Real-time change detection for network systems

US 20050154733A1
Filed: 12/03/2004
Published: 07/14/2005
Est. Priority Date: 12/05/2003
Status: Abandoned Application

First Claim

Patent Images

1. A method of assessing network change comprising:

receiving data traffic from a network;

establishing a baseline configuration for the network;

scanning the data traffic for the network in a continuous manner; and

comparing the scanned data traffic with the baseline configuration to determine if a change to the network has occurred.

View all claims

8 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system for conducting continuous, real-time vulnerability detection of computer networks. The system includes a user interface, a scan engine and a database for obtaining and storing information concerning a network in general and devices and services that may interact with the network. The system provides continuous scanning of the network, each scan being compared with a predetermined baseline network configuration to determine if a change to the network has occurred. If a change has occurred, the system issues an alert informing a network administrator of the where and how the network has changed so appropriate action may be taken by the network administrator.

69 Citations

View as Search Results

74 Claims

1. A method of assessing network change comprising:
- receiving data traffic from a network;
  
  establishing a baseline configuration for the network;
  
  scanning the data traffic for the network in a continuous manner; and
  
  comparing the scanned data traffic with the baseline configuration to determine if a change to the network has occurred.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method of claim 1, wherein the comparison occurs in real-time.
  - 3. The method of claim 1 further comprising issuing an alert to a network administrator if a change to the network has been detected.
  - 4. The method of claim 3, wherein the alert to the network administrator occurs in real-time.
  - 5. The method of claim 1 further comprising launching at least one vulnerability scanner to be used by the network if a change to the network is detected.
  - 6. The method of claim 1, wherein the comparison step uses a detection algorithm.
  - 7. The method of claim 1, wherein the scanning step uses a continuous scanning algorithm.
  - 8. The method of claim 1 further comprising using a module having deep knowledge about a particular part of the network to identify changes to the particular part of the network.
  - 9. The method of claim 1 further comprising limiting a bandwidth used during the scanning step.
  - 10. The method of claim 1 further comprising reporting network information to a network administrator.
  - 11. The method of claim 1 further comprising storing an inventory of devices and services connected to the network.
  - 12. The method of claim 11, wherein the inventory is updated in real-time.
  - 13. The method of claim 1 further comprising receiving operation preferences from a network administrator using a graphical user interface.

14. A computer based medium, comprising an application being executable by a computer, wherein the computer executes the steps of:
- receiving data traffic from a network;
  
  establishing a baseline configuration for the network;
  
  scanning the data traffic for the network in a continuous manner; and
  
  comparing the scanned data traffic with the baseline configuration to determine if a change to the network has occurred.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26)
- - 15. The computer based medium of claim 14, wherein the comparison occurs in real-time.
  - 16. The computer based medium of claim 14, further comprising issuing an alert to a network administrator if a change to the network has occurred.
  - 17. The computer based medium of claim 16, wherein the alert to the network administrator occurs in real-time.
  - 18. The computer based medium of claim 14, further comprising launching at least one vulnerability scanner to be used by the network if a change to the network is detected.
  - 19. The computer based medium of claim 14, wherein the comparison step uses a detection algorithm.
  - 20. The computer based medium of claim 14, wherein the scanning step uses a continuous scanning algorithm.
  - 21. The computer based medium of claim 14 further comprising using a module having deep knowledge about a particular part of the network to identify changes to the particular part of the network.
  - 22. The computer based medium of claim 14, further comprising limiting a bandwidth used during the scanning step.
  - 23. The computer based medium of claim 14, further comprising reporting network information to a network administrator.
  - 24. The computer based medium of claim 14 further comprising storing an inventory of devices and services connected to the network.
  - 25. The computer based medium of claim 24, wherein the inventory is updated in real-time.
  - 26. The computer based medium of claim 14, further comprising receiving operation preferences from a network administrator using a graphical user interface.

27. A system for assessing network change comprising:
- a computer system including a processor for executing computer code; and
  
  an application for execution on the computer system, wherein the computer system, when executing the application receives data traffic from a network, establishes a baseline configuration for the network, scans the data traffic for the network in a continuous manner, and compares the scanned data traffic with the baseline configuration to determine if a change to the network has occurred.
- View Dependent Claims (28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50)
- - 28. The system of claim 27, further comprising a management server for coordinating communications between at least one scan engine and at least one user interface, wherein the communications are used in determining if the network has changed.
  - 29. The system of claim 28, wherein the management server coordinates information transferred from a database containing network information and sends network information to the database based on requests by the user interface and the scan engine.
  - 30. The system of claim 29, wherein the database stores information associated with an inventory of devices and services connected to the network.
  - 31. The system of claim 30, wherein the inventory is updated in real-time.
  - 32. The system of claim 28, wherein the communications between the management server, the at least one scan engine and the at least one use interface uses an encrypted socket protocol.
  - 33. The system of claim 28, wherein the management server maintains relational information between at least one client and the network.
  - 34. The system of claim 28, wherein the scan engine scans data traffic in a continuous manner.
  - 35. The system of claim 34, wherein the scan engine scans data in real-time.
  - 36. The system of claim 28, wherein the scan engine uses a module to obtain information particular to a network device for use in scanning the particular network device.
  - 37. The system of claim 28 wherein the scan engine uses a web crawler to identify links in a web page for use when scanning a web service.
  - 38. The system of claim 28, wherein the scan engine separates a host scan from a port scan for use by a network administrator in controlling scan engine performance.
  - 39. The system of claim 28 wherein the scan engine further comprises a heuristics engine for identifying a particular asset on the network and indicating when the particular asset on the network changes.
  - 40. The system of claim 28 wherein the scan engine a bandwidth shaping algorithm for limiting a bandwidth used by the system when communicating with network devices.
  - 41. The system of claim 28, wherein the scan engine launches at least one vulnerability scanner to be used by the network if a change to the network is detected.
  - 42. The system of claim 28, wherein the scan engine uses a scripting language to launch external scanners and external intrusion detection systems.
  - 43. The system of claim 28, wherein the scan engine uses a detection algorithm to determine if a change to the network has occurred.
  - 44. The system of claim 28, wherein the scan engine uses a continuous scanning algorithm.
  - 45. The system of claim 28, wherein the user interface is a graphical user interface.
  - 46. The system of claim 28, wherein the user interface is used to modify a network profile.
  - 47. The system of claim 28, wherein a network administrator uses the user interface to assign a criticality level to a device connected to the network.
  - 48. The system of claim 27 further comprising an alert manager for issuing an alert to a network administrator if a change to the network has occurred.
  - 49. The system of claim 48, wherein the alert from the alert manager to the network administrator occurs in real-time.
  - 50. The system of claim 27, wherein the system reports network information to a network administrator.

51. A system for assessing network change comprising:
- means for receiving data traffic from a network;
  
  means for establishing a baseline configuration for the network;
  
  means for scanning the data traffic for the network in a continuous manner; and
  
  means for comparing the scanned data traffic with the baseline configuration to determine if a change to the network has occurred.

52. A heuristics engine comprising:
- an IP layer component for monitoring at least one port of a network;
  
  an application services component for monitoring at least one application running on the network; and
  
  a web services component for monitoring at least one web service running on the network.
- View Dependent Claims (53, 54, 55, 56, 57, 58, 59, 60, 61, 62, 63, 64, 65)
- - 53. The engine of claim 52, wherein the IP layer component monitors a TCP port.
  - 54. The engine of claim 52, wherein the IP layer component monitors a UDP port.
  - 55. The engine of claim 52, wherein the IP layer component monitors a port range.
  - 56. The engine of claim 52, wherein the IP layer component issues an alert to a network administrator if a change occurs to a port between scans.
  - 57. The engine of claim 52, wherein the IP layer component continuously scans at least one IP addresses, at least one TCP port and at least one UDP port.
  - 58. The engine of claim 52, wherein the IP layer component continuously scans at least one IP addresses, at least one TCP port or at least one UDP port.
  - 59. The engine of claim 52, wherein the IP layer component launches the application services component to obtain information about a service.
  - 60. The engine of claim 52, wherein the application services component interrogates a service to obtain statistical data point from the service.
  - 61. The engine of claim 52, wherein the application services component parses check information from a service.
  - 62. The engine of claim 52, wherein the web services component determines if a change to a web service has occurred.
  - 63. The engine of claim 52, wherein the web services component determines if a change to a file hosted on a web server has occurred.
  - 64. The engine of claim 52, wherein the web services component uses a check to identify whether a change has occurred within a web service.
  - 65. The engine of claim 52, wherein the web services component creates a graphical representation of a web server directory tree for use in monitoring a web server.

66. A computer based medium, comprising:
- an application being executable by a computer, wherein the computer executes the steps of;
  
  receiving network traffic from a network;
  
  setting a baseline network configuration based on the network traffic received; and
  
  scanning the network in a continuous manner to determine if a change has occurred to the network, wherein the scanning of the network is limited by a bandwidth setting which establishes a maximum usable bandwidth for a scan engine during the scan.
- View Dependent Claims (67, 68, 69, 70, 71, 72, 73, 74)
- - 67. The computer based medium of claim 66, wherein a network administrator sets the bandwidth settings.
  - 68. The computer based medium of claim 66, wherein a network administrator sets a skip host detection setting for performing port scans using active host detection.
  - 69. The computer based medium of claim 66, wherein a network administrator sets a port and new host scanning rate.
  - 70. The computer based medium of claim 66, wherein a bandwidth logger is used to track the bandwidth being used during a scan.
  - 71. The computer based medium of claim 70, wherein the bandwidth logger delays a scan if the maximum usable bandwidth has been reached for the scan engine.
  - 72. The computer based medium of claim 71, wherein the amount of delay for the scan is calculated using a rate of delay algorithm.
  - 73. The computer based medium of claim 66, wherein the maximum usable bandwidth for a scan is set by a network administrator according a network usage schedule.
  - 74. The computer based medium of claim 66, wherein a network administrator sets a maximum number of scans of the network that may occur within a predetermined period of time.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Tripwire Incorporated (Belden Inc.)
Original Assignee
Tripwire Incorporated (Belden Inc.)
Inventors
Meltzer, David, Albert, Jim, Larimer, Jon, Weisser, Will, Gisby, Doug

Application Number

US11/004,289
Publication Number

US 20050154733A1
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/554 involving event detection a...

H04L 63/1416 Event detection, e.g. attac...

Real-time change detection for network systems

First Claim

8 Assignments

0 Petitions

Accused Products

Abstract

69 Citations

74 Claims

Specification

Use Cases

Quick Links

Others

Real-time change detection for network systems

First Claim

8 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

69 Citations

74 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others