Title of invention: Persistent host determination
Abstract: A system comprises a security manager to scan a network for host instances representing hosts on the network at that time, and record characteristics of the host instances in a host record. The security manager subsequently scans the network for host instances in order to identify persistent hosts. A host profiling module takes snapshots of the network to generate host instances based on characteristics such as an IP address, a NetBIOS name, a DNS name, a MAC address. A host matching module correlates host instances from different snapshots using weighted rules (predetermined or customized) to discriminate between multiple potential matching host instances. Also, security logic makes security decisions based on data including persistent host information.
Publication number: US9280667(B1) Publication date: 2016.03.08
Application number: US200511033414 Filing date: 2005.01.10
Applicant: Tripwire, Inc. Inventors: Keanini Timothy D.;Molitor Andrew;Gurney John-Mark;Cooper Jeremy;Buchanan Brian
Classification: G06F12/14;G06F21/57;H04L29/06 Main classification: G06F12/14
Agency: Klarquist Sparkman, LLP Agent: Klarquist Sparkman, LLP
Independent claim: 1. A method for identifying persistent hosts in a dynamically configured network, comprising: establishing a plurality of records, each record stored on a storage medium and describing one or more characteristics of a persistent host on the network and one or more detected vulnerabilities of the persistent host, wherein the persistent host corresponds to a previously observed host instance on the network; receiving a snapshot of the network having at least one currently existing host instance for an unknown host on the network, the unknown host having a dynamically assigned IP address assigned on an as-needed basis from a Dynamic Host Configuration Protocol (DHCP) server; matching one or more characteristics of the currently existing host instance to the characteristics of a persistent host described in at least one of the records; identifying the unknown host associated with the currently existing host instance to be the persistent host described by the matching record; retrieving from the matching record one or more of the detected vulnerabilities of the persistent host corresponding to the currently existing host instances; and applying one or more security decisions for the currently existing host instance based on the retrieved detected vulnerabilities of the persistent host corresponding to the currently existing host instance.
Address: Portland OR US