US10375099B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-10375099-B2 |
| Application number | US-201715660593-A |
| Country | US |
| Kind code | B2 |
| Filing date | Jul 26, 2017 |
| Priority date | Jul 26, 2017 |
| Publication date | Aug 6, 2019 |
| Grant date | Aug 6, 2019 |
Abstract
A system that includes a threat management server configured to store a device log file identifying location information for endpoint devices that have passed authentication. The threat management server identifies a first instance and a second instance of an endpoint device in the device log file. The threat management server identifies a first switch connected to the first instance of the endpoint device and a second switch connected to the second instance of the endpoint device. The threat management server sends location information requests to the first switch and the second switch, requesting location information for the first instance and the second instance of the endpoint device, respectively. The threat management server compares the received location information to the location information in the device log file to identify a spoofed instance of the endpoint device, and blocks the spoofed instance of the endpoint device from accessing the communications network.
Claims (preview)
The invention claimed is:

1. A system comprising: a threat management server in a network, comprising: a memory configured to store: a device log file identifying location information for endpoint devices that have passed authentication; a threat management engine implemented by a processor configured to: identify a first instance of an endpoint device in the device log file; identify a second instance of the endpoint device in the device log file; determine a device identifier for the endpoint device based on the device log file; identify a first switch connected to the first instance of the endpoint device based on the device log file; send a first location information request comprising the device identifier to the first switch, wherein the first location information request requests location information for the first instance of the endpoint device; receive location information for the first instance of the endpoint device in response to sending the first location information request; identify a second switch connected to the second instance of the endpoint device based on the device log file; send a second location information request comprising the device identifier to the second switch, wherein the second location information request requests location information for the second instance of the endpoint device; receive location information for the second instance of the endpoint device in response to sending the second location information request; compare the location information for the first instance of the endpoint device and the location information for the second instance of the endpoint device to the location information for the endpoint device in the device log file; identify a spoofed instance of the endpoint device based on the comparison, wherein: the spoofed instance of the endpoint device is one of the first instance of the endpoint device and the second instance of the endpoint device; and identifying the spoofed instance of the endpoint device is based on a location mismatch between received location information and the location information for the endpoint device in the device log file; and block the spoofed instance of the endpoint device from accessing the network in response to identifying the spoofed instance of the endpoint device; the first switch operably coupled to the threat management server, configured to: receive the first location information request for the first instance of the endpoint device; identify the first instance of the endpoint device connected to the first switch; and send location information for the first instance of the endpoint device to the threat management server; and the second switch operably coupled to the threat management server, configured to: receive the second location information request for the second instance of the endpoint device; identify the second instance of the endpoint device connected to the first switch; and send location information for the second instance of the endpoint device to the threat management server.

2. The system of claim 1, wherein the threat management engine is configured to remove the spoofed instance of the endpoint device from a white list in response to blocking the spoofed instance of the endpoint device from accessing the network.

3. The system of claim 1, wherein the location mismatch is a geographic region mismatch for the endpoint device.

4. The system of claim 1, wherein: blocking the spoofed instance of the endpoint device from accessing the network comprises sending a blackhole command; and the blackhole command triggers a transformation of the destination of traffic associated with the spoofed instance of the endpoint device to a null destination.

5. The system of claim 1, wherein: blocking the spoofed instance of the endpoint device from accessing the network comprises sending a blackhole command; and the blackhole command triggers traffic associated with the spoofed instance of the endpoint device to be discarded.

6. The system of claim 1, wherein: blocking the spoofed instance of the endpoint device from accessing the network comprises sending a disable command; and the disable command disables a port the spoofed instance of the endpoint device is connected to.

7. The system of claim 1, wherein: blocking the spoofed instance of the endpoint device from accessing the network comprises sending a disable command; and the disable command triggers disconnecting electrical power to a port the spoofed instance of the endpoint device is connected to.

8. A threat management server in a network, comprising: a memory configured to store: a device log file identifying location information for endpoint devices that have passed authentication; a threat management engine implemented by a processor configured to: identify a first instance of an endpoint device in the device log file; identify a second instance of the endpoint device in the device log file; determine a device identifier for the endpoint device based on the device log file; identify a first switch connected to the first instance of the endpoint device based on the device log file; send a first location information request comprising the device identifier to the first switch, wherein the first location information request requests location information for the first instance of the endpoint device; receive location information for the first instance of the endpoint device in response to sending the first location information request; identify a second switch connected to the second instance of the endpoint device based on the device log file; send a second location information request comprising the device identifier to the second switch, wherein the second location information request requests location information for the second instance of the endpoint device; receive location information for the second instance of the endpoint device in response to sending the second location information request; compare the location information for the first instance of the endpoint device and the location information for the second instance of the endpoint device to the location information for the endpoint device in the device log file; identify a spoofed instance of the endpoint device based on the comparison, wherein: the spoofed instance of the endpoint device is one of the first instance of the endpoint device and the second instance of the endpoint device; and identifying the spoofed instance of the endpoint device is based on a location mismatch between received location information and the location information for the endpoint device in the device log file; and block the spoofed instance of the endpoint device from accessing the network in response to identifying the spoofed instance of the endpoint device.

9. The device of claim 8, wherein the threat management engine is configured to remove the spoofed instance of the endpoint device from a white list in response to blocking the spoofed instance of the endpoint device from accessing the network.

10. The device of claim 8, wherein the location mismatch is a geographic region mismatch for the endpoint device.

11. The device of claim 8, wherein: blocking the spoofed instance of the endpoint device from accessing the network comprises sending a blackhole command; and the blackhole command triggers a transformation of the destination of traffic associated with the spoofed instance of the endpoint device to a null destination.

12. The device of claim 8, wherein: blocking the spoofed instance of the endpoint device from accessing the network comprises sending a blackhole command; and the
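The abstract and claims 1 through 7 describe one detection loop: find a device identifier that appears twice in the log of authenticated endpoints, ask each switch where it currently sees that identifier, compare the answers with the location held in the log, flag the instance that disagrees, block it, and drop it from the white list. The following is an added example that models that loop; it is not the patent's code nor any assignee's implementation. Everything in it is constructed: the MAC addresses used as device identifiers, the switch names, ports and regions, the location request (answered here by a dictionary lookup), the rule that the earliest authenticated instance is the log's reference location, and the two block message shapes.

```python
# Added example, not from the patent or any assignee's code: a toy model of the
# spoof-detection loop in the abstract and claims. All names and data are
# constructed for illustration.
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class LogEntry:
    """One authenticated appearance of an endpoint in the device log file."""
    device_id: str  # MAC address used as the device identifier (assumption)
    switch: str     # switch the endpoint authenticated through
    port: str
    region: str     # geographic region recorded at authentication


@dataclass(frozen=True)
class Finding:
    """An instance whose reported location does not match the log."""
    device_id: str
    switch: str
    port: str
    reported_region: str
    expected_region: str


# Constructed device log: the same MAC has passed authentication twice,
# first through a New York switch and later through a London switch.
DEVICE_LOG = [
    LogEntry("00:1a:2b:3c:4d:5e", "sw-nyc-01", "Gi1/0/7", "us-east"),
    LogEntry("00:1a:2b:3c:4d:5e", "sw-lon-03", "Gi1/0/12", "us-east"),
    LogEntry("aa:bb:cc:dd:ee:01", "sw-nyc-01", "Gi1/0/9", "us-east"),
]

# Constructed switch answers to a location information request: for a MAC,
# the port and region on which the switch currently sees it.
SWITCH_VIEW = {
    "sw-nyc-01": {
        "00:1a:2b:3c:4d:5e": {"port": "Gi1/0/7", "region": "us-east"},
        "aa:bb:cc:dd:ee:01": {"port": "Gi1/0/9", "region": "us-east"},
    },
    "sw-lon-03": {
        "00:1a:2b:3c:4d:5e": {"port": "Gi1/0/12", "region": "eu-west"},
    },
}


def duplicate_instances(log):
    """Group log entries by device identifier and keep the identifiers that
    appear more than once (the first and second instance of the claims)."""
    by_id = defaultdict(list)
    for entry in log:
        by_id[entry.device_id].append(entry)
    return {d: entries for d, entries in by_id.items() if len(entries) > 1}


def query_switch(view, switch, device_id) -> Optional[dict]:
    """Stand-in for the location information request sent to one switch.
    Returns None when the switch no longer sees the identifier."""
    return view.get(switch, {}).get(device_id)


def detect_spoofed(log, view):
    """Compare what each switch reports against the log and return the
    instances whose region disagrees with it (the spoofed instances)."""
    findings = []
    for device_id, entries in duplicate_instances(log).items():
        # Assumption: the region of the earliest authenticated instance is the
        # reference location the log holds for this device.
        expected = entries[0].region
        for entry in entries:
            reported = query_switch(view, entry.switch, device_id)
            if reported is None:
                continue  # stale log entry: nothing to compare, nothing to block
            if reported["region"] != expected:
                findings.append(Finding(device_id, entry.switch, reported["port"],
                                        reported["region"], expected))
    return findings


def block_command(finding, mode="blackhole"):
    """Build the blocking message for a finding: 'blackhole' drops traffic for
    the identifier, 'disable_port' shuts the port the instance is on.
    Both message shapes are hypothetical, not any vendor's CLI."""
    if mode == "blackhole":
        return ("blackhole", finding.device_id)
    if mode == "disable_port":
        return ("disable_port", finding.switch, finding.port)
    raise ValueError(f"unknown block mode: {mode}")


def enforce(log, view, allow_list, mode="blackhole"):
    """Run detection, emit one block command per finding and drop the blocked
    instance from the white list (claim 2). Returns (commands, new_allow_list)."""
    findings = detect_spoofed(log, view)
    commands = [block_command(f, mode) for f in findings]
    blocked = {(f.device_id, f.switch, f.port) for f in findings}
    return commands, {inst for inst in allow_list if inst not in blocked}


if __name__ == "__main__":
    allow = {(e.device_id, e.switch, e.port) for e in DEVICE_LOG}
    cmds, allow = enforce(DEVICE_LOG, SWITCH_VIEW, allow, mode="disable_port")
    for c in cmds:
        print("send:", c)
    print("still allowed:", sorted(allow))
```

Two points a practitioner would check before deploying anything like this. First, a blackhole keyed on the device identifier (claims 4, 5, 11, 12) hits both instances in this model, because the spoofed instance is by definition using the same identifier as the legitimate one; the port-level disable of claims 6 and 7 is the form that reaches only the spoofed instance. Second, a switch that no longer sees the identifier yields no location to compare, so the loop above skips that entry rather than guessing, which matters when the log is older than the switch's forwarding table.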
CPC classifications:
- Traffic logging, e.g. anomaly detection
- Service impersonation, e.g. phishing, pharming or web spoofing (detection of rogue wireless access points H04W12/12)