Automated change detection within a network environment

US 7,810,151 B1
Filed: 01/27/2005
Issued: 10/05/2010
Est. Priority Date: 01/27/2005
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

processing, with an intrusion detection device, packet flows to identify low-level network elements associated with the packet flows, wherein the low-level network elements describe one or more network devices of a network;

assembling application-layer communications from the packet flows with protocol-specific decoders;

processing the application-layer communications with the protocol-specific decoders to identify application-layer elements;

analyzing the application-layer communications to determine whether any of the packet flows represent a network attack and, for each of the packet flows, forwarding the packet flow only when the packet flow does not represent a network attack;

generating profiling data that associates the application-layer elements of the application-layer communications with the low-level network elements of the packet flows;

maintaining, within the intrusion detection device, a correlation database that stores the profiling data describing the packet flows within the network;

defining a database trigger for the correlation database to detect database operations that have changed the profiling data stored within the correlation database, wherein the database trigger is defined to detect database operations that have utilized a specified combination of the low-level network elements and the application-layer elements, such that the database trigger fires when changes are made to the network devices of the network that are determined to expose the network to security risks; and

maintaining, within the intrusion detection device, a log to record the detected database operations by updating the log when the database trigger fires to record in the log the database operation that fired the database trigger.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A correlation database stores profiling data that describes packet flows within a network. A network device presents a user interface by which a user defines a database trigger to detect database operations that change to the profiling data stored within the correlation database. The network device may maintain a log to record the detected database operations. The database trigger may specify a combination of low-level network elements associated with the packet flows and application-layer elements extracted from application-layer communications reassembled from the packet flows.

Citations

19 Claims

1. A method comprising:
- processing, with an intrusion detection device, packet flows to identify low-level network elements associated with the packet flows, wherein the low-level network elements describe one or more network devices of a network;
  
  assembling application-layer communications from the packet flows with protocol-specific decoders;
  
  processing the application-layer communications with the protocol-specific decoders to identify application-layer elements;
  
  analyzing the application-layer communications to determine whether any of the packet flows represent a network attack and, for each of the packet flows, forwarding the packet flow only when the packet flow does not represent a network attack;
  
  generating profiling data that associates the application-layer elements of the application-layer communications with the low-level network elements of the packet flows;
  
  maintaining, within the intrusion detection device, a correlation database that stores the profiling data describing the packet flows within the network;
  
  defining a database trigger for the correlation database to detect database operations that have changed the profiling data stored within the correlation database, wherein the database trigger is defined to detect database operations that have utilized a specified combination of the low-level network elements and the application-layer elements, such that the database trigger fires when changes are made to the network devices of the network that are determined to expose the network to security risks; and
  
  maintaining, within the intrusion detection device, a log to record the detected database operations by updating the log when the database trigger fires to record in the log the database operation that fired the database trigger.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 16, 17, 18, 19)
- - 2. The method of claim 1, wherein the network elements comprise low-level network information including at least one of a network host, network peers or a network port associated with the network traffic.
  - 3. The method of claim 1, wherein the application-layer elements comprise named elements that uniquely identify types of the application-layer elements and values for the named elements.
  - 4. The method of claim 3, wherein the named elements for the application-layer communications include at least one of a file name, a user name, a software application name or a name of an attached document.
  - 5. The method of claim 1, wherein generating profiling data comprises:
    - storing the network elements and the application-layer elements in the correlation database; and
      
      defining relationships within the correlation database to associate the network elements of the packet flows with the application-layer elements of the application-layer communications.
  - 6. The method of claim 5,wherein the network elements comprise data defining hosts associated with the packet flows, data defining peers for each of the packet flows, and data defining ports associated with the packet flows, andwherein defining relationships within the database comprises mapping each of the application-layer elements to a respective one of the peers.
  - 7. The method of claim 1, wherein processing the application-layer communications comprises processing the application-layer communications with protocol-specific decoders for at least one of a HyperText Transfer Protocol (HTTP) decoder, a File Transfer Protocol (FTP) decoder, a Network News Transfer Protocol (NNTP) decoder, a Telnet decoder, a Domain Name System (DNS) decoder, a Gopher decoder, a Finger decoder, a Post Office Protocol (POP) decoder, a Secure Socket Layer (SSL) protocol decoder, a Lightweight Directory Access Protocol (LDAP) decoder, a Secure Shell (SSH) decoder, a Server Message Block (SMB) decoder or a Simple Mail Transfer Protocol (SMTP) decoder.
  - 8. The method of claim 1, further comprising presenting a user interface by which a user defines the database triggers.
  - 16. The method of claim 1, wherein defining a database trigger to detect database operations that change the profiling data stored within the correlation database comprises defining the trigger to fire in response to the database operations that change the profiling data.
  - 17. The method of claim 1, wherein defining a database trigger to detect database operations that change the profiling data stored within the correlation database comprises defining the trigger to fire in response to one or more of a database insert operation and a database update operation.
  - 18. The method of claim 1, wherein defining a database trigger to detect database operations that change the profiling data stored within the correlation database comprises defining the trigger to fire in response to a database insert operation that specifies newly detected peers that utilize a particular version of a communication protocol.
  - 19. The method of claim 1, wherein defining a database trigger to detect database operations that change the profiling data stored within the correlation database comprises defining the trigger to fire in response to a database insert operation that specifies a new host that utilizes a specific vulnerable version of software.

9. A system comprising:
- a flow analysis module to process packet flows and identify low-level network elements associated with the packet flows in a network, wherein the low-level network elements describe one or more network devices of the network;
  
  an analysis engine to form application-layer communications from the packet flows;
  
  a plurality of protocol-specific decoders to process the application-layer communications to generate application-layer elements and to assemble application-layer communications from the packet flows, and to analyze the application-layer communications to determine whether any of the packet flows represent a network attack;
  
  a forwarding component to, for each of the packet flows, forward the packet flow only when the packet flow does not represent a network attack, as determined by the plurality of protocol-specific decoders;
  
  a profiler to generate profiling data by correlating the application-layer elements of the application-layer communications with the low-level network elements of the packet flows;
  
  a correlation database that stores profiling data that describes the packet flows within the network; and
  
  a network device that presents a user interface by which a user defines a database trigger to detect database operations that have changed the profiling data stored within the correlation database, wherein the user interface allows the user to define the database trigger by specifying a combination of the low-level network elements and the application-layer elements that the detected database operations have utilized, such that the database trigger fires when changes are made to the network devices of the network that are determined to expose the network to security risks; and
  
  a log file maintained by the network device, wherein the network device records the detected database operations in the log file, and wherein the network device updates the log when the database trigger fires to record in the log the database operation fired the database trigger.
- View Dependent Claims (10, 11, 12, 13, 14)
- - 10. The system of claim 9, wherein the profiling data maps the application-layer elements to the network elements.
  - 11. The system of claim 9, wherein the plurality of protocol-specific decoders include at least one of a HyperText Transfer Protocol (HTTP) decoder, a File Transfer Protocol (FTP) decoder, a Network News Transfer Protocol (NNTP) decoder or a Simple Mail Transfer Protocol (SMTP) decoder.
  - 12. The system of claim 9, wherein the network elements comprise low-level network information including at least one of a network host, network peers or a network port associated with the network traffic.
  - 13. The system of claim 9, wherein the application-layer elements comprise named elements that uniquely identify types of the application-layer elements and values for the named elements.
  - 14. The system of claim 13, wherein the named elements for the application-layer communications include at least one of a file name, a user name, a software application name or a name of an attached document.

15. A computer-readable storage medium comprising instructions that cause a programmable processor within a network device to:
- process packet flows to identify low-level network elements associated with the packet flows, wherein the low-level network elements describe one or more network devices of a network;
  
  assemble application-layer communications from the packet flows with protocol-specific decoders;
  
  process the application-layer communications with the protocol-specific decoders to identify application-layer elements;
  
  analyze the application-layer communications to determine whether any of the packet flows represent a network attack and, for each of the packet flows, forwarding the packet flow only when the packet flow does not represent a network attack;
  
  generate profiling data that associates the application-layer elements of the application-layer communications with the low-level network elements of the packet flows;
  
  present a user interface by which a user defines a database trigger to detect database operations that have changed the profiling data stored within a correlation database, wherein the profiling data describes packet flows within the network, wherein the database trigger is defined to detect database operations that have utilized a specified combination of the low-level network elements and the application-layer elements, such that the database trigger fires when changes are made to the network devices of the network that are determined to expose the network to security risks;
  
  maintain a log to record the detected database operations by updating the log when the database trigger fires to record in the log the database operation that fired the database trigger.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Juniper Networks Incorporated
Original Assignee
Juniper Networks Incorporated
Inventors
Guruswamy, Kowsik
Primary Examiner(s)
Vu; Kimyen
Assistant Examiner(s)
SCHWARTZ, DARREN B

Application Number

US11/044,240
Time in Patent Office

2,077 Days
Field of Search

709223-225, 709246-247, 709/249, 713153-154, 726 2- 3, 726 11- 15, 726 22- 23, 726/25
US Class Current

726/13
CPC Class Codes

G06F 21/00   Security arrangements for p...

G06F 21/577   Assessing vulnerabilities a...

H04L 43/028   by filtering

H04L 43/04   Processing captured monitor...

H04L 43/18   Protocol analysers

H04L 63/1408   by monitoring network traff...

H04L 9/0866   involving user or device id...

H04W 12/79   Radio fingerprint

Automated change detection within a network environment

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Automated change detection within a network environment

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links