Network port profiling

US 7,886,358 B2
Filed: 08/24/2007
Issued: 02/08/2011
Est. Priority Date: 01/31/2001
Status: Expired due to Fees

First Claim

Patent Images

1. A method for determining unauthorized usage of a data communication network by port profiling, comprising the steps of:

receiving information corresponding to a determined client/server (C/S) flow corresponding to a plurality of packets exchanged between two hosts on the data communication network that relate to a single service and is characterized by a predetermined C/S flow characteristic;

storing information in a host data structure associating a service that is associated with a determined (C/S) flow with at least one of the hosts that is associated with the determined (C/S) flow, said service comprising an observed service;

determining by reference to the host data structure that an observed service associated with a particular host is out of profile by comparing the observed service to a prestored allowed network services profile for the particular host; and

in response to determination that an observed service associated with a particular host is out of profile, providing an output indicating that the observed service is out of profile.

View all claims

12 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A port profiling system detects unauthorized network usage. The port profiling system analyzes network communications to determine the service ports being used. The system collects flow data from packet headers between two hosts or Internet Protocol (IP) addresses. The collected flow data is analyzed to determine the associated network service provided. A host data structure is maintained containing a profile of the network services normally associated with the host. If the observed network service is not one of the normal network services performed as defined by the port profile for that host, an alarm signal is generated and action can be taken based upon the detection of an Out of Profile network service. An Out of Profile operation can indicate the operation of a Trojan Horse program on the host, or the existence of a non-approved network application that has been installed.

45 Citations

View as Search Results

43 Claims

1. A method for determining unauthorized usage of a data communication network by port profiling, comprising the steps of:
- receiving information corresponding to a determined client/server (C/S) flow corresponding to a plurality of packets exchanged between two hosts on the data communication network that relate to a single service and is characterized by a predetermined C/S flow characteristic;
  
  storing information in a host data structure associating a service that is associated with a determined (C/S) flow with at least one of the hosts that is associated with the determined (C/S) flow, said service comprising an observed service;
  
  determining by reference to the host data structure that an observed service associated with a particular host is out of profile by comparing the observed service to a prestored allowed network services profile for the particular host; and
  
  in response to determination that an observed service associated with a particular host is out of profile, providing an output indicating that the observed service is out of profile.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43)
- - 2. The method of claim 1, further comprising the step of displaying to a user indicia corresponding to the occurrence of particular network services observed in connection with one or more hosts during a monitoring period.
  - 3. The method of claim 2, further comprising the step of displaying an indication that a predetermined observed network service is in profile and observed during the monitoring period, is in profile and was not observed during the monitoring period, or is not in profile.
  - 4. The method of claim 1, further comprising the step of:
    - generating an alarm when an observed service is not an allowed network service for the particular host.
  - 5. The method of claim 1, further comprising the step of displaying indicia indicating whether an observed service is not an allowed network service for a particular host.
  - 6. The method of claim 1, further comprising the step of building the prestored allowed network services profile based upon network services observed during a profile generation time period.
  - 7. The method of claim 1, further comprising the step of allowing user editing of the prestored allowed network services profile for particular hosts.
  - 8. The method of claim 1, further comprising the step of allowing user editing of the prestored allowed network services profile for a block of network addresses corresponding to a plurality of hosts.
  - 24. The method of claim 1, wherein the predetermined C/S flow characteristic is selected from the group comprising:
    - the elapse of a predetermined period of time wherein no packets are exchanged between two hosts, the occurrence of a FIN flag, predetermined characteristics of traffic on a given port, the occurrence of a RESET packet, data sent by TCP and acknowledged, UDP packets that are not rejected, and local multicast or broadcast.
  - 25. The method of claim 1, wherein the step of providing an output or alarm comprises the step of communicating a message to a firewall to drop packets going to or from the particular host.
  - 26. The method of claim 1, wherein the output or alarm is a notification to a network administrator.
  - 27. The method of claim 1, wherein the output or alarm is provided to a utilization component selected from the group comprising:
    - network security device, email, SNMP trap message, beeper, cellphone, firewall, network monitor, user interface display to an operator.
  - 28. The method of claim 1, wherein the single service comprises a port number remaining constant for a plurality of packets.
  - 29. The method of claim 1, wherein the steps are carried out in a monitoring appliance.
  - 30. The method of claim 29, wherein the monitoring appliance is installed behind a firewall.
  - 31. The method of claim 29, wherein the monitoring appliance is connected before a firewall.
  - 32. The method of claim 29, wherein the monitoring appliance is connected in a DMZ.
  - 33. The method of claim 29, wherein the monitoring appliance is configured to operate as a pass-by filter.
  - 34. The method of claim 29, wherein the monitoring appliance monitors communications among inside hosts and outside hosts.
  - 35. The method of claim 29, wherein the monitoring appliance is coupled to a network device.
  - 36. The method of claim 35, wherein the network device is selected from the group comprising:
    - router, switch, hub, tap.
  - 37. The method of claim 35, wherein the network device is a network security device.
  - 38. The method of claim 1, wherein the unauthorized usage is from an inside address or from an outside address.
  - 39. The method of claim 1, wherein a service is associated with a determined C/S flow in response to initiation of communications between the two hosts.
  - 40. The method of claim 1, wherein the information corresponding to a determined C/S flow comprises flow data.
  - 41. The method of claim 1, wherein the flow data comprises information identifying two hosts on the network and statistics associated with the exchange of a plurality of packets between the two hosts.
  - 42. The method of claim 1, wherein the information corresponding to a determined C/S flow comprises host data.
  - 43. The method of claim 1, wherein the host data comprises information corresponding to a particular host on the network identified as participating in at least one C/S flow, statistics associated with communications involving the particular host, and an accumulated concern index associated with the particular host.

9. A method for determining unauthorized usage of a data communication network by port profiling, comprising the steps of:
- receiving information corresponding to a determined client/server (C/S) flow corresponding to a plurality of packets exchanged between two hosts on the data communication network that relate to a single service and is characterized by a predetermined C/S flow characteristic;
  
  storing information in a host data structure associating a service that is associated with a determined C/S flow with at least one of the hosts that is associated with the determined C/S flow, said service comprising an observed service;
  
  determining an allowed network services profile comprising information indicating particular network services that are authorized for use by each one of a plurality of hosts a predefined group of hosts; and
  
  generating an alarm in response to determination by reference to the host data structure that an observed service for a particular host in the group of hosts is not included in the allowed network services profile.

10. A method for determining unauthorized usage of a data communication network by port profiling, comprising the steps of:
- receiving information corresponding to a determined client/server (C/S) flow corresponding to a plurality of packets exchanged between two hosts on the data communication network that relate to a single service and is characterized by a predetermined C/S flow characteristic;
  
  storing information in a host data structure associating a service that is associated with a determined C/S flow with at least one of the hosts that is associated with the determined C/S flow, said service comprising an observed service;
  
  storing an allowed network services port profile for each one of a plurality of hosts in a predefined host group, said profile including information identifying port numbers that are authorized for use by each host in the host group;
  
  determining by reference to the host data structure the port numbers of observed network services used by each host in the predefined host group for each determined C/S flow;
  
  comparing the allowed network services port profile with observed network service port numbers; and
  
  generating an alarm in response to a determination from the comparing step that an observed network service port number is not included in the allowed network services port profile.
- View Dependent Claims (11, 12, 13, 14, 15, 16)
- - 11. The method of claim 10, further comprising the step of displaying indicia indicating the observed network service port numbers during a monitoring period.
  - 12. The method of claim 11, further comprising the step of displaying indications that observed network service port numbers are in profile and observed during the monitoring period, are in profile but not yet observed in the monitoring period, or are not in profile.
  - 13. The method of claim 12, further comprising the step of displaying indicia indicating that observed network service port numbers are included in the allowed network services port profile.
  - 14. The method of claim 10, further comprising the step of building the network services port profile based upon network service ports observed during a profile generation time period.
  - 15. The method of claim 10, further comprising the step of allowing user editing of the allowed network services port profile for the hosts group.
  - 16. The method of claim 15, further comprising the step of allowing user editing of the allowed network services port profile for a block of network addresses corresponding to the hosts group.

17. A system for determining unauthorized usage of a data communication network by port profiling, comprising:
- a monitoring device including a processor operative to carry out the steps of;
  
  receiving information corresponding to a determined client/server (C/S) flow corresponding to a plurality of packets exchanged between two hosts on the data communication network that relate to a single service and is characterized by a predetermined C/S flow characteristicstoring information in a host data structure associating a service that is associated with a determined C/S flow with at least one of the hosts that is associated with the determined C/S flow, said service comprising an observed service;
  
  determining by reference to the host data structure that an observed service associated with a particular host is out of profile by comparing the observed service to a prestored allowed network services profile for the particular host; and
  
  in response to determination that an observed service associated with a particular host is out of profile, providing an output indicating that the observed service is out of profile.
- View Dependent Claims (18, 19, 20, 21, 22)
- - 18. The system of claim 17, further comprising a monitor coupled to the monitoring device and operative to display indicia indicating observed services during a monitoring period.
  - 19. The system of claim 18, wherein the monitor is further operative to display indicia indicating that an observed service is not an allowed network service.
  - 20. The system of claim 17, wherein the processor is further operative to build the prestored allowed network services profile based upon network services observed during a profile generation time period.
  - 21. The system of claim 17, further comprising an editor coupled to the monitoring device and operative to allow user editing of the prestored allowed network services profile.
  - 22. The system of claim 21, wherein the editor is further operative to allow user editing of the prestored allowed network services profile for a block of network addresses.

23. A system for analyzing network communication traffic and determining unauthorized use by port profiling, comprising:
- a processor operative to;
  
  a) receive information corresponding to a determined client/server (C/S) flow corresponding to a plurality of packets exchanged between two hosts on the data communication network that relate to a single service and is characterized by a predetermined C/S flow characteristic;
  
  b) maintain a flow data structure for storing information corresponding to determined client/server (C/S) flows;
  
  c) maintain a host data structure for storing an allowed network services profile for at least one host;
  
  d) analyze the information corresponding to a determined client/server (C/S) flow in the flow data structure in order to determine that an observed service associated with a particular host in the determined client/server (C/S) flow is out of profile by comparing the observed service to the allowed network services profile for the particular host; and
  
  e) in response to determination that an observed service associated with a particular host is out of profile, providing an output indicating that the observed service is out of profile;
  
  a memory coupled to the processor and operative to store the flow data structure and the host data structure; and
  
  a network interface coupled to the processor operative to receive packets on the data communications network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Lancope, Inc. (Cisco Systems, Inc.)
Inventors
Copeland, John A. III
Primary Examiner(s)
LaForgia; Christian
Assistant Examiner(s)
Baum; Ronald

Application Number

US11/844,568
Publication Number

US 20070289017A1
Time in Patent Office

1,264 Days
Field of Search

726/23
US Class Current

726/23
CPC Class Codes

G06F 21/552   involving long-term monitor...

H04L 41/50   Network service management,...

H04L 43/026   using flow identification

H04L 63/1416   Event detection, e.g. attac...

H04L 69/16   Implementation or adaptatio...

H04L 69/161   Implementation details of T...

H04L 69/22   Parsing or analysis of headers

Y02D 30/50   in wire-line communication ...

Network port profiling

First Claim

12 Assignments

0 Petitions

Accused Products

Abstract

45 Citations

43 Claims

Specification

Solutions

Use Cases

Quick Links

Network port profiling

First Claim

12 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

45 Citations

43 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links