System and method for identifying unauthorized endpoints

US 8,479,267 B2
Filed: 06/30/2009
Issued: 07/02/2013
Est. Priority Date: 06/30/2009
Status: Active Grant

- Alert
- Pin

First Claim

Patent Images

1. A computer program product embodied in a non-transitory computer readable medium that, when executing on one or more computers, performs the steps of:

collecting active endpoint information from each of a plurality of network devices other than active endpoints in a computer network, wherein the active endpoint information includes address information from each of a plurality of active endpoint computing facilities communicating through at least one of the plurality of network devices;

forming an active endpoint list in a datastore wherein the address information is maintained as a list of media access control (MAC) addresses for active endpoints communicating with each of the plurality of network devices and wherein the contents of the data store are formed from Address Resolution Protocol (ARP) data collected from the plurality of network devices;

collecting authorized endpoint information to the datastore from one or more authorized endpoints, wherein the authorized endpoint information is received from a security agent operating on each of a plurality of authorized endpoints that have been verified as being compliant with a security policy and have been authorized to access the computer network;

forming an authorized endpoint list, wherein each authorized endpoint is represented by the authorized endpoint'"'"'s media access control (MAC) address; and

comparing the active endpoint list to the authorized endpoint list to identify an unauthorized endpoint, wherein the unauthorized endpoint is one of the active endpoints but is not one of the authorized endpoints.

View all claims

9 Assignments

Timeline View

Assignment View

Litigations

0 Petitions

Accused Products

Abstract

In embodiments of the present invention improved capabilities are described for identifying unauthorized endpoints. The present invention includes computer implemented methods and systems for actively polling and monitoring network devices, such as network routers and switches, to obtain information on any or all of the endpoints on a network with which the router or switch may have communicated. Address information acquired through polling is compared with an authorized endpoint list, which is generated from information reported to the store by security agents on the authorized endpoints and which is stored in a security compliance store, in order to identify unauthorized endpoints. Methods and systems disclosed herein also include remediation measures to be taken on the unauthorized endpoints. Related user interfaces, applications, and computer program products are disclosed.

Citations

13 Claims

1. A computer program product embodied in a non-transitory computer readable medium that, when executing on one or more computers, performs the steps of:
- collecting active endpoint information from each of a plurality of network devices other than active endpoints in a computer network, wherein the active endpoint information includes address information from each of a plurality of active endpoint computing facilities communicating through at least one of the plurality of network devices;
  
  forming an active endpoint list in a datastore wherein the address information is maintained as a list of media access control (MAC) addresses for active endpoints communicating with each of the plurality of network devices and wherein the contents of the data store are formed from Address Resolution Protocol (ARP) data collected from the plurality of network devices;
  
  collecting authorized endpoint information to the datastore from one or more authorized endpoints, wherein the authorized endpoint information is received from a security agent operating on each of a plurality of authorized endpoints that have been verified as being compliant with a security policy and have been authorized to access the computer network;
  
  forming an authorized endpoint list, wherein each authorized endpoint is represented by the authorized endpoint'"'"'s media access control (MAC) address; and
  
  comparing the active endpoint list to the authorized endpoint list to identify an unauthorized endpoint, wherein the unauthorized endpoint is one of the active endpoints but is not one of the authorized endpoints.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The computer program product of claim 1, wherein the list of MAC addresses is maintained as a consolidated list comprising the address information collected from each of the plurality of network devices.
  - 3. The computer program product of claim 2, wherein the consolidated list is maintained in a central repository accessible to a processor making the comparison of the active endpoint list and the authorized endpoint list.
  - 4. The computer program product of claim 1, wherein the authorized endpoint information is stored in the data store in response to the delivery of an IP address.
  - 5. The computer program product of claim 1, wherein the network device is a network router.
  - 6. The computer program product of claim 1, wherein the network device is a network switch.
  - 7. The computer program product of claim 1, wherein the address information included in the active endpoint information is a list of IP addresses.
  - 8. The computer program product of claim 1, wherein the address information included in the active endpoint information includes both an IP address and a related MAC address.
  - 9. The computer program product of claim 1, wherein the datastore is associated with an IP address server.
  - 10. The computer program product of claim 1, wherein the information identifying each authorized endpoint is a MAC address with an associated IP address.
  - 11. The computer program product of claim 1, further comprising:
    - causing the unauthorized endpoint computing facility to be prevented from network access.
  - 12. The computer program product of claim 11, wherein controlling network access includes configuration of the network device by at least one endpoint computing facility to control the endpoint, as identified by at least one of its media access control (MAC) address and its IP address.
  - 13. The computer program product of claim 1, further comprising:
    - causing the unauthorized endpoint computing facility to be provided only a limited level of network access.

Specification

Resources

Litigation Campaign Assessment

Litigation Data

Current Assignee
Sophos Limited (Sophos Group Ltd.)
Original Assignee
Sophos Limited (Sophos Group Ltd.)
Inventors
Donley, Daryl E., Keene, David P.
Primary Examiner(s)
Paliwal, Yogesh

Application Number

US12/494,435
Publication Number

US 20100333177A1
Time in Patent Office

1,463 Days
Field of Search

726/4
US Class Current

726/4
CPC Class Codes

G06F 21/566   Dynamic detection, i.e. det...

G06F 21/577   Assessing vulnerabilities a...

G06F 21/6218   to a system of files or obj...

G06F 2221/2101   Auditing as a secondary aspect

G06F 2221/2141   Access rights, e.g. capabil...

H04L 63/102   Entity profiles

H04L 63/104   Grouping of entities

H04L 63/1416   Event detection, e.g. attac...

System and method for identifying unauthorized endpoints

First Claim

9 Assignments

Litigations

0 Petitions

Accused Products

Abstract

Citations

13 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for identifying unauthorized endpoints

First Claim

9 Assignments

Subscription Required

Subscription Required

Litigations

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

13 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links