Network segmentation

US 10,021,116 B2
Filed: 02/17/2015
Issued: 07/10/2018
Est. Priority Date: 02/19/2014
Status: Active Grant

First Claim

Patent Images

1. A system for automatically generating segments in a medical provider network, the system comprising:

a plurality of hosts configured to generate network activity information, at least a portion of the hosts belonging to a medical provider organization and connected via the medical provider network; and

an analyzer server configured to analyze the network activity information, the analyzer server comprising;

memory that stores computer-executable instructions; and

at least one processor configured to access the memory and execute the computer-executable instructions to at least;

receive a portion of the network activity information collected during an observation period, the portion of the network activity information describing interactions of the plurality of hosts of a first medical system and a second medical system on the medical provider network during the observation period;

identify one or more metrics based in part on at least the portion of the network activity information, the one or more metrics identifying relationships between hosts of the plurality of hosts;

determine a plurality of observation vectors based at least in part on the one or more metrics, individual observation vectors of the plurality comprising one or more dimensions and representing individual hosts of the plurality of hosts;

generate a plurality of clusters based at least in part on the plurality of observation vectors, a particular cluster of the plurality of clusters comprising a particular set of observation vectors representing a first set of hosts of the first medical system and a second set of hosts of the second medical system,at least some hosts of the first set of hosts and the second set of hosts dissimilar from each other with respect to network interactions performable by the respective hosts the medical provider network;

in response to generating the plurality of clusters, identify a cluster profile for the particular cluster of the plurality of clusters;

determine a system type to which both of the first medical system and the second medical system belong based at least in part on characteristics of the identified cluster profile;

verify the system type using outside information, the outside information comprising information other than the network activity information and being associated with at least a portion of the plurality of hosts;

determine at least one segment within the medical provider network based at least in part on the system type and verifying the system type, the at least one segment being specific to the system type and comprising a plurality of sub-segments that create a plurality of barriers within the at least one segment that affect network communications between;

other hosts of the medical provider network outside the at least one segment; and

the first set of hosts in a first sub-segment of the plurality of sub-segments and the second set of hosts in a second sub-segment of the plurality of sub-segment; and

exclude or include, based on the at least one segment, a portion of the network communications between the other hosts and the first set of hosts and the second set of hosts on the medical provider network.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and system for segmenting a network including a plurality of hosts is disclosed. In an example embodiment, the network is a provider network. The method receives network activity information describing network traffic between hosts of the plurality. The method generates observations from the network activity information and organizes the observations into clusters. The method determines a profile for each cluster that corresponds to a potential system type implemented by one or more of the hosts of the medical provider network. The method determines segments within the provider network based on the profiled system types.

Citations

18 Claims

1. A system for automatically generating segments in a medical provider network, the system comprising:
- a plurality of hosts configured to generate network activity information, at least a portion of the hosts belonging to a medical provider organization and connected via the medical provider network; and
  
  an analyzer server configured to analyze the network activity information, the analyzer server comprising;
  
  memory that stores computer-executable instructions; and
  
  at least one processor configured to access the memory and execute the computer-executable instructions to at least;
  
  receive a portion of the network activity information collected during an observation period, the portion of the network activity information describing interactions of the plurality of hosts of a first medical system and a second medical system on the medical provider network during the observation period;
  
  identify one or more metrics based in part on at least the portion of the network activity information, the one or more metrics identifying relationships between hosts of the plurality of hosts;
  
  determine a plurality of observation vectors based at least in part on the one or more metrics, individual observation vectors of the plurality comprising one or more dimensions and representing individual hosts of the plurality of hosts;
  
  generate a plurality of clusters based at least in part on the plurality of observation vectors, a particular cluster of the plurality of clusters comprising a particular set of observation vectors representing a first set of hosts of the first medical system and a second set of hosts of the second medical system,at least some hosts of the first set of hosts and the second set of hosts dissimilar from each other with respect to network interactions performable by the respective hosts the medical provider network;
  
  in response to generating the plurality of clusters, identify a cluster profile for the particular cluster of the plurality of clusters;
  
  determine a system type to which both of the first medical system and the second medical system belong based at least in part on characteristics of the identified cluster profile;
  
  verify the system type using outside information, the outside information comprising information other than the network activity information and being associated with at least a portion of the plurality of hosts;
  
  determine at least one segment within the medical provider network based at least in part on the system type and verifying the system type, the at least one segment being specific to the system type and comprising a plurality of sub-segments that create a plurality of barriers within the at least one segment that affect network communications between;
  
  other hosts of the medical provider network outside the at least one segment; and
  
  the first set of hosts in a first sub-segment of the plurality of sub-segments and the second set of hosts in a second sub-segment of the plurality of sub-segment; and
  
  exclude or include, based on the at least one segment, a portion of the network communications between the other hosts and the first set of hosts and the second set of hosts on the medical provider network.
- View Dependent Claims (2, 3)
- - 2. The system of claim 1, further comprising a collector server, the collector server configured to at least:
    - collect the network activity information generated by the plurality of hosts; and
      
      save the network activity information in association with a data store; and
      
      provide the portion of the network activity information to the analyzer server.
  - 3. The system of claim 1, wherein the at least one processor is further configured to access the memory and execute the computer-executable instructions to at least:
    - receive a request to add a new host to the medical provider network; and
      
      assign the new host to a cluster of the plurality of clusters by comparing characteristics of the new host with characteristics of a first portion of hosts belonging to the cluster.

4. A computer-implemented method for automatically generating segments in a medical provider network, the method comprising:
- receiving, by a computer system, network activity information collected during an observation period, the network activity information describing interactions of a plurality of hosts of a first medical system and a second medical system on the medical provider network during the observation period;
  
  identifying one or more metrics based in part on at least a portion of the network activity information, the one or more metrics identifying relationships between hosts of the plurality of hosts;
  
  determining a plurality of observation vectors based at least in part on the one or more metrics, individual observation vectors of the plurality comprising one or more dimensions and representing individual hosts of the plurality of hosts;
  
  generating, by the computer system, a plurality of clusters based in part on the plurality of observation vectors, a particular cluster of the plurality of clusters comprising a particular set of observation vectors representing a first set of hosts of the first medical system and a second set of hosts of the second medical system at least some hosts of the first set of hosts and the second set of hosts dissimilar from each other with respect to network interactions performable by the respective hosts on the medical provider network;
  
  in response to generating the plurality of clusters, identifying a cluster profile for the particular cluster of the plurality of clusters;
  
  determine a system type to which both of the first medical system and the second medical system belong based at least in part on characteristics of the identified cluster profile;
  
  verifying the system type using outside information, the outside information comprising information other than the network activity information and being associated with at least a portion of the plurality of hosts;
  
  determining, by the computer system, a segment within the medical provider network based at least in part on the system type and verifying the system type, the segment being specific to the system type and comprising a plurality of sub-segments that create a plurality of barriers within the segment that affect network communications between;
  
  other hosts of the medical provider network outside the at least one segment; and
  
  the first set of hosts in a first sub-segment of the plurality of sub-segments and the second set of hosts in a second sub-segment of the plurality of sub-segments; and
  
  exclude or include, based on the segment, a portion of the network communications between the other hosts and the first set of hosts and the second set of hosts on the medical provider network.
- View Dependent Claims (5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 18)
- - 5. The computer-implemented method of claim 4, further comprising:
    - collecting the network activity information generated by the plurality of hosts; and
      
      saving the network activity information in association with a data store.
  - 6. The computer-implemented method of claim 4, wherein the network activity information is collected using third-party collection software, the network activity information provided in at least one of the following formats:
    - Internet Protocol Flow Information Exchange, Domain Name System (DNS) records, web proxy records or packet capture.
  - 7. The computer-implemented method of claim 4, further comprising:
    - receiving a request to add a new host to the medical provider network; and
      
      assigning the new host to a cluster of the plurality of clusters by comparing characteristics of the new host with characteristics of a first portion of hosts belonging to the cluster.
  - 8. The computer-implemented method of claim 4, further comprising:
    - in response to generating the plurality of clusters, identifying a target host belonging to the particular cluster at a first time when the cluster profile is identified; and
      
      determining a host profile for the target host with respect to a comparison of the cluster profile and a subset of network activity information for the target host.
  - 9. The computer-implemented method of claim 8, further comprising:
    - after determining the host profile, monitoring first network interactions of the target host; and
      
      providing an indication to an authorized user when a portion of the first network interactions indicate that the target host is operating outside of the host profile.
  - 10. The computer-implemented method of claim 4, further comprising:
    - in response to generating the plurality of clusters, identifying a compromised profile for a second cluster of the plurality of clusters, the compromised profile representative of compromised hosts; and
      
      comparing first network interactions of the plurality of hosts with the compromised profile to determine whether a particular host of the plurality of hosts has been compromised.
  - 11. The computer-implemented method of claim 4, wherein identifying the cluster profile for the particular cluster of the plurality of clusters comprises:
    - receiving a plurality of cluster profiles from a third party, the cluster profile included in the plurality of cluster profiles; and
      
      selecting the cluster profile from among the plurality of cluster profiles based at least in part on characteristics of the particular cluster.
  - 12. The computer-implemented method of claim 4, wherein determining the segment within the medical provider network comprises determining a plurality of segments, each segment of the plurality of segments including or excluding at least one potential system.
  - 13. The computer-implemented method of claim 12, wherein the plurality of segments comprises at least one of a device segment, an application segment, a user segment, a clinical segment, a profile user segment, a department segment, a medical device segment, or a control system segment.
  - 14. The computer-implemented method of claim 4, wherein the plurality of clusters is generated using one or more clustering techniques, the one or more clustering techniques comprising at least one of a k-means clustering technique, a hierarchal clustering technique, an expectation maximization clustering technique, a density-based special clustering of applications with noise technique, or a self-organizing map clustering technique.
  - 18. The computer-implemented method of claim 4, wherein:
    - generating the plurality of clusters comprises;
      
      determining a centroid for each cluster of the plurality of clusters;
      
      determining a distortion for each cluster of the plurality of clusters; and
      
      generating, based at least in part on the centroid and the distortion for each cluster, a data structure that includes at least a host identifier, a cluster identifier, and an observation vector; and
      
      identifying the cluster profile is based on the data structure.

15. A computer-implemented method for identifying compromised profiles using probability profiles, the method comprising:
- receiving, by a computer system, network activity information collected during an observation period, the network activity information describing interactions of a user with a plurality of hosts on a medical provider network during the observation period, each of the plurality of hosts associated with at least one sub-segment of a plurality of segments of the medical provider network;
  
  determining a client profile based at least in part on the network activity information corresponding to the interactions of the user with at least a portion of the plurality of hosts on the medical provider network, the client profile comprising an identified state path for the user that identifies the portion of the plurality of hosts and an order according to which the user has previously accessed the plurality of hosts;
  
  determining, by the computer system and based on the client profile, a probability profile for the user, the probability profile including a prediction that the user will use a client device to interact with a next host of the plurality of hosts given a current host selected from the portion of the plurality of hosts, individual hosts of the plurality of hosts dissimilar from each other with respect to network interactions performable by the plurality of hosts on the medical provider network;
  
  verifying the probability profile using outside information, the outside information comprising information other than the network activity information and being associated with at least the portion of the plurality of hosts;
  
  determining, based on the probability profile and a first host with which the client device has interacted, that a particular interaction of the client device with a second host of the plurality of hosts falls outside the probability profile of the user;
  
  providing an indication about the particular interaction to an authorized user, the indication including the probability profile; and
  
  excluding future network communications of the client device on the medical provider network based on the particular interaction falling outside the probability profile for the user.
- View Dependent Claims (16, 17)
- - 16. The computer-implemented method of claim 15, wherein the probability profile comprise a probabilistic determination for subsequent hosts of the portion of the plurality of hosts, given the current host selected from the portion of the plurality of hosts.
  - 17. The computer-implemented method of claim 15, wherein the client profile comprises a state machine representative of the network activity information corresponding to the interactions of the user with the portion of the plurality of hosts on the medical provider network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
C-HCA, Inc.
Original Assignee
HCA Holdings Incorporated (HCA Healthcare, Inc.)
Inventors
Bassett, Gabriel David
Primary Examiner(s)
Avellino, Joseph E
Assistant Examiner(s)
Kunwar, Binod J

Application Number

US14/623,806
Publication Number

US 20150236935A1
Time in Patent Office

1,239 Days
Field of Search

709224
US Class Current
CPC Class Codes

H04L 41/08   Configuration management of...

H04L 41/14   Network analysis or design

H04L 43/18   Protocol analysers

H04L 63/1408   by monitoring network traff...

H04L 63/1425   Traffic logging, e.g. anoma...

Network segmentation

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Network segmentation

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links