Network eavesdropping detection

US 9,130,984 B2
Filed: 05/17/2013
Issued: 09/08/2015
Est. Priority Date: 05/17/2013
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

sending a series of impulse signals over a communication line for a time period;

receiving a series of impedance values for the communication line over the time period in response to the series of impulse signals;

calculating a baseline impedance as a function of the series of impedance values;

receiving an impedance measurement generated after the time period;

calculating a difference between the impedance measurement and the baseline impedance;

comparing the difference to a threshold impedance tolerance; and

generate a warning message when the absolute value of the difference exceeds the threshold impedance tolerance.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In one implementation, network taps are detected using impedance measurements from a network. A network device is configured to calculate a baseline impedance as a function of a sequence of impedance values. As impedance measurements subsequent to the sequence of impedance values are received, the network device is configured to calculate a difference between the impedance measurement and the baseline impedance. The network device generates a network tap warning message when the difference between the impedance measurement and the baseline impedance exceeds a threshold. The network device may be an endpoint computer, a data switch, or an external device remote from the network.

9 Citations

19 Claims

1. A method comprising:
- sending a series of impulse signals over a communication line for a time period;
  
  receiving a series of impedance values for the communication line over the time period in response to the series of impulse signals;
  
  calculating a baseline impedance as a function of the series of impedance values;
  
  receiving an impedance measurement generated after the time period;
  
  calculating a difference between the impedance measurement and the baseline impedance;
  
  comparing the difference to a threshold impedance tolerance; and
  
  generate a warning message when the absolute value of the difference exceeds the threshold impedance tolerance.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, further comprising:
    - receiving a return signal in response to the impulse signal; and
      
      performing a calculation of at least one of the series of impedance values for the communication line from the return signal.
  - 3. The method of claim 2, wherein the calculation includes a comparison of the return signal to the impulse signal.
  - 4. The method of claim 2, further comprising:
    - sending the impulse signal to the communication line, wherein the return signal results from the impulse signal.
  - 5. The method of claim 2, wherein the series of impedance values are calculated at different frequencies of the impulse signal.
  - 6. The method of claim 1, further comprising:
    - calculating a variance of the series of impedance values for the communication line as the series of impedance values are received; and
      
      calculating the time period as a function of the variance.
  - 7. The method of claim 1, further comprising:
    - calculating the time period as a function of a number of the series of impedance values.
  - 8. The method of claim 1, wherein the function for calculating the baseline impedance includes a sliding average of the series of impedance values.
  - 9. The method of claim 1, further comprising:
    - recording the warning message in a log; and
      
      sending the log to a central threat defense system or a cloud service.
  - 10. The method of claim 1, wherein the warning message includes a command to disable a port of a network device.

11. An apparatus comprising:
- a communication interface configured to receive a series of impedance values for a communication line over a time period; and
  
  a controller configured to calculate a baseline impedance as a function of the series of impedance values and a difference between a current impedance measurement and the baseline impedance,wherein an alert is generated when the difference between the current impedance measurement and the baseline impedance exceeds a threshold impedance tolerance, wherein the alert indicates that a network tap may be coupled with the communication interfacewherein the controller is configured to generate an impulse signal for the communication line and the series of impedance values are derived from a reflection of the impulse signal.
- View Dependent Claims (12, 13, 14, 15)
- - 12. The apparatus of claim 11, wherein the series of impedance values are based on a ratio of the reflection of the impulse signal to the impulse signal.
  - 13. The apparatus of claim 11, wherein the controller is configured to calculate the time period as a function of a variance of the series of impedance values.
  - 14. The apparatus of claim 11, wherein the controller records the alert, an identifier for the communication line, and a time stamp in memory.
  - 15. The apparatus of claim 14, wherein the identifier for the communication line identifies a port.

16. A non-transitory computer readable medium including instructions that when executed by a processor are operable to:
- send an impulse signal;
  
  receive a return signal including an impedance measurement;
  
  detect a network tap as a function of the impedance measurement;
  
  generate a network tap warning message in response to the detection of the network tap; and
  
  send the network tap warning message to a cloud service.
- View Dependent Claims (17, 18, 19)
- - 17. The non-transitory computer readable medium of claim 16, wherein the network tap warning message specifies a port of a network device.
  - 18. The non-transitory computer readable medium of claim 16, wherein the sequence of impedance values includes a plurality of impedance values from each of multiple ports of a network device and the baseline includes a baseline value for each of the multiple ports of the network device.
  - 19. The non-transitory computer readable medium of claim 16, wherein the impulse signal is a sweeping signal having multiple frequencies and the detection of the network tap is based on the impedance measurement from the sweeping signal.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Foley, John
Primary Examiner(s)
To, Baotran N

Application Number

US13/896,550
Publication Number

US 20140344930A1
Time in Patent Office

844 Days
Field of Search

726/23, 726/22, 726/24, 726/25
US Class Current

1/1
CPC Class Codes

H04L 63/1425 Traffic logging, e.g. anoma...

H04L 63/1475 Passive attacks, e.g. eaves...

Network eavesdropping detection

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

9 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Network eavesdropping detection

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

9 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links