Network data collection and response system

US 9,854,057 B2
Filed: 05/06/2014
Issued: 12/26/2017
Est. Priority Date: 05/06/2014
Status: Active Grant

First Claim

Patent Images

1. An enterprise network that is accessible to a computing device, the enterprise network comprising:

local network resources accessible to the device via the enterprise network;

a connection protocol server comprising a memory storing instructions and a processor executing the instructions, the processor of the connection protocol server executing instructions to assign a network address to the device to identify the device on the enterprise network in response to a network access request received from the device;

a network data collection and response system of the enterprise network that is operative to track network activity of the device including a device inventory comprising device type and configuration information for the device and a resource utilization profile for the device without utilization of a data monitoring agent installed on the device;

the network data collection and response system of the enterprise network is further operative to detect high-risk or unauthorized network activity involving the device through passive monitoring without utilization of a monitoring agent installed on the device, wherein to detect high-risk or unauthorized network activity comprises identifying attempted access to applications that offer services that are not authorized by the enterprise;

the network data collection and response system further operative to implement a response action to mitigate the high-risk or unauthorized network activity, wherein the response action comprises one or more of;

blocking the unauthorized network activity and providing notice to a user of the device that the device has attempted to conduct unauthorized network activity;

notifying a user or monitoring system of the device of malware present on the device and removal of the malware from the device;

detecting malware transmitted from the device; and

removal of the malware from the enterprise network.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Embodiments include a network data collection and response system for enhancing security in an enterprise network providing a user-supplied computing device with access to the network. A network data collection and response system tracks network activity of the device and maintains a device inventory recording the device type and configuration information for the device along with a resource utilization profile for the device. The network data collection and response system detects high-risk or unauthorized network activity involving the device through passive monitoring without utilization of a data monitoring agent installed on the device and implements a response action to mitigate the high-risk or unauthorized network.

Citations

15 Claims

1. An enterprise network that is accessible to a computing device, the enterprise network comprising:
- local network resources accessible to the device via the enterprise network;
  
  a connection protocol server comprising a memory storing instructions and a processor executing the instructions, the processor of the connection protocol server executing instructions to assign a network address to the device to identify the device on the enterprise network in response to a network access request received from the device;
  
  a network data collection and response system of the enterprise network that is operative to track network activity of the device including a device inventory comprising device type and configuration information for the device and a resource utilization profile for the device without utilization of a data monitoring agent installed on the device;
  
  the network data collection and response system of the enterprise network is further operative to detect high-risk or unauthorized network activity involving the device through passive monitoring without utilization of a monitoring agent installed on the device, wherein to detect high-risk or unauthorized network activity comprises identifying attempted access to applications that offer services that are not authorized by the enterprise;
  
  the network data collection and response system further operative to implement a response action to mitigate the high-risk or unauthorized network activity, wherein the response action comprises one or more of;
  
  blocking the unauthorized network activity and providing notice to a user of the device that the device has attempted to conduct unauthorized network activity;
  
  notifying a user or monitoring system of the device of malware present on the device and removal of the malware from the device;
  
  detecting malware transmitted from the device; and
  
  removal of the malware from the enterprise network.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The enterprise network of claim 1, further comprising a gateway configured in a local network to provide the device with access to external resources via the local network.
  - 3. The enterprise network of claim 1, wherein the passively monitored network activity includes one or more of a dynamic host configuration protocol (DHCP) request received from the device and a domain name server (DNS) request received from the device.
  - 4. The enterprise network of claim 1, wherein the passively monitored network activity includes one or more of a network flow information derived from network packets sent and received by the device and a hypertext transfer protocol (HTTP) request sent and response received by the device.
  - 5. The enterprise network of claim 1, wherein the high-risk or unauthorized network activity comprises one or more of:
    - a combination of resources accessed by the device consistent of a high-risk activity profile maintained by the system; and
      
      short response times and periodic response patterns indicative of programmatic or robot activity.
  - 6. The enterprise network of claim 1, wherein the network data collection and response system tracks and profiles the resource utilization of a device.
  - 7. The enterprise network of claim 1, wherein the network data collection infers one or more of the type and configuration information of the device.

8. A computer program product for providing a user-supplied computing device with access to an enterprise network comprising local network resources accessible to the device via the enterprise network, the computer program product comprising:
- a non-transitory computer readable storage medium readable by a processing circuit and storing instructions that, when executed by the processing circuit, perform a method comprising;
  
  tracking, by the enterprise network, network activity of the device through passive monitoring without utilization of a data monitoring agent installed on the device;
  
  inferring type and configuration information of the device;
  
  creating a device inventory comprising device type and one or more of configuration information for the device and a resource utilization profile for the device;
  
  detecting, by the enterprise network, one or more of high-risk or unauthorized network activity involving the device, wherein the detecting high-risk or unauthorized network activity comprises identifying attempted access to applications that offer services that are not authorized by the enterprise; and
  
  implementing a response action to mitigate the high-risk or unauthorized network activity, wherein the response action comprises one or more of;
  
  blocking the unauthorized network activity and providing notice to a user of the device that the device has attempted to conduct unauthorized network activity;
  
  notifying a user or monitoring system of the device of malware present on the device and removal of the malware from the device;
  
  detecting malware transmitted from the device; and
  
  removal of the malware from the enterprise network.
- View Dependent Claims (9, 10, 11, 12, 13)
- - 9. The computer program product of claim 8, wherein tracking network activity includes one or more of detecting and recording a dynamic host configuration protocol (DHCP) request received from the device, a domain name server (DNS) request received from the device, a network flow information derived from network packets sent and received by the device, and a hypertext transfer protocol (HTTP) request sent and response received by the device.
  - 10. The computer program product of claim 8, wherein the high-risk or unauthorized network activity comprises a combination of resources accessed by the device consistent of a high-risk activity profile maintained by the system.
  - 11. The computer program product of claim 8, wherein the high-risk or unauthorized network activity comprises a short response times indicative of robot activity.
  - 12. The computer program product of claim 8, wherein the network data collection and response system tracks and profiles the resource utilization of a device.
  - 13. The computer program product of claim 8, wherein the network data collection infers one or more of the type and configuration information of the device.

14. A network data recording and response system for enhancing security in a computer enterprise network providing a computing device with access to the enterprise network, the system operable for:
- assigning, by a processor executing instructions stored on a memory of a connection protocol server, a network address to the device to identify the device on the enterprise network in response to a network access request received from the device;
  
  tracking, by the enterprise network, network activity of the device through passive monitoring without utilization of a data monitoring agent installed on the device;
  
  inferring one or more of type and configuration information of the device;
  
  creating a device inventory comprising one or more of device type and configuration information for the device and a resource utilization profile for the device;
  
  detecting, by the enterprise network, high-risk or unauthorized network activity involving the device, wherein the detecting high-risk or unauthorized network activity comprises identifying attempted access to applications that offer services that are not authorized by the enterprise; and
  
  implementing a response action to mitigate the high-risk or unauthorized network activity, wherein the response action comprises one or more of;
  
  blocking the unauthorized network activity and providing notice to a user of the device that the device has attempted to conduct unauthorized network activity;
  
  notifying a user or monitoring system of the device of malware present on the device and removal of the malware from the device;
  
  detecting malware transmitted from the device; and
  
  removal of the malware from the enterprise network.
- View Dependent Claims (15)
- - 15. The network data recording and response system of claim 14, wherein tracking network activity includes one or more of detecting and recording a dynamic host configuration protocol (DHCP) request received from the device, a domain name server (DNS) request received from the device, a network flow information packet received form the device, and a hypertext transfer protocol (HTTP) request received from the device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Chari, Suresh N., Cheng, Pau-Chen, Hu, Xin, Koved, Lawrence, Rao, Josyula R., Sailer, Reiner, Schales, Douglas L., Singh, Kapil K., Stoecklin, Marc P.
Primary Examiner(s)
DOLLY, KENDALL LYNN

Application Number

US14/270,937
Publication Number

US 20150326594A1
Time in Patent Office

1,330 Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1466   Active attacks involving in...

H04L 67/303   Terminal profiles

H04L 67/535   Tracking the activity of th...

Network data collection and response system

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

Network data collection and response system

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links