System and method for modeling interdependencies in a network datacenter

US 8,769,084 B2
Filed: 08/25/2010
Issued: 07/01/2014
Est. Priority Date: 06/07/2010
Status: Expired due to Fees

First Claim

Patent Images

1. A system for modeling interdependencies in a network datacenter, comprising:

a machine-readable storage medium;

one or more physical processors;

a resource inventory comprising information describing a plurality of resources in an information technology datacenter and a plurality of open communication ports on the plurality of resources described in the resource inventory;

one or more listeners configured to observe one or more network conversations that occur in the datacenter, the one or more network conversations involving the plurality of open communication ports on the plurality of resources described in the resource inventory; and

a correlation engine that analyzes at least one observed network conversation of the one or more network conversations observed by the one or more listeners for modeling interdependencies in the network datacenter, wherein the correlation engine causes the one or more physical processors to;

drop the at least one observed network conversation in response to a determination that the at least one observed network conversation fails to correlate with any of the plurality of open communication ports on the plurality of resources described in the resource inventory and further in response to a determination that the at least one observed network conversation comprises a network conversation between one of the resources in the information technology datacenter and a resource outside the information technology datacenter; and

model a relationship between two of the plurality of resources described in the resource inventory in response to a determination that the at least one observed network conversation correlates with open communication ports on the two resources,wherein the correlation engine drops the at least one observed network conversation by no longer observing the network conversation for modeling interdependencies in the network datacenter.

View all claims

16 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The system and method described herein may include a discovery engine that scans a network datacenter to inventory resources in the datacenter and populate a configuration management database with the resource inventory. One or more destination listeners created from the resource inventory may then selectively sample monitored flows in the datacenter to model interdependencies between the inventoried resources. For example, any monitored flows originating outside the datacenter or failing to correlate with the inventoried resources may be dropped, whereby the interdependencies may be modeled from a deliberately reduced sample of the monitored flows that have information relevant to modeling relationships between resources within the datacenter. Furthermore, directionalities for the monitored flows may be determined, wherein the directionalities provide further information relevant to modeling the relationships between the resources within the datacenter.

176 Citations

20 Claims

1. A system for modeling interdependencies in a network datacenter, comprising:
- a machine-readable storage medium;
  
  one or more physical processors;
  
  a resource inventory comprising information describing a plurality of resources in an information technology datacenter and a plurality of open communication ports on the plurality of resources described in the resource inventory;
  
  one or more listeners configured to observe one or more network conversations that occur in the datacenter, the one or more network conversations involving the plurality of open communication ports on the plurality of resources described in the resource inventory; and
  
  a correlation engine that analyzes at least one observed network conversation of the one or more network conversations observed by the one or more listeners for modeling interdependencies in the network datacenter, wherein the correlation engine causes the one or more physical processors to;
  
  drop the at least one observed network conversation in response to a determination that the at least one observed network conversation fails to correlate with any of the plurality of open communication ports on the plurality of resources described in the resource inventory and further in response to a determination that the at least one observed network conversation comprises a network conversation between one of the resources in the information technology datacenter and a resource outside the information technology datacenter; and
  
  model a relationship between two of the plurality of resources described in the resource inventory in response to a determination that the at least one observed network conversation correlates with open communication ports on the two resources,wherein the correlation engine drops the at least one observed network conversation by no longer observing the network conversation for modeling interdependencies in the network datacenter.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The system of claim 1, wherein the at least one observed network conversation includes a first flow directed from an originating resource to a destination resource and a second flow directed from the destination resource to the originating resource.
  - 3. The system of claim 2, wherein the one or more listeners only observe the first flow in the at least one observed network conversation directed from the originating resource to the destination resource.
  - 4. The system of claim 3, wherein the correlation engine causes the one or more processors to determine that the modeled relationship has a directionality from the originating resource to the destination resource in response to locating the destination resource in the resource inventory.
  - 5. The system of claim 2, wherein the correlation engine causes the one or more processors to:
    - determine whether the originating resource has a location that falls within a network address range for the information technology datacenter; and
      
      determine whether the destination resource has a location that falls within the network address range for the information technology datacenter.
  - 6. The system of claim 5, wherein the correlation engine causes the one or more processors - to drop the at least one observed network conversation further in response to the determined location for the originating resource or the determined location for destination resource falling outside the network address range for the information technology datacenter.
  - 7. The system of claim 5, wherein the correlation engine causes the one or more processors to model the relationship between the two resources further in response to the determined location for the originating resource and the determined location for the destination falling within the network address range for the information technology datacenter.
  - 8. The system of claim 1, further comprising a configuration management database configured to store the information contained in the resource inventory and a dependency map describing the modeled relationship.
  - 9. The system of claim 1, wherein the correlation engine causes the one or more processors to validate , in response to dropping the at least one observed network conversation, whether the one or more listeners have previously observed activity that resulted in detection of a security violation.
  - 10. The system of claim 9, wherein the correlation engine causes the one or more processors to de-provision the one or more listeners in response to a determination that the one or more listeners have not previously observed activity that resulted in detection of a security violation.

11. A computer-implemented method of modeling interdependencies in a network datacenter, the method being implemented by one or more physical processors executing one or more computer program instructions which, when executed, perform the method, the method comprising:
- discovering a resource inventory with a discovery engine coupled to an information technology datacenter, wherein the resource inventory comprises information describing a plurality of resources in the information technology datacenter and a plurality of open communication ports on the plurality of resources described in the resource inventory;
  
  observing one or more network conversations that occur in the datacenter, the one or more network conversations involving the plurality of open communication ports on the plurality of resources described in the resource inventory by one or more listeners for modeling interdependencies in the network datacenter;
  
  dropping, by the one or more physical processors, at least one observed network conversation of the one or more observed network conversations in response to a determination by a correlation engine that the at least one observed network conversation fails to correlate with any of the plurality of open communication ports on the plurality of resources described in the resource inventory and further in response to a determination that that the at least one observed network conversation comprises a network conversation between one of the resources in the information technology datacenter and a resource outside the information technology datacenter; and
  
  modeling, by the one or more physical processors, a relationship between two of the plurality of resources described in the resource inventory in response to a determination by the correlation engine that the at least one observed network conversation correlates with open communication ports on the two resources,wherein dropping the at least one observed network conversation comprises no longer observing the network conversation for modeling interdependencies in the network datacenter.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The method of claim 11, wherein the at least one observed network conversation includes a first flow directed from an originating resource to a destination resource and a second flow directed from the destination resource to the originating resource.
  - 13. The method of claim 12, wherein the one or more listeners only observe the first flow in the at least one observed network conversation directed from the originating resource to the destination resource.
  - 14. The method of claim 13, further comprising determining that the modeled relationship has a directionality from the originating resource to the destination resource in response to the correlation engine locating the destination resource in the resource inventory.
  - 15. The method of claim 12, further comprising:
    - determining whether the originating resource has a location that falls within a network address range for the information technology datacenter; and
      
      determining whether the destination resource has a location that falls within the network address range for the information technology datacenter.
  - 16. The method of claim 15, wherein the dropping the at least one observed network conversation is in response to a determination by the correlation engine that the location for the originating resource or the location for destination resource falls outside the network address range for the information technology datacenter.
  - 17. The method of claim 15, wherein the modeling the relationship between the two resources is in response to a determination by the correlation engine that the location for the originating resource and the location for the destination fall within the network address range for the information technology datacenter.
  - 18. The method of claim 11, further comprising populating a configuration management database with the information contained in the resource inventory and a dependency map describing the modeled relationship.
  - 19. The method of claim 11, further comprising validating, in response to the dropping the at least one observed network conversation, whether the one or more listeners have previously observed activity that resulted in detection of a security violation.
  - 20. The method of claim 19, further comprising de-provisioning the one or more listeners in response to a determination by the correlation engine that the one or more listeners have not previously observed activity that resulted in detection of a security violation.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Micro Focus Software, Inc. (Open Text Corporation)
Original Assignee
Novell Incorporated (Open Text Corporation)
Inventors
Westerfeld, Kurt Andrew, Judson, John Ross
Primary Examiner(s)
Nguyen, Phuoc
Assistant Examiner(s)
ZAND, DAVOUD AMAN

Application Number

US12/868,426
Publication Number

US 20110302295A1
Time in Patent Office

1,406 Days
Field of Search

709/224, 709/204, 709/208
US Class Current

709/224
CPC Class Codes

G06F 8/71 Version control security ar...

H04L 43/10 Active monitoring, e.g. hea...

System and method for modeling interdependencies in a network datacenter

First Claim

16 Assignments

0 Petitions

Accused Products

Abstract

176 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for modeling interdependencies in a network datacenter

First Claim

16 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

176 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links