Detecting transparent network communication interception appliances

US 9,094,309 B2
Filed: 03/13/2012
Issued: 07/28/2015
Est. Priority Date: 03/13/2012
Status: Expired due to Fees

First Claim

Patent Images

1. A method, in a data processing system, for identifying transparent network communication interception appliances in a network topology, comprising:

collecting, by an application detection mechanism in the data processing system, network configuration data from a plurality of devices in the network topology;

analyzing, by the appliance detection mechanism, the collected network configuration data using one or more heuristics to identify patterns in the collected network configuration data indicative of the presence of a transparent network communication interception appliance, wherein the appliance detection mechanism is a separate mechanism from the transparent network communication interception appliance;

calculating, by the appliance detection mechanism, a confidence measure value based on results of the analysis of the collected network configuration data; and

sending, by the appliance detection mechanism, a notification of a detected presence of a transparent network communication interception appliance to a computing device in response to the calculated confidence measure value meeting or exceeding at least one threshold value;

wherein the one or more heuristics comprises a multiple gateway heuristic that analyzes subnet gateway computing device assignment to an associated group of devices, in the plurality of devices in the network topology to identify whether more than one gateway computing device is associated with the group of devices, and wherein calculating the confidence measure value comprises increasing the confidence measure value in response to the multiple gateway heuristic identifying more than one gateway computing device being associated with the group of devices.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Mechanisms are provided for identifying transparent network communication interception appliances in a network topology. The mechanisms collect network configuration data from a plurality of devices in the network topology and analyze the collected network configuration data using one or more heuristics to identify patterns in the collected network configuration data indicative of the presence of a transparent network communication interception appliance. The mechanisms calculate a confidence measure value based on results of the analysis of the collected network configuration data. The mechanisms further send a notification of a detected presence of a transparent network communication interception appliance to a computing device in response to the calculated confidence measure value meeting or exceeding at least one threshold value.

42 Citations

View as Search Results

23 Claims

1. A method, in a data processing system, for identifying transparent network communication interception appliances in a network topology, comprising:
- collecting, by an application detection mechanism in the data processing system, network configuration data from a plurality of devices in the network topology;
  
  analyzing, by the appliance detection mechanism, the collected network configuration data using one or more heuristics to identify patterns in the collected network configuration data indicative of the presence of a transparent network communication interception appliance, wherein the appliance detection mechanism is a separate mechanism from the transparent network communication interception appliance;
  
  calculating, by the appliance detection mechanism, a confidence measure value based on results of the analysis of the collected network configuration data; and
  
  sending, by the appliance detection mechanism, a notification of a detected presence of a transparent network communication interception appliance to a computing device in response to the calculated confidence measure value meeting or exceeding at least one threshold value;
  
  wherein the one or more heuristics comprises a multiple gateway heuristic that analyzes subnet gateway computing device assignment to an associated group of devices, in the plurality of devices in the network topology to identify whether more than one gateway computing device is associated with the group of devices, and wherein calculating the confidence measure value comprises increasing the confidence measure value in response to the multiple gateway heuristic identifying more than one gateway computing device being associated with the group of devices.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, wherein the transparent network communication interception appliance is a load balancer appliance.
  - 3. The method of claim 1, wherein analyzing the collected network configuration data using one or more heuristics to identify patterns in the collected network configuration data comprises:
    - calculating, by the appliance detection mechanism, a pattern in the collected network configuration data;
      
      comparing, by the appliance detection mechanism, the calculated pattern in the collected network configuration data to one or more known patterns indicative of a presence of a transparent network communication interception appliance; and
      
      determining, by the appliance detection mechanism, if the calculated pattern matches, within a given tolerance, at least one of the one or more known patterns.
  - 4. The method of claim 1, further comprising:
    - receiving, by the appliance detection mechanism, feedback input indicative of whether or not results of the analysis and calculation of the confidence measure was accurate; and
      
      modifying, by the appliance detection mechanism, at least one of the one or more heuristics based on the feedback input.
  - 5. The method of claim 1, wherein the one or more heuristics comprises a distance heuristic that calculates a difference distance between at least one of device names or device communication ports being used by the plurality of devices of the topology network, and compares the difference distance to at least one threshold value, and wherein calculating the confidence measure value comprises increasing the confidence measure value in response to the difference distance being equal to or greater than the at least one threshold value.
  - 6. The method of claim 5, wherein the difference distance is calculated using a weighted difference algorithm that determines an amount of change necessary to change one server name or port assignment of a first device to a server name or port assignment of a second device in the plurality of devices, and weights different types of changes with different weighting values.
  - 7. The method of claim 1, wherein the one or more heuristics comprises a loopback network interface heuristic that determines if a loopback device is present in the network topology and has an associated address that is not within an established range of loopback addresses, and wherein calculating the confidence measure comprises increasing the confidence measure in response to a determination that a loopback device is present in the network topology and has an associated address that is not within an established range of loopback addresses.
  - 8. The method of claim 1, wherein the one or more heuristics comprises a gateway address analysis heuristic that analyzes addresses associated with the devices in the plurality of devices to identify a pattern in the addresses associated with the devices that indicates that an associated device is a transparent network communication interception appliance.
  - 9. The method of claim 8, wherein the pattern in the address is one of a specific setting of a most significant byte of the address to a value indicative of the device being a transparent network communication interception appliance, or a specific setting of the first two significant bytes of the address to a value indicative of the device being a transparent network communication interception appliance.
  - 10. The method of claim 1, wherein the one or more heuristics comprises a multiple address resolution heuristic that determines if one or more address resolution data structures of one or more routers in the plurality of devices of the network topology comprise mappings in which multiple network addresses map to a same device address, and wherein calculating the confidence measure comprises increasing the confidence measure in response to a determination that one or more address resolution data structures of one or more routers in the plurality of devices of the network topology comprise mappings in which multiple network addresses map to a same device address.
  - 11. The method of claim 2, wherein the method is implemented as part of a migration operation for migrating a cluster of server computing devices and the load balancer appliance to a different physical and/or logical location of the network topology.

12. A computer program product comprising a computer readable storage medium having a computer readable program stored therein, wherein the computer readable program, when executed on an appliance detection computing device, causes the computing device to:
- collect network configuration data from a plurality of devices in a network topology;
  
  analyze the collected network configuration data using one or more heuristics to identify patterns in the collected network configuration data indicative of the presence of a transparent network communication interception appliance, wherein the appliance detection computing device is a separate device from the transparent network communication interception appliance;
  
  calculate a confidence measure value based on results of the analysis of the collected network configuration data; and
  
  send a notification of a detected presence of a transparent network communication interception appliance to a computing device in response to the calculated confidence measure value meeting or exceeding at least one threshold value;
  
  wherein the one or more heuristics comprises a multiple gateway heuristic that analyzes subnet gateway computing device assignment to an associated group of devices, in the plurality of devices in the network topology to identify whether more than one gateway computing device is associated with the group of devices, and wherein calculating the confidence measure value comprises increasing the confidence measure value in response to the multiple gateway heuristic identifying more than one gateway computing device being associated with the group of devices.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20, 21, 22)
- - 13. The computer program product of claim 12, wherein the transparent network communication interception appliance is a load balancer appliance.
  - 14. The computer program product of claim 12, wherein the computer readable program further causes the appliance detection computing device to analyze the collected network configuration data using one or more heuristics to identify patterns in the collected network configuration data by:
    - calculating a pattern in the collected network configuration data;
      
      comparing the calculated pattern in the collected network configuration data to one or more known patterns indicative of a presence of a transparent network communication interception appliance; and
      
      determining if the calculated pattern matches, within a given tolerance, at least one of the one or more known patterns.
  - 15. The computer program product of claim 12, wherein the computer readable program further causes the appliance detection computing device to:
    - receive feedback input indicative of whether or not results of the analysis and calculation of the confidence measure was accurate; and
      
      modify at least one of the one or more heuristics based on the feedback input.
  - 16. The computer program product of claim 12, wherein the one or more heuristics comprises a distance heuristic that calculates a difference distance between at least one of device names or device communication ports being used by the plurality of devices of the topology network, and compares the difference distance to at least one threshold value, and wherein calculating the confidence measure value comprises increasing the confidence measure value in response to the difference distance being equal to or greater than the at least one threshold value.
  - 17. The computer program product of claim 16, wherein the difference distance is calculated using a weighted difference algorithm that determines an amount of change necessary to change one server name or port assignment of a first device to a server name or port assignment of a second device in the plurality of devices, and weights different types of changes with different weighting values.
  - 18. The computer program product of claim 12, wherein the one or more heuristics comprises a loopback network interface heuristic that determines if a loopback device is present in the network topology and has an associated address that is not within an established range of loopback addresses, and wherein calculating the confidence measure comprises increasing the confidence measure in response to a determination that a loopback device is present in the network topology and has an associated address that is not within an established range of loopback addresses.
  - 19. The computer program product of claim 12, wherein the one or more heuristics comprises a gateway address analysis heuristic that analyzes addresses associated with the devices in the plurality of devices to identify a pattern in the addresses associated with the devices that indicates that an associated device is a transparent network communication interception appliance.
  - 20. The computer program product of claim 19, wherein the pattern in the address is one of a specific setting of a most significant byte of the address to a value indicative of the device being a transparent network communication interception appliance, or a specific setting of the first two significant bytes of the address to a value indicative of the device being a transparent network communication interception appliance.
  - 21. The computer program product of claim 12, wherein the one or more heuristics comprises a multiple address resolution heuristic that determines if one or more address resolution data structures of one or more routers in the plurality of devices of the network topology comprise mappings in which multiple network addresses map to a same device address, and wherein calculating the confidence measure comprises increasing the confidence measure in response to a determination that one or more address resolution data structures of one or more routers in the plurality of devices of the network topology comprise mappings in which multiple network addresses map to a same device address.
  - 22. The computer program product of claim 13, wherein the computer readable program is executed as part of a migration operation for migrating a cluster of server computing devices and the load balancer appliance to a different physical and/or logical location of the network topology.

23. An appliance detection apparatus, comprising:
- a processor; and
  
  a memory coupled to the processor, wherein the memory comprises instructions which, when executed by the processor, cause the processor to;
  
  collect network configuration data from a plurality of devices in a network topology;
  
  analyze the collected network configuration data using one or more heuristics to identify patterns in the collected network configuration data indicative of the presence of a transparent network communication interception appliance, wherein the appliance detection apparatus is a separate apparatus from the transparent network communication interception appliance;
  
  calculate a confidence measure value based on results of the analysis of the collected network configuration data; and
  
  send a notification of a detected presence of a transparent network communication interception appliance to a computing device in response to the calculated confidence measure value meeting or exceeding at least one threshold value;
  
  wherein the one or more heuristics comprises a multiple gateway heuristic that analyzes subnet gateway computing device assignment to an associated group of devices, in the plurality of devices in the network topology to identify whether more than one gateway computing device is associated with the group of devices, and wherein calculating the confidence measure value comprises increasing the confidence measure value in response to the multiple gateway heuristic identifying more than one gateway computing device being associated with the group of devices.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Branch, Joel W., Nidd, Michael E., Rissmann, Ruediger
Primary Examiner(s)
Osman, Ramy M
Assistant Examiner(s)
SHIU, HO T

Application Number

US13/418,761
Publication Number

US 20130246606A1
Time in Patent Office

1,232 Days
Field of Search
US Class Current

1/1
CPC Class Codes

H04L 41/0853   by actively collecting conf...

H04L 41/12   Discovery or management of ...

H04L 43/12   Network monitoring probes

Detecting transparent network communication interception appliances

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

42 Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

Detecting transparent network communication interception appliances

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

42 Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links