Security monitoring tool for computer network

US 7,904,456 B2
Filed: 09/01/2006
Issued: 03/08/2011
Est. Priority Date: 09/01/2006
Status: Expired due to Fees

First Claim

Patent Images

1. A computer security monitoring method, comprising;

storing information at at least one computer system about a plurality of known Hosts, each of the known hosts being an entity of a computer network, the at least one computer system programmed for computer security monitoring and operatively communicating with the computer network;

receiving data at the at least one computer system from one or more sources;

associating and storing with the at least one computer system at least some of the data and at least some information about a first of the known hosts with at least two hosts if it is determined by the at least one computer system that, based on the data, the information associated with the first known host is more accurately associated with the at least two hosts; and

associating and storing with the at least one computer system at least some of the data and at least some information about at least two of the known hosts with a single host if it is determined by the at least one computer system that, based on the data, the information associated with the at least two known hosts is more accurately associated with the single host.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A security monitoring tool and method for a computer network receives data and determines whether the data is associated with a host already stored in a database. Based on the determination, the tool stores the data as a new host or associates it with an existing host. The tool also uses the received data to improve how previously stored data is associated with hosts. In one aspect, the tool determines whether the received data indicates that data currently associated with a stored host represents data for at least two hosts. If so, the tool splits the data into two hosts and associates the received data to the appropriate host. In another aspect, the tool determines whether the received data indicates that data currently associated with two or more hosts represent data for only one host. If so, the tool merges the data into one host and associates the received data with that host.

30 Citations

View as Search Results

34 Claims

1. A computer security monitoring method, comprising;
- storing information at at least one computer system about a plurality of known Hosts, each of the known hosts being an entity of a computer network, the at least one computer system programmed for computer security monitoring and operatively communicating with the computer network;
  
  receiving data at the at least one computer system from one or more sources;
  
  associating and storing with the at least one computer system at least some of the data and at least some information about a first of the known hosts with at least two hosts if it is determined by the at least one computer system that, based on the data, the information associated with the first known host is more accurately associated with the at least two hosts; and
  
  associating and storing with the at least one computer system at least some of the data and at least some information about at least two of the known hosts with a single host if it is determined by the at least one computer system that, based on the data, the information associated with the at least two known hosts is more accurately associated with the single host.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18)
- - 2. The method of claim 1, wherein the act of storing information about a plurality of known hosts comprises assigning each of the known hosts with a unique host key.
  - 3. The method of claim 1, further comprising associating and storing at least some of the data with a new host if it is determined that the at least some of the data is not associated with information about one of the known hosts.
  - 4. The method of claim 1, further comprising associating and storing at least some of the data with at least one of the known hosts if it is determined that the at least some of the data is associated with information about the at least one known host.
  - 5. The method of claim 4, wherein the data includes at least one identifier, and wherein to determine that at least some of the data is associated with information about the at least one known host, the method comprises:
    - retrieving information about the at least one known host, wherein the at least one known host has the same identifier as the data;
      
      determining whether a conflict exists between at least a portion of the data with the retrieved information; and
      
      associating the data with the at least one known host based on whether the conflict exists.
  - 6. The method of claim 5, whereinthe at least one identifier comprises a Network Basic Input/Output System name, andthe act of determining whether a conflict exists comprises determining if a Media Access Control address or a Domain Name System name in the data conflicts with a Media Access Control address or a Domain Name System name in the retrieved information.
  - 7. The method of claim 5, whereinthe at least one identifier comprises a Media Access Control address, andthe act of determining whether a conflict exists comprises determining if a Domain Name System name in the data conflicts with a Domain Name System name in the retrieved information.
  - 8. The method of claim 5, whereinthe at least one identifier comprises a Domain Name System name, andthe act of determining whether a conflict exists comprises determining if a Media Access Control address in the data conflicts with a Media Access Control address in the retrieved information.
  - 9. The method of claim 5, whereinthe at least one identifier comprises an Internet Protocol address, andthe act of determining whether a conflict exists comprises determining if a Network Basic Input/Output System name in the data conflicts with a Network Basic Input/Output System name in the retrieved information.
  - 10. The method of claim 1, wherein the data comprises a first identifier and a second identifier, and wherein to determine that, based on the data, the information associated with the first known host is more accurately associated with the at least two hosts, the method comprises:
    - retrieving first information about the first known host, wherein the first information includes a first date that is older than a date of the data;
      
      retrieving second information about the first known host, wherein the second information has a second date older than the first date; and
      
      associating the first information to a new host and associating the data and the second information to the first known host if the first information has a different first identifier than in the data and if the second information has a same first identifier as the data.
  - 11. The method of claim 10, wherein the first identifier comprises a Network Basic Input/Output System name, and wherein the second identifier comprises a Media Access Control address.
  - 12. The method of claim 1, wherein the data comprises first, second, and third identifiers, and wherein to determine that, based on the data, the information associated with the at least two known hosts is more accurately associated with the single host, the method comprises:
    - associating the data with first information about a first known host based on a comparison of the data with the first information;
      
      retrieving second information about at least one second known host not associated with the first known host but having the same first identifier as the data; and
      
      associating the data, the first information, and the second information with the single host if the second information has the same second and third identifiers as the data.
  - 13. The method of claim 12, wherein the first identifier comprises an Internet Protocol address, wherein the second identifier comprises a Network Basic Input/Output System name, and wherein the third identifier comprises a Media Access Control address.
  - 14. The method of claim 1, wherein the data comprises first and second identifiers, and wherein to determine that, based on the data, the information associated with the at least two known hosts is more accurately associated with the single host, the method comprises:
    - associating the data with first information about a first known host based on a comparison of the data with the first information;
      
      retrieving second information about at least one second known host not associated with the first known host but having the same first identifier as the data; and
      
      associating the data, the first information, and the second information with the single host if the second information has the same second identifier as the data.
  - 15. The method of claim 14, wherein the first identifier comprises a Media Access Control address, and wherein the second identifier comprises a Network Basic Input/Output System name.
  - 16. The method of claim 1, further comprising receiving a definition of an incident concerning the computer network, and automatically associating information about one or more of the known hosts with the incident based on the definition.
  - 17. The method of claim 16, further comprising tracking whether a user update has been made to the one or more known hosts associated with the incident;
    - and providing the one or more known hosts associated with the incident that have not been updated to a user for updating.
  - 18. The method of claim 1, further comprising receiving at least one search criterion, and returning a search result for one of the known hosts based on the at least one search criterion, the search result having a clustered set of interfaces between the one known host and the computer network.

19. A non-transitory programmable storage device having program instructions stored thereon for causing at least one programmable control device to perform a computer security monitoring method, comprising;
- storing information about a plurality of known hosts, each of the known hosts being an entity of a computer network;
  
  receiving data from one or more sources;
  
  associating and storing at least some of the data and at least some information about a first of the known hosts with at least two hosts if it is determined by the at least one programmable control device that, based on the data, the information associated with the first known host is more accurately associated with the at least two hosts; and
  
  associating and storing at least some of the data and at least some information about at least two of the known hosts with a single host if it is determined by the at least one programmable control device that, based on the data, the information associated with the at least two known hosts is more accurately associated with the single host.

20. A computer system programmed with a computer security monitoring tool, comprising:
- at least one database storing information on a plurality of known hosts, each known host being an entity of a computer network;
  
  an interface module receiving data from one or more sources; and
  
  at least one program module associating the data with hosts and storing the data in the at least one database, the at least one program module configured tosplit the information currently associated with one of the known hosts into at least two hosts if it is determined by the at least one program module that, based on the data, the information currently associated with the one known host is more accurately associated with the at least two hosts; and
  
  merge the information currently associated with at least two known hosts into a single host if it is determined by the at least one program module that, based on the data, the information currently associated with the at least two hosts is more accurately associated with the single host.
- View Dependent Claims (21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34)
- - 21. The computer system of claim 20, further comprising a loader assigned to one of the sources, the loader obtaining data from the source and making the obtained data available to the interface module.
  - 22. The computer system of claim 21, wherein the loader is selected from the group consisting of a script, a sniffer, an external application, and a passive operating system fingerprinting mechanism.
  - 23. The computer system of claim 21, wherein the source is selected from the group consisting of a log file, a text log, a system log, a syslog stream, a Domain Controller log, an Active Directory log, a Firewall log, a database, an intrusion detection system database, a configuration management database, a Web Registration Database, a patch management database, a network scan, an Nmap scan, an NBTscan, an Internet security system vulnerability scan, an external application, a security system, an incident detection system, and a passive operating system fingerprinting mechanism.
  - 24. The computer system of claim 20, further comprising a graphical user interface module operatively coupled to the at least one database and the at least one program module and accessible by a user via a browser.
  - 25. The computer system of claim 24, where in the graphical user interface module is configured to receive a definition of an incident concerning the computer network from the user, and wherein the at least one program module is configured to automatically associate information about one or more of the known hosts with the incident based on the definition.
  - 26. The computer system of claim 25, wherein the at least one program module is configured to track whether an update has been made by a user to the one or more known hosts associated with the incident, and wherein the graphical user interface is configured to provide the one or more known hosts associated with the incident that have not been updated to a user for updating.
  - 27. The computer system of claim 24, wherein the graphical user interface module is configured to receive at least one search criterion and to return a search result for one of the known hosts based on the at least one search criterion, the search result having a clustered set of interfaces between the one known host and the computer network.
  - 28. The computer system of claim 20, wherein the at least one database comprises a plurality of host records storing host information, the host records comprising one or more of a unique key to identify the host, a NetBIOS name, a NetBIOS domain, a date the host was last seen on the computer network, a date the host record was last updated, a date host related information was last collected, a location of the host, an operating system of the host, a serial number of the host, and an asset tag of the host.
  - 29. The computer system of claim 20, wherein the at least one database comprises a plurality of interface records storing interface information related to the hosts interfacing with the computer network, the interface records comprising one or more of a time value for when the host connected with the computer network, an Internet Protocol address, a MAC address, a Domain Name System name, a NetBIOS name, a NetBIOS domain, a switch, a switch port, a jack number, a Network Interface Card, and a unique key to identify the host.
  - 30. The computer system of claim 20, wherein to associate the data with hosts, the at least one program module is configured to associate the data from the interface module with a new host if it is determined that the data from the interface module is not associated with the information about one of the known hosts already stored in the at least one database.
  - 31. The computer system of claim 20, wherein to associate the data with hosts, the at least one program module is configured to associate the data from the interface module with one of the known hosts already stored in the at least one database if it is determined that the data is associated with the information about the one known host.
  - 32. The computer system of claim 20, wherein to split the information currently associated with one of the known host into at least two hosts, the at least one program module is configured to:
    - retrieve first information about a first known host stored in the at least one database, wherein the first information includes a first date that is older than a date of the data from the interface module;
      
      retrieve second information about the first known host, wherein the second information has a second date older than the first date; and
      
      associate the first information to a new host and associate the second information along with the data to the first known host if;
      
      (a) the first information has a different Network Basic Input/Output System name than the data, and(b) the second information has a same Media Access Control address as the data.
  - 33. The computer system of claim 20, wherein to merge the information currently associated with at least two known hosts into a single host, the at least one program module is configured to:
    - associate the data with first information about a first known host based on a comparison of the data with the first information;
      
      retrieve second information about at least one second known host not associated with the first known host but having a same Internet Protocol address as the data; and
      
      associate the data, the first information, and the second information with the single host if;
      
      (a) the second information has a same Network Basic Input/Output System name as the data, and(b) the second information has a same Media Access Control address as the data.
  - 34. The computer system of claim 20, wherein to merge the information currently associated with at least two hosts into a single host, the at least one program module is configured to:
    - associate the data with first information about a first known host based on a comparison of the data with the first information;
      
      retrieve second information about at least one second known host not associated with the first known host but having a same Media Access Control address as the data; and
      
      associate the data, the first information, and the second information with the single host if the second information has a same Network Basic Input/Output System name as the data.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
John G. Roane, Robert John Hennan
Original Assignee
John G. Roane, Robert John Hennan
Inventors
Hennan, Robert John, Roane, John G.
Primary Examiner(s)
Wassum; Luke S

Application Number

US11/469,775
Publication Number

US 20080060071A1
Time in Patent Office

1,649 Days
Field of Search

None
US Class Current

707/737
CPC Class Codes

H04L 63/1416 Event detection, e.g. attac...

H04L 63/1433 Vulnerability analysis

Security monitoring tool for computer network

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

30 Citations

34 Claims

Specification

Use Cases

Quick Links

Others

Security monitoring tool for computer network

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

30 Citations

34 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others