(12) United States Patent
Gleichauf et al.

US006415321B1

(10) Patent No.: US 6,415,321 B1
(45) Date of Patent: Jul. 2, 2002

(54) DOMAIN MAPPING METHOD AND SYSTEM

(75) Inventors: Robert E. Gleichauf, San Antonio; Gerald S Lathem, Elgin; Scott V. Waddell, Austin, all of TX (US)

(73) Assignee: Cisco Technology, Inc., San Jose, CA (US)

(*) Notice: Subject to any disclaimer, the term of this patent is extended or adjusted under 35 U.S.C. 154(b) by 0 days.

(21) Appl. No.: 09/223,072

(22) Filed: Dec. 29, 1998

(51) Int. Cl.7: G06F 13/00

(52) U.S. Cl.: 709/224

(58) Field of Search: 709/200, 220, 223, 224, 225, 226

Primary Examiner: Robert B. Harrell
(74) Attorney, Agent, or Firm: Baker Botts L.L.P.

(57) ABSTRACT

A method and system for mapping a network domain provides a centralized repository for network information to support network devices, including an intrusion detection system. A domain mapping device includes an acquisition engine for acquiring network information, hypercube storage for storing network information, and a query engine for responding to queries from network devices for network information. The acquisition engine acquires network information by active scanning of network devices, passive scanning of network devices, polling of network devices, or receiving network information pushed from network devices. The network information includes device type, operating system, service and vulnerability information. The query engine provides network information in response to queries from network devices, such as intrusion detection devices that use the data to detect attacks on the vulnerabilities of the network.
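
The acquire, store and query roles described in the abstract, as an added Python sketch (not code from the patent or from any product): observations from the four acquisition modes are merged into one record per device, and an intrusion detection consumer queries that record to rate a signature match against what the destination actually runs. The source trust ranking, the staleness window, the signature fields, the addresses and the sample observations are assumptions constructed for this example; the OS and vulnerability labels are borrowed from the drawing text.

```python
from dataclasses import dataclass, field

# Acquisition modes listed in the abstract. The trust ranking is an assumption
# of this sketch: a direct probe or a device's own report outranks inference
# from sniffed traffic.
SOURCE_RANK = {"passive_scan": 1, "polling": 2, "pushed": 2, "active_scan": 3}


@dataclass
class DeviceRecord:
    device_type: str = "unknown"
    os: str = "unknown"
    services: dict = field(default_factory=dict)    # port -> service name
    vulnerabilities: set = field(default_factory=set)
    last_seen: float = 0.0
    rank: dict = field(default_factory=dict)        # attribute -> rank of source that set it


class DomainMap:
    """Central store: acquire() merges observations, query() answers consumers."""

    def __init__(self, max_age=86400.0):
        self.max_age = max_age      # seconds before a record counts as stale (assumed)
        self.records = {}

    def acquire(self, ip, source, ts, device_type=None, os=None,
                services=None, vulnerabilities=()):
        rank = SOURCE_RANK[source]  # KeyError on an unknown acquisition mode
        rec = self.records.setdefault(ip, DeviceRecord())
        rec.last_seen = max(rec.last_seen, ts)
        for attr, value in (("device_type", device_type), ("os", os)):
            # A weaker source never overwrites what a stronger one established.
            if value is not None and rank >= rec.rank.get(attr, 0):
                setattr(rec, attr, value)
                rec.rank[attr] = rank
        for port, name in (services or {}).items():
            key = f"port:{port}"
            if rank >= rec.rank.get(key, 0):
                rec.services[port] = name
                rec.rank[key] = rank
        rec.vulnerabilities.update(vulnerabilities)

    def query(self, ip, now):
        rec = self.records.get(ip)
        if rec is None or now - rec.last_seen > self.max_age:
            return None             # unknown or stale: the caller must not assume
        return rec


def triage(domain_map, signature, dst_ip, dst_port, now):
    """Rate an IDS signature match by what the map says about the destination."""
    rec = domain_map.query(dst_ip, now)
    if rec is None:
        return "unverified"         # no usable record: keep default handling
    if rec.services.get(dst_port) != signature["service"]:
        return "low"                # destination is not known to run that service
    if signature["requires_vuln"] in rec.vulnerabilities:
        return "high"               # destination is recorded as exposed
    return "medium"                 # service present, exposure not recorded


# Constructed signatures and observations (illustrative only).
SIG_TELNET = {"id": "telnet-match", "service": "telnet", "requires_vuln": "TELNET OPEN"}
SIG_TFTP = {"id": "tftp-match", "service": "tftp", "requires_vuln": "TFTP OPEN"}
SIG_SMTP = {"id": "smtp-match", "service": "smtp", "requires_vuln": "SMTP BUGS"}
NOW = 86500.0


def build_sample_map():
    m = DomainMap()
    m.acquire("192.0.2.10", "passive_scan", 100, os="NT 4.0",
              services={80: "web server"})
    m.acquire("192.0.2.10", "active_scan", 200, device_type="web server",
              os="Solaris 2.5.1", services={23: "telnet", 80: "web server"},
              vulnerabilities={"TELNET OPEN"})
    # A later passive guess refreshes last_seen but cannot override the probe.
    m.acquire("192.0.2.10", "passive_scan", 300, os="Win '95")
    m.acquire("192.0.2.20", "polling", 150, device_type="router", os="IOS 11.3",
              services={23: "telnet", 69: "tftp"}, vulnerabilities={"TFTP OPEN"})
    # Pushed once long ago and never refreshed: stale by NOW.
    m.acquire("192.0.2.30", "pushed", 10, device_type="printer", os="Lexmark 2.0",
              services={515: "lp"})
    return m


if __name__ == "__main__":
    dm = build_sample_map()
    for sig, ip, port in ((SIG_TELNET, "192.0.2.10", 23), (SIG_SMTP, "192.0.2.10", 25),
                          (SIG_TELNET, "192.0.2.20", 23), (SIG_TFTP, "192.0.2.30", 69)):
        print(sig["id"], ip, port, triage(dm, sig, ip, port, NOW))
```

The "low" rating is only as good as the freshness of the record, which is why a stale or missing entry returns "unverified" instead of suppressing the match.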

20 Claims, 3 Drawing Sheets

[Front-page drawing; surviving labels: OS 22, SERVICES 24, POTENTIAL VULNERABILITIES 26]

Commerce Bancshares, Inc., et al.
Exhibit 1005
Page 1

[Drawing Sheet 1 of 3. FIG. 1: block diagram with blocks labelled NETWORK INFORMATION, ANALYSIS, PRIORITY, ACTIVE PROCESS (NETWORK VULNERABILITY ASSESSMENT), QUERY PROCESS (DOMAIN MAPPING SYSTEM), PASSIVE PROCESS (INTELLIGENT PACKET ANALYSIS) and NETWORK MAP. FIG. 4: flowchart (reference numerals 100, 102, 104, 108): START; ACQUIRING NETWORK INFORMATION FOR ONE OR MORE NETWORK DEVICES ASSOCIATED WITH A NETWORK DOMAIN; STORING THE NETWORK INFORMATION; INTERFACING THE STORED NETWORK INFORMATION WITH THE NETWORK; QUERYING THE STORED NETWORK INFORMATION WITH ONE OR MORE OF THE NETWORK DEVICES; END.]

[Drawing sheet, header and figure label not recoverable: network diagram whose devices are annotated in four layers, DEVICE TYPE 20, OS 22, SERVICES 24 and POTENTIAL VULNERABILITIES 26. Device-type labels: PRINTER, WORKSTATION, SERVER TERMINAL, FILE SERVER, WEB SERVER. OS labels: LEXMARK 2.0, XYLOGICS, WIN '95, NT 4.0, HP 10.2.0, SOLARIS 2.5.1, LINUX 5.0, PIX 4.1, IOS 11.3. Service labels: FTP, WEB SERVER, NETBIOS, LP (LINE PRINTER), RADIUS, VPN, SMTP, TFTP, CHARGEN, TELNET, SNMP. Potential-vulnerability labels: DELETING QUEUES, CRASHING, MIS-CONFIGURED, PRINTER OPEN, DENIAL OF SERVICE, ADMIN ACCOUNT OPEN, SHADES OPEN, TELNET OPEN, REMOTE WATCH, SMTP BUGS, NFS OPEN, SERIAL PORTS OPEN, SNMP OPEN, TFTP OPEN.]

[FIG. 3: block diagram of a DOMAIN MAPPING DEVICE containing an ACQUISITION ENGINE, a QUERY ENGINE and HYPERCUBE STORAGE (DEVICE TYPE, OPERATING SYSTEM, SERVICES, VULNERABILITIES); data collection inputs ACTIVE SCAN, PASSIVE SCAN, PUSHED DATA and POLLING; other labels: IDS, CONFIGS, ONE PER APPLICATION, WORKSTATION, FILE SERVER, SERVER TERMINAL, and labels reading NETWORK, VULNERABILITIES, ASSESSMENT and DEVICE.]

DOMAIN MAPPING METHOD AND SYSTEM

CROSS-REFERENCE TO RELATED APPLICATIONS

This application is related to U.S. patent application Ser. No. 09/222,414 issued as U.S. patent Ser. No. 6,301,668 on Oct. 9, 2001, entitled "Method and System for Adaptive Network Security Using Network Vulnerability Assessment", filed Dec. 29, 1998, and presently pending U.S. patent application Ser. No. 09/223,071 entitled "Method and System for Adaptive Network Security Using Intelligent Packet Analysis", filed Dec. 29, 1998.

TECHNICAL FIELD OF THE INVENTION

The present invention relates in general to computer networks and, more particularly, to a method and system for domain mapping of a network.

BACKGROUND OF THE INVENTION

Network security products such as intrusion detection systems (ID systems) and firewalls can use a passive filtering technique to detect policy violations and patterns of misuse upon networks to which the security products are coupled. The passive filtering technique usually comprises monitoring traffic upon the network for packets of data. A signature analysis or pattern matching algorithm is used upon the packets, wherein the packets are compared to "attack signatures", or signatures of known policy violations or patterns of misuse.

In order to properly detect policy violations and patterns of misuse, security products often must place the packets of data in contexts relevant to such connection criteria as space, time, and event. Space is usually defined in terms of a source-destination connection at the port level. Time is defined as the amount of time to continue associating packets for the type of connection defined by the source-destination connection. Event is defined as a type of connection, which in turn defines the types of policy and misuse signatures that can occur with each packet. As the size of a network expands, there are greater numbers of connections, which leads to greater numbers of lookups and comparisons that must be performed by the security product.

Two problems are associated with conventional security products. First, conventional security products have insufficient information to self-configure for reliable detection of policy violations and patterns of misuse. For example, conventional security products have no mechanism to reliably ascertain network information of the network to which the security product is coupled. This leads to disadvantages such as being unable to accurately predict the effect of a particular packet upon a destination device. Furthermore, a conventional security product has no mechanism to ascertain the network topology and thus cannot predict if a certain packet will reach its intended destination. Such a lack of n
