Host entry synchronization

US 8,671,181 B2
Filed: 10/06/2009
Issued: 03/11/2014
Est. Priority Date: 09/03/2009
Status: Active Grant

First Claim

Patent Images

1. A method performed by data processing apparatus, the method comprising:

identifying a host table of a first sensor, the host table of the first sensor including, for each of a plurality of host devices monitored by the first sensor on a network, a record describing host device attributes including;

an IP address assigned to the respective host device;

an agent identifier of an agent installed on the respective host device;

a media access control (MAC) address of the respective host device;

an information probe type of an information probe used by the first sensor to collect data from the respective host device; and

a time stamp indicating when the respective host attributes were stored in the record;

receiving from a peer sensor of the first sensor in connection with a synchronization event, a peer record for a first host device, the peer record comprising data describing attributes of the first host device stored in a host table of the peer sensor, wherein the synchronization event is triggered by recovery of at least one of the first sensor and peer sensor from an offline condition; and

comparing host device attributes of a particular record in the host table with host device information of the peer record, wherein the comparing includes;

determining that a MAC address of a particular record stored in the host table matches a MAC address of the peer record;

determining that the information probe type of the particular record is different from an information probe type of the peer record;

determining that the peer record is more recent than the particular record of the host table based on a comparison of a time stamp of the peer record with the time stamp of the particular record in the host table; and

updating the information probe type stored in the particular record with the information probe type of the peer record, wherein the updating causes the first sensor to use an information probe of the information probe type of the peer record in subsequent probes of the first host device.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, synchronizing records in peer devices. In one aspect, a method includes comparing, in a first peer device, a peer record received from a second peer device based on an IP address of the peer record from the second peer device and an IP address of a record stored in a host table of the first peer device. Unique agent identifiers, MAC addresses and time stamps are also compared to determine whether the peer record indicates a new host device, a new IP assignment to a known host device, or a new user logged into a known host device.

85 Citations

View as Search Results

15 Claims

1. A method performed by data processing apparatus, the method comprising:
- identifying a host table of a first sensor, the host table of the first sensor including, for each of a plurality of host devices monitored by the first sensor on a network, a record describing host device attributes including;
  
  an IP address assigned to the respective host device;
  
  an agent identifier of an agent installed on the respective host device;
  
  a media access control (MAC) address of the respective host device;
  
  an information probe type of an information probe used by the first sensor to collect data from the respective host device; and
  
  a time stamp indicating when the respective host attributes were stored in the record;
  
  receiving from a peer sensor of the first sensor in connection with a synchronization event, a peer record for a first host device, the peer record comprising data describing attributes of the first host device stored in a host table of the peer sensor, wherein the synchronization event is triggered by recovery of at least one of the first sensor and peer sensor from an offline condition; and
  
  comparing host device attributes of a particular record in the host table with host device information of the peer record, wherein the comparing includes;
  
  determining that a MAC address of a particular record stored in the host table matches a MAC address of the peer record;
  
  determining that the information probe type of the particular record is different from an information probe type of the peer record;
  
  determining that the peer record is more recent than the particular record of the host table based on a comparison of a time stamp of the peer record with the time stamp of the particular record in the host table; and
  
  updating the information probe type stored in the particular record with the information probe type of the peer record, wherein the updating causes the first sensor to use an information probe of the information probe type of the peer record in subsequent probes of the first host device.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein comparing the host device attributes includes determining whether an IP address of the peer record is stored in at least one matching record of the host table, and determinations that the IP address of the peer record is included in the matching record of the host table causes a determination of whether the agent identifier of the peer record matches the agent identifier of the matching record and determining that the agent identifier of the peer record does not match the agent identifier of the matching record causes the matching record to be deleted and an new host device detected event to be generated.
  - 3. The method of claim 2, wherein the at least one matching record includes the particular record and determining that the peer record is not more recent than the at least one matching record of the host table causes determining whether the MAC address of the particular record stored in the host table matches the MAC address of the peer record.
  - 4. The method of claim 3, wherein each record includes the host device attributes of each record further include a user identifier field, the user identifier field storing a user identifier of a user, the method further comprising:
    - determining whether a user identifier of the peer record matches the user identifier of the particular record in the host table, wherein determining that the information probe type of the particular record is different from an information probe type of the peer record is at least partially in response to determining that the user identifier of the peer record matches the user identifier of the particular record.
  - 5. The method of claim 1, wherein the time stamps are unsynchronized system clock values.
  - 6. The method of claim 1, wherein the time stamp of the peer record is a difference of a first system clock value of the peer sensor at indicating a time the peer sensor transmitted the peer record and a second system clock value of the peer sensor indicating a time when an update was made to the peer record.
  - 7. The method of claim 1, wherein the time stamps are system clock values synchronized to a reference time.

8. A data processing apparatus, comprising a memory subsystem, an input/output subsystem that transmits and receives data over a network, and a processor in data communication with the memory subsystem and the input/output subsystem, the processor programmed to perform operations comprising:
- identifying a host table of a first sensor, the host table of the first sensor including, for each of a plurality of host devices monitored by the first sensor on a network, a record describing host device attributes including;
  
  an IP address assigned to the respective host device;
  
  an agent identifier of an agent installed on the respective host device;
  
  a media access control (MAC) address of the respective host device;
  
  an information probe type of an information probe used by the first sensor to collect data from the respective host device; and
  
  a time stamp indicating when the respective host attributes were stored in the record;
  
  receiving from a peer sensor of the first sensor in connection with a synchronization event, a peer record for a first host device, the peer record comprising data describing attributes of the first host device stored in a host table of the peer sensor, wherein the synchronization event is triggered by recovery of at least one of the first sensor and peer sensor from an offline condition; and
  
  comparing host device attributes of a particular record in the host table with host device information of the peer record, wherein the comparing includes;
  
  determining that a MAC address of a particular record stored in the host table matches a MAC address of the peer record;
  
  determining that the information probe type of the particular record is different from an information probe type of the peer record;
  
  determining that the peer record is more recent than the particular record of the host table based on a comparison of a time stamp of the peer record with the time stamp of the particular record in the host table; and
  
  updating the information probe type stored in the particular record with the information probe type of the peer record, wherein the updating causes the first sensor to use an information probe of the information probe type of the peer record in subsequent probes of the first host device.
- View Dependent Claims (9, 10, 11)
- - 9. The data processing apparatus of claim 8, wherein comparing the host device attributes includes determining whether an IP address of the peer record is stored in at least one matching record of the host table, and determinations that the IP address of the peer record is included in the matching record of the host table causes a determination of whether the agent identifier of the peer record matches the agent identifier of the matching record and determining that the agent identifier of the peer record does not match the agent identifier of the matching record causes the matching record to be deleted and an new host device detected event to be generated.
  - 10. The data processing apparatus of claim 9, wherein the at least one matching record includes the particular record and determining that the peer record is not more recent than the at least one matching record of the host table causes determining whether the MAC address of the particular record stored in the host table matches the MAC address of the peer record.
  - 11. The data processing apparatus of claim 10, wherein the host device attributes of each record further include a user identifier field, the user identifier field storing a user identifier of a user, the method further comprising:
    - determining whether a user identifier of the peer record matches the user identifier of the particular record in the host table, wherein determining that the information probe type of the particular record is different from an information probe type of the peer record is at least partially in response to determining that the user identifier of the peer record matches the user identifier of the particular record.

12. A system, comprising:
- a pair of peer sensors configured to control access to a network for a plurality of host devices, each of the sensors including a memory subsystem, an input/output subsystem that transmits and receives data over the network, and a processor in data communication with the memory subsystem and the input/output subsystem, wherein each sensor is configured to perform operations comprising;
  
  identifying in the memory of the sensor a host table, the host table including, for each of the plurality of host devices monitored on the network by the peer sensors, a record describing host device attributes including;
  
  an IP address assigned to the respective host device;
  
  an agent identifier of an agent installed on the respective host device;
  
  a media access control (MAC) address of the respective host device;
  
  an information probe type of an information probe used by the first sensor to collect data from the respective host device; and
  
  a time stamp indicating when the respective host attributes were stored in the record;
  
  receiving from the other peer sensor, in response to a synchronization event, a peer record for a host device, the peer record being a record stored in the host table in the memory of the other peer sensor, wherein the synchronization event is triggered by recovery of at least one of the peer sensors from an offline condition; and
  
  comparing host device attributes of a record in the host table with host device information of the peer record, wherein the comparing includes;
  
  determining whether the MAC address of the record in the host table matches a MAC address of the peer record;
  
  determining whether the information probe type of the record in the host table is different from an information probe type of the peer record;
  
  determining whether the peer record is more recent than the record in the host table based on a comparison of a time stamp of the peer record with the time stamp of the record in the host table; and
  
  updating the information probe type stored in the record in the host table with the information probe type of the peer record in response to determining that the information probe type of the record in the host table is different from an information probe type of the peer record and that the peer record is more recent than the record in the host table, wherein updating the information probe type causes the sensor to use an information probe of the information probe type of the peer record in subsequent probes of the particular host device.
- View Dependent Claims (13, 14, 15)
- - 13. The system of claim 12, wherein comparing the host device attributes includes determining whether an IP address of the peer record is stored in at least one matching record of the host table, and determinations that the IP address of the peer record is included in the matching record of the host table causes a determination of whether the agent identifier of the peer record matches the agent identifier of the matching record and determining that the agent identifier of the peer record does not match the agent identifier of the matching record causes the matching record to be deleted and a new host device detected event to be generated.
  - 14. The system of claim 13, wherein each processor is further programmed to cause each peer sensor to perform operations comprising, wherein the at least one matching record includes the particular record and determining that the peer record is not more recent than the at least one matching record of the host table causes determining whether the MAC address of the particular record stored in the host table matches the MAC address of the peer record.
  - 15. The system of claim 14, wherein the host device attributes of each record further include a user identifier field, the user identifier field storing a user identifier of a user, the method further comprising:
    - determining whether a user identifier of the peer record matches the user identifier of the particular record in the host table, wherein determining that the information probe type of the particular record is different from an information probe type of the peer record is at least partially in response to determining that the user identifier of the peer record matches the user identifier of the particular record.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
Narasimhan, Srinivasan
Primary Examiner(s)
Bengzon, Greg C

Application Number

US12/574,104
Publication Number

US 20110055382A1
Time in Patent Office

1,617 Days
Field of Search

None
US Class Current

709/224
CPC Class Codes

H04L 41/046   comprising network manageme...

H04L 41/0893   Assignment of logical group...

H04L 41/12   Discovery or management of ...

H04L 43/0811   by checking connectivity

Host entry synchronization

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

85 Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

Host entry synchronization

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

85 Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links