Systems and methods for network analysis and reporting

US 9,912,549 B2
Filed: 10/24/2014
Issued: 03/06/2018
Est. Priority Date: 06/14/2013
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method comprising:

collecting, by a computer system, data from a plurality of different types of sources, wherein the collected data includes network data and asset data;

identifying, by the computer system based on the network data, a network traffic event and a plurality of network assets related to the network traffic event;

identifying, by the computer system based on the asset data, connections between the plurality of network assets, wherein at least one of a characteristic of a connection between network assets or a characteristic of a network asset is identified based at least partially on an attribute selected from the collected data;

in response to detecting, based on the collected data, a change in an attribute of a first network asset associated with a first logical zone, moving the first network asset from the first logical zone to a second logical zone, the moving comprising updating a database to indicate that the first network asset is a member of the second logical zone, and wherein based on membership in the second logical zone, communication between the first network asset and other network assets is blocked;

generating, by the computer system, a flow information graph that depicts the plurality of network assets and the connections between the plurality of network assets, wherein the plurality of network assets includes the first network asset, and the flow information graph depicts network traffic that is allowed between network assets and network traffic that is blocked between network assets;

presenting the flow information graph via a display of a user interface in communication with the computer system, wherein the flow information graph depicts connections between the network assets using selectable directional flow lines; and

in response to selection, by a user via the user interface, of a respective flow line associated with a connection from the plurality of connections, displaying the characteristics of the selected connection including displaying rules for allowing and blocking traffic over the selected connection.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Among other things, embodiments of the present disclosure can collect and analyze asset and network data from multiple sources, and use such data to present a more complete and accurate representation of the network connections between various systems and software applications and the policies dictating the operation of security controls on a network compared to conventional systems.

88 Citations

View as Search Results

17 Claims

1. A computer-implemented method comprising:
- collecting, by a computer system, data from a plurality of different types of sources, wherein the collected data includes network data and asset data;
  
  identifying, by the computer system based on the network data, a network traffic event and a plurality of network assets related to the network traffic event;
  
  identifying, by the computer system based on the asset data, connections between the plurality of network assets, wherein at least one of a characteristic of a connection between network assets or a characteristic of a network asset is identified based at least partially on an attribute selected from the collected data;
  
  in response to detecting, based on the collected data, a change in an attribute of a first network asset associated with a first logical zone, moving the first network asset from the first logical zone to a second logical zone, the moving comprising updating a database to indicate that the first network asset is a member of the second logical zone, and wherein based on membership in the second logical zone, communication between the first network asset and other network assets is blocked;
  
  generating, by the computer system, a flow information graph that depicts the plurality of network assets and the connections between the plurality of network assets, wherein the plurality of network assets includes the first network asset, and the flow information graph depicts network traffic that is allowed between network assets and network traffic that is blocked between network assets;
  
  presenting the flow information graph via a display of a user interface in communication with the computer system, wherein the flow information graph depicts connections between the network assets using selectable directional flow lines; and
  
  in response to selection, by a user via the user interface, of a respective flow line associated with a connection from the plurality of connections, displaying the characteristics of the selected connection including displaying rules for allowing and blocking traffic over the selected connection.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The method of claim 1, wherein the collected data is obtained from a source selected from the group consisting of:
    - a router, a switch, a firewall, an intrusion detection system, an intrusion protection system, and combinations thereof.
  - 3. The method of claim 1, further comprising filtering out duplicate information from the collected data.
  - 4. The method of claim 1, wherein the attribute is selected by the user via the user interface.
  - 5. The method of claim 1, wherein the attribute is automatically selected by the computer system.
  - 6. The method of claim 1, wherein the characteristic of the connection between network assets or the characteristic of the network asset is visually indicated in the flow information graph.
  - 7. The method of claim 1, wherein the flow lines indicate a type of the source of the collected data used to identify the connection.
  - 8. The method of claim 1, further comprising:
    - identifying characteristics of the connections between the network assets.
  - 9. The method of claim 1, further comprising:
    - receiving edits, from the user via the user interface, to the displayed rules for allowing and blocking traffic over the selected connection; and
      
      applying the edited rules to the selected connection.
  - 10. The method of claim 1, wherein generating the flow information graph includes:
    - identifying an asset associated with a type of security vulnerability; and
      
      visually indicating the identified asset is associated with the security vulnerability in the flow information graph.
  - 11. The method of claim 1, wherein the flow information graph depicts information on an asset and at least one of:
    - network data associated with the asset, or a system operational attribute associated with the asset.
  - 12. The method of claim 1, further comprising:
    - collecting updated data;
      
      updating the flow information graph based on the updated data; and
      
      presenting the updated flow information graph via the display of the user interface.
  - 13. The method of claim 1, further comprising storing data related to the flow information graph in response to user input via the user interface, wherein the data related to the flow information graph includes at least one of:
    - the collected data used to generate the flow information graph, or the flow information graph itself.
  - 14. The method of claim 1, further comprising:
    - analyzing the collected data; and
      
      generating an alert in response to the analysis of the collected data.
  - 15. The method of claim 14, wherein analyzing the collected data includes comparing the collected data to at least one of:
    - a security policy, a standards compliance policy, or a performance standard.

16. A tangible, non-transitory computer-readable medium storing instructions that, when executed, cause a computer system to:
- collect data from a plurality of different types of sources, wherein the collected data includes network data and asset data;
  
  identify, based on the network data, a network traffic event and a plurality of network assets related to the network traffic event;
  
  identify, based on the asset data, connections between the plurality of network assets, wherein at least one of a characteristic of a connection between network assets or a characteristic of a network asset is identified based at least partially on an attribute selected from the collected data;
  
  in response to detecting, based on the collected data, a change in an attribute of a first network asset associated with a first logical zone, move the first network asset from the first logical zone to a second logical zone, the moving comprising updating a database to indicate that the first network asset is a member of the second logical zone, and wherein based on membership in the second logical zone, communication between the first network asset and other network assets is blocked;
  
  generate a flow information graph that depicts the plurality of network assets and the connections between the plurality of network assets, wherein the plurality of network assets includes the first network asset, and the flow information graph depicts network traffic that is allowed between network assets and network traffic that is blocked between network assets;
  
  present the flow information graph via a display of a user interface in communication with the computer system, wherein the flow information graph depicts connections between the network assets using selectable directional flow lines; and
  
  in response to selection, by a user via the user interface, of a respective flow line associated with a connection from the plurality of connections, display the characteristics of the selected connection including displaying rules for allowing and blocking traffic over the selected connection.

17. A computer system comprising:
- a processor; and
  
  memory in communication with the processor and storing instructions that, when executed by the processor, cause the computer system to;
  
  collect data from a plurality of different types of sources, wherein the collected data includes network data and asset data;
  
  identify, based on the network data, a network traffic event and a plurality of network assets related to the network traffic event;
  
  identify, based on the asset data, connections between the plurality of network assets, wherein at least one of a characteristic of a connection between network assets or a characteristic of a network asset is identified based at least partially on an attribute selected from the collected data;
  
  in response to detecting, based on the collected data, a change in an attribute of a first network asset associated with a first logical zone, move the first network asset from the first logical zone to a second logical zone, the moving comprising updating a database to indicate that the first network asset is a member of the second logical zone, and wherein based on membership in the second logical zone, communication between the first network asset and other network assets is blocked;
  
  generate a flow information graph that depicts the plurality of network assets and the connections between the plurality of network assets, wherein the plurality of network assets includes the first network asset, and the flow information graph depicts network traffic that is allowed between network assets and network traffic that is blocked between network assets; and
  
  present the flow information graph via a display of a user interface in communication with the computer system, wherein the flow information graph depicts connections between the network assets using selectable directional flow lines; and
  
  in response to selection, by a user via the user interface, of a respective flow line associated with a connection from the plurality of connections, display the characteristics of the selected connection including displaying rules for allowing and blocking traffic over the selected connection.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Catbird Networks, Inc.
Original Assignee
Catbird Networks, Inc.
Inventors
Rieke, Malcolm
Primary Examiner(s)
Parsons, Theodore C

Application Number

US14/523,624
Publication Number

US 20160072831A1
Time in Patent Office

1,229 Days
Field of Search
US Class Current
CPC Class Codes

G06F 3/0482   Interaction with lists of s...

G06F 3/04842   Selection of displayed obje...

H04L 41/22   comprising specially adapte...

H04L 43/028   by filtering

H04L 43/045   for graphical visualisation...

H04L 43/062   related to network traffic

H04L 63/02   for separating internal fro...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1433   Vulnerability analysis

H04L 63/20   for managing network securi...

Systems and methods for network analysis and reporting

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

88 Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for network analysis and reporting

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

88 Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links