Persistent host determination
Abstract
A system comprises a security manager to scan a network for host instances representing hosts on the network at that time, and record characteristics of the host instances in a host record. The security manager subsequently scans the network for host instances in order to identify persistent hosts. A host profiling module takes snapshots of the network to generate host instances based on characteristics such as an IP address, a NetBIOS name, a DNS name, and a MAC address. A host matching module correlates host instances from different snapshots using weighted rules (predetermined or customized) to discriminate between multiple potential matching host instances. Also, security logic makes security decisions based on data including persistent host information.
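The weighted matching described in the abstract, sketched as an added example that is not code from the patent. The weights, the threshold, the decision labels and all sample hosts are assumptions made for illustration. It shows why a reused DHCP address alone must not cause a new host to inherit another host's vulnerability history.

```python
from dataclasses import dataclass, field

# Assumed values: the abstract says the rules are weighted but gives no numbers.
WEIGHTS = {"mac": 50, "netbios": 25, "dns": 20, "ip": 5}
MATCH_THRESHOLD = 60  # no single characteristic is enough on its own

@dataclass
class HostRecord:
    host_id: str
    traits: dict
    vulnerabilities: list = field(default_factory=list)

def score(instance, record):
    """Sum the weights of characteristics present and equal on both sides."""
    total = 0
    for key, weight in WEIGHTS.items():
        seen, known = instance.get(key), record.traits.get(key)
        if seen and known and seen.lower() == known.lower():
            total += weight
    return total

def match_instance(instance, records):
    """Return (record, score) for the single best match, or (None, best score)."""
    ranked = sorted(((score(instance, r), r) for r in records),
                    key=lambda pair: pair[0], reverse=True)
    if not ranked:
        return None, 0
    best_score, best = ranked[0]
    tied = len(ranked) > 1 and ranked[1][0] == best_score
    if best_score < MATCH_THRESHOLD or tied:
        return None, best_score  # too weak or ambiguous: treat as unknown
    return best, best_score

def security_decision(instance, records):
    """Hypothetical policy labels: quarantine / allow / scan."""
    record, _ = match_instance(instance, records)
    if record is None:
        return "scan"  # unknown host: no history to inherit, assess it fresh
    return "quarantine" if record.vulnerabilities else "allow"

# Constructed sample data (not from the patent).
RECORDS = [
    HostRecord("host-A", {"mac": "00:00:5E:00:53:0A", "netbios": "LAPTOP-A",
                          "dns": "laptop-a.example.test", "ip": "10.0.0.23"},
               ["PLACEHOLDER-VULN-1"]),
    HostRecord("host-B", {"mac": "00:00:5E:00:53:0B", "netbios": "PRINTER-B",
                          "dns": "printer-b.example.test", "ip": "10.0.0.40"}),
]
MOVED = {"mac": "00:00:5e:00:53:0a", "netbios": "LAPTOP-A", "ip": "10.0.0.57"}
REUSED_IP = {"mac": "00:00:5E:00:53:0C", "netbios": "PHONE-C", "ip": "10.0.0.23"}
```

`MOVED` is host-A seen under a new lease and still inherits its recorded vulnerability; `REUSED_IP` is a different device that received host-A's old address and is treated as unknown.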
34 Claims
1. A method for identifying persistent hosts in a dynamically configured network, comprising:
- establishing a plurality of records, each record stored on a storage medium and describing one or more characteristics of a persistent host on the network and one or more detected vulnerabilities of the persistent host, wherein the persistent host corresponds to a previously observed host instance on the network;
- receiving a snapshot of the network having at least one currently existing host instance for an unknown host on the network, the unknown host having a dynamically assigned IP address assigned on an as-needed basis from a Dynamic Host Configuration Protocol (DHCP) server;
- matching one or more characteristics of the currently existing host instance to the characteristics of a persistent host described in at least one of the records;
- identifying the unknown host associated with the currently existing host instance to be the persistent host described by the matching record;
- retrieving from the matching record one or more of the detected vulnerabilities of the persistent host corresponding to the currently existing host instances; and
- applying one or more security decisions for the currently existing host instance based on the retrieved detected vulnerabilities of the persistent host corresponding to the currently existing host instance.

Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14

15. A system for identifying persistent hosts in a dynamically configured network, comprising:
- a computer processor; and
- a storage memory containing software modules thereon, the software modules comprising:
  - a records manager module for storing a plurality of records each describing one or more characteristics of a persistent host on the network and one or more detected vulnerabilities of the persistent host, wherein the persistent host corresponds to a previously observed host instance on the network;
  - a host profiling module for receiving a snapshot of the network having at least one currently existing host instance for an unknown host on the network, the unknown host having an IP address dynamically assigned from a Dynamic Host Configuration Protocol (DHCP) server;
  - a host matching module for matching one or more characteristics of the currently existing host instance to the characteristics of a persistent host described in at least one of the records and for identifying the unknown host associated with the currently existing host instance to be the persistent host described by the matching record; and
  - a security manager module for retrieving from the matching record one or more of the detected vulnerabilities of the persistent host corresponding to the currently existing host instance and applying the one or more security decisions for the currently existing host instance based on the retrieved detected vulnerabilities of the persistent host corresponding to the currently existing host instance.

Dependent claims: 16, 17, 18, 19, 20, 21, 22, 23, 24

25. A non-transitory computer program product comprising a computer-readable medium having embodied thereon computer program logic for identifying persistent hosts in a dynamically configured network, comprising:
- a records manager module for storing a plurality of records each describing one or more characteristics of a persistent host on the network and one or more detected vulnerabilities of the persistent host, wherein the persistent host corresponds to a previously observed host instance on the network;
- a host profiling module for receiving a snapshot of the network having at least one currently existing host instance for an unknown host on the network, the unknown host having a dynamically assigned IP address assigned on an as-needed basis from a Dynamic Host Configuration Protocol (DHCP) server;
- a host matching module for matching one or more characteristics of the currently existing host instance to the characteristics of a persistent host described in at least one of the records and for identifying the unknown host associated with the currently existing host instance to be the persistent host described by the matching record; and
- a security manager module for retrieving from the matching record one or more of the detected vulnerabilities of the persistent host corresponding to the currently existing host instance and applying the one or more security decisions for the currently existing host instance based on the retrieved detected vulnerabilities of the persistent host corresponding to the currently existing host instance.

Dependent claims: 26, 27, 28, 29, 30, 31, 32, 33, 34

Specification