Credential management and network querying
Title: | Credential management and network querying |
---|---|
Patent Number: | 7,571,239 |
Publication Date: | August 04, 2009 |
Appl. No: | 10/127938 |
Application Filed: | April 22, 2002 |
Abstract: | The present invention is directed to a system and method for determining one or more credentials of a network device. The system and method select a first network device from among a plurality of network devices, access a credential repository, contact the first network device, and test the validity of the first set of credentials. The credential repository comprises a first set of credentials corresponding to the first network device. If a user provides invalid or no credentials, a candidate credential queue can be used to guess a valid second set of credentials when the first set of credentials is not valid. |
Inventors: | Goringe, Christopher M. (Seven Hills, AU); Minhazuddin, Muneyb (Quakers Hill, AU); Schreuder, James D. (Summer Hill, AU); Krumm-Heller, Alex M. (Gladesville, AU); Rankine, Alastair J. (Boulder, CO, US); Smith, Melanie L. (Rozelle, AU) |
Assignees: | Avaya Inc. (Basking Ridge, NJ, US) |
Claim: | 1. A method for determining one or more credentials of a network device, comprising: selecting, for valid credential discovery, at least one of a first network device and an electronic address of the first network device from among a plurality of network devices and/or corresponding electronic addresses in a network; accessing a credential repository, the credential repository comprising a collection of electronic addresses corresponding to the network devices and, for each electronic address, a respective set of credentials previously used at the corresponding electronic address to evidence privileges for a network device associated with the corresponding electronic address, and a candidate credential queue, the candidate credential queue comprising a collection of candidate credentials, each candidate credential having a corresponding at least one of a priority and protocol identifier, the priority indicating a likelihood that the corresponding credential is in current use by the first network device and the protocol identifier indicating a protocol compatible with the corresponding credential, wherein the credentials comprise at least one of a community string, User-Based Security Model (USM) mode, authentication method, authentication password, privacy method, and privacy password; contacting the first network device; accessing, from the credential repository, a first set of credentials corresponding to a first electronic address of the first network device; testing the validity of each member of the first set of credentials in the credential repository with the first network device; when no credential in the first set of credentials is valid for use with the first network device, testing the validity of selected credentials in the candidate credential queue with the first network device; and when a credential is valid for use with the first network device, recording the credential as being valid for the first network device. |
Claim: | 2. The method of claim 1, wherein the at least one of a priority and protocol identifier is a priority value. |
Claim: | 3. The method of claim 2, wherein the priority value is based on at least one of the following: a candidate credential frequency counter indicating a number of instances of use, by the plurality of network devices and over a selected time period, of a respective credential, a recency of valid use of the respective credential by the plurality of network devices, and a proximity, relative to the first network device, of an administrative locality of at least one of a network device and electronic address found to have validly used the respective credential to the first network device. |
Claim: | 4. The method of claim 3, wherein the priority value is a function of a plurality of the candidate credential frequency counter, the recency of valid use of the respective credential and the proximity, relative to the first network device. |
Claim: | 5. The method of claim 3, wherein the priority value is a function of the candidate credential frequency counter, the recency of valid use of the respective credential and the proximity, relative to the first network device. |
Claim: | 6. The method of claim 1, wherein the credential repository comprises for at least one credential a plurality of a credential state, a protocol identifier indicating a protocol for which the respective credential is compatible, a protocol access level, a total number of instances of use of the respective credential by the plurality of network devices, a priority of use among the plurality of network devices of the respective credential, a candidate credential frequency counter to reflect a frequency of use of the credential among the plurality of network devices, a recency of use among the plurality of network devices of the respective credential, an administrative locality of the respective credential. |
Claim: | 7. The method of claim 1, wherein the selected credentials are tested in an order based on priority value. |
Claim: | 8. The method of claim 2, wherein the priority value is based on the candidate credential frequency counter. |
Claim: | 9. The method of claim 2, wherein the priority value is based on the recency of valid use of the respective credential. |
Claim: | 10. The method of claim 2, wherein the priority value is based on the proximity, relative to the first network device, of an administrative locality of at least one of a network device and electronic address found to have validly used the respective credential to the first network device. |
Claim: | 11. The method of claim 1, further comprising, when at least one credential is valid for use with the first network device: adding the valid credential to the candidate credential queue. |
Claim: | 12. The method of claim 1, further comprising, when at least one credential is not valid: pinging the first network device to determine whether the first network device is contactable; when a response is received, removing the credential from the respective set of credentials in the credential repository corresponding to the at least one of the first network device and first electronic address; and when a response is not received, assigning a state of NOT CONTACTABLE to a corresponding entry in the credential repository. |
Claim: | 13. The method of claim 1, wherein the at least one of a priority and protocol identifier is a protocol identifier. |
Claim: | 14. The method of claim 13, further comprising: comparing a protocol associated with the first network device with a protocol identifier associated with a first credential in the selected set of credentials in the candidate credential queue; and when the protocol associated with the first network device is determined to be the same as the protocol associated with the protocol identifier, testing the selected credential for use with the first network device. |
Claim: | 15. The method of claim 1, further comprising, when the selected set of credentials in the candidate credential queue is not valid for use with the first network device: prompting a user for a candidate set of credentials; and when the candidate set of credentials is received from the user, testing the validity of the candidate set of credentials. |
Claim: | 16. A computer readable storage medium comprising processor executable instructions operable, when executed, to perform the steps of claim 1. |
Claim: | 17. A computer, comprising: a credential repository, the credential repository comprising a collection of electronic addresses corresponding to a plurality of network devices and, for each electronic address, a respective set of credentials previously used at the corresponding electronic address to evidence privileges for a network device associated with the corresponding electronic address; a candidate credential queue, the candidate credential queue comprising a collection of candidate credentials, each candidate credential having a corresponding at least one of a priority and protocol identifier, the priority indicating a likelihood that the corresponding credential is in current use by the first network device and the protocol identifier indicating a protocol compatible with the corresponding credential, wherein the credentials comprise at least one of a community string, User-Based Security Model (USM) mode, authentication method, authentication password, privacy method, and privacy password; a credential discovery agent operable to: select, for valid credential discovery, at least one of a first network device and an electronic address of the first network device from among the plurality of network devices; contact the first network device; access, from the credential repository, a first set of credentials corresponding to a first electronic address of the first network device; test the validity of each member of the first set of credentials in the credential repository with the first network device; when no credential in the first set of credentials is valid for use with the first network device, test the validity of selected credentials in the candidate credential queue with the first network device; and when a credential is valid for use with the first network device, record the credential as being valid for the first network device. |
Claim: | 18. The computer of claim 17, wherein the at least one of a priority and protocol identifier is a priority value. |
Claim: | 19. The computer of claim 17, wherein the priority value is based on at least one of the following: a candidate credential frequency counter indicating a number of instances of use, by the plurality of network devices and over a selected time period, of a respective credential, a recency of valid use of the respective credential by the plurality of network devices, and a proximity, relative to the first network device, of an administrative locality of at least one of a network device and electronic address found to have validly used the respective credential to the first network device. |
Claim: | 20. The computer of claim 19, wherein the priority value is a function of a plurality of the candidate credential frequency counter, the recency of valid use of the respective credential and the proximity, relative to the first network device. |
Claim: | 21. The computer of claim 19, wherein the priority value is a function of the candidate credential frequency counter, the recency of valid use of the respective credential and the proximity, relative to the first network device. |
Claim: | 22. The computer of claim 17, wherein the credential repository comprises for at least one credential a plurality of a credential state, a protocol identifier indicating a protocol for which the respective credential is compatible, a protocol access level, a total number of instances of use of the respective credential by the plurality of network devices, a priority of use among the plurality of network devices of the respective credential, a candidate credential frequency counter to reflect a frequency of use of the credential among the plurality of network devices, a recency of use among the plurality of network devices of the respective credential, an administrative locality of the respective credential. |
Claim: | 23. The computer of claim 17, wherein the selected credentials are tested in an order based on priority value. |
Claim: | 24. The computer of claim 17, wherein the credential discovery agent, when a credential is valid for use with the first network device, records the credential as being valid for the first network device. |
Claim: | 25. The computer of claim 19, wherein the priority value is based on the candidate credential frequency counter. |
Claim: | 26. The computer of claim 19, wherein the priority value is based on the recency of valid use of the respective credential. |
Claim: | 27. The computer of claim 19, wherein the priority value is based on the proximity, relative to the first network device, of an administrative locality of at least one of a network device and electronic address found to have validly used the respective credential to the first network device. |
Claim: | 28. The computer of claim 17, wherein, when at least one credential is valid for use with the first network device, the credential discovery agent adds the valid credential to the candidate credential queue. |
Claim: | 29. The computer of claim 17, wherein, when at least one credential is not valid, the credential discovery agent is adapted to: ping the first network device to determine whether the first network device is contactable; when a response is received, remove the credential from the respective set of credentials in the credential repository corresponding to the at least one of the first network device and first electronic address; and when a response is not received, assign a state of NOT CONTACTABLE to a corresponding entry in the credential repository. |
Claim: | 30. The computer of claim 17, wherein the at least one of a priority and protocol identifier is a protocol identifier. |
Claim: | 31. The computer of claim 30, wherein the credential discovery agent is adapted to: compare a protocol associated with the first network device with a protocol identifier associated with a first credential in the selected set of credentials in the candidate credential queue; and when the protocol associated with the first network device is determined to be the same as the protocol associated with the protocol identifier, test the selected credential for use with the first network device. |
Claim: | 32. The computer of claim 17, wherein, when the selected set of credentials in the candidate credential queue is not valid for use with the first network device, the credential discovery agent is adapted to: prompt a user for a candidate set of credentials; and, when the candidate set of credentials is received from the user, the credential discovery agent is adapted to test the validity of the candidate set of credentials. |
Claim: | 33. A system for analyzing a validity of credentials, comprising: a credential discovery agent configured to assign a rank to a selected set of candidate credentials based on whether or not the selected set of candidate credentials is valid, the rank being used to indicate a likelihood that the corresponding selected set of candidate credentials is valid for use with network devices; and a credential repository, the credential repository comprising a plurality of sets of candidate credentials for use with network devices and wherein the sets of candidate credentials comprise credentials other than a user name that are known to have been previously used at the network devices to evidence privileges for the network devices, the credential repository further comprising: (i) a protocol identifier identifying, from among a plurality of protocols, a particular protocol associated with a corresponding set of candidate credentials, wherein the repository includes a first protocol identifier identifying a first protocol and a second protocol identifier identifying a second protocol, the first and second protocols being different from one another; and (ii) a recency of use indicator indicating a recency of use, among multiple network devices in the network, of the set of candidate credentials in the network, wherein the rankings are a function of magnitudes of the use counters, frequency counters, and recency of use indicators and wherein the credential discovery agent is further configured to select a set of candidate credentials from a candidate credential queue, test the validity of the selected set of candidate credentials, and assign the ranking to the selected set of candidate credentials based on whether or not the at least one credential is valid. |
Claim: | 34. The system of claim 33, wherein the credential repository further comprises at least one of the following: (iii) a use counter indicating a total number of instances of use, by multiple network devices in the network, of a corresponding set of candidate credentials; and (iv) a candidate credential frequency counter associated with use, by multiple network devices in the network, of a selected set of candidate credentials. |
Claim: | 35. The system of claim 33, wherein the credential repository comprises (iii). |
Claim: | 36. The system of claim 33, wherein the credential repository comprises (iv). |
Claim: | 37. A method for determining one or more credentials of a network device, comprising: selecting a first network device from among a plurality of network devices; accessing a candidate credential queue, the candidate credential queue comprising a collection of candidate credentials, each candidate credential having a corresponding protocol identifier, the protocol identifier indicating a protocol compatible with the corresponding credential, wherein the credentials comprise at least one of a community string, User-Based Security Model (USM) mode, authentication method, authentication password, privacy method, and privacy password; contacting the first network device; accessing a credential repository, the credential repository comprising a collection of electronic addresses corresponding to the network devices and, for each electronic address, a respective set of credentials previously used at the corresponding electronic address; accessing, from the credential repository, a first set of credentials corresponding to a first electronic address of the first network device; determining that a first protocol is currently used by the first network device; selecting a first credential and not a second credential from the candidate credential queue, the first credential having a first protocol identifier associated with the first protocol and the second credential having a second protocol identifier associated with a second protocol, the first and second protocols being different; testing the validity of the first but not the second credential with the first network device; testing the validity of each member of the first set of credentials in the credential repository with the first network device; when no credential in the first set of credentials is valid with the first network device, testing the validity of the first credential from the candidate credential queue; and when a credential is valid for use with the first network device, recording the credential as being valid for the first network device. |
Claim: | 38. A computer readable storage medium comprising processor executable instructions operable, when executed, to perform the steps of claim 37. |
Current U.S. Class: | 709/229 |
Patent References Cited: | 4556972 December 1985 Chan et al.; 4644532 February 1987 George et al.; 5136690 August 1992 Becker et al.; 5185860 February 1993 Wu; 5226120 July 1993 Brown et al.; 5450408 September 1995 Phaal; 5557745 September 1996 Perlman et al.; 5564048 October 1996 Eick et al.; 5572650 November 1996 Antis et al.; 5581797 December 1996 Baker et al.; 5596703 January 1997 Eick et al.; 5623590 April 1997 Becker et al.; 5636350 June 1997 Eick et al.; 5644692 July 1997 Eick; 5734824 March 1998 Choi; 5737526 April 1998 Periasamy et al.; 5751971 May 1998 Dobbins et al.; 5805593 September 1998 Busche; 5812763 September 1998 Teng; 5850397 December 1998 Raab et al.; 5881051 March 1999 Arrowood et al.; 5881246 March 1999 Crawley et al.; 5926463 July 1999 Ahearn et al.; 5943317 August 1999 Brabson et al.; 5966513 October 1999 Horikawa et al.; 6047330 April 2000 Stracke, Jr.; 6088451 July 2000 He et al.; 6108702 August 2000 Wood; 6119171 September 2000 Alkhatib; 6122639 September 2000 Babu et al.; 6131117 October 2000 Clark et al.; 6249820 June 2001 Dobbins et al.; 6252856 June 2001 Zhang; 6256675 July 2001 Rabinovich; 6269398 July 2001 Leong et al.; 6269400 July 2001 Douglas et al.; 6275492 August 2001 Zhang; 6282404 August 2001 Linton; 6298381 October 2001 Shah et al.; 6360255 March 2002 McCormack et al.; 6377987 April 2002 Kracht; 6405248 June 2002 Wood; 6418476 July 2002 Luciani; 6430612 August 2002 Iizuka; 6442144 August 2002 Hansen et al.; 6446121 September 2002 Shah et al.; 6456306 September 2002 Chin et al.; 6550012 April 2003 Villa et al.; 6744739 June 2004 Martin; 6747957 June 2004 Pithawala et al.; 6859878 February 2005 Kerr et al.; 6871284 March 2005 Cooper et al.; 6895436 May 2005 Caillau et al.; 6952779 October 2005 Cohen et al.; 7069343 June 2006 Goringe et al.; 7131140 October 2006 O'Rourke et al.; 7133929 November 2006 Shah; 7143184 November 2006 Shah et al.; 7185100 February 2007 Shah; 7200673 April 2007 Augart; 7302700 November 2007 Mao et al.; 2001/0034837 October 2001 Kausik et al.; 2001/0049786 December 2001 Harrison et al.; 2002/0087704 July 2002 Chesnais et al.; 2002/0112062 August 2002 Brown et al.; 2002/0116647 August 2002 Mont et al.; 2002/0128885 September 2002 Evans; 2002/0141593 October 2002 Kurn et al.; 2002/0144149 October 2002 Hanna et al.; 2002/0161591 October 2002 Danneels et al.; 2002/0188708 December 2002 Takahashi et al.; 2003/0004840 January 2003 Gharavy; 2003/0043820 March 2003 Goringe et al.; 2003/0065626 April 2003 Allen; 2003/0065940 April 2003 Brezak et al.; 2003/0084176 May 2003 Tewari et al.; 2003/0163686 August 2003 Ward et al.; 2005/0071469 March 2005 McCollom et al.; 0 455 402 November 1991; 455402 November 1991; H01-315833 December 1989; 7-334445 December 1995; H11-085701 March 1999; 11-340995 December 1999; 2000-32132 January 2000; 2000-082043 March 2000; 2000-101631 April 2000; 2000-83057 September 2000; 2001-94560 April 2001; 2001-144761 May 2001; 2001-514409 September 2001; WO 98/18306 May 1998; WO 99/10793 March 1999 |
Other References: | Improving System Security via Proactive Password Checking, M Bishop, DV Klein—Computers & Security—asociacion-aecsi.es, 1995 (cited by examiner); Request For Comments (RFC) 1067—A Simple Network Management Protocol, J Case, M Fedor, M Schoffstall, J Davin (cited by examiner); John the Ripper v1.3, printed from the Dec. 25, 2001 web archive of “http://web.textfiles.com/computers/john.txt” (cited by examiner); Novotney, J et al. “An Online Credential Repository for the Grid: MYProxy” from High Performance Distributed Computing, 2001 Proceedings. Lawrence Berkeley Lab. CA USA pp. 104-111 Aug. 7-9, 2001. see pp. 107-110 sections 4-6 (cited by examiner); Y. Breitbart et al., “Topology Discovery in Heterogeneous IP Networks,” Proceedings of IEEE Infocom 2000 (Mar. 2000), 10 pages (cited by other); B. Huffaker et al., “Topology Discovery by Active Probing,” CAIDA (2002), 8 pages (cited by other); M.R. Meiss et al., “Standards-Based Discovery of Switched Ethernet Topology,” Advanced Network Management Lab, (Apr. 2002), pp. 1-20 (cited by other); R. Siamwalla et al., “Discovering Internet Topology,” Cornell University (Jul. 1998), pp. 1-16 (cited by other); Jason Novotny et al., “An Online Credential Repository for the Grid: MyProxy” from High Performance Distributed Computing, 2001 Proceedings. Berkeley, CA (Aug. 2001), pp. 104-111 (cited by other); Moy, J., Network Working Group, OSPF Version 2, Mar. 1994, pp. 62, 68-76, 85 (cited by other); PCT Written Opinion for Intl. App. No. PCT/US02/28467 (cited by other); Official Action for Canadian Patent Application No. 2,468,841, mailed Oct. 31, 2007 (cited by other); Moy, J., OSPF Version 2 Memorandum to Network Working Group, Mar. 1994, 2 pages (cited by other); NET-SNMP, The NET-SNMP Project Home Page, Dec. 13, 2000, 5 pages, http://net-snmp.sourceforge.net (cited by other); Network Working Group, Management Information Base for Network Management of TCP/IP-based Internets: MIB-II, Mar. 1991, 62 pages, http://www.ietf.org/rfc/rfc1213.txt (cited by other); Network Working Group, OSPF Version 2 Management Information Base, Nov. 1995, 71 pages, http://www.ietf.org/rfc/rfc1850.txt (cited by other); Network Working Group, OSPF Version 2, Apr. 1998, 191 pages, http://www.ietf.org/rfc/rfc2328.txt (cited by other); Network Working Group, RIP Version 2, Nov. 1998, 35 pages, http://www.ierf.org/rfc/rfc2453.txt (cited by other); Network Working Group, The OSPF NSSA Option, Mar. 1994, 15 pages, http://www.ietf.org/rfc/rfc1587.txt (cited by other); OpenSSL, The Open Source Toolkit for SSL/TLS, Apr. 17, 2002, 2 pages, http://www.openssl.org (cited by other); Packet Design CNS, “Route Explorer™ Simplifying Route Analysis”, undated, 4 pages (cited by other); Packet Design, Inc., “Route Explorer™—Reports, Alerts, and Queries”, undated, 2 pages (cited by other); International Search Report for International Application No. PCT/US02/30630 mailed Jan. 3, 2003 (cited by other); “Computer & Network LAN” vol. 18, No. 1, pp. 47-57 (Relevance described in Japanese Patent Office's First Office Action for Japanese Patent App. No. 2003/527620 mailed Sep. 11, 2006) (cited by other); National Technical Report (including translated abstract), Vol. 39, No. 1, pp. 63-71 (cited by other); Japanese Patent Office's First Office Action for Japanese Patent App. No. 2003/527620 mailed Sep. 11, 2006 (cited by other); Official Action for Canadian Patent Application No. 2,468,841, mailed Jan. 9, 2009 (cited by other); Examiner's Office Letter (including translation) for Japanese Patent Application No. 2003-560770, mailed Dec. 1, 2008 (4366-60-PJP) (cited by other) |
Primary Examiner: | Barqadle, Yasin M |
Attorney, Agent or Firm: | Sheridan Ross P.C. |
Accession Number: | edspgr.07571239 |
Database: | USPTO Patent Grants |
Language: | English |
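The claims above describe one procedure from several angles: try the credentials already recorded for the device's address (claim 1), drop an invalid stored credential only if the device still answers a ping and otherwise mark the entry NOT CONTACTABLE (claim 12), then fall back to the candidate credential queue filtered by protocol identifier (claims 14 and 37) and ordered by a priority built from frequency, recency and administrative proximity (claims 3, 4 and 7), and finally record and re-queue whatever proved valid (claims 1 and 11). The following Python is an added illustration of that control flow for a network inventory tool; it is not code from the patent or from Avaya. The device table, the credential strings, the scoring weights in `priority()` and every function name are constructed for this example, and the `check`/`ping` callables stand in for the protocol exchange, so nothing here touches a network.

```python
# Added illustration of the claimed discovery procedure; not code from the
# patent or from Avaya.  Device table, credential values, score weights and
# helper names are constructed for this example.  No network I/O occurs.
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Candidate:
    """One entry in the candidate credential queue (claims 1, 3 and 13)."""
    credential: str      # e.g. an SNMP community string (constructed value)
    protocol: str        # protocol identifier, e.g. "snmpv2c" or "snmpv3"
    frequency: int = 0   # instances of valid use over the selected period
    last_used: int = 0   # recency, as a logical timestamp of last valid use
    locality: str = ""   # administrative locality of the last valid use


@dataclass
class Repository:
    """Claim 1's credential repository plus the claim 12 state field."""
    known: Dict[str, List[str]]          # address -> credentials valid there before
    queue: List[Candidate]               # candidate credential queue
    state: Dict[str, str] = field(default_factory=dict)  # "VALID" / "NOT CONTACTABLE"


def priority(c: Candidate, now: int, device_locality: str) -> float:
    """Claims 3 and 4: one score from frequency, recency and proximity.
    The patent names the inputs only; this weighting is an assumption."""
    recency = 1.0 / (1 + (now - c.last_used))
    proximity = 1.0 if c.locality == device_locality else 0.25
    return c.frequency * recency * proximity


def ordered_candidates(repo: Repository, protocol: str, now: int, locality: str) -> List[str]:
    """Claims 7 and 14: protocol-compatible candidates only, highest priority first."""
    compatible = [c for c in repo.queue if c.protocol == protocol]
    compatible.sort(key=lambda c: priority(c, now, locality), reverse=True)
    return [c.credential for c in compatible]


def record(repo: Repository, address: str, cred: str, protocol: str, now: int, locality: str) -> str:
    """Claims 1 and 11: record the valid credential and refresh it in the queue."""
    repo.state[address] = "VALID"
    if cred not in repo.known.setdefault(address, []):
        repo.known[address].append(cred)
    for c in repo.queue:
        if c.credential == cred and c.protocol == protocol:
            c.frequency, c.last_used, c.locality = c.frequency + 1, now, locality
            break
    else:
        repo.queue.append(Candidate(cred, protocol, 1, now, locality))
    return cred


def discover(repo, address, protocol, locality, now, check, ping, ask_user=None) -> Optional[str]:
    """Claim 1 for one device.  check(address, cred) and ping(address) stand in
    for the protocol exchange; ask_user is the claim 15 fallback."""
    for cred in list(repo.known.get(address, [])):        # 1. previously valid here
        if check(address, cred):
            return record(repo, address, cred, protocol, now, locality)
        if not ping(address):                              # claim 12: no answer ->
            repo.state[address] = "NOT CONTACTABLE"        #   keep the entry, stop
            return None
        repo.known[address].remove(cred)                   # claim 12: reachable -> drop it
    for cred in ordered_candidates(repo, protocol, now, locality):   # 2. the queue
        if check(address, cred):
            return record(repo, address, cred, protocol, now, locality)
    if ask_user is not None:                               # 3. claim 15
        cred = ask_user()
        if cred and check(address, cred):
            return record(repo, address, cred, protocol, now, locality)
    return None


# Constructed device table standing in for the network: address -> behaviour.
DEVICES = {
    "192.0.2.10": {"protocol": "snmpv2c", "accepts": "lab-ro-A", "locality": "lab", "up": True},
    "192.0.2.11": {"protocol": "snmpv2c", "accepts": "lab-ro-B", "locality": "lab", "up": True},
    "192.0.2.12": {"protocol": "snmpv3", "accepts": "dc-usm-C", "locality": "dc", "up": False},
}


def simulated_network(table):
    """check/ping callables driven by the constructed table (no real traffic)."""
    def check(address, credential):
        d = table.get(address)
        return bool(d and d["up"] and d["accepts"] == credential)

    def ping(address):
        d = table.get(address)
        return bool(d and d["up"])
    return check, ping


def fresh_repository() -> Repository:
    """Constructed starting state: one stale stored credential, one still valid."""
    return Repository(
        known={"192.0.2.10": ["stale-old"], "192.0.2.12": ["dc-usm-C"]},
        queue=[Candidate("lab-ro-A", "snmpv2c", frequency=3, last_used=90, locality="lab"),
               Candidate("lab-ro-B", "snmpv2c", frequency=5, last_used=10, locality="dc"),
               Candidate("dc-usm-C", "snmpv3", frequency=1, last_used=95, locality="dc")])


def run_demo(now: int = 100):
    """Walk every device in the table; return per-address outcome and the repository."""
    repo = fresh_repository()
    check, ping = simulated_network(DEVICES)
    results = {}
    for address in sorted(DEVICES):
        dev = DEVICES[address]
        results[address] = discover(repo, address, dev["protocol"], dev["locality"], now, check, ping)
        print(address, "->", results[address], repo.state.get(address))
    return results, repo


if __name__ == "__main__":
    run_demo()
```

Running `run_demo()` shows the three branches in turn: for 192.0.2.10 the stored "stale-old" fails, the device answers the ping, so the stale entry is removed and the queue supplies "lab-ro-A" first because it is recent and in the same locality; for 192.0.2.11 the freshly refreshed "lab-ro-A" now outranks "lab-ro-B" and is tried (and fails) before "lab-ro-B" succeeds, which is the cost of a purely frequency-and-recency ranking; for 192.0.2.12 the device is down, so the stored credential is kept and the entry is marked NOT CONTACTABLE rather than being discarded. From an operations standpoint the same loop is what a device-side log would show as a short burst of failed authentications from the management host, which is worth whitelisting in detection rules only for the inventory system's own address.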