Persistent host determination

US 9,280,667 B1
Filed: 01/10/2005
Issued: 03/08/2016
Est. Priority Date: 08/25/2000
Status: Active Grant

First Claim

Patent Images

1. A method for identifying persistent hosts in a dynamically configured network, comprising:

establishing a plurality of records, each record stored on a storage medium and describing one or more characteristics of a persistent host on the network and one or more detected vulnerabilities of the persistent host, wherein the persistent host corresponds to a previously observed host instance on the network;

receiving a snapshot of the network having at least one currently existing host instance for an unknown host on the network, the unknown host having a dynamically assigned IP address assigned on an as-needed basis from a Dynamic Host Configuration Protocol (DHCP) server;

matching one or more characteristics of the currently existing host instance to the characteristics of a persistent host described in at least one of the records;

identifying the unknown host associated with the currently existing host instance to be the persistent host described by the matching record;

retrieving from the matching record one or more of the detected vulnerabilities of the persistent host corresponding to the currently existing host instances; and

applying one or more security decisions for the currently existing host instance based on the retrieved detected vulnerabilities of the persistent host corresponding to the currently existing host instance.

View all claims

8 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system comprises a security manager to scan a network for host instances representing hosts on the network at that time, and record characteristics of the host instances in a host record. The security manager subsequently scans the network for host instances in order to identify persistent hosts. A host profiling module takes snapshots of the network to generate host instances based on characteristics such as an IP address, a NetBIOS name, a DNS name, a MAC address. A host matching module correlates host instances from different snapshots using weighted rules (predetermined or customized) to discriminate between multiple potential matching host instances. Also, security logic makes security decisions based on data including persistent host information.

74 Citations

View as Search Results

34 Claims

1. A method for identifying persistent hosts in a dynamically configured network, comprising:
- establishing a plurality of records, each record stored on a storage medium and describing one or more characteristics of a persistent host on the network and one or more detected vulnerabilities of the persistent host, wherein the persistent host corresponds to a previously observed host instance on the network;
  
  receiving a snapshot of the network having at least one currently existing host instance for an unknown host on the network, the unknown host having a dynamically assigned IP address assigned on an as-needed basis from a Dynamic Host Configuration Protocol (DHCP) server;
  
  matching one or more characteristics of the currently existing host instance to the characteristics of a persistent host described in at least one of the records;
  
  identifying the unknown host associated with the currently existing host instance to be the persistent host described by the matching record;
  
  retrieving from the matching record one or more of the detected vulnerabilities of the persistent host corresponding to the currently existing host instances; and
  
  applying one or more security decisions for the currently existing host instance based on the retrieved detected vulnerabilities of the persistent host corresponding to the currently existing host instance.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The method of claim 1, wherein the host instance describes at least one host characteristic from a group consisting of:
    - an IP address, a NetBIOS name, a DNS name, and a MAC address.
  - 3. The method of claim 1, wherein receiving a snapshot comprises:
    - detecting an update to a database, the database describing the plurality of hosts on the network.
  - 4. The method of claim 1, wherein the matching comprises:
    - selecting from among a plurality of correlation rules responsive to the network.
  - 5. The method of claim 1, wherein the matching comprises:
    - calculating a host correlation metric representative of a probability that the host described by the host instance in the snapshot matches the persistent host described by the at least one record.
  - 6. The method of claim 1, wherein the matching comprises:
    - calculating a host correlation metric using weighted rules, each weighted rule specifying a potentially-matching attribute of the record and the host instance and a weight defining an influence of the rule.
  - 7. The method of claim 1, further comprising:
    - categorizing the host instance as a new host on the network.
  - 8. The method of claim 7, further comprising:
    - creating a host record describing the new host as a persistent host.
  - 9. The method of claim 1, wherein the establishing comprises:
    - establishing vulnerability information in the record, the vulnerability information describing vulnerabilities of the persistent host to network-based attacks.
  - 10. The method of claim 1, wherein the one or more characteristics of a persistent host on the network include application information.
  - 11. The method of claim 1, wherein the matching is performed using weighted rules, the weighted rules including rules that favor matching NetBIOS names over matching IP addresses.
  - 12. The method of claim 1, wherein the receiving the snapshot comprises interrogating the unknown host to inferentially determine one or more of an operating system or application running on the unknown host.
  - 13. The method of claim 12, wherein the interrogating is performed by:
    - sending instructions or data packets at one or more layers of the open systems interconnection (OSI) model; and
      
      examining responses sent by the unknown known responsive to the instructions or data packets.
  - 14. The method of claim 12, wherein the interrogating comprises:
    - sending anomalous data packets to the unknown host, the anomalous data packets being nonconforming relative to a request for comment (RFC) protocol; and
      
      determining an operating system running on the unknown host from the responses sent by the unknown host responsive to the anomalous data packets.

15. A system for identifying persistent hosts in a dynamically configured network, comprising:
- a computer processor; and
  
  a storage memory containing software modules thereon, the software modules comprising;
  
  a records manager module for storing a plurality of records each describing one or more characteristics of a persistent host on the network and one or more detected vulnerabilities of the persistent host, wherein the persistent host corresponds to a previously observed host instance on the network;
  
  a host profiling module for receiving a snapshot of the network having at least one currently existing host instance for an unknown host on the network, the unknown host having an IP address dynamically assigned from a Dynamic Host Configuration Protocol (DHCP) server;
  
  a host matching module for matching one or more characteristics of the currently existing host instance to the characteristics of a persistent host described in at least one of the records and for identifying the unknown host associated with the currently existing host instance to be the persistent host described by the matching record; and
  
  a security manager module for retrieving from the matching record one or more of the detected vulnerabilities of the persistent host corresponding to the currently existing host instance and applying the one or more security decisions for the currently existing host instance based on the retrieved detected vulnerabilities of the persistent host corresponding to the currently existing host instance.
- View Dependent Claims (16, 17, 18, 19, 20, 21, 22, 23, 24)
- - 16. The system of claim 15, wherein the host instance describes at least one host characteristic from a group consisting of:
    - an IP address, a NetBIOS name, a DNS name, and a MAC address.
  - 17. The system of claim 15, wherein the host profiling module is adapted to receive a snapshot responsive to an update to a database, the database describing the plurality of hosts on the network.
  - 18. The system of claim 15, wherein the host matching module is adapted to select from among a plurality of correlation rules responsive to the network.
  - 19. The system of claim 15, wherein the host matching module is adapted to calculate a host correlation metric representative of a probability that the host described by the host instance in the snapshot matches the persistent host described by the at least one record.
  - 20. The system of claim 15, wherein the host matching module is adapted to calculate a host correlation metric using weighted rules, each weighted rule specifying a potentially-matching attribute of the record and the host instance and a weight defining an influence of the rule.
  - 21. The system of claim 15, wherein the host matching module is adapted to categorize the host instance as a new host on the network.
  - 22. The system of claim 21, wherein the records manager module is adapted to create a host record describing the new host as a persistent host.
  - 23. The system of claim 15, wherein the records manager module is adapted to store vulnerability information in the record, the vulnerability information describing vulnerabilities of the persistent host to network-based attacks.
  - 24. The system of claim 15, wherein the one or more characteristics of a persistent host on the network include application information.

25. A non-transitory computer program product comprising a computer-readable medium having embodied thereon computer program logic for identifying persistent hosts in a dynamically configured network, comprising:
- a records manager module for storing a plurality of records each describing one or more characteristics of a persistent host on the network and one or more detected vulnerabilities of the persistent host, wherein the persistent host corresponds to a previously observed host instance on the network;
  
  a host profiling module for receiving a snapshot of the network having at least one currently existing host instance for an unknown host on the network, the unknown host having a dynamically assigned IP address assigned on an as-needed basis from a Dynamic Host Configuration Protocol (DHCP) server;
  
  a host matching module for matching one or more characteristics of the currently existing host instance to the characteristics of a persistent host described in at least one of the records and for identifying the unknown host associated with the currently existing host instance to be the persistent host described by the matching record; and
  
  a security manager module for retrieving from the matching record one or more of the detected vulnerabilities of the persistent host corresponding to the currently existing host instance and applying the one or more security decisions for the currently existing host instance based on the retrieved detected vulnerabilities of the persistent host corresponding to the currently existing host instance.
- View Dependent Claims (26, 27, 28, 29, 30, 31, 32, 33, 34)
- - 26. The computer program product of claim 25, wherein the host instance describes at least one host characteristic from a group consisting of:
    - an IP address, a NetBIOS name, a DNS name, and a MAC address.
  - 27. The computer program product of claim 25, wherein the host profiling module is adapted to receive a snapshot responsive to an update to a database, the database describing the plurality of hosts on the network.
  - 28. The computer program product of claim 25, wherein the host matching module is adapted to select from among a plurality of correlation rules responsive to the network.
  - 29. The computer program product of claim 25, wherein the host matching module is adapted to calculate a host correlation metric representative of a probability that the host described by the host instance in the snapshot matches the persistent host described by the at least one record.
  - 30. The computer program product of claim 25, wherein the host matching module is adapted to calculate a host correlation metric using weighted rules, each weighted rule specifying a potentially-matching attribute of the record and the host instance and a weight defining an influence of the rule.
  - 31. The computer program product of claim 25, wherein the host matching module is adapted to categorize the host instance as a new host on the network.
  - 32. The computer program product of claim 31, wherein the records manager module is adapted to create a host record describing the new host as a persistent host.
  - 33. The computer program product of claim 25, wherein the records manager module is adapted to store vulnerability information in the record, the vulnerability information describing vulnerabilities of the persistent host to network-based attacks.
  - 34. The computer program product of claim 25, wherein the one or more characteristics of a persistent host on the network include application information.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Tripwire Incorporated (Belden Inc.)
Original Assignee
Tripwire Incorporated (Belden Inc.)
Inventors
Keanini, Timothy D., Cooper, Jeremy, Buchanan, Brian, Molitor, Andrew, Gurney, John-Mark
Primary Examiner(s)
Moorthy, Aravind

Application Number

US11/033,414
Time in Patent Office

4,075 Days
Field of Search

726/25
US Class Current

1/1
CPC Class Codes

G06F 21/577   Assessing vulnerabilities a...

G06F 2221/034   Test or assess a computer o...

H04L 63/1433   Vulnerability analysis

Persistent host determination

First Claim

8 Assignments

0 Petitions

Accused Products

Abstract

74 Citations

34 Claims

Specification

Solutions

Use Cases

Quick Links

Persistent host determination

First Claim

8 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

74 Citations

34 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links