Detecting unsanctioned network servers

US 7,634,809 B1
Filed: 03/11/2005
Issued: 12/15/2009
Est. Priority Date: 03/11/2005
Status: Active Grant

First Claim

Patent Images

1. A method of monitoring an enterprise network, comprising:

retrieving metadata describing the enterprise network from the Internet, wherein the metadata comprises domain name system (DNS) records describing the enterprise network;

analyzing the metadata describing the enterprise network, the analyzing comprising analyzing one or more of the DNS records to identify a set of sanctioned servers on the enterprise network;

generating a security profile responsive to the metadata, the security profile describing an expected usage of the enterprise network and identifying the set of sanctioned servers on the enterprise network;

analyzing traffic on the enterprise network using the security profile to determine whether the traffic indicates that an unsanctioned server is operating on the enterprise network; and

reporting an indication of an unsanctioned server operating on the enterprise network, the reporting comprising retrieving configuration information from the security profile describing an action to take responsive to the indication of the unsanctioned server, the action including one or more of;

blocking traffic to the unsanctioned server;

blocking traffic from the unsanctioned server; and

interacting with a network device to secure the network.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An enterprise network can have sanctioned and unsanctioned servers on it. Sanctioned servers are approved by an administrator and perform tasks such as web page serving and mail routing. Unsanctioned servers are not approved by the administrator and represent possible security risks. A service monitor accesses one or more metadata sources having information describing the enterprise network, such as domain name system (DNS) records on the Internet. The service monitor analyzes the metadata and creates a security profile for the enterprise network. The security profile identifies the sanctioned servers. The service monitor monitors network traffic for compliance with the security profile, and detects unsanctioned servers on the network. The service monitor reports violations of the profile and informs the administrator of the unsanctioned servers.

36 Citations

View as Search Results

6 Claims

1. A method of monitoring an enterprise network, comprising:
- retrieving metadata describing the enterprise network from the Internet, wherein the metadata comprises domain name system (DNS) records describing the enterprise network;
  
  analyzing the metadata describing the enterprise network, the analyzing comprising analyzing one or more of the DNS records to identify a set of sanctioned servers on the enterprise network;
  
  generating a security profile responsive to the metadata, the security profile describing an expected usage of the enterprise network and identifying the set of sanctioned servers on the enterprise network;
  
  analyzing traffic on the enterprise network using the security profile to determine whether the traffic indicates that an unsanctioned server is operating on the enterprise network; and
  
  reporting an indication of an unsanctioned server operating on the enterprise network, the reporting comprising retrieving configuration information from the security profile describing an action to take responsive to the indication of the unsanctioned server, the action including one or more of;
  
  blocking traffic to the unsanctioned server;
  
  blocking traffic from the unsanctioned server; and
  
  interacting with a network device to secure the network.
- View Dependent Claims (2)
- - 2. The method of claim 1, further comprising:
    - observing an operation of the enterprise network during a training period to generate training data; and
      
      utilizing the training data to influence the analysis of the traffic and/or the reporting of unsanctioned servers operating on the enterprise network.

3. A system for monitoring an enterprise network, comprising:
- a computer-readable storage medium storing executable computer program code modules, comprising;
  
  a metadata retrieval module for retrieving metadata describing the enterprise network from the Internet, wherein the metadata comprises domain name system (DNS) records describing the enterprise network;
  
  a metadata analysis module for analyzing the metadata describing the enterprise network, the analyzing comprising analyzing one or more of the DNS records to identify a set of sanctioned servers on the enterprise network, and for generating a security profile describing an expected usage of the enterprise network and identifying the set of sanctioned servers on the enterprise network;
  
  a traffic analysis module for analyzing traffic on the enterprise network using the security profile to determine whether the traffic indicates that an unsanctioned server is operating on the enterprise network; and
  
  a reporting module for reporting an indication of an unsanctioned server operating on the enterprise network, the reporting comprising retrieving configuration information from the security profile describing an action to take responsive to the indication of the unsanctioned server, the action including one or more of;
  
  blocking traffic to the unsanctioned server;
  
  blocking traffic from the unsanctioned server; and
  
  interacting with a network device to secure the network.
- View Dependent Claims (4)
- - 4. The system of claim 3, wherein the computer-readable storage medium further comprises:
    - a training module for observing an operation of the enterprise network during a training period to generate training data,wherein the training data are utilized by the metadata analysis module and/or the reporting module.

5. A computer-readable storage medium having executable computer program code modules embodied therein for monitoring an enterprise network, comprising:
- a metadata retrieval module for retrieving metadata describing the enterprise network from the Internet, wherein the metadata comprises domain name system (DNS) records describing the enterprise network;
  
  a metadata retrieval module for analyzing the metadata describing the enterprise network, the analyzing comprising analyzing one or more of the DNS records to identify a set of sanctioned servers on the enterprise network, and for generating a security profile describing an expected usage of the enterprise network and identifying the set of sanctioned servers on the enterprise network;
  
  a traffic analysis module for analyzing traffic on the enterprise network using the security profile to determine whether the traffic indicates that an unsanctioned server is operating on the enterprise network; and
  
  a reporting module for reporting an indication of an unsanctioned server operating on the enterprise network, the reporting comprising retrieving configuration information from the security profile describing an action to take responsive to the indication of the unsanctioned server, the action including one or more of;
  
  blocking traffic to the unsanctioned server;
  
  blocking traffic from the unsanctioned server; and
  
  interacting with a network device to secure the network.
- View Dependent Claims (6)
- - 6. The computer-readable storage medium of claim 5, further comprising:
    - a training module for observing an operation of the enterprise network during a training period to generate training data,wherein the training data are utilized by the metadata analysis module and/or the reporting module.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Nachenberg, Carey S., Schneider, Kenneth
Primary Examiner(s)
Barron, Jr.; Gilberto
Assistant Examiner(s)
Nobahar; Abdulhakim

Application Number

US11/078,451
Time in Patent Office

1,740 Days
Field of Search

726 1- 7, 726 22- 25, 709223-226, 713/67, 713/189, 713/193, 714/4
US Class Current

726/22
CPC Class Codes

H04L 61/4511   using domain name system [DNS]

H04L 63/102   Entity profiles

H04L 63/1416   Event detection, e.g. attac...

Detecting unsanctioned network servers

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

36 Citations

6 Claims

Specification

Solutions

Use Cases

Quick Links

Detecting unsanctioned network servers

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

36 Citations

6 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links