Enabling NAC reassessment based on fingerprint change

US 8,862,730 B1
Filed: 03/28/2006
Issued: 10/14/2014
Est. Priority Date: 03/28/2006
Status: Active Grant

First Claim

Patent Images

1. A method of providing security for a network, comprising:

monitoring network traffic associated with a client computer connected to the network for an activity pattern indicating that a configuration change of the client computer may or may not have occurred, wherein the monitoring is based upon an observation of a trigger in the network traffic;

detecting the activity pattern;

accessing a previously stored activity pattern associated with the client computer;

comparing the previously stored activity pattern with the detected activity pattern to determine a fingerprint difference;

detecting a configuration change of the client computer if the fingerprint difference exceeds a difference threshold; and

restricting access by the client computer to the network if the detected activity pattern was not previously associated with the client computer and indicates that the configuration change of the client computer may have occurred.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Providing security for a network is disclosed. Network traffic associated with a host is monitored. If an activity pattern associated with a configuration change of the host is observed, access by the host to the network is restricted based at least in part on the observed activity pattern.

Citations

20 Claims

1. A method of providing security for a network, comprising:
- monitoring network traffic associated with a client computer connected to the network for an activity pattern indicating that a configuration change of the client computer may or may not have occurred, wherein the monitoring is based upon an observation of a trigger in the network traffic;
  
  detecting the activity pattern;
  
  accessing a previously stored activity pattern associated with the client computer;
  
  comparing the previously stored activity pattern with the detected activity pattern to determine a fingerprint difference;
  
  detecting a configuration change of the client computer if the fingerprint difference exceeds a difference threshold; and
  
  restricting access by the client computer to the network if the detected activity pattern was not previously associated with the client computer and indicates that the configuration change of the client computer may have occurred.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1 wherein the network traffic is monitored at a node other than the client computer.
  - 3. The method of claim 1 wherein detecting the activity pattern includes active scanning.
  - 4. The method of claim 1 wherein detecting the activity pattern includes passive scanning.
  - 5. The method of claim 1 wherein detecting the activity pattern includes detecting one or more of an operating system, a web browser, a network protocol, and a file sharing protocol.
  - 6. The method of claim 1 further comprising generating an alert based at least in part on the detected activity pattern.
  - 7. The method of claim 1 further comprising storing a fingerprint associated with a configuration of the client computer.
  - 8. The method of claim 1 further comprising restricting access by the client computer to the network if the detected activity pattern was previously associated with the client computer and indicates that the configuration change of the client computer may not have occurred.
  - 9. The method of claim 1 wherein the configuration change of the client computer comprises at least one of:
    - software removal from the client computer;
      
      software installation on the client computer; and
      
      software modification on the client computer.

10. A system for providing security for a network, comprising:
- a processor, configured to;
  
  monitor network traffic associated with a client computer connected to the network for an activity pattern indicating that a configuration change of the client computer may or may not have occurred, wherein the monitoring is based upon an observation of a trigger in the network traffic;
  
  detect the activity pattern;
  
  access a previously stored activity pattern associated with the client computer;
  
  compare the previously stored activity pattern with the detected activity pattern to determine a fingerprint difference;
  
  detect a configuration change of the client computer if the fingerprint difference exceeds a difference threshold; and
  
  restrict access by the client computer to the network if the detected activity pattern was not previously associated with the client computer and indicates that the configuration change of the client computer may have occurred; and
  
  a memory, coupled to the processor, configured to provide the processor with instructions.
- View Dependent Claims (11, 12, 13, 14, 15, 16)
- - 11. The system of claim 10 wherein the processor is included in a network switch.
  - 12. The system of claim 10 wherein the processor is configured to detect the activity pattern at least in part by passive scanning.
  - 13. The system of claim 10 wherein the processor is configured to detect the activity pattern at least in part by detecting one or more of an operating system, a web browser, a network protocol, and a file sharing protocol.
  - 14. The system of claim 10 wherein the processor is further configured to generate an alert based at least in part on the detected activity pattern.
  - 15. The system of claim 10 wherein the processor is further configured to store a fingerprint associated with a configuration of the client computer.
  - 16. The system of claim 10 wherein the processor is further configured to restrict access by the client computer to the network if the detected activity pattern was previously associated with the client computer and indicates that the configuration change of the client computer may not have occurred.

17. A computer program product for providing security for a network, the computer program product being embodied in a non-transitory computer readable storage medium and comprising computer instructions for:
- monitoring network traffic associated with a client computer connected to the network for an activity pattern indicating that a configuration change of the client computer may or may not have occurred, wherein the monitoring is based upon an observation of a trigger in the network traffic;
  
  detecting the activity pattern;
  
  accessing a previously stored activity pattern associated with the client computer;
  
  comparing the previously stored activity pattern with the detected activity pattern to determine a fingerprint difference;
  
  detecting a configuration change of the client computer if the fingerprint difference exceeds a difference threshold; and
  
  restricting access by the client computer to the network if the detected activity pattern was not previously associated with the client computer and indicates that the configuration change of the client computer may have occurred.
- View Dependent Claims (18, 19, 20)
- - 18. The computer program product as recited in claim 17, wherein detecting the activity pattern includes passive scanning.
  - 19. The computer program product as recited in claim 17, the computer program product further comprising computer instructions for storing a fingerprint associated with a configuration of the client computer.
  - 20. The computer program product as recited in claim 17, the computer program product further comprising computer instructions for restricting access by the client computer to the network if the detected activity pattern was previously associated with the client computer and indicates that the configuration change of the client computer may not have occurred.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Hernacki, Brian, Satish, Sourabh
Primary Examiner(s)
Winder, Patrice
Assistant Examiner(s)
TRAN, NAM T

Application Number

US11/392,093
Time in Patent Office

3,122 Days
Field of Search
US Class Current

709/225
CPC Class Codes

H04L 41/08   Configuration management of...

H04L 41/0803   Configuration setting

H04L 63/00   Network architectures or ne...

H04L 63/10   for controlling access to d...

H04L 63/1408   by monitoring network traff...

H04L 63/1433   Vulnerability analysis

H04L 63/20   for managing network securi...

Enabling NAC reassessment based on fingerprint change

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Enabling NAC reassessment based on fingerprint change

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links