, wherein the information comprises one or more of an identity of the network device, the operating system of the network device, a service running on the network device, and a logical location of the network device.
  - 28. The system of claim 27, wherein the identity of the network device is one or more of an Internet protocol address, a media access control address, and a time-to-live parameter.
  - 29. The system of claim 28, further comprising a network reporting mechanism, wherein the network reporting mechanism receives the information.

30. A system for automatically and passively determining the characteristics of a network, comprising:
- a packet reader that passively reads, at a processor device disposed between two endpoints, packets passively transmitted on the network from one of the two endpoints to the other;
  
  a packet decoder that decodes the packets read by the packet reader;
  
  a flow analyzer that identifies a flow as being between an initiator and a responder indicated in two or more decoded packets, wherein the flow analyzer maintains flow statistics;
  
  an operating system detector, wherein the operating system detector receives decoded packets, which were passively transmitted, from the flow analyzer, wherein the operating system detector detects, from the decoded packets which were passively transmitted, one or more operating systems using one or more identification techniques, and wherein the operating system detector selects an operating system from the one or more operating systems using confidence assessment;
  
  a service detector, wherein the service detector receives decoded packets, which were passively transmitted, from the operating system detector, wherein the service detector detects one or more services using one or more identification techniques, identifies the service based on a context identified from the packet as being run on the initiator when plural protocol fields of the decoded packet being from the initiator match initiator protocol fields of the service, and identifies the service based on the context identified from the packet as being run on the responder when plural protocol fields of the decoded packet being from the responder match responder protocol fields of the service, and wherein the service detector selects a service from the one or more services using confidence assessment;
  
  a network change monitor, wherein the network change monitor continuously monitors, in the decoded packets which were passively transmitted, for network device operating system and service changes;
  
  a host representation monitor, wherein the host representation monitor continuously monitors, in the decoded packets which were passively transmitted, for changes to operating systems and services detected on the network;
  
  a normalized vulnerability list, wherein the normalized vulnerability list groups vulnerabilities by operating system and service and wherein the normalized vulnerability list provides vulnerabilities to the host representation monitor;
  
  a host representation storage, wherein the host representation storage stores operating system and service information that is detected and wherein the host representation storage sends and receives information to the host representation monitor;
  
  a flow analysis data storage, wherein the flow analysis data storage receives the flow statistics gathered by the flow analyzer;
  
  a policy component, wherein the policy component enforces network configuration rules based on information received from the host representation storage and information received form the flow analysis data storage;
  
  a network topology component, wherein the network topology component identifies routers on the network;
  
  a mapping component, wherein the mapping component assigns detected network devices to subnets; and
  
  a results reporter, wherein the results reporter reports policy information, network topology information, and mapping information to a network reporting mechanism,the plural protocol fields being matched when all of the protocol fields traversed in-order match a branch of the table as the table is walked, the protocol field values not being matched when a row of the table is traversed without a match,wherein the table is a tree or a linked list.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Sourcefire Incorporated (Cisco Systems, Inc.)
Inventors
Novak, Judy, Roesch, Martin, Dempster, Ronald A.
Primary Examiner(s)
Bruckart; Benjamin R
Assistant Examiner(s)
Sciacca; Scott M

Application Number

US10/843,398
Time in Patent Office

2,323 Days
Field of Search

709217-219, 709223-225, 709/227, 709/230, 709/231
US Class Current

709/224
CPC Class Codes

H04L 63/1433 Vulnerability analysis

H04L 67/125 involving control of end-de...

Systems and methods for determining characteristics of a network

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

167 Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for determining characteristics of a network

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

167 Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links