System and method for automatic service discovery and protection

US 9,930,025 B2
Filed: 03/21/2016
Issued: 03/27/2018
Est. Priority Date: 03/23/2015
Status: Expired due to Fees

First Claim

Patent Images

1. A system for automatically discovering services operating on a network, the system comprising:

a service discovery database configured to store expected service behavioral characteristics and service identities of known services operating on the network, each of the service identities being associated with a set of the expected service behavioral characteristics in the service discovery database;

a set of service discovery modules, the set of service discovery modules configured to collect service behavioral data of unknown services operating on the network, wherein the unknown services are not previously known to the network, wherein the set of service discovery modules comprise an identity provider service discovery module configure to;

monitor authentication attempts to an identity provider service; and

generate a log of authentication attempt data associated with the authentication attempts of services attempting to authenticate to the network;

a service discovery module controller communicatively coupled to the service discovery database and the set of service discovery modules, the service discovery module controller configured to identify the unknown services operating on and attempting to authenticate to the network, wherein the identifying includes;

generating a first set of service behavioral characteristics from the service behavioral data;

analyzing the first set of service behavioral characteristics using the expected service behavioral characteristics, resulting in a first behavioral analysis;

analyzing the log of authentication attempt data to identify characteristics of the log of authentication attempt data;

comparing the characteristics of the log of authentication attempt data to a predetermined authentication attempt fingerprint dataset, andidentifying a first service identity of at least one of the unknown services operating on the network that is attempting to authenticate to the network using (i) the first behavioral analysis and an association of the first service identity and a first set of the expected service behavioral characteristics and (ii) results of the comparison of the characteristics of the log of authentication attempt data to the predetermined authentication attempt fingerprint dataset; and

wherein the service discovery module controller is configured to;

automatically implement a security measure based on identifying the after identifying the first service identity of the unknown service, wherein implementing the security measure includes modifying a network access method of the unknown service corresponding to the first service identity to require, at least, a multi-factor authentication measure for connecting to or continued operation of the unknown service on the network thereby reducing or mitigating vulnerability in the network.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system for automatically discovering services operating on a network including a service discovery database configured to store expected service behavioral characteristics and service identities of the services operating on the network, a set of service discovery modules configured to collect service behavioral data of the services operating on the network, and a service discovery module controller communicatively coupled to the service discovery module database and the set of service discovery modules, the service discovery module controller configured to generate service behavioral characteristics from the service behavioral data, analyze the service behavioral characteristics using the expected service behavioral characteristics, resulting in a first behavioral analysis, identify a first service identity of at least one service operating on the network from the first behavioral analysis and an association of the first service identity and the expected service behavioral characteristics.

19 Citations

View as Search Results

24 Claims

1. A system for automatically discovering services operating on a network, the system comprising:
- a service discovery database configured to store expected service behavioral characteristics and service identities of known services operating on the network, each of the service identities being associated with a set of the expected service behavioral characteristics in the service discovery database;
  
  a set of service discovery modules, the set of service discovery modules configured to collect service behavioral data of unknown services operating on the network, wherein the unknown services are not previously known to the network, wherein the set of service discovery modules comprise an identity provider service discovery module configure to;
  
  monitor authentication attempts to an identity provider service; and
  
  generate a log of authentication attempt data associated with the authentication attempts of services attempting to authenticate to the network;
  
  a service discovery module controller communicatively coupled to the service discovery database and the set of service discovery modules, the service discovery module controller configured to identify the unknown services operating on and attempting to authenticate to the network, wherein the identifying includes;
  
  generating a first set of service behavioral characteristics from the service behavioral data;
  
  analyzing the first set of service behavioral characteristics using the expected service behavioral characteristics, resulting in a first behavioral analysis;
  
  analyzing the log of authentication attempt data to identify characteristics of the log of authentication attempt data;
  
  comparing the characteristics of the log of authentication attempt data to a predetermined authentication attempt fingerprint dataset, andidentifying a first service identity of at least one of the unknown services operating on the network that is attempting to authenticate to the network using (i) the first behavioral analysis and an association of the first service identity and a first set of the expected service behavioral characteristics and (ii) results of the comparison of the characteristics of the log of authentication attempt data to the predetermined authentication attempt fingerprint dataset; and
  
  wherein the service discovery module controller is configured to;
  
  automatically implement a security measure based on identifying the after identifying the first service identity of the unknown service, wherein implementing the security measure includes modifying a network access method of the unknown service corresponding to the first service identity to require, at least, a multi-factor authentication measure for connecting to or continued operation of the unknown service on the network thereby reducing or mitigating vulnerability in the network.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23)
- - 2. The system of claim 1, wherein the set of service discovery modules comprises a DNS service discovery module configured to:
    - receive a hostname to query;
      
      query a DNS server with the hostname; and
      
      receive a DNS response;
      
      wherein the service discovery module controller is configured to generate the first set of service behavioral characteristics, and consequently identify the first service identity, based on the DNS response.
  - 3. The system of claim 2, wherein the DNS service module is configured to:
    - transmit an HTTP request to an address identified in the DNS response; and
      
      receive an HTTP response from the address;
      
      wherein the service discovery module controller is configured to generate the first set of service behavioral characteristics, and consequently identify the first service identity, based on the HTTP response.
  - 4. The system of claim 1, wherein the identity provider service discovery module is a plugin to the identity provider service, and wherein the identity provider service is an Active Directory service.
  - 5. The system of claim 1, wherein the set of service discovery modules comprises a network traffic service discovery module configured to:
    - monitor network traffic of the network; and
      
      generate a log of network traffic data associated with the network traffic, wherein the network traffic data comprises at least two of;
      
      packet source, packet destination, packet content, and transmission time;
      
      wherein the service discovery module controller is configured to generate the first set of service behavioral characteristics, and consequently identify the first service identity, based on the log of network traffic data.
  - 6. The system of claim 5, wherein the network traffic service discovery module is a plugin to network traffic monitoring software.
  - 7. The system of claim 1, wherein the set of service discovery modules comprises at least two of:
    - a DNS service discovery module, an identity provider service discovery module, and a network traffic service discovery module,wherein the DNS service discovery module is configured to transmit HTTP requests to identified addresses and collect HTTP response data,wherein the identity provider service discovery module is configured to collect authentication attempt data associated with authentication attempts to an identity provider service on the network,wherein the network traffic service discovery module is configured to collect network traffic data associated with the network, andwherein the service discovery module controller is configured to generate the first set of service behavioral characteristics, and consequently identify the first service identity, based on data collected from both a first and a second service discovery module of the set of service discovery modules.
  - 8. The system of claim 1, wherein the set of service behavioral characteristics comprises the service behavioral data and an analysis of the service behavioral data.
  - 9. The system of claim 8, wherein the analysis of the service behavioral data comprises at least one of:
    - a HTTP response metric, an authentication attempt metric, and a network traffic metric,wherein the HTTP response metric is generated based on an HTTP response analysis of HTTP headers of an HTTP response,wherein the authentication attempt metric is generated based on a comparison between authentication attempts to an identity provider service on the network over a baseline timeframe and authentication attempts to the identity provider service over a later timeframe, wherein the baseline timeframe is associated with a known baseline state of the services operating on the network.
  - 10. The system of claim 9, wherein the network traffic metric is generated based on bandwidth usage of the at least one service operating on the network.
  - 11. The system of claim 1, wherein the service discovery module controller is further configured to:
    - generate a second set of service behavioral characteristics from the service behavioral data;
      
      analyze the second set of service behavioral characteristics using the expected service behavioral characteristics, resulting in a second behavioral analysis; and
      
      identify a second service identity of at least one service operating on the network from the second behavioral analysis and an association of the second service identity and a second set of expected service behavioral characteristics.
  - 12. The system of claim 11, wherein the first and the second sets of expected service behavioral characteristics share at least one service behavioral characteristic.
  - 13. The system of claim 1, wherein a service discovery module of the set of service discovery modules is integrated with the service discovery module controller, and wherein the service discovery module is executed by the service discovery module controller.
  - 14. The system of claim 1, wherein the service discovery module controller is further configured to:
    - control the service discovery module to transmit a service behavioral data probe configured to request service behavioral data; and
      
      receive the requested service behavioral data, wherein the service discovery module controller is configured to generate the first set of service behavioral characteristics, and consequently identify the first service identity, based on the requested service behavioral data.
  - 15. The system of claim 1, wherein the first behavioral analysis comprises a similarity score generated from a comparison of the first set of service behavioral characteristics and the first set of expected service behavioral characteristics.
  - 16. The system of claim 1, wherein the service discovery module controller is configured to assign weights to service behavioral characteristics of the first set of service behavioral characteristics, wherein analyzing the first set of service behavioral characteristics comprises generating a digital fingerprint from the first set of service behavioral characteristics and the weights.
  - 17. The system of claim 16, wherein the service discovery module is configured to identify the first service identity from a comparison of the digital fingerprint and an expected digital fingerprint associated with the first service identity.
  - 18. The system of claim 1, wherein the first behavioral analysis comprises evaluating the first set of service behavioral characteristics using a model generated from the expected service behavioral characteristics.
  - 19. The system of claim 18, wherein the model is configured to be updated with the first set of service behavioral characteristics, wherein the first set of service behavioral characteristics has a link to the first service identity.
  - 20. The system of claim 19, wherein the model is updated only after verification of the link between the first set of service behavioral characteristics and the first service identity.
  - 21. The system of claim 1 wherein the service discovery module controller is configured to:
    - generate a service discovery notification comprising the first service identity; and
      
      notify an administrator of the network with the service discovery notification.
  - 22. The system of claim 1, wherein the service discovery module controller is configured to generate a service discovery notification comprising the first service identity;
    - wherein the service discovery notification comprises an option to verify accuracy of service identification, and wherein the service discovery module database is configured to store a response to the service discovery notification and an association between the response and the first set of service behavioral characteristics.
  - 23. The system of claim 1, wherein the multi-factor authentication measure automatically implementing the security measure comprises configuring the at least one service to require two-factor authentication in response to identifying the first service identity.

24. A method for automatically discovering unknown services operating on a network, the method comprising:
- storing expected service behavioral characteristics and service identities of known services operating on the network, each service identity associated with a set of the expected service behavioral characteristics;
  
  collecting service behavioral data of the unknown services operating on the network;
  
  monitoring authentication attempts to an identity provider service and generating a log of authentication attempt data associated with the authentication attempts of services attempting to authenticate to the network;
  
  generating service behavioral characteristics from the service behavioral data;
  
  analyzing the service behavioral characteristics using the expected service behavioral characteristics, resulting in a first behavioral analysis;
  
  analyzing the log of authentication attempt data to identify characteristics of the log of authentication attempt data;
  
  comparing the characteristics of the log of authentication attempt data to a predetermined authentication attempt fingerprint dataset, andidentifying a first service identity of at least one of the unknown services operating on the network that is attempting to authenticate to the network based on (i) the first behavioral analysis and an association of the first service identity and a first set of the expected service behavioral characteristics and (ii) results of the comparison of the characteristics of the log of authentication attempt data to the predetermined authentication attempt fingerprint dataset;
  
  wherein, based on identifying the first service of the at least one of the unknown services operating on the network;
  
  automatically implementing a security measure based on identifying the first service identity of the unknown service, wherein implementing the security measure includes modifying a network access method of the at least one unknown service corresponding to the first service identity to require an authentication measure comprising a multi-factor authentication for continued operation of the unknown service on the network thereby reducing or mitigating vulnerability in the network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Duo Security Incorporated (Cisco Systems, Inc.)
Inventors
Oberheide, Jon, Song, Dug
Primary Examiner(s)
Kim, Jung
Assistant Examiner(s)
Stoica, Adrian

Application Number

US15/075,687
Publication Number

US 20160285847A1
Time in Patent Office

736 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/6281   at program execution time, ...

G06F 2221/2101   Auditing as a secondary aspect

G06F 9/00   Arrangements for program co...

H04L 61/4511   using domain name system [DNS]

H04L 61/4541   Directories for service dis...

H04L 63/0272   Virtual private networks

H04L 63/029   Firewall traversal, e.g. tu...

H04L 63/08   for authentication of entit...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 67/02   based on web technology, e....

H04L 67/51   Discovery or management the...

System and method for automatic service discovery and protection

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

19 Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for automatic service discovery and protection

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

19 Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links